Incident response handling procedures could use some improvement. By utilizing and practicing incident response exercises, organizations can put in place a strong and integrated response to incidents of varying types. Exercises teach the security operations center (SOC), which comprises the incident response team (IRT) and associated staff (i.e., forensic staff, cyberthreat intelligence staff), how to investigate, correlate, respond to and recover from network intrusions, system compromises, malware attacks (e.g., botnets, viruses, Trojan Horses), phishing and spear-phishing attacks, device compromises, data breaches, denial of service (DoS) attacks and insider attacks.
According to the CyberEdge Group 2021 Cyberthreat Defense Report, the likelihood of a successful incident in 2021 has risen to 75.6% from 61.5% five years ago. As a result, SOCs have had to modify and enhance their methodology and procedures to keep up with new threats such as ransomware, artificial intelligence, mobile devices and the Internet of Things. New software, handling techniques and services have been developed (and sometimes acquired) to address the latest threats.
However, there is also a shortage in skilled staff and an increase in new and untrained employees. Even with all the preparation and prevention measures implemented, there are always some weaknesses in the cyberdefense program. These weaknesses include weak device configurations, weaknesses in vendor products and application code (from new and evolving software systems and applications), social engineering (weakness resides with the user and the security awareness training program), zero-day exploits and third-party interactions.
Approaches such as incident response plans, cybersecurity attack vectors, tabletop exercise design and scenarios, incident response lifecycle activities and continuous improvement can aid organizations in conducting incident response exercises, specifically the SOC and IRTs. Others who participate in activities that support the data gathering and correlation, maintenance of security tools, incident reporting and response evaluation, cyber threat intelligence, and incident management and coordination may also find these approaches helpful.
Remember the saying “practice makes perfect.” Exercises are meant to be able to (1) improve incident metrics associated with identification, response and resolution; (2) improve procedures and actions taken; and (3) minimize the scope and impact when they occur.
By conducting exercises on a regular (e.g., semiannual) basis, your team’s performance should improve as well.
Editor’s note: For further insights on this topic, read Larry G. Wlosinski’s recent Journal article, “Cybersecurity Incident Response Exercise Guidance,” ISACA Journal, volume 1, 2022.
ISACA Journal Turns 50 This Year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!