Responding to a cybersecurity incident is easier, less costly, and less stressful when you are prepared. However, preparing for incidents should not be regarded as a one-time activity; ideally, it should be part of an ongoing process. Proper incident response (IR) is a cyclical process that generally has six stages: preparation, when the IR team is assembled and plans are made; identification, when an incident is detected and confirmed; containment, when the incident is contained to prevent further damage; eradication, when artifacts related to the incident are removed; recovery, when systems and services are restored; and lessons learned, when findings are documented and fed back into the preparation stage. IR is an ongoing process that improves itself with each lesson learned, so that the organization is better prepared to respond to future incidents.
The work done in the preparation stage provides the foundation for the execution of the other stages. The first step of preparation is to identify the members and leadership of the IR team. Although IR teams handle cybersecurity incidents, they are not composed solely of cybersecurity experts. IR teams are multidisciplinary and typically include staff from management, IT, security, communications, public relations, legal, and HR. Law enforcement may be part of an IR team, but only when a specific incident requires their involvement. After the IR team is assembled, the next step of preparation is to devise plans for dealing with incidents, and the step after that is to conduct exercises to verify that those plans work. IR exercises vary, however, in the time, effort, and resources needed to conduct them, as well as in the insights they offer.
Tabletop exercises (abbreviated as TTXs or TTEs) are discussion-based brainstorming sessions. The IR team is given a scenario describing a cybersecurity incident and is asked how they would respond, what resources or information they would need to follow the IR plan, and what issues might arise. The ideas and findings from these sessions are used to update the plan. When a tabletop exercise is conducted for a very large organization with multiple departments or sub-organizations, the IR team members representing each department learn about the processes of the other departments. This has the added benefits of clearing up misconceptions and improving both communication and coordination between departments or sub-organizations.
Whereas tabletop exercises are discussion-based, walk-throughs are more involved. In a walk-through, the team goes through each step of the IR plan. Instead of fully executing each step and actually turning things on or off, they check that they have access to the tools, places, and people they would need to reach during an incident. They verify that the listed phone numbers and email addresses actually reach the intended recipients, that they have access to the software tools necessary for responding to an incident, and that they have access to backup servers, backup generators, and any other infrastructure the response would depend on. In addition to reviewing the plan itself, walk-throughs help verify whether the plan could work in practice.
Simulations take things a step further than walk-throughs and mimic the conditions of the incident scenario. Full-scale exercises simulate the entire IR plan, which is extremely helpful for testing whether the plan truly works, but doing so also incurs significant overhead. Some simulations are instead focused on specific parts of the IR plan or on specific parts of the organization. For example, there are phishing email simulation solutions that send fake phishing emails to employees. Employees who click on links in the fake phishing emails are either directed to a training page or flagged as needing further cybersecurity training.
In summary, IR exercises vary in both overhead and the insights they provide. At one end of the spectrum are discussion-based tabletop exercises, which help the IR team verify whether the plan works in theory and improve coordination between multiple departments or sub-organizations. At the opposite end of the spectrum are full-blown simulations of either the entire IR plan or just parts of it. Although simulations can have significant overhead (especially full-scale simulations), they also help the IR team confirm that the plan is truly practical and that all tools and procedures work as intended.