Skip to navigation Skip to main content Skip to footer

Incident Response Exercising: Your Prescription for Building Cyber Resilience

22 April 2024

By David Brown

Treat your cyber security resilience strategy like a workout

We all know that staying fit and healthy plays a huge role in being more resilient against illness and injury. But going to the gym or doing cardio isn't a once-a-month activity.

Building resilience requires regular exercise and testing yourself to improve strength and stamina. Nobody in their right mind would jump into playing a competitive sport or running a marathon without some level of preparation and training.

Like physical health and fitness, building cyber resilience requires a proactive, comprehensive strategy to build, strengthen, and flex your defensive muscles. It includes investing in staff, technical solutions, testing, and exercising to improve your ability to detect and respond to threats and then the resilience and stamina to recover from an attack.

While every organization relies on technology, many still need a holistic strategy for building their resilience.

Whether limited by internal resources or budget constraints, they neglect key aspects of cyber resilience—testing and exercising—and slowly become less resilient to threats until an attack blindsides them.

Strengthening cyber health: A 7-step cyber resilience plan

To help protect your organization’s critical assets, here's your 7-step program for comprehensive cyber incident response fitness leading to increased cyber health and resilience:

1. Take and maintain a technology inventory.

You can't strengthen and protect what you can't identify. So run a regular inventory of your assets, devices, technology stack, and the associated software linked to them across your entire network. Shadow IT is often the way to let infections in, so find it, remove it, and replace it with healthy managed systems. Remember, every new addition or configuration change also changes your security posture, so prioritize keeping this inventory up to date.

 

2. Review incident processes and procedures.

Having a structured and consistent fitness plan you can follow is essential to building strength and stamina. Incident response plans and playbooks are vital tools in your defense strategy, but only if they're relevant and valid. So, have plans for the key challenges you are likely to face, like ransomware, data loss, forensic readiness, phishing, emergency patching, etc., and set a schedule for regular reviews and updates (then stick to it).

 

3. Reinforce roles and responsibilities.

Even the best fitness intentions are useless if you don't know what exercises to do when you get to the gym. Everyone plays a role in securing your estate, data, and operations, but some people will have specific responsibilities. Ensure your colleagues are aware of and trained in their specific role in an incident. Ensure that the escalation path and policies around incidents are clear for everyone. They must know what to do, when, and what to avoid—including communication best practices.

 

4. Get communications and legal on board.

Every day can't be "leg day"—you need total body fitness to be at your best. Similarly, cyber incidents aren't just about the technical aspects sitting within an IT department. There are regulatory reporting requirements and internal and external communications strategies that can help minimize reputation damage and liability. In some cases, there may even be personal liability (potential prosecution) on the line.

So, make sure your legal and communications departments are included in planning, understand their roles and responsibilities, and participate in every exercise and live-play scenario. The whole team needs to understand the issues around liability and responsibilities if an attack occurs to make them all match fit.

 

5. Perform routine exercise.

Even the strongest incident response plans need to be exercised to make sure they're valid and robust. Regular cyber exercising at all levels helps to establish a baseline of how resilient you are now and exposes areas for improvement.

Because cyber resilience is a team sport, these exercises should include technical staff, mid-level management from across the organization, and executive leadership, including the C-suite and Board, all doing their part at the appropriate time. However, as with any team, there are specialists, so it may be that the exercises take place separately and at different frequencies to ensure that they are ready to respond. 

 

6. Use tabletop exercises and live-play scenarios.

What good is a training program if you never put it to the test and benchmark your results? Technical live-play scenarios, like Purple Team and Red Team exercises, can give you a sense of what it's like to face an attacker and practice your response in a controlled environment. Bronze and Silver Team exercises can help specific groups understand their roles, while Gold Team Crisis Management exercises that focus on strategy, stakeholder management, and incident communication approval should be included for comprehensive resiliency.

 

7. Evaluate and adapt.

Continuing to do the same routine over and over will achieve limited results. Getting stronger and more resilient requires progressive overload—increasing the intensity and robustness of your program. The secret to building cyber resilience in the evolving threat landscape is regularly evaluating what's working and what's not and adapting your strategy for continuous improvement. Strong cyber resilience results today might be significantly weaker six months later.

If you don't know where to start, beginning a cyber resilience journey might seem daunting. That's why having a personal trainer—a partner who understands what it takes to get fit and offers the expertise and tools to help you reach your cyber resilience goals—can be a game changer.

NCC Group provides an end-to-end suite of cyber security capabilities, cross-sector skills, and expertise to help you achieve robust cyber fitness in IT and OT environments.

As an assured NCSC Cyber Incident Exercising provider, our comprehensive Incident Response Planning and Digital Forensics Incident Response programs help clients of all sizes—from small businesses to government agencies to the world's largest and most successful organizations—strengthen their defenses and get maximum value from their cyber security investment.

David Brown

David Brown

Principal Consultant DFIR, NCC Group UK

David Brown brings 10 years of experience in Digital Forensics and Incident Response. A former Police Detective of 18 years, he is an experienced technical security consultant who leads complex investigations and helps organisations respond to and recover from significant cyber crises.

David holds a Master's Degree in Digital Forensics and Advanced Securities and is a full member of the Chartered Institute of Information Security.

Get started on your cyber resilience journey.

Call us before you need us. Our DFIR experts are here to help.