Cyber Incident Response: How Strong is Your Incident Response Plan?

High expectations are set from organizations, markets and regulators to protect their internal assets as well as their customers’ information. Companies are more and more looking at developing and optimizing their incident response capabilities in order to strengthen their incident response and preventative security postures towards a constantly evolving threat landscape, and to minimize the risk incurred.

The cyber incidents occurring throughout the current year have shown that companies need a robust and effective prevention and Cyber Incident Response capability. Moreover, in order to prevent cyber incidents, it is of utmost importance to ensure regular incident response capability is tested and reported efficiently.

Furthermore, we expect governments and regulators to further mandate organizations to organize Cyber Incident Response Exercises. Globally, SWIFT is asking all its users to test their Cyber Incident Plan on a yearly basis as part of the Customer Security Program. In the United States, NIST SP 800-53 requires federal agencies to test their system’s contingency plans at least annually, and a few states are asking companies to document a cybersecurity incident response plan (e.g. NYDFS Part 500). In Asia, institutions such as Certified Risk Management Professionals (CRMP) and ICAST are imposing on financial institutions and regulators (Monetary Authority of Singapore and Hong Kong Monetary Authority) to perform incident response exercises regularly. Also, specific regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) require conducting incident response exercises on a frequent basis. At national level, several European countries and other countries such as USA, Canada and Qatar are conducting incident response exercises to test their incident response capabilities (i.e. Cyber Europe 2016: multi-event cyber exercise that involves more than 700 cyber-security professionals from 30 EU and EFTA countries and over 300 private and governmental organizations, and STAR 5 exercise in Qatar…).

In this article, we provide an overview of the different types of incident response exercises that can be organized as well as some insights into the key success factors and pitfalls for organizing these exercises.

Before delving into the specifics of an incident response exercise, it is useful to remind us of the need to establish a documented Cybersecurity Incident Response Plan. Responding to a cyber-incident can be quite challenging especially if not properly planned. The objective of this plan is to define the typical structure of the response, usually along the lines of the following phases:

The cyber incident response is a continual process where preliminary preparation is needed in terms of cybersecurity resources readiness. Whenever an event occurs, and once the presence of an intrusion is properly identified and classified as an incident, its impact is assessed and containment measures are deployed in order to temporarily reduce the incurred risk to an acceptable level.  The incident is then eradicated, its root-causes are analyzed and the remediation actions are defined. After that, targeted and faulty systems or applications are recovered, remediated and restored into operation. Lastly, the details of the incident are reported to relevant parties, logged, and the incident is closed.

In that regard, a cyber incident response plan needs to be established and adequately tested and maintained, in order to ensure proper incident detection and prevention.

Incident response exercises enable organizations to test their incident response plan and their ability to properly react and respond to cyberattacks. Through emulation of cyberattacks, organized by an authorized group of people called the Red Team (RT), organization can prepare and coordinate their response. The objective of an Incident Response Exercise is to identify whether roles, responsibilities and protocols are fully understood by all stakeholders in a practical real-world manner, in addition to helping identify which threats are most relevant to the organization’s business.

If properly executed incident response exercises ensure the following:

• Strengthened incident response plan and capability through testing of people, processes and technology aspects and identifications of risks and areas for improvement;
• Improved readiness of cyber team and a better response to cyberattacks through muscling up the cyber response practice;
• Identification of roles and responsibilities, internal communication paths and escalation procedures in the event of a cyber-attack;
• Enhanced compliance with regulatory requirements and applicable rules and regulations;
• Opportunity to enhance the planning and execution of future incident response exercises through sharing of lessons learnt.

Incident response exercises can vary in form and complexity, depending on the organization’s industry, size, type of business and maturity. In the event of conducting an incident response exercise, key stakeholders (i.e. information security team, incident response team…) are invited to sessions supported by an experienced trainer. Sessions are made dynamic using videos, laptops and communication as needed to fulfill the exercise. Incident response exercises can be categorized as follows:

Tabletop exercises (scripted events)

Tabletop exercises are the simplest. They have a small training audience and a list of very well-defined objectives. In this type of setups, communication between different players is made easier and helps to establish the business processes associated with planning, executing, and training during an exercise. Injects are hypothetical, pre-coordinated, and written down. Many organizations use tabletop exercises to establish relationships and share information with other organizations, partners, or countries, to test the readiness of response capabilities and to raise awareness. Tabletop exercises are suitable for organizations that need to validate processes or train personnel. Injects can be either directed at the company (would need a preliminary of the company’s architecture and organization), or completely hypothetical (in this case the trainer would target it to a mock organization). It is important that tabletop exercise have a mixed audience with different company’s departments and/or functions (e.g., IT, Risk, Legal…).

