"I have an IR Plan... What's Next?"

In today’s world, it has become commonplace for companies to develop cybersecurity incident response plans, just as they do for physical hazards like earthquakes, blackouts, city lock-downs, and pandemics. These plans are often tested through event simulations.

However, cybersecurity incident response plans are seldom tested, which can result in an incident response that affects more information and investigation results than the attack itself. This lack of testing and training can result in problems like a lack of coordination between security areas and systems during an incident, causing delays in responding to and containing the cyber attacks.

Table-top exercises play a crucial role in addressing this issue. These exercises simulate cyber crises and involve the teams outlined in the incident response plans, validating their skills in management, investigation, containment and other essential areas necessary to mitigate the impact and restore normal operations. Executing a table-top exercise requires clear objectives, appropriate scenario design, and the involvement of the right personnel.

In a real crisis situation, every second counts and it is vital for all team members to know exactly what to do. To illustrate this point, consider a scenario where hackers compromise a dam’s gate-closing control system and threaten to open the gates, potentially putting millions of lives at risk within seconds. In such a context, wasting time on accessing information becomes more than critical.

Types of Table-top exercises

To conduct a Table-top exercise successfully, it is essential to have a clear objective in mind, allowing for the design of the most suitable scenario and the participation of the appropriate personnel. While these exercises may not always validate all incident response plans, they provide an opportunity to analyze common scenarios in such situations.

1. Testing the IRP. Without a doubt, this scenario is highly desired, as it allows testing everything that has been planned. However, on many occasions this plan involves various areas of the organization, such as the legal team, communications and even managers, which makes it difficult to all those involved to participate.

2. Tactical Response. These tests primarily focus on non-technical areas within the company, enabling the validation of legal and communications aspects in attack scenarios. They help clarify actions within the operational domain and, from a non-technical standpoint, ensure that the response plan does not create legal complications or reputation problems that may be more critical than the actual attack itself.

This type of test is beneficial during plan creation or system audits, allowing for the consideration of administrative details and the development of necessary communication channels within the Incident Response Plan (IRP). It also validates the knowledge of non-operational areas regarding cybersecurity procedures during an incident.

3. Operational response. This is likely the most common type of Table-top exercise and should ideally be conducted at least once every semester. It serves as a crucial platform for operations and crisis management teams to refine their actions during an incident. Similar to tactical testing, the exercise can be performed during IRP development or as part of a systems audit.

The importance of the Design Process

During the plan development phase, validating potential approaches and understanding the technical capabilities of staff and available tools are highly beneficial. It allows teams to contribute based on their expertise in crisis timing and management, particularly crucial in OT/ICS environments, for example.

When it comes to audit tests, they not only serve as training opportunities for personnel but also validate the knowledge of established plans and procedures. In many cases, it’s not necessary to test the entire Incident Response Plan (IRP), but occasional testing of a playbook or specific procedure can provide valuable insights for training plans or technological improvements.

Based on our experience in developing this type of training, we recognize that these three scenarios are just the basis for creating a Table-top. However, each organization can request the adaptation of the scenarios according to their specific needs and objectives. It is crucial to take into account the maturity in managing cybersecurity risks, the type of operation and the personnel available when making these adaptations.

Execution of Table-top exercises

To ensure the effectiveness of these exercises, we always conduct multiple meetings with the organizations involved to establish a clear objective and approach from the outset. This collaborative process helps us determine the key individuals required to participate in the exercise and design it in a way that achieves the desired level of realism. Our goal is to make the exercise engaging for the attendees and evoke a sense of urgency as if they were facing a real incident.

Definitely, the experience accumulated in years of incident response allows the team to create a realistic narrative adapted to the characteristics of the organizations. This work provides added value and knowledge to incident response teams, which will allow them to act accurately and effectively at the time of a real incident. Thus, training gives team members confidence and management peace of mind by having a response as well trained for cybersecurity incidents as they are for physical ones.

Would you like to ensure the preparation of your organization for possible cybersecurity incidents? Contact us at sales@one-esecurity.com for more information on our incident response services. We are ready to help you!

Author: Diego Espitia - Senior Consultant at One eSecurity

This website www.one-esecurity.com uses its own and third party cookies to collect information that helps to optimize your visit to their web pages. Cookies will not be used to collect personal information. You can either allow or reject their use. You can also change their settings at any time. You will find more information on our Cookie Policy page.