Strengthening Cybersecurity Defenses: Validating Incident Response Plans with Red Team Tabletop Exercises


At Bishop Fox, we understand the ever-changing and unpredictable threat landscape that businesses worldwide face. The frequency, depth, and breadth of cybersecurity incidents and data breaches in today's world is a stark reminder of the need for organizations to be fully prepared against the most advanced cyber threats and adversaries. Our offensive security expertise lies in Red Teaming and penetration testing, enabling us to assess an organization's security posture by simulating attacker behaviors and helping security teams curate mature cybersecurity defense strategies.

While tabletop exercises are often viewed as mandatory compliance tasks, we take a different approach by transforming them into building blocks for stronger security programs. By creating specially designed sessions and replicating real-world scenarios, we help organizations thoroughly test Incident Response (IR) plans against realistic tactics, techniques, and procedures used by modern attackers. Conducting separate in-depth sessions for both technical and non-technical teams ensures that every team member is genuinely prepared to execute the IR plans when called to action.

Objective: Establishing Successful Incident Response Programs

Establishing robust and effective cybersecurity IR policies is pivotal in the current digital landscape. Organizations must plan for ‘when’ and not ‘if’ a cyberattack will occur. Our experience in facilitating tabletop exercises has uncovered a critical gap: many IR teams attempt to handle incidents without a concrete plan in place, and for those who do have a plan, too often it is outdated.

The goal of tabletop exercises is to examine the current plan and improve security procedures by eliminating impromptu decision-making, reducing feedback and escalation timeframes, and establishing swift and impactful IR and recovery. Running a tabletop exercise without current IR policies sets a team up for potential failure with minimal ROI, because there is nothing substantial to pressure-test against real-world scenarios.

Preparation: Creating Resilient Plans and Policies

Before enlisting the help of offensive security professionals with tabletop exercises, a few key steps need to take place:

  1. Set up an IR team. This team collaborates closely with various departments and stakeholders to craft, manage, and maintain IR plans and policies.
  2. Draft policies and plans for IR. We don’t recommend purchasing prewritten plans. Companies should begin the process by assessing the existing infrastructure, identifying potential threats, and establishing communication channels that are unique to the actual digital footprint and attack surface. This forms the foundation for drafting comprehensive IR policies tailored to an organization’s individual needs.
  3. Keep the plans current. Moving forward, the IR team continuously updates and refines these plans to ensure they keep pace with the evolving threat landscape.

Tabletop Exercise: Successful Outcomes Begin with Proper Preparation

Preparing to engage in a tabletop exercise is as vital as preparing for the possibility of a real cyber incident. Conducting these exercises solely to test an organization’s technical readiness or to develop an initial IR plan is counterproductive and yields minimal ROI. In fact, this approach can frustrate IR teams and lead to divisiveness.

Instead, tabletop exercises should validate existing plans, processes, and procedures, ensuring that all IR personnel are ready to execute their roles effectively once the plans and escalation pathways are established.

Detection and Analysis: Bishop Fox's Unique Approach

The Bishop Fox Red Team challenges the conventional view of tabletop exercises as mundane compliance tasks. We take a dynamic and engaging approach, utilizing Red Team-themed adversarial tabletop exercise scenarios to foster learning, growth, and enhanced cross-departmental communication. Crafting scenarios that mirror real-world cyber threats enables participants to actively engage and respond to various incidents in a safe and controlled environment. Most importantly, organizations gain insights into areas where the current plans and policies are effective and, conversely, where gaps still exist that need to be fortified.

While some tabletop exercises may focus solely on the technical aspects of the IR plan, we stress the importance of active participation from both technical and non-technical personnel, allowing everyone to understand their roles and responsibilities when a cyber-related event occurs. The hypothetical nature of the exercise allows for separate sessions accommodating both technical and non-technical participants. Technical teams can deep-dive into the complexities of their digital environment, while non-technical team members walk through the same incident in an engaging, story-based version of the scenario with the technical detail kept to a minimum, informed by the technical tabletop exercise that preceded it.

By identifying strengths and weaknesses, allowing time to explore process improvement, and facilitating active discussions between teams and departments involved in the incident response, Bishop Fox tabletop exercises offer invaluable insights, providing opportunities for refining IR plans.

