In Part 1 of our blog series on incident response planning for Cybersecurity Awareness Month, we covered why incident response plans (IRPs) are important and how to build one.
In Part 2, we’re looking at how to practice your IRP with five different data breach “fire drill” approaches.
Before you can practice an IRP, however, it’s important to make sure the plan itself is sound.
The IRP should be reviewed by a Breach Coach®—a data breach consultant or cybersecurity expert who typically acts as a first responder—to ensure that it meets the requirements of relevant laws and regulations at both the state and federal levels. Since the Breach Coach will be the one coordinating the response with external partners such as forensic firms and IT restoration services, as well as the insurance carrier’s claims department, their input is critical for success.
Why Practice an IRP?
Simply having an IRP in place will not guarantee an effective response. After all, a plan is only a document unless it can be put into action. The first time key players on your team see your IRP should not be the moment an incident has occurred. To make sure that all parties understand what is in the plan and what their roles are, and that the plan covers all the needed bases, your organization must review and practice the plan; the best way to do that is by running through various cybersecurity “fire drills”, also known as tabletop exercises.
“Practicing an Incident Response Plan (IRP) in real time is the only way to know that it will work,” says Billy Gouveia of Surefire Cyber. “If you were a coach, I can’t imagine you’d know if the team is ready to perform until you played a scrimmage. It’s the same with exercising an IRP. This involves testing key elements of your response processes, such as alerting procedures and restoring data from backups. Yet it is also essential to tie all of these drills together with a rigorous comprehensive exercise that brings together a range of internal stakeholders such as the executive team, IT, the security team, and functional leaders along with external stakeholders such as insurance brokers, carriers, outside legal counsel, cyber response firms, and law enforcement. It’s through these exercises that stakeholders can obtain the required understanding of the overall response strategy as well as the desired confidence in the organization’s cyber resilience.”
Practicing an IRP also helps improve the plan before it is actually needed. Key personnel can use the exercise to identify oversights and gaps in the plan, and then close them with revisions to the plan.
IRPs that have not been exercised cannot be relied upon, Gouveia says.
“Often, exercises expose planning flaws—such as relying on the same individual to execute multiple tasks at the same time or illogical restoration sequences (that is, the plan has system A brought up before system B but it turns out that A relies on B). Moreover, it’s through rigorous exercising that the team develops the required understanding of everyone’s role and how they all tie together. For example, often IRPs are not properly tied into the organization’s crisis management, business continuity, and disaster recovery capabilities, and an exercise highlights those gaps. Without rigorous exercising, information flows are often unclear and stakeholders do not understand who will provide what information, to whom, in what form, to enable which decision. Otherwise, valuable time is wasted sorting this out—time during which a threat actor could be stealing and encrypting your data.”
This is not a one-off practice, either. Plans should be reviewed, tested and updated frequently. A full tabletop exercise should be run at least annually, and certain aspects of the plan, such as your business recovery functions, should be tested quarterly to confirm they still work as expected.
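Two of the planning flaws described above, an illogical restoration sequence and one person being assigned several tasks at the same time, can be caught mechanically from the runbook before the tabletop even starts. The following is an added example (my own code, not from the original post or from NetDiligence or Surefire Cyber); the `Step` schema and the `SAMPLE_PLAN` runbook are constructed for illustration and do not describe any real environment:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One restoration step from an IRP runbook (hypothetical schema, constructed for this example).

    Steps that share a phase are assumed to run in parallel, so a system may only
    depend on systems that come up in an earlier phase.
    """
    system: str
    owner: str
    phase: int
    depends_on: tuple = ()


# Constructed sample runbook with deliberate flaws: the portal is scheduled before
# the database it relies on, identity is scheduled alongside the storage it needs,
# and Dana owns two phase-1 tasks at once.
SAMPLE_PLAN = [
    Step("web-portal", owner="Dana", phase=1, depends_on=("app-db", "identity")),
    Step("app-db", owner="Lee", phase=2, depends_on=("storage",)),
    Step("identity", owner="Dana", phase=1, depends_on=("storage",)),
    Step("storage", owner="Lee", phase=1),
    Step("email", owner="Sam", phase=2, depends_on=("identity",)),
]


def lint_restoration_plan(steps):
    """Return a list of findings (empty means no flaw detected).

    Checks: every dependency exists in the plan, every dependency is restored in a
    strictly earlier phase, and no owner holds two steps in the same phase.
    """
    findings = []
    by_system = {s.system: s for s in steps}

    for s in steps:
        for dep in s.depends_on:
            if dep not in by_system:
                findings.append(f"{s.system}: depends on {dep}, which is not in the plan")
            elif by_system[dep].phase >= s.phase:
                findings.append(
                    f"{s.system} (phase {s.phase}) is brought up before or alongside "
                    f"{dep} (phase {by_system[dep].phase}), which it depends on"
                )

    booked = defaultdict(list)
    for s in steps:
        booked[(s.owner, s.phase)].append(s.system)
    for (owner, phase), systems in sorted(booked.items()):
        if len(systems) > 1:
            findings.append(
                f"{owner} owns {len(systems)} steps in phase {phase}: {', '.join(systems)}"
            )
    return findings


def suggested_phases(steps):
    """Compute the earliest phase each system can be restored in, honouring dependencies.

    Kahn's algorithm over the dependency graph; phase = longest dependency chain + 1.
    Raises ValueError on an unknown dependency or a dependency cycle, both of which
    make the plan impossible to execute as written.
    """
    by_system = {s.system: s for s in steps}
    indegree = {s.system: 0 for s in steps}
    dependents = defaultdict(list)
    for s in steps:
        for dep in s.depends_on:
            if dep not in by_system:
                raise ValueError(f"{s.system} depends on unknown system {dep}")
            dependents[dep].append(s.system)
            indegree[s.system] += 1

    phase = {name: 1 for name in indegree}
    ready = [name for name, d in indegree.items() if d == 0]
    processed = 0
    while ready:
        current = ready.pop()
        processed += 1
        for child in dependents[current]:
            phase[child] = max(phase[child], phase[current] + 1)
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if processed != len(indegree):
        raise ValueError("dependency cycle in the restoration plan")
    return phase


if __name__ == "__main__":
    for finding in lint_restoration_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
    for system, ph in sorted(suggested_phases(SAMPLE_PLAN).items(), key=lambda kv: kv[1]):
        print(f"phase {ph}: {system}")
```

Running it against the constructed plan reports the three ordering faults and the double-booked owner, then prints a corrected sequence (storage first, then identity and the database, then the portal and email). The same two checks are worth re-running after every plan revision, since the exercise itself is where missing dependencies usually surface.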
Don’t have an incident response plan? Check out Breach Plan Connect® from NetDiligence!
How to Run a Data Breach Fire Drill
A tabletop exercise allows you to walk through a data breach event before it happens. Typically, the exercise is facilitated by an outside expert such as a Breach Coach or forensics expert, who walks through a simulated security incident step by step in real time. Like a choose-your-own-adventure book, the facilitator asks staff critical questions to determine what actions should be taken in response. Some general considerations to keep in mind as you begin a fire drill:
- Ensure all key personnel listed in your IRP are present. It’s important for every team member to participate, including executives, so it’s clear who is responsible for what.
- Answer to the best of your knowledge and ask questions of your teammates throughout. These exercises are not meant to be a test of knowledge; they are meant to sharpen your response skills.
- Interact with your teammates to get their perspective. Use the time to uncover gaps and learn from the dialogue.
- Test realistic edge cases, such as key team members being out sick or on vacation when the incident hits.
- Document the results to keep the response team apprised of any changes that need to be implemented.