Security Experts:

Making the Grade When It Comes to Incident Response

This fall, millions of students entered colleges or universities for the first time. As final exams approach, many are coming to the realization that a syllabus is more than an email you skip over or delete. The assignments, lecture schedule, labs – you name it – are key to your success in class. For those who haven’t adequately prepared, winging it will only take them so far.

That syllabus is kind of like the incident response plan that many organizations have filed away somewhere and forgotten. Without having gone through the rigors of various exercises to know what to expect and what to do when, pulling it out in the midst of a cyber attack or once a breach has happened has little impact.

As the number of successful breaches continues to rise and attackers remain active and undetected for weeks, months, or even longer, waiting for something to happen isn’t an option. By then the damage is done. There’s a lot organizations can do to strengthen their incident response capabilities so that they’re up to the test. Here are a few ways to take charge and ensure a better outcome:

Incident Response Strategy

Table Top Exercises (TTX) – More than ensuring all documentation, templates, procedures, and processes are in place, a TTX starts with a scenario created specifically for your organization and the types of threats you’re most concerned about. Participants should include not just IT, but public relations, legal, human resources, executives, and more. During the day of testing, a scenario is talked through with new information introduced along the way. These curveballs change the scenario, mimicking the dynamic nature of attacks and investigations. Following the session you get an objective evaluation of the team’s performance, including strengths, weaknesses, and lessons learned. The report typically also includes recommendations for areas of improvement, covering both low-hanging fruit and more strategic investments. A TTX is highly educational, fairly unintrusive and, when led by an incident response service provider, not overly time consuming.

Simulated Incidents or War Games – This exercise involves looking at the organization from an attacker’s perspective and mimicking their tools, techniques, and procedures (TTPs) to see if and how a contracted team can penetrate the network. Simulations can be tailored to specific types of attacks based on your organization’s direct experience or attacks your competitors have faced. This is a more invasive test that leverages a Red Team to identify vulnerabilities and simulate an attack against the company, and a Blue Team to detect and respond to attacks; it’s important to note that these tests can be done in virtual staging environments, but it may be difficult to mimic real-life scenarios there. These types of war games offer a more comprehensive way to test the Security Operations Center and Incident Response team. The complete spectrum of incident response activities (detection, collection, containment, analysis, communication, and more) is tested to ensure the full extent of the attack is discovered and responded to. As in a TTX, representatives from multiple functions across the organization can be brought into this testing to ensure the incident is properly responded to in its entirety.

Threat Hunting – I’ve already written about this topic extensively so I’ll just quickly recap that threat hunting involves seeking out active threats and breached systems to better protect company assets. This exercise is most effective when analysts have access to advanced security analytics technology, big data platforms, and threat intelligence. These capabilities allow them to focus their hunting on assets that are more likely to have been breached, and to reevaluate past events in light of the latest threat intelligence.
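The last sentence above describes retrospective hunting: re-checking events that were already logged against indicators that only arrived later. The script below is an added illustration of that idea and is not code from the column, from Cisco, or from any Cisco product. The log lines, the indicator feed, the field layout and the host names are all constructed for the example; a real hunt would read from a SIEM or data platform and pull indicators from a vendor or sharing community.

```python
"""
Retrospective threat hunt: re-evaluate past proxy events against a threat
intelligence feed received after those events occurred, then rank hosts so
analysts look at the most likely compromised assets first.
All inputs below are constructed sample data for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical proxy log: "<ISO timestamp> <src_host> <dst_domain> <bytes>"
PAST_EVENTS = """\
2017-10-02T09:14:03 ws-finance-07 cdn.example-updates.net 1820
2017-10-02T09:15:10 ws-finance-07 login.microsoftonline.com 4401
2017-10-03T22:41:55 srv-hr-db stats.example-metrics.org 96
2017-10-04T01:12:30 ws-finance-07 stats.example-metrics.org 102
2017-10-05T13:05:17 ws-sales-21 www.example.com 8812
2017-10-06T03:33:48 srv-hr-db stats.example-metrics.org 98
"""

# Constructed indicator feed that arrived AFTER the events above were logged.
# The domains are made up; "first_seen" is when the intel was received.
NEW_INDICATORS = {
    "stats.example-metrics.org": {"first_seen": "2017-10-10", "kind": "c2-beacon"},
    "cdn.example-updates.net": {"first_seen": "2017-10-10", "kind": "payload-delivery"},
}


def parse_events(text):
    """Turn the whitespace-separated log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "domain": domain.lower(),
            "bytes": int(nbytes),
        })
    return events


def retro_hunt(events, indicators):
    """Return past events whose destination matches an indicator learned later.

    'days_before_intel' records how long the activity predates the indicator,
    which is the dwell-time window the hunt would otherwise have missed.
    """
    hits = []
    for ev in events:
        ioc = indicators.get(ev["domain"])
        if ioc is None:
            continue
        learned = datetime.fromisoformat(ioc["first_seen"])
        hits.append({**ev, "kind": ioc["kind"],
                     "days_before_intel": (learned - ev["ts"]).days})
    return hits


def rank_hosts(hits):
    """Prioritise hosts: distinct indicator kinds first, then number of hits.

    A host that touched both a delivery domain and a beacon domain is a
    stronger candidate than one with repeated hits of a single kind.
    """
    per_host = defaultdict(lambda: {"kinds": set(), "hits": 0})
    for h in hits:
        per_host[h["host"]]["kinds"].add(h["kind"])
        per_host[h["host"]]["hits"] += 1
    ranked = [(host, {"kinds": sorted(v["kinds"]), "hits": v["hits"]})
              for host, v in per_host.items()]
    ranked.sort(key=lambda kv: (len(kv[1]["kinds"]), kv[1]["hits"]), reverse=True)
    return ranked


if __name__ == "__main__":
    found = retro_hunt(parse_events(PAST_EVENTS), NEW_INDICATORS)
    for host, info in rank_hosts(found):
        print(f"{host}: {info['hits']} hit(s), kinds={info['kinds']}")
    for h in found:
        print(f"  {h['ts'].isoformat()} {h['host']} -> {h['domain']} "
              f"[{h['kind']}] {h['days_before_intel']} days before intel")
```

With the sample data, ws-finance-07 ranks first because it contacted both a delivery domain and a beacon domain, while ws-sales-21 never appears. The same loop applied to weeks of retained logs is what lets a team confirm that an indicator published today did not already fire quietly last month.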

Retained Incident Response Services – No matter how prepared you are, when an attack does happen you need “all hands on deck,” and most organizations don’t have enough hands. Finding and retaining elite, quality talent is a huge challenge given the shortage of skilled experts and overwhelming market need. That’s when a retained incident response service can help, jumping into action and supplementing your team when an attack does happen. When they aren’t actively engaged in incident response, they can help focus on and develop proactive efforts. In the process they’ll learn more about your organization, which improves their efficiency and effectiveness during a response, while your internal team will be better able to handle other tasks that need attention.

Every organization has a limited amount of time and budget to deal with today’s complex and relentless attacks. By engaging in these exercises and working with a partner, you can identify previously unknown gaps and make the right investments to close them. Whether it’s additional defenses, education, training, and/or processes, you’ll be ready to take charge when put to the test.

Related: Using Machine Learning for Red Team Vs Blue Team Wargames

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.