Response is a key function of the NIST Cybersecurity Framework, the widely adopted best-practice model. But how can you test your capabilities in this area? The last thing you want is to discover during a real incident that there are critical gaps in your planning.
Tabletop exercises are a good start. These discussion-based workshops help to define roles and responsibilities and evaluate whether everyone knows what they should do during a breach. Similarly, paper-testing exercises offer an opportunity to walk through incident response plans and allow participants to recommend improvements to them.
However, there's no substitute for the adrenaline rush of an interactive live exercise. These can be customized to expose executives and operational staff to the pressure they'll face during a real-world incident. They usually last up to three hours or so and may include new and unexpected challenges designed to mimic the unpredictability of genuine incidents. During the exercise, incidents must be identified, triaged and contained before root cause analysis and remediation take place.
Exercise scenarios can be designed to simulate a range of attacks, such as:
- Theft of customer or employee data and/or trade secrets.
- Ransomware causing a serious operational outage.
- A malicious insider incident.
- Sabotage of industrial control or operational technology (OT) systems.
- Phishing and impersonation attacks targeting executives and employees.