In observance of Cybersecurity Awareness Month, this week we explore best practices related to incident response planning. Specifically, we’ll talk about the importance of routinely flexing your incident response muscles to make sure they’re toned and strong—so that you can count on them when you need them. And you will need them!
NIST Urges Incident Response Planning
Data breaches and other cybersecurity incidents continue to occur despite our best collective and individual efforts to thwart them. It’s just a fact of doing business online today.
Last year was a record year for data breaches in the U.S., with 3,950 confirmed breaches affecting virtually all industries in 2020. It took organizations an average of seven months to detect a breach and then an average of 80 days to contain the breach. These are not numbers to be proud of.
An incident response plan is a tool that enables organizations to detect and address data breaches much more quickly.
The National Institute of Standards and Technology (NIST) provides excellent, reality-driven guidance on incident response planning, including testing your plan.
NIST Special Publication 800-61 (Rev 2) is a popular Cybersecurity Incident Handling Guide, whose preface includes these insightful remarks:
“Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.
An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.”
We couldn’t have said it better ourselves.
The influential and over-arching Cybersecurity Framework developed by NIST consists of five core functions that comprise a compliant cybersecurity program. They are Identifying, Protecting, Detecting, Responding, and Recovering. Note that two of these five pillars (40%) relate to an organization's ability to respond to and recover from a data breach or other cybersecurity incident.
Why You Need a Plan for Responding to Cybersecurity Incidents
Certainly, maintaining a robust cybersecurity infrastructure, along with the tools, processes, and policies that support it, is crucial to safeguarding your organization’s important digital assets, including data. In our hyperconnected 21st century, this simply goes without saying.
In addition to proactive and preventive measures, it is also vital to maintain a cybersecurity incident response plan so that when an incident or data breach does occur, all assigned stakeholders are prepared to act in meaningful ways.
Having a documented, tested plan allows everyone on the response team to understand their roles and responsibilities. It means that your response will be coordinated and efficient, and that time, effort, and budget will be used more wisely. It also means greater cooperation, and less blame, when everyone understands their assigned roles.
However, unless your organization is regularly attacked, hacked, ransomed, or otherwise breached, your incident response plan is likely to gather dust on the shelf and your response team is likely to forget their assigned roles.
Keeping Your Incident Response Plan Alive
There are several prescribed ways to maintain a viable, current, top-of-mind incident response plan, and once again the National Institute of Standards and Technology has come through for us. NIST has collected best practices from around the world, evaluated them, identified commonalities, and developed a handy, real-world Guide to Testing, Training, and Exercise Programs for IT Plans and Capabilities. It’s also known as NIST Special Publication 800-84.
This 97-page manual provides detailed testing, training, and exercise guidance to support your organization’s incident response plan. While an effective TT&E program for your incident response plan should employ a mix of training, testing, and exercise activities, today we’re focusing on exercises, which the guide defines in these terms:
- Tabletop Exercises. Facilitated, discussion-based exercises where employees meet to talk about their roles during a cybersecurity incident and their responses to a particular incident. A facilitator presents a scenario and poses questions related to the scenario, which in turn initiates discussion among the participants about roles, responsibilities, response coordination, and decision-making.
  - Because tabletop exercises do not involve deploying equipment or other resources and do not utilize simulated environments, they can be conducted in shorter periods of time and with less company investment.
  - They are a useful tool for making sure that employees with incident response duties clearly understand their roles, responsibilities, and procedures.
- Functional Exercises. Employees demonstrate their emergency readiness by actually performing their assigned roles and responsibilities in a simulated environment. These exercises vary in complexity and scope, from validating specific aspects of the incident response plan to full-scale exercises involving all plan elements. These exercises are similar in concept to cyber range simulations.
  - Functional exercises require greater investments of time and budget, but also provide greater assurance that the incident response plan and procedures would operate as intended during a real incident.
When to Conduct Tabletop Exercises
Most organizations have the resources needed to conduct tabletop exercises on a routine basis, which makes these exercises a popular approach to validating your incident response plan.
When conducted monthly, tabletop exercises can be highly effective in fostering learning and information retention by all stakeholders. Monthly exercises are especially important if employee attrition is high, if organizational changes are frequent, if the incident response plan has changed, or if NIST has issued new TT&E guidance, as a few examples.
A common approach to planning and executing tabletop exercises includes phases for exercise design, exercise development and documentation, exercise performance, and post-exercise evaluation. These phases are described in detail in Section 4 of NIST SP 800-84.
Examples of Tabletop Exercises
If a picture is worth a thousand words, an example is nearly as valuable. Special thanks to Washington State government staff for the following example of a tabletop exercise that can be completed in 30 minutes or less. Then we’ll review the cybersecurity scenarios offered by NIST.
Scenario: Internet of Things Device
A trusted third party has notified you that a device that controls an aspect of building management (such as a water valve or HVAC) is readily accessible from the Internet. This trusted third party has given you the live IP address of the device and claims it does not require any authentication to access. What do you do about this potential cybersecurity incident?
- How do you validate that the device exists?
- How do you find out if this device is authorized to be internet-accessible?
- Do you have an inventory of internet-accessible devices?
- How do you verify whether the device was deliberately connected to the internet or is the result of a misconfiguration?
- Do you have an inventory of any devices that may be part of a building management system or control system that your organization is responsible for securing?
- Do you have a way to find out who could be responsible for this device? How could you find out?
- How could you determine when this device was connected to the internet and how long it has been connected? What role would cyber forensics play?
- How do you discover who has been connecting to that device and what resources they may have accessed or changed?
As you can see, a tabletop exercise involves (1) creating a cyber incident scenario that could be real, (2) creating questions about the scenario that will prompt (3) discussion among the exercise participants or members of the incident response team, with the goal of (4) addressing the potential breach as quickly and effectively as possible.
In Appendix A (pages 52-57) of Special Publication 800-61 (the Cybersecurity Incident Handling Guide), NIST has provided 11 unique scenarios for your use, as follows:
- Scenario 1: Domain Name System (DNS) Server Denial of Service (DoS)
- Scenario 2: Worm and Distributed Denial of Service (DDoS) Agent Infestation
- Scenario 3: Stolen Documents
- Scenario 4: Compromised Database Server
- Scenario 5: Unknown Exfiltration
- Scenario 6: Unauthorized Access to Payroll Records
- Scenario 7: Disappearing Host
- Scenario 8: Telecommuting Compromise
- Scenario 9: Anonymous Threat
- Scenario 10: Peer-to-Peer File Sharing
- Scenario 11: Unknown Wireless Access Point
Following is an example of the type of information provided by NIST for these scenarios.
Scenario 10: Peer-to-Peer File Sharing
Your company prohibits the use of peer-to-peer file-sharing services, and your network intrusion detection sensors have signatures enabled that can detect the use of popular P2P services. On a Monday evening, an intrusion detection analyst notices that several file-sharing alerts have occurred during the past three hours, all involving the same internal IP address.
- What factors should you use to prioritize the handling of this incident? (The apparent content of the files being shared is one factor. What are others?)
- What privacy considerations might affect how you manage this incident?
- How would your handling of this incident differ if the computer performing the P2P file-sharing also contains sensitive personally identifiable information?
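As an added illustration (not part of the original post or of NIST's scenario text), the trigger condition in this scenario, several P2P alerts within three hours all from one internal address, expressed as a small correlation check over constructed IDS alert lines. The alert line format, the private-address prefixes, the sample timestamps and the threshold of three alerts are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS alerts (not real data): "<timestamp> <signature> src=<ip> dst=<ip>".
# The 13:00 line falls outside the three-hour window and must not count.
SAMPLE_ALERTS = """\
2021-10-18 13:00:00 P2P-BitTorrent-Handshake src=10.20.30.41 dst=203.0.113.9
2021-10-18 17:05:12 P2P-BitTorrent-Handshake src=10.20.30.41 dst=203.0.113.9
2021-10-18 17:40:03 P2P-BitTorrent-Handshake src=10.20.30.41 dst=198.51.100.77
2021-10-18 18:12:45 P2P-Tracker-Announce src=10.20.30.41 dst=203.0.113.20
2021-10-18 18:30:00 P2P-BitTorrent-Handshake src=10.20.30.55 dst=203.0.113.9
2021-10-18 19:20:31 P2P-DHT-Query src=10.20.30.41 dst=198.51.100.5
2021-10-18 19:55:09 P2P-BitTorrent-Handshake src=10.20.30.41 dst=203.0.113.31
"""

ALERT_RE = re.compile(r"^(\S+ \S+) (\S+) src=(\S+) dst=(\S+)$")
INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed internal ranges for this example
EXAMPLE_NOW = datetime(2021, 10, 18, 20, 0, 0)  # the "Monday evening" of the scenario


def parse_alerts(text):
    """Return (timestamp, signature, src, dst) tuples; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        ts, sig, src, dst = m.groups()
        alerts.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sig, src, dst))
    return alerts


def repeat_offenders(alerts, now, window=timedelta(hours=3), threshold=3):
    """Internal hosts with at least `threshold` P2P alerts in the window ending at `now`.

    Returns {src_ip: [(timestamp, signature, dst), ...]} so the analyst can see how
    many distinct peers and signatures were involved, one input to prioritization."""
    start = now - window
    hits = defaultdict(list)
    for ts, sig, src, dst in alerts:
        if start <= ts <= now and src.startswith(INTERNAL_PREFIXES):
            hits[src].append((ts, sig, dst))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


def example_sweep():
    """Run the check over the constructed sample at the scenario's point in time."""
    return repeat_offenders(parse_alerts(SAMPLE_ALERTS), EXAMPLE_NOW)


if __name__ == "__main__":
    for ip, h in example_sweep().items():
        print(ip, len(h), "alerts; peers:", sorted({d for _, _, d in h}))
```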
Once you’ve read through these scenarios, creating your own will be easy! And the NIST manual actively encourages the liberal use of these scenarios and questions in conducting your own tabletop exercises. No need to reinvent the wheel!
What You Gain from Tabletop Exercises
Tabletop exercises, and the discussions prompted by well-designed exercises, are valuable for several reasons.
- They reveal gaps or weaknesses in your incident response procedures and security measures
- They educate the incident response team about current and emerging threats, their sources and effects, and refresh that education each time an exercise is conducted on a monthly basis
- They highlight areas where your team may not be adequately prepared to respond to a particular breach or other cybersecurity incidents
- They serve as team-building exercises, bringing team members together for a common goal or purpose
- They drill your team members in creative ways, so they are more likely to act effectively according to plan, rather than defaulting to instinctive behavior, which is often counter-productive
- They guide the team in resolving incidents effectively and with minimal disruption to operations
- They help accelerate your team’s incident response time, because, as we observed at the beginning of this post, seven months to detect a breach and 80 days to fix it are just not acceptable numbers.
In addition to maintaining a robust cybersecurity infrastructure, it is also vital to have a comprehensive incident response plan to guide employee actions when a cybersecurity incident or data breach occurs. Any incident response plan must be maintained as a living program that is routinely tested and exercised.
Most organizations have the resources needed to conduct tabletop exercises on a monthly basis, which makes these exercises a popular approach to validating the incident response plan.
To start your own tabletop exercise program, first, develop a wide-ranging set of scenarios and discussion-prompting questions, and then meet with the team each month for an active discussion of one of the scenarios. Be sure to update the incident response plan and related procedures, processes, and systems as needed. View your tabletop exercises as fun, creative ways to keep your people, processes, and paperwork up-to-date and ready to roll!