As a Secureworks® incident responder and a volunteer firefighter, the author has a unique perspective on incident response. This blog series highlights overlaps between cybersecurity tabletop exercises and firefighter training to prepare for emergency situations.
At 3:30 AM on a Thursday, the security operations center (SOC) calls you to report a Secureworks Taegis™ alert indicating a possible Cobalt Strike attack. Your brain immediately shifts to response mode. Is this an incident? What is the severity? Who is responsible for responding?
As the tabletop exercise gets underway, participants must identify the incident commander. In fire departments, the incident commander is easy to identify: they wear a white helmet, issue commands, and often possess years of experience and leadership. Organizations should select an incident commander well in advance of an incident and document the assignment in their Cybersecurity Incident Response Plan (CIRP). As in an actual incident, this person leads the response effort during the exercise, assigns tasks, and ensures response efforts are completed.
Exercise participants should seek guidance from their CIRP, playbooks, and process guides that apply to the tabletop scenario. In the fire service, “pre-plans” provide instructions on the response appropriate for the location and type of incident. For example, the pre-plan for a multi-story high-rise fire dictates the location of the fire apparatus and the evacuation strategy. An organization’s CIRP, playbooks, and process guides should guide the response actions of the Cybersecurity Incident Response Team (CIRT), such as clarifying who must respond based on the incident type and incident severity.
During the exercise, participants and the training officer should note issues and areas for improvement. In a debrief (also called “lessons learned”) at the end of the exercise, issues with people, processes, and technology should be discussed and documented. Discovering these gaps is the ultimate goal of a tabletop exercise, as the intent is to improve the participants’ performance and the organization’s resilience. The lessons learned may reveal a need to improve the CIRP or to add individuals to the CIRT. Any new CIRT members must be trained on their role.
For future tabletop exercises, the training officer uses the lessons learned to improve the scenarios and to ensure that the CIRT knows how best to react and respond to any incident.