Until recently, tabletop cyber security exercises were a staple of any serious approach to maintaining and improving an organisation’s security posture. Tabletop exercises engage key stakeholders within the organisation such as senior management, IT and SOC teams, HR, PR and legal staff. Through a series of roleplay-based exercises (usually called injects) the stakeholders are encouraged to walk through the incident response plan and discuss where potential issues may arise.
The value of tabletop exercises should not be overlooked: they allow the organisation to rehearse potentially business-crippling scenarios without having to wait for the scenario to manifest in real life. A good tabletop exercise will test the response of the organisation in a number of different ways to tease out any gaps in processes, people or technologies. Lessons learned from the tabletop are fed back into the incident response plan (just as they would be after a real incident is dealt with).
However, they do come with some drawbacks. The first of these is the ‘roleplay’ nature of the delivery. This makes it hard to create realistic scenarios without a lot of research into the systems and processes an organisation already has; in turn, the delivery of the exercise feels ‘contrived’ and fails to engage people in the necessary way. The next drawback is that, because the scenarios are entirely theoretical, no testing of the infrastructure is performed. Another drawback is that they follow a static flow instead of changing in response to the performance of the team; this can lead to scenarios that do not make logical sense (i.e. a step taken by the team on one inject completely negates the next inject).
So, what is the solution to these issues? Enter the Cyber Incident Exercise.
What Are Cyber Incident Response Exercises?
Cyber Incident Exercises (CIE) aim to build upon the tabletop exercise rather than replace it completely. The key stakeholders from all parts of the organisation are still present and there are still scenarios which are played out. It is how the scenarios are played out that is different.
In CIE, the scenarios are played out using either a simulation or live tools. A manual example would be dropping a file known to be flagged as malicious (usually an EICAR test file, which is detected as a virus by design despite being just a plain text file) on a server or workstation in the network. This will trigger the in-place antivirus or endpoint protection, and the alert generated should prompt the SOC and first responders to enact the incident response process.
Where CIE can really excel is in emulating real-world adversaries and the types of attacks they employ. In order to do this effectively, it’s useful to have a framework that describes these attacks and allows the consultant to string them together into something similar to what is seen when an Advanced Persistent Threat, or even a disgruntled employee, attacks the system. A common framework for classifying attack methods is the MITRE ATT&CK framework.
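The manual EICAR inject described above can be scripted so that the technology side of the check is repeatable. The following Python script is an added example, not code from the original post or from 3B Data Security’s tooling: it writes the published EICAR test string (a harmless 68-byte ASCII string that antivirus engines recognise by agreement) to a directory, waits, and reports whether the endpoint protection blocked the write, removed or quarantined the file, or left it in place. The file name, the wait time and the assumption that detection shows up as the file being blocked or removed are all assumptions of this example; engines configured to alert without removing would need the alert checked in the console instead.

```python
"""Drop the EICAR test file and report whether endpoint protection reacted to it."""
import time
from pathlib import Path

# The EICAR test string is split in two so the contiguous signature is not
# stored in this source file; it is only assembled in memory.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STAND",
    "ARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_string() -> str:
    """Return the 68-character EICAR test string."""
    return "".join(_EICAR_PARTS)


def is_valid_eicar(data: bytes) -> bool:
    """Check a file body against the EICAR rules: the 68-byte string first,
    optionally followed by whitespace, and no more than 128 bytes in total."""
    body = eicar_string().encode("ascii")
    if len(data) > 128 or not data.startswith(body):
        return False
    return data[len(body):].strip(b" \t\r\n") == b""


def check_detection(directory: Path, wait_seconds: float = 10.0) -> dict:
    """Write the test file into `directory`, wait, and classify the outcome.

    Assumption (this example's heuristic, not a product guarantee): on-access
    scanning either blocks the write, blocks the read, or removes/quarantines
    the file. A file that survives untouched is reported as not detected.
    """
    target = directory / "cie_eicar_inject.txt"  # constructed file name
    try:
        target.write_bytes(eicar_string().encode("ascii"))
    except PermissionError as exc:
        return {"path": str(target), "detected": True,
                "evidence": f"write blocked by endpoint protection: {exc}"}

    time.sleep(wait_seconds)

    if not target.exists():
        return {"path": str(target), "detected": True,
                "evidence": f"file removed or quarantined within {wait_seconds}s"}
    try:
        content = target.read_bytes()
    except OSError as exc:
        return {"path": str(target), "detected": True,
                "evidence": f"read blocked by endpoint protection: {exc}"}

    # Nothing intervened: clean up so the test file is not left behind.
    target.unlink()
    return {"path": str(target), "detected": False,
            "evidence": "file still present and readable"
                        + (" (content intact)" if is_valid_eicar(content) else " (content altered)")}


if __name__ == "__main__":
    import tempfile
    print(check_detection(Path(tempfile.gettempdir())))
```

A “detected” result only covers the technology part of the inject; whether the resulting alert reaches the SOC and starts the incident response process is observed separately during the exercise, which is exactly the people and process aspect the text goes on to describe.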
How Are Cyber Incident Response Exercises Delivered?
In order to deliver CIE engagements, 3B Data Security deploy an agent on systems in the target network (this can be a test network or production). This agent can in turn emulate thousands of code snippets mapped to MITRE ATT&CK techniques, which will test and trigger endpoint detection technologies. Using a library of pre-configured ‘atomics’, the consultant can build out an attacker profile. This profile can then be pushed out to the agents in the network to test the technology; the response of the teams to the events that are generated will test the process and people aspects.
What Are the Advantages of Cyber Incident Response Exercises?
As stated before, CIE attempts to build on tabletop exercises rather than replace them. This allows for input from senior managers, legal, PR and HR teams to influence and question the approach taken by the organisation as a whole. The live-play elements introduced in CIE serve to bolster the realism of the scenarios as well as test the technology, process and staff.
Another advantage of CIE is that, due to the structured nature of the live-play elements, it is much easier to quantify the organisation’s response. Whereas feedback from tabletop exercises was previously subjective in nature, it is now possible to score the response based upon performance during the live-play.
For clients unwilling to test against their production or test networks, it is possible to deploy a CIE agent to a standalone machine that is representative of the target machine type in the organisation’s network (i.e. a server). This can be a virtual or physical machine. This does not, however, benefit from the real-world scenario testing that a full deployment would.
Cyber Incident Exercising combines the best elements of a tabletop with real-world scenario testing akin to that of red team exercises. It tests not only the staff and processes, but also the deployed technologies and third-party vendors such as SOCs. It provides a structured way to test and score the organisation’s response rather than just the subjective feedback of a tabletop. CIE is more than a tabletop in many ways; most importantly, it provides some confidence that the processes and tools can defend the organisation in the event of a cyber incident.
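The two preceding sections describe an attacker profile built from ATT&CK-mapped atomics and a response that is scored rather than judged subjectively. The following Python script is an added example of how such scoring can be made concrete; it is not 3B Data Security’s scoring scheme or tooling. Each inject records when the agent ran the atomic and when the alert, triage, escalation and containment steps happened, and those timings are scored against target times under three headings that match the text: technology (did the tooling alert?), people (did an analyst pick it up?) and process (was it escalated and contained per the runbook?). The target times, the 1.0/0.5/0 banding, the four-inject profile and every timestamp are constructed for this example; the technique IDs are real MITRE ATT&CK identifiers used only as labels.

```python
"""Score a Cyber Incident Exercise run from the timeline recorded for each inject."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Target times for each step (constructed for this example, not from the page).
TARGETS = {
    "alert": timedelta(minutes=5),     # technology: atomic executed -> alert raised
    "triage": timedelta(minutes=15),   # people: alert raised -> analyst acknowledged
    "escalate": timedelta(minutes=30), # process: triaged -> IR lead engaged
    "contain": timedelta(hours=2),     # process: escalated -> host isolated / account disabled
}


@dataclass
class Inject:
    technique: str                            # MITRE ATT&CK technique ID the atomic maps to
    name: str                                 # human-readable label (constructed)
    executed_at: datetime                     # when the agent ran the atomic
    alerted_at: Optional[datetime] = None     # EDR/AV/SIEM alert raised
    triaged_at: Optional[datetime] = None     # SOC analyst acknowledged the alert
    escalated_at: Optional[datetime] = None   # IR lead engaged per the runbook
    contained_at: Optional[datetime] = None   # containment action completed


def _step_score(start: Optional[datetime], end: Optional[datetime], target: timedelta) -> float:
    """1.0 if the step completed within target, 0.5 within twice the target,
    otherwise 0 (including when the step never happened at all)."""
    if start is None or end is None:
        return 0.0
    elapsed = end - start
    if elapsed <= target:
        return 1.0
    if elapsed <= 2 * target:
        return 0.5
    return 0.0


def score_inject(inject: Inject) -> dict:
    """Score one inject under the technology / people / process headings."""
    return {
        "technology": _step_score(inject.executed_at, inject.alerted_at, TARGETS["alert"]),
        "people": _step_score(inject.alerted_at, inject.triaged_at, TARGETS["triage"]),
        "process": (_step_score(inject.triaged_at, inject.escalated_at, TARGETS["escalate"])
                    + _step_score(inject.escalated_at, inject.contained_at, TARGETS["contain"])) / 2,
    }


def score_exercise(injects) -> dict:
    """Aggregate per-inject scores into percentages per heading plus an overall figure."""
    dims = ("technology", "people", "process")
    per_inject = {i.technique: score_inject(i) for i in injects}
    totals = {d: round(100 * sum(s[d] for s in per_inject.values()) / len(per_inject), 1)
              for d in dims}
    totals["overall"] = round(sum(totals[d] for d in dims) / len(dims), 1)
    return {"per_inject": per_inject, "totals": totals}


def detection_gaps(result: dict) -> list:
    """Techniques that produced no alert at all: the technology gaps to feed back
    into the incident response plan and detection engineering backlog."""
    return [t for t, s in result["per_inject"].items() if s["technology"] == 0.0]


def sample_run() -> list:
    """A constructed four-inject attacker profile with constructed timings."""
    t = lambda h, m: datetime(2024, 1, 1, h, m)  # constructed exercise date
    return [
        Inject("T1059.001", "PowerShell execution", t(9, 0), t(9, 2), t(9, 12), t(9, 30), t(10, 0)),
        Inject("T1003.001", "LSASS memory access", t(9, 10), t(9, 18), t(9, 50)),
        Inject("T1021.001", "RDP lateral movement", t(9, 20)),
        Inject("T1053.005", "Scheduled task persistence", t(9, 30), t(9, 34), t(9, 55), t(10, 40), t(13, 0)),
    ]


if __name__ == "__main__":
    result = score_exercise(sample_run())
    for technique, scores in result["per_inject"].items():
        print(technique, scores)
    print("totals:", result["totals"])
    print("detection gaps:", detection_gaps(result))
```

Running the sample gives a technology score of 62.5%, people 37.5%, process 37.5% and an overall 45.8%, with the RDP inject listed as the one detection gap. The value of keeping the three headings separate is that the same exercise can show, for instance, that the tooling alerted but the alerts sat unacknowledged, which points at staffing or alert routing rather than at the endpoint product.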
Take a look at our Cyber Incident Exercising, and how we can help your organisation test and improve their incident response procedures.