LOSSES, disruptions and damages due to cyber attacks have become a major risk to governments and businesses alike. Such risks get amplified significantly during times of conflict or instability and Russia’s invasion of Ukraine is a case in point. Should the worst occur, cyber incident response plans can help mobilize resources, contain the attack, mitigate damages and expedite recovery.

But having a plan on paper is never enough; it’s not a substitute for actual practice. Cyber drills need to be carried out repeatedly, tested thoroughly, and optimized for the real world. Like fire drills at school, when the bell goes off, everyone should know their place.

Cyber incident response capabilities

Listed below are some important considerations for organizations to consider when evaluating cyber incident response capabilities:

1. Be clear with objectives

Before diving into the specifics of the process itself, organizations must ensure they are clear on the objectives and the success criteria of the test. The entire exercise must ideally yield two important results: one, a clear understanding of whether the plan is likely to succeed (or not);

Two, it must help identify a list of critical gaps that must be addressed immediately. Additionally, organizations must aim to test different aspects of the response plan, such as a newly acquired business, a particular system or infrastructure, or specific attack scenarios such as ransomware.

2. Pick an exercise that matches the desired objectives

Businesses must take into account real-world logistical and operational constraints when selecting an exercise to test the objectives that have been laid out. Options include:

Table top exercises (e.g., calling people listed in the plan to ensure their phone numbers work);

Phishing simulations (launching phishing attacks on employees to test if they recognize and report them); password and other suspicious requests;

Red/blue/purple teaming exercises (simulated cyber attacks to test whether systems can be broken in and whether defences are working as expected); 

War games (to test defences and cyber readiness of the organization); 

Parallel tests (testing recovering systems to see if they are operational and are able to support key processes); 

and cutover tests (disconnecting primary systems and checking whether secondary systems are working as expected).

3. Choose your exercise target wisely

It’s important that organizations identify the right combination of targets to build an exercise that helps meet desired objectives. Targets can include specific business applications, physical assets such as servers and workstations, virtual and cloud infrastructure, remote business locations and employees. It might also make sense to include supply chain partners as part of the testing exercise.

For example, simulating an attack on a managed service provider. Some simulations can also be designed to target the C-suite, since executive teams are critical to any crisis response.

4. Develop cyber incident scenarios that are challenging but achievable

Exercises are always a great way for businesses to test their cyber incident response abilities and gauge the cybersecurity readiness of their employees. Exercises should be challenging but achievable at the same time; the idea is not to discourage or demoralize employees but to engage and excite them about developing a strong security culture and ensuring they are well-equipped to handle cyber incidents.

Consider providing participants with scenarios tied to real-world events like ransomware to make exercises seem more realistic and urgent. If possible, distribute guidance to participants ahead of the exercise so that they feel adequately prepared.

Try to be as transparent as possible; make clear who will be taking part, how will the feedback be captured and what kind of metrics will be reported. Add complexity to the exercise by focusing on a specific system, process or individual components of the cyber kill chain. One can even test extreme attack scenarios like “black swan” attacks – incidents that can occur suddenly, with unexpected, widespread ramifications.

5. Ensure to involve all the right parties

It’s important to select the right mix of resources from both business and technical backgrounds so they can help deliver incident response exercises using a wide range of use-cases and expertise. Businesses should include third parties such as forensic and legal experts as well as supply chain partners and customers.

The idea is to select an audience that allows you to meet your desired objectives. Securing buy-in from senior management teams is also advisable as this will greatly impact how participants perceive and participate in the exercise.

6. Be open and learn together

Encourage participants to remain open-minded and not to over-analyze the given situation. Encourage honesty and critical thinking, give all participants the opportunity to contribute. Record all major observations and recommendations from participants, including things that may not have worked as expected.

Conduct post-exercise feedback promptly and commit to addressing issues identified during the exercise via streamlined and well-defined action plans. Capture feedback on how future exercises can be improved; ensure recommended changes are implemented ahead of your next exercise.

In times of conflict or instability, cyber incident testing exercises should be put to action as this can help identify gaps in the most seemingly robust incident response plan. Incident management plans must be thought of as a living document that needs continuous reviewing and updating as the threat landscape evolves.

After all, true cyber resilience can only be achieved if the organization is truly capable of detecting, responding and recovering from a genuine, real-world cyber incident.