If you’re not already using crisis simulations as a key part of incident preparation and response, it’s time to start stress-testing personnel and protocols to help teams develop skills and readiness for difficult situations.
Mark Lance, vice president of DFIR and threat intelligence for GuidePoint Security, says, “We’re seeing more and more demand, as well as requirements established by boards, cyber insurance carriers, or other key stakeholders, to perform these simulations annually or more.”
Not only do these exercises help employees understand their roles and responsibilities during an incident, they’re also a great way to educate people. As an example, most people don’t understand the intricacies involved during a ransomware incident, the multitude of third parties involved, and key decision points unless they’ve already been through that situation.
“A crisis simulation not only familiarizes them with their own incident response processes, but also builds awareness of relevant threats, the associated risks, and critical decisions,” Lance says.
In an era of constantly evolving cyber threats, crisis simulations offer organizations a vital testing ground for fortifying their cybersecurity defenses, arming teams with the skills and resilience to protect against a multitude of risks.
Types of Crisis Simulations
The simplest simulation is a “tabletop exercise” where an organization gathers the appropriate stakeholders, presents a disaster or attack scenario, has each stakeholder talk through their response, and surfaces strengths and weaknesses in dependencies through collaboration, says Casey Ellis, founder and CTO at Bugcrowd.
“A good example is a ransomware tabletop exercise simulating denial of production systems, failover systems, and the deletion of backups,” Ellis says. “The thought of disaster recovery being unavailable is a pretty counterintuitive one, and it’s a scenario that is better thought through beforehand versus on-the-fly.”
The objective of a tabletop is to create a “near-real” crisis condition and see how the team responds, says Erik Gaston, vice president of global executive engagement at Tanium. “This includes communications during a crisis and escalation,” he explains. “This helps not only uncover potential issues before they occur, but to ensure that the crisis and incident response plans do not have holes in them.”
These exercises also help verify that the teams, especially the blue team, are making good collaborative decisions and not operating in the traditional silos that many security organizations run in.
Alternatively, organizations can use red-team penetration tests to simulate real-world attacks. This can be achieved by employing ethical hackers or an internal red team that attempts to breach an organization’s defenses.
“The objective is to identify vulnerabilities and assess the organization’s incident response capabilities,” explains Mike Walters, president and co-founder of Action1. “This approach provides valuable insights into an organization’s readiness to combat cyber threats.”
Bugcrowd’s Ellis says organizations could also consider a public bug bounty program as a type of “ongoing crisis simulation.”
He explains that creating the same types of incentives for white-hat hackers as those that exist for criminals unleashes the creativity of that community, and the vulnerabilities and risks that are surfaced are specific, actionable, and highly relevant.
“A bug bounty program focuses mostly on prevention,” he notes.
Improve Defense by Besting Simulation Challenges
The primary challenge organizations face when executing crisis simulations is determining the right level of difficulty, says Tanner Howell, director of solutions engineering at RangeForce.
“With threat actors ranging from script kiddies to nation-states, it’s vital to strike a balance of difficulty and relevance,” he says. “If the simulation is too simple, it won’t effectively test the playbooks. Too difficult, and team engagement may decrease.”
Walters says organizations should expand simulations beyond technical aspects to include regulatory compliance, public relations strategies, customer communications, and other critical areas.
“These measures will help ensure that crisis simulations are comprehensive and better prepare the organization for a wide range of cybersecurity scenarios,” he notes.
Taavi Must, CEO of RangeForce, says organizations can implement some key best practices to improve team collaboration, readiness, and defensive posture.
“Managers can perform business analysis to identify the most applicable threats to the organization,” he says. “This allows teams to focus their already precious time around what matters most to them.”
He adds that with crisis exercises, teams can test their skills in a live environment with real threats.
“This means having teams perform without pre-configured alerts, playbooks, and the guardrails of automation,” Must says. “This allows teams to truly understand the threat, without falling back on less challenging or passive habits.”
Teams can benchmark their performance in these simulations, allowing them to assess and quickly mitigate any gaps they find, he explains.
Train Like You Fight
With the threat landscape and attack surface for most companies expanding at a rapid rate, IT organizations can never take their eye off the ball.
“This extends to the greater organization, where people need to be vigilant and quickly identify specific types of attacks, like ransomware and even extortion, that can lead to very costly situations,” says Gaston.
From his perspective, dedicated teams are critical, as organizations must always be looking for signs of breach across both security and IT operations. The more quickly teams can respond, the better chance the company has of not ending up in the news — or worse. The key way to move from reactive to proactive is to “train like you fight” as often as possible, Gaston says.
“When you have your best players, tools, and a refined program, playbooks and processes being practiced and perfected every day, it ensures that the team stays in a preventative posture and maintains a high level of resiliency,” he adds. “Breaches will happen, but teams taking a preventative posture have far fewer breaches and bounce back much quicker when they do happen.”
Solicit Feedback, Apply Lessons
The lessons learned from simulations should be utilized to update and improve incident response plans.
Having specialized facilitators lead these sessions “ensures you have the right involvement from all participants — both loud and quiet voices — drive the established timelines, exercise the critical discussion points, and can provide tangible feedback that will be required for improvements resulting from the session,” GuidePoint’s Lance notes.
It is also important to engage employees at all levels, ranging from entry-level staff to senior management, in these simulations.
“This inclusive approach ensures that everyone within the organization understands the importance of cyber resilience and their role in maintaining it,” Action1’s Walters explains.
In addition, collecting feedback from participants after each simulation is vital to identify areas that require improvement. Insights can then be used to make necessary adjustments for future simulations, according to Walters. He also highly recommends collaborating with cybersecurity experts and organizations in designing and conducting crisis simulations.
Walters adds, “Such partnerships enable the creation of simulations that closely reflect real-world threats.”