Containment and Eradication: Participation is Vital to Post-Event Activity

Bishop Fox clients have achieved higher Cyber IR Resilience Scores by investing in two main factors:

  1. Preparation
  2. Participation

Crafting scenarios that intrigue participants and give them a puzzle to solve creates the most engaging participant experience. It also gives the incident response team the opportunity to fully exercise their IR plans, processes, and procedures.

In one example, the Bishop Fox assessment team collaborated with the client to develop an insider threat exercise. The IR team participated in the tabletop exercise with no prior knowledge of the scenario and worked together to resolve the cyber event as if it were unfolding in real time. Reading like a movie script, the scenario progressed from one inject to the next like a classic whodunit, breaking the events of the day into four main scenes, or phases of the exercise.

  • Phase I: Server Outage
  • Phase II: Malicious File Discovery
  • Phase III: Unreliable Backups
  • Phase IV: Attacker Identification and Recovery

Later, participants would remark that facing such an advanced attacker, without being able to examine any actual log data, had been incredibly frustrating, but the attacker had been that good. They had essentially managed to cover all their tracks, causing small clusters of server outages without leaving any breadcrumbs for the IR team to follow.

During the tabletop exercise, the IR team was able to bring the cyber event to a successful resolution. One participant even remarked that he had been through the entire gamut of emotions, from laughing, to crying, to frustration and anger, to an overwhelming sense of accomplishment. Upon figuring out the attack path, another participant leapt to his feet in the conference room, exclaiming that he had the solution to the mystery that had been plaguing the team for several hours. He then enthusiastically shared the attack method with the group. The attacker turned out to be a disgruntled former employee who had gone to work for another company that happened to have its data center in the same colocated building as the client, giving the attacker full access to the client's server hardware. Up until that point, the IR team had not considered that someone could hypothetically gain physical access to the hardware in the data center as a viable attack path.

Along the way, the team discovered multiple areas for improvement and the need for additional resources and support for the IR program. The findings included in the report were designed to give the IR team the validation necessary to drive future investment in the IR program and ensure that the team would be prepared for any real future events.

These findings include:

  1. Create physical copies of the incident response plan.
    • Store these securely, but ensure they are available to the IR team if digital copies are not available.
  2. Maintain up-to-date vendor and partner lists for IR resources.
    • Ensure that IR plans and procedures reflect the current software and vendors in use for incident response and related services.
  3. Ensure that IR plans address every aspect of the incident response lifecycle. Plans should include processes and procedures for:
    • Preparation
    • Detection and Analysis
    • Containment
    • Eradication
    • Recovery
    • Post-Event Activity
  4. Create evidence collection and retention procedures.

By working as a partner, Bishop Fox was able to help the technical IR team demonstrate the need for preparation, additional resources, an IR retainer, and properly established escalation pathways for efficient and effective incident response.

Post-Event Activity: Conclusion

In today's cybersecurity landscape, the ability to respond effectively to incidents is a critical element of organizational resilience. Establishing and continuously refining IR plans is not just a box to check; it's a proactive measure that can potentially save organizations from significant damage. Working with offensive security experts like Bishop Fox and adopting a comprehensive approach to tabletop exercises strengthens IR capabilities and an organization's ability to combat the unpredictable nature of cyber threats.


About the author, Alethe Denis

Senior Security Consultant

Alethe Denis is a Senior Security Consultant at Bishop Fox. She is best known for social engineering, open-source intelligence (OSINT), and performing security assessments and trainings for both the private and public sectors, with an emphasis on critical infrastructure organizations. Alethe was awarded a DEF CON Black Badge at DEF CON 27 for winning the 10th annual Social Engineering Capture the Flag (SECTF) contest. Using both OSINT and social engineering skills, she compromised her target Fortune 500 company using just a telephone. She, along with her teammates, received a bronze, silver, most valuable OSINT, and black badge award from a series of TraceLabs capture-the-flag contests, including first place in

She’s a frequent conference speaker and podcast guest, including speaking at DerbyCon, BsidesSF and ConINT, as well as an appearance on the TraceLabs, Layer 8 Conference, and Darknet Diaries podcasts.

Alethe is always focused on giving back to the information and cybersecurity community, including her work conducting free Security Awareness Trainings and hosting workshops for people who want to get into the cybersecurity industry.
