In my previous article, I argued that a simulation was the best way to test an organisation's response to a cyber breach.
To recap, simulations provide a safe environment in which to test and refine incident response plans, and in the process enhance employees’ detection and response skills and make them more confident. If the team is skilful, confident in its skills and accustomed to working as a team, the company is halfway to victory.
Performed regularly, simulations ensure not only that response plans are effective, but that they are getting better and the team's skills are also improving.
To create an effective simulation, follow these steps:
- Conduct a risk assessment: Identify threats that are relevant to the organisation and prioritise them. Test the most likely ones first. As part of this assessment, analyse the company’s infrastructure, systems and processes to understand where vulnerabilities lie.
- Define clear objectives: It's important to set specific objectives for each simulation to guide how it's developed and to provide a basis for evaluation.
- Develop scenarios: These should be as detailed as possible to maximise the benefit. Use real-world incidents as the basis for the scenarios to make them authentic, not least because cyber criminals reuse successful playbooks. That's why so many phishing e-mails share similar approaches.
- Involve the right stakeholders: All relevant departments should be part of the exercise, including IT, legal, communications and, crucially, executive leadership.
- Execute the simulation: Follow the predefined scenario and use facilitators to ensure all participants are actively involved and follow the steps laid down in the incident response plan. The facilitators are there to give guidance and keep the simulation on track.
- Evaluate performance: The simulation only really becomes valuable once the actions taken are evaluated and the key metrics are measured. These include response time, communication effectiveness and decision-making quality. In addition, collect feedback from participants.
- Improve and refine: Analyse the results and feedback to identify strengths and weaknesses, and use this to strengthen existing incident response strategies. Adjust scenarios and training as needed to address identified gaps. Each simulation should be seen as part of an ongoing sequence aimed at ensuring continuous preparedness. Of course, scenarios must be varied in line with the different threats identified; the organisation needs to adopt a culture of continuous learning.
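The evaluation step above is easier to take seriously when the metrics are computed from the exercise record rather than estimated afterwards. The Python script below is an added example, not code from the article or from any particular exercise tool: it replays a constructed scenario of facilitator injects against a constructed action log and scores, per inject, response time, adherence to the incident response plan, communication coverage of the required stakeholders and whether the decision the scenario called for was taken. The inject names, stakeholder labels, plan steps and timings are all assumptions made for the sample.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Inject:
    """One scripted event the facilitator introduces during the exercise."""
    inject_id: str
    fired_at: datetime
    expected_actions: tuple        # steps the incident response plan prescribes
    required_notifications: tuple  # stakeholders who must be informed
    correct_decision: Optional[str] = None  # decision the scenario calls for, if any


@dataclass(frozen=True)
class LoggedAction:
    """One line of the facilitator's action log: what the team did and when."""
    at: datetime
    inject_id: str
    kind: str      # "action", "notify" or "decision"
    value: str


def evaluate_inject(inject: Inject, log: list) -> dict:
    """Score a single inject against what the team actually logged for it."""
    entries = sorted((e for e in log if e.inject_id == inject.inject_id), key=lambda e: e.at)
    first = entries[0].at if entries else None
    done = {e.value for e in entries if e.kind == "action"}
    notified = {e.value for e in entries if e.kind == "notify"}
    decided = {e.value for e in entries if e.kind == "decision"}
    expected, required = set(inject.expected_actions), set(inject.required_notifications)
    return {
        # response time: minutes from the inject firing to the team's first logged reaction
        "response_minutes": (first - inject.fired_at).total_seconds() / 60 if first else None,
        # plan adherence: share of prescribed steps that were carried out
        "plan_adherence": len(done & expected) / len(expected) if expected else 1.0,
        # communication effectiveness: share of required stakeholders actually informed
        "comms_coverage": len(notified & required) / len(required) if required else 1.0,
        # decision-making quality: was the decision the scenario called for taken at all?
        "decision_ok": None if inject.correct_decision is None else inject.correct_decision in decided,
        "missing_actions": sorted(expected - done),
        "missing_notifications": sorted(required - notified),
    }


def _mean(values: list):
    return sum(values) / len(values) if values else None


def scorecard(injects: list, log: list) -> dict:
    """Aggregate per-inject scores into the metrics the evaluation step asks for."""
    per = {i.inject_id: evaluate_inject(i, log) for i in injects}
    times = [r["response_minutes"] for r in per.values() if r["response_minutes"] is not None]
    judged = [r["decision_ok"] for r in per.values() if r["decision_ok"] is not None]
    return {
        "mean_response_minutes": _mean(times),
        "unanswered_injects": [k for k, r in per.items() if r["response_minutes"] is None],
        "plan_adherence": _mean([r["plan_adherence"] for r in per.values()]),
        "comms_coverage": _mean([r["comms_coverage"] for r in per.values()]),
        "decision_quality": _mean([1.0 if ok else 0.0 for ok in judged]),
        "gaps": [(k, "action", a) for k, r in per.items() for a in r["missing_actions"]]
              + [(k, "notify", n) for k, r in per.items() for n in r["missing_notifications"]],
        "per_inject": per,
    }


T = datetime(2024, 1, 1, 9, 0)  # constructed exercise start time (assumption)

# Constructed scenario: three injects following a phishing-to-credential-theft chain,
# ending with a media enquiry that tests whether communications is looped in.
SAMPLE_INJECTS = [
    Inject("INJ-1", T, ("triage-alert", "pull-mail-headers"), ("soc-lead",), "block-sender"),
    Inject("INJ-2", T.replace(minute=30), ("isolate-host", "reset-credentials"),
           ("ciso", "legal"), "isolate-host"),
    Inject("INJ-3", T.replace(hour=10, minute=15), ("route-to-comms",),
           ("communications", "executive")),
]

# Constructed action log as a facilitator might keep it; nobody picked up INJ-3.
SAMPLE_LOG = [
    LoggedAction(T.replace(minute=4), "INJ-1", "action", "triage-alert"),
    LoggedAction(T.replace(minute=10), "INJ-1", "notify", "soc-lead"),
    LoggedAction(T.replace(minute=12), "INJ-1", "decision", "block-sender"),
    LoggedAction(T.replace(minute=38), "INJ-2", "action", "isolate-host"),
    LoggedAction(T.replace(minute=40), "INJ-2", "decision", "isolate-host"),
    LoggedAction(T.replace(minute=55), "INJ-2", "notify", "ciso"),
]


def run_sample() -> dict:
    """Score the constructed exercise; used by the usage block and the checks."""
    return scorecard(SAMPLE_INJECTS, SAMPLE_LOG)


if __name__ == "__main__":
    s = run_sample()
    for key in ("mean_response_minutes", "plan_adherence", "comms_coverage", "decision_quality"):
        print(f"{key}: {s[key]}")
    print("unanswered injects:", s["unanswered_injects"])
    for gap in s["gaps"]:
        print("gap:", *gap)
```

Run as a script it prints the scorecard and the list of gaps. In the sample the most useful finding is not the average response time but the inject nobody answered: the media enquiry reveals a stakeholder-involvement gap that a response-time figure alone would hide, which is exactly the kind of weakness the "improve and refine" step should feed back into the next scenario.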
Make it real
One of the secrets of creating successful simulations is to base them on real-world incidents. To do so, the following steps should be followed:
- Identify key elements, such as the type of attack, the entry point and the impact.
- Develop a baseline scenario that replicates the incident, and then customise it to the organisation's actual environment. In this process, it's important to balance staying as close as possible to the actual incident (in order to give the team the closest approximation to what might actually happen) with making minor alterations that reflect the organisation's own environment.
By following this approach, the simulation will be more credible and engaging to those participating, while still being relevant to the environment or context in which the organisation exists.
Key lessons
South African organisations have experienced a number of significant cyber incidents that can be used to improve other companies’ own security and response capabilities. By regularly analysing what happens to peers, companies will gain a better understanding of how the threat landscape is evolving.
One thing is certain: well-resourced cyber criminals are constantly developing new ways of attacking systems.
Based on an analysis of major cyber attacks on South African institutions, the key takeaways are:
- Early detection and response: These are vital to mitigate the impact of any breach. Advanced threat detection systems should be implemented, and regular incident response drills should be conducted.
- Regular testing: A well-rehearsed incident response plan is the product of regular simulations followed by refinement and updating of response plans.
- Effective communication: Co-ordinating the response and maintaining stakeholder trust during an attack depend on effective communication. Communication protocols must be established beforehand, and all relevant stakeholders must be briefed and prepared. Scenarios should be developed to include all relevant stakeholders across the organisation.
- Continuous improvement: Scenarios should be seen as part of an ongoing improvement loop, constantly updated as new threats emerge. Investing in training and development will also pay dividends.
Rigorously followed, these lessons will help the company improve its security posture, becoming more resilient in repelling and recovering from cyber threats. Given the importance of an organisation's systems, getting this right is literally a question of success or failure.