It is not possible to allow for every scenario when it comes to cyber security incident response management, but having the right processes in place can alleviate some of the panic which often ensues during an incident. A well-prepared plan affords both management and staff the knowledge of how they should respond and what they should do when an attack happens.

Part of effectively managing your team's response to a cyber incident, and preparing them for the real thing, is conducting a number of 'test runs' in the form of table top exercises. These are pre-defined scenarios, simulating a cyber-attack or security-related incident, for the incident response team to work through. These exercises prove invaluable when it comes to preparing the team for the real thing. If staff have confidence in the steps they need to take, incidents can be better managed and recovered from much more efficiently. These exercises also enable the team to identify where any gaps or failings might lie, or where additional training might be required, so that the incident response plan can be updated accordingly.

Although there are some generic table top exercise resources available, we strongly believe that creating simulated cyber-attack scenarios tailored to the organisation and based on real world attacks and the latest techniques and tactics used by cyber criminals has the most benefit. These scenarios could well become a reality, and having staff who already possess the knowledge and understanding of what to expect can minimise mistakes when time is of the essence as an incident unfolds.

So, how do we do this? During an initial workshop, we aim to determine what incident response processes and practices are already in place and what the organisation would like to achieve. This is followed up by some further research into the types of scenarios the organisation will get the most benefit from. We will ask: What industry is the organisation in? How big is the company? Is location relevant? We also seek statistics on what types of attacks are most common for their particular demographic and who the attacks were carried out by, even down to the specifics surrounding each attack. The aerospace sector, for example, may have a different attack group to a financial company, and so we can ensure the most likely scenarios are tested.

Once the workshop and research are completed, we build scenarios tailored specifically to the organisation. These would be presented in the form of playbooks and would contain a thorough, fully developed exercise for the incident response team to follow. Playbooks can test the entire incident response process end to end, or they can be targeted towards a specific part of the process, or even a specific responsibility or role within the incident response team.

Exercises can often contain curveballs and move in another direction depending on the actions of the Incident Response team. This can further help mimic real world situations and allow for likely changes and developments as the incident progresses.

Actually participating in exercises is important for the Incident Response team to become familiar with, and understand, how the process should work. It allows staff to ask questions, make mistakes, understand how best to work together, learn, and really take notice and control of the responses and ultimate outcome.

It is also critical for the Management team to have visibility of how the Incident Response team works together during an incident. They need awareness of what can be improved upon, or what further resources the team would benefit from, in order to further improve their responses, as this will guide how they invest in defence. Crucially, it gives an insight into what changes or improvements need to be made to the overall incident response process to make it more efficient and minimise downtime for the organisation in the event of a real attack.

We have lots of information available about Incident Response Management and you can also take a look at the training we have built for both leadership teams and specifically on Incident Response for your business.