Conducting Incident Response Plan Table Top Exercises
So, your Incident Response Plan looks good on paper – it’s been mapped, planned, and documented. But has it been tested? Will it actually work?
According to the 2022 IBM Cost of a Data Breach Report, organizations that had an incident response (IR) team in place and tested their incident response plan had an average of $2.66 million lower breach cost than organizations without an IR team and that didn’t test their IR plan.
Testing and drilling your employees and your IR Team to understand how to respond in the event of an incident not only prepares them for an actual event but it also helps to ensure that your plans are current and effective in the existing threat and organizational climate. Experts suggest that participating in table top exercises to simulate a real-world scenario is the best way to prepare. When facilitating these exercises, make sure that the employees understand the purpose for conducting the exercises.
They should be fully engaged so that you can determine if your team has all bases covered and be able to identify any previously unknown gaps in your current plan. They should understand that participating in these exercises will help determine if everyone can hypothetically talk through their respective functions during an incident and make sure everyone fully understands their role when responding to an actual incident. When everyone understands their role, errors are less likely to occur.
During the exercise, the facilitator should present a scenario, asking participants specific questions related to the scenario, and from there, participants will engage in a discussion that focuses on roles, responsibilities, coordination, and decision-making in the event of an incident. Prepare several scenarios in advance that will address specific areas of your Incident Response Plan you wish to test. Some sample scenarios include:
- During a routine evaluation of system logs, an administrator discovers that company data has been obtained by an unauthorized user account.
- A remote user has lost his/her laptop containing stored sensitive company data.
- After a recent move, it has been discovered that a locked cabinet containing sensitive company data is missing.
- A former employee, disgruntled after employment termination, has realized that he/she still has remote access to the company’s server and decides to infect the system with a virus.
We are already familiar with the stages of Incident Response: Preparation, Detection and Identification, Containment, Remediation, Recovery, Lessons Learned. Once presented with a scenario, the participants should begin going through these stages to determine what steps to take to handle the incident appropriately.
Here are some example questions that participants should be addressing during each stage of the exercise:
Preparation
- How are we currently preparing for a security incident? What are we doing to prevent an incident from occurring? What are we doing to limit the impact of this type of incident occurring?
- Do we have proper policies and procedures in place for handling an incident? Are they adequate?
- What actions would have helped to prevent this type of incident from happening?
Detection & Identification
- What controls are currently in place that would help identify this incident, and what are the procedures for reporting this incident?
- How do we detect malicious activity of unknown origin on our systems?
- How would we respond quickly to a suspected incident?
- What tools or assets do we have to assist us in detecting unauthorized activity?
- How would we assess the incident?
- Do we have a specific incident response team for this type of incident?
Containment
- How are we documenting the incident? What evidence should be collected? Have all aspects of the incident been assessed? (size, scope). What is the risk of the incident on operations?
- What do our procedures say about containing an incident?
- What strategies should we take to contain the incident?
- How can we prevent further damage from this incident?
- What could potentially happen if the incident were not contained properly?
Remediation
- How can we clean the system?
- Have we documented the footprint of the intruder? Where did it originate?
- Have we made necessary changes to ensure successful restriction of a repeat incident?
- Have the changes been tested?
- Have we implemented any remote wipe capabilities?
- Has a system access review been completed to ensure there are no other users that need to be removed?
- What chain of custody procedures have been modified to ensure incident will not reoccur?
Recovery
- How do we securely restore the system?
- What monitoring procedures will be in place to ensure successful recovery?
- What backups of files existed to replace the lost files?
- Have we prepared a backout plan if recovery is unsuccessful?
- Have we considered alternatives for database access without the infected system being involved?
Lessons Learned
- What happened? What gaps can we now identify from this incident?
- How do we go about regaining our customers’ confidence?
- Now we must revise our policies and procedures to prevent future attacks. What adjustments should be made to avoid these attacks going forward?
Use this exercise to be a teaching, educating, and inspiring experience. Practicing your step-by-step Incident Response Plans will help your organization to be able to respond quickly and effectively during a real-world incident.
Prepare with KirkpatrickPrice
Developing and testing an incident response plan can feel overwhelming, especially when the stakes of a breach are so high in today’s threat landscape. If you need help with your Incident Response Plan or need unbiased guidance on Information Security best practices, contact us today.
More Resources
SOC 2 Academy: Incident Response Best Practices
SOC 2 Academy: Testing Your Incident Response Plan