Rehearsing Your Cyber Incident Response Capability During Periods of Instability

Six Proactive Steps Towards Stabilisation

Loss and damage due to cyber attacks have become an increasing concern and represent a significant board-level risk. During periods of instability, the risk of an attack on an organisation’s interests – either directly or indirectly – can increase. Should the worst happen, a regularly maintained and well-exercised incident response plan can improve an organisation’s ability to mobilise swiftly, contain the attack, and limit the damage.

What are the most important considerations when planning such an exercise to ensure its success and deliver business benefit?

1. Know what objectives you wish to achieve

Be clear on your objectives and success criteria for the exercise. Test discrete aspects of your response plan, specific areas (for example a newly acquired business, particular systems and/or infrastructure), or explore specific attack scenarios such as ransomware.

2. Pick the right type of exercise to suit the objective

Consider operational and logistical constraints alongside your desired outcome to select the most appropriate type of exercise. Options include table-top exercises, digital interactive simulations, red/blue/purple teaming, and phishing or war-game simulations.

3. Choose your exercise target(s)

Identify the right combination of targets to build an exercise that meets the desired objectives whilst still being practical to design, organise and execute. These targets can include specific business applications and/or technical infrastructure, physical assets such as servers and workstations, business locations and people. It may also be beneficial to include aspects of your supply chain in exercises, for example, by simulating the effects of an attack on a managed service provider.

4. Design an exercise scenario that is challenging, but achievable

Use planning tools such as the ISF Cyber Attack Scenario Builder to create an exercise playbook that brings together the identified targets, exercise type and desired objective using a specific attack scenario. Add complexity by exploring a specific aspect or multiple parts of the cyber attack chain, as well as considering extreme scenarios such as so-called ‘black swan’ attacks.

5. Involve all the right parties

Select the right mix of resources from both business and technical teams who could be called upon to support an incident response. Consider the engagement of retained third parties such as forensic and legal experts, as well as suppliers and clients. Get the buy-in of senior and executive management both in the exercise planning and execution, and in post-exercise debriefs.

6. Be open, be honest, and learn together

Encourage participants to remain open-minded and not over-analyse the scenarios used. Make the exercise fun and engaging, but as real as possible. Encourage honesty and critical thinking, giving all participants the opportunity to contribute. Conduct post-exercise reviews promptly and commit to addressing issues identified during the exercise through documented, corrective action plans.