Hybrid (scripted injects with real probes/scans)

Hybrid exercises include scripted and live events, in order to increase the realism of the scenario. In this type of exercises, the RT simulates real-time scenarios and the planners pre-coordinate real-life injects or scenarios to be executed during planned scenarios. This type of exercise can include multiple organizations and the coordination and planning of such exercise necessitates approximately 3 to 6 months. Hybrid exercises are most suitable for organizations familiar with inter- organization exercises and dotted with a clearly defined set of objectives.

Full Live (real and scripted events)

Full live exercises are based on real events in order to increase the realism and training opportunities for the target audience. Exercise facilitation is made by the exercise planners along with a “Red Team” that executes real events against pre-determined targets. Injections can be made as the exercise progresses, creating a dynamic scenario, and simulating real-time attacks. The realism of exercise injects and of the training audience responses are key success factors to this type of exercises. Full live exercises are suitable for mature organizations that have previous experience in conducting such dynamic tests, and that wish to strengthen their incident response plan.

According to our experience, Incident Response Exercises are essential to test the real response capabilities of the organization. Below we list some of the key success factors & pitfalls.

Planning Incident Response Exercises

Incident response exercises require preliminary preparation and planning. This involves the following phases:

• Design phase: defining the scope, objectives, rules of engagement and exercise requirements, identifying the participants and facilities required;
• Development phase: creating all documents necessary to conduct the exercise including tailored scenario scripts, needed policies and reports;
• Execution phase: conducting exercise pre-validation checks, and structuring the engagement in a way to spot potential weaknesses and areas to be improved;
• Evaluation phase: summarizing and documenting lessons learnt.

Pitfalls to avoid while planning incident response exercises

In order to come up with an effective incident response exercise, planners must make sure to avoid the following:

• Unclear scenario objectives and rules of engagement: poorly defined objectives may lead to ineffective testing of real-world scenarios and/or unplanned exercise outcomes and impacts;
• Poor involvement of senior leaders in exercise planning: resulting into resistance in conducting exercises;
• Improper execution of cyber injects: injects must be appropriately planned and spaced out to account for reaction time;
• Out of scope injects: injects which are too far from reality at the company could lead to inefficient testing and responses...

“The Northstar Collective” is a fictional hacker collective, which utilizes zero-day exploits and tailored vectors of attacks. For this specific exercise, the collective has targeted a financial institution by a number of coordinated attacks including a DDoS on their Internet Banking Application, a DNS Hijack, a SWIFT fraud and an encryption attack (using WannaCry). Related to this scenario, there is a number of questions that companies may need to address:

• Does my Cyber Incident Response Plan list the key contacts?
• Does my Cyber Incident Response Plan detail the responsibility of each person in the Incident Response Team?
• Does my Cyber Insurance cover all current the cyber threats?
• Are my critical vendors ready to answer the most recent cyber threats? 

  “Incident response Exercise for an Oil and Gas Joint-Venture"

In the context of the creation of new Oil & Gas Joint-Ventures, Sia Partners organized within a two week timeframe an incident response exercise, aiming to make all stakeholders familiar with the incident response plan that was freshly developed, to raise the required awareness around that plan and to facilitate communication between different stakeholders. Ready-made videos and quizzes were used in that regard, for facilitation purposes.

A major take away from this exercise was to have people sensitized about the impact of information security incidents in industrial environments. People are often too focused on their business-as-usual activities (oil spills, power outages…) and therefore fail to recognize the impact that can be caused by a cybersecurity breach.

As part of its CIO Advisory practice, Sia Partners assists private and public organizations in testing their incident response plan and capabilities.

Relying on a pool of highly qualified resources dotted with an international subject-matter expertise as well as a deep knowledge of latest best practices and regulatory requirements, Sia Partners offers incident simulation exercises adapted to each organization’s environment, in line with the latest threats landscape.

• We closely collaborate with our Clients in order to develop incident response plans, coordinate the design and implementation of incident response exercises, and advise on the best practices and pitfalls of the incident response. 
• Regulators and Industry Standards tend to mandate more and more companies to perform an annual cyber incident response testing.
• Tabletop Exercises are the most commonly performed exercise, but depending on the organization need, policies and organization, it might be worth considering testing its cyber incident response plan with a Hybrid or Full Live Testing. Planning the exercise and properly design it is key as part of an efficient testing of the cyber incident response capabilities.