TechGuard Blog

Why You Need to Utilize Incident Response Exercises

Professional athletes constantly practice their skills in order to get better at their sport. They also hold scrimmages that simulate a real game. This not only helps them improve the skills they already have, it also shows them where they need to improve and what steps to take to do so. In many ways, training for network defense or incident response is similar. Companies often conduct what are known as incident response exercises, which allow the Security Incident Response Team (SIRT) and related personnel to put their skills to the test in order to prepare for a real incident.

Tabletop exercises, one common form of incident response exercise, can be conducted in a variety of ways. However, a trait all tabletop exercises share is that they simulate a real attack. These simulated attacks are meant to prepare incident responders for various types of threats and attack vectors. For example, many companies use a tabletop exercise that consists of several attacks, each simulating a different attacker type, such as hacktivists, advanced persistent threats, insider threats, etc. One great free source of sample tabletop exercises is provided by the Center for Internet Security (CIS). CIS offers a PDF that anyone can download from its website containing six different security incident scenarios. Each scenario contains a description of the incident, discussion questions, an outline of which processes are being tested, and the type of threat actor conducting the attack. These scenarios allow an organization to test the skills and knowledge of its incident responders and show where they need more improvement. The exercises are also useful because the organization gets a clearer idea of whom it would need to contact if a real incident occurred (legal department, human resources, etc.).

While traditional tabletop exercises are extremely beneficial for all organizations, the process can be taken a step further by conducting red team vs. blue team exercises. The red team consists of penetration testers and other offensively focused roles. The blue team consists of everyone trying to defend the network, such as SOC analysts, security engineers, SIRT members, etc. Red team vs. blue team exercises are conducted by having the red team attempt to exploit vulnerabilities within the organization's network while the blue team tries to counter the red team's attacks and secure the network. Lastly, a white team consisting of security leadership acts as a referee and keeps track of both teams' actions. These exercises are great for hands-on, practical application and test the technical skills of both teams.

Overall, tabletop exercises and red team vs. blue team exercises are crucial for assessing the technical and knowledge-based capabilities of your security department. Every organization should implement these exercises in order to discover areas of weakness within its incident response process and improve its overall security posture.

Written by Blake Potter