Incident Response Testing

1
Testing Incident Response

• Putting Your Incident Response
• Processes to the Test

2
Introduction

• Your class being gathered and ushered into the
  centermost room of your school.
• Schools run tornado and fire drills so everyone
  knows what to do, when. Plus, you dont want to
  find out your emergency plans dont work at the
  moment disaster actually strikes.
• So why arent we applying this logic more
  broadly in cybersecurity?

3
Are You Regularly Testing Your Incident Response
Processes?
4
Incident Response in Kindergarten

• Security operations leaders would do well to take
  a queue from the emergency drills of their
  childhood when it comes to their incident
  response programs and processes. What makes sense
  on paper or the whiteboard often doesnt work as
  planned when put into practice.

5
Cybersecurity Incident Response

• As the cybersecurity landscape continues to
  evolve and threat actor sophistication increases,
  it is ever more important that you not only have
  incident response processes in place but that you
  ensure they work consistently. And, of course,
  you should continuously iterate and improve over
  time.

6
IR Processes and the School of Hard Knocks

• While many organizations go a great lengths to
  set up effective security operations incident
  response plans, very few proactively test their
  processes to ascertain how they will work when
  faced with a real threat. SANS found that only
  33 of organizations periodically review and
  update their incident response processes, while
  another 25 only review and update their
  processes after a major incident.

7
Assessment of IR Process
8
How to Test Your IR Processes

• Paper tests are mostly theoretical and may be a
  first step for security operations teams who
  dont have well-documented incident response
  processes.
• Tabletop exercises are just that - stakeholders
  around a table running through a security event
  scenario. This technique allows teams to review
  and practice the various actions detailed in an
  incident response process.
• Simulated Attacks - A fully simulated attack is
  the most effective way of pressure testing your
  incident response processes as it uses real life,
  controlled attacks to see how an organization
  will respond when hit by an external threat. For
  instance, an organization can simulate the
  deployment of a known threat

9
Simulated Attacks
10
Optimizing Your IR Processes

• Testing your incident response processes yield
  two important results - a clear understanding of
  whether your plan is likely to work and a list of
  gaps that should be addressed.
• Your incident response playbooks should always be
  updated after theyve been put to use, whether in
  a simulated scenario or as part of real security
  incident triage and remediation. And, through
  testing, you should identify opportunities to
  apply automation to your incident response
  processes to expedite remediation and keep your
  analysts focused on the highest value tasks.

11
The Role of Playbooks

• Everything weve discussed in this article
  assumes your organization has some level of
  documentation for your incident response
  processes.
• Playbooks ensure that everyone in your
  organization is on the same page, will execute
  processes the same way and knows what their role
  is in the event of an incident. As with attack
  simulations, there are a variety of ways to
  approach playbook creation, including automated
  playbooks available within many security
  orchestration platforms.

12
Conclusion

• Having the best incident response plan is only as
  good the paper its written on if it fails to
  provide a suitable response to a threat. Your
  incident response processes should be codified,
  documented and regularly pressure tested for
  vulnerabilities. And you must ensure that
  playbooks exist and are regularly updated to
  reflect lessons learned from the tests and actual
  incidents.