Since we were founded in 2019, we've run a wide range of different types of cyber security exercises for many organisations. From short, sharp tabletops that are designed to introduce key incident response concepts and get people thinking about what they need to do during a cyber incident, through to complex hands-on exercises spanning across days involving multiple teams, forensic artefacts, personas... you name it, we've done it!
Throughout all of the exercises we've delivered - there have been some common findings. Areas that most organisations can improve upon and greatly increase their readiness. Here are the three common key findings that we've identified.
1. A lack of understanding of roles and responsibilities
During the chaos of an incident and the associated response activities, it is crucial that each and every team member involved knows what their discrete roles and responsibilities are. Knowing who is responsible for specific outcomes saves valuable time - that is, the time saved not trying to figure out who is best placed to carry out an action as well as when it should be done.
Understanding roles and responsibilities before an incident also allows teams and individuals to develop the right skills and procedures needed to ensure their part of the response effort is effective. With discrete roles and functions, team members become confident in their role and increase their capability to respond. Each team member is an important part of the response effort and during an incident you need each team member to know what they're doing.
2. Ineffective incident response plan and playbooks
Having well thought out and, importantly, thoroughly tested incident response plans and playbooks can be the difference between stopping an incident in its tracks, or it turning into the type of incident that the media reports on. These plans need to be current - with the right people and roles maintained, up to date and relevant tools documented, and processes clearly described in an easy to follow way. No one should be trying to figure out what the plan is trying to get you to do during an incident - that's wasting precious time!
These plans also need to be readily available and socialised within the organisation so that everyone can easily leverage them when incident happens. Your incident response personnel will be able to make quicker, better informed decisions, reducing the risk of an incident going awry.
3. A need for better communication
Communication continues to be an area that is often mishandled during cyber incidents, and yet poor communication can (and almost always will) lead to issues during an incident response operation. Incidents can be very complex, with many moving parts and difficult (or at the very least, non-familiar) things happening that the responding team needs to rapidly understand. Routine, clear, and concise communication to relevant stakeholders early on in an incident significantly increases the probability for effective remediation.
It can be a tough call who, and when, to loop other stakeholders in. But we've learnt that good communication, early on with trusted parties, can greatly increase the chances of an overall effective response. Get the right people, the right information, in a timely manner - this should be a key goal. Remember, it is not always just about the technical response.
All of the findings highlighted are integral to a successful incident response. Practicing them, improving them, and getting your teams actively doing them could make the difference between an incident being handled successfully as a minor incident or the type of incident that hits the news headlines!
Incident response is complex and no one is perfect at every part during it. But cyber security exercises are crucial to identifying the team's strengths and weaknesses before something bad happens. The more ready you are for your next incident, the less of an impact it will have, and the happier your teams, your executives, and your customers will be!