Forewarned might be forearmed, but, even if it is impossible to ignore that the threat landscape is fast worsening in both complexity and frequency of cyberattacks, action is needed to do the forearming part.
In other words, having incident response plans at hand to accelerate mitigation and recovery is now a must. Compliance regulators even include incident response-specific clauses, such as PCI DSS Requirements 10 (Implement Logging and Log Management) and 12 (Documentation and Risk Assessments) for example.
In this post, we look at incident response steps and at how BAS (Breach and Attack Simulation) and CART (Continuous Automated Red Teaming) can accelerate and enhance incident response readiness.
Recommended Incident Response Readiness Preparation Steps
Identify and Prioritize Critical Assets
Identifying and prioritizing critical assets is the process that lists sensitive data and mission-critical applications that, if compromised, would cause significant damage to the organization.
Design a realistic scenario that accurately reflects the potential cyber threats that an organization may face.
Establish Procedures and Policies
Planned procedures detail the role of operational and security staff, when and how to escalate the incident, internal and external communication protocols, and when to enlist help from third parties like consultants, legal, or PR.
Establish an Incident Response Team
Defining each incident response team member’s roles and responsibilities, and the scope of their role – i.e., full-time incident response or alongside a related role in IT operations or security – accelerates their response time in case of a breach.
Educate All Stakeholders About the Incident Response Plan
Alignment of all stakeholders – i.e., IT, software development, legal, HR, public relations, senior management, etc. – requires ensuring that they are informed of their individual roles in the response plan and of their expected interactions with other stakeholders.
Get Advanced Buy-In From Senior Management
When a response plan includes budgetary implications, such as hiring a consultant or external services, a pre-approved budget for contingency accelerates the response time.
Validating incident response plans’ adequacy requires holding regular tabletops exercise drills with relevant stakeholders.
Postmortem analysis following tabletop exercise is crucial to identify the security gaps that let the adversary gain an initial foothold and escalate their attack, spot stakeholders lacking the proper training, and define preemptive remediation measures.
The Role of BAS/CART in Incident Response
The problem with tabletop exercises is that they are costly, time-consuming, and disrupt daily operations.
A cursory look at even just a single one of CISA’s cybersecurity scenarios seems to imply that a tabletop exercise requires interrupting regular operations for a few days.
As such, like full-scale fire drills, they cannot be run often. Yet, the rapid pace of change in the threat landscape should be reflected in the regular update of response plans.
This is where BAS and CART technologies can be invaluable. Thanks to their automated attack simulations, the technical validation of incident response planning can be run regularly without requiring additional resources or disrupting routine operations.
How BAS/CART Improves IR Processes
The table below summarizes the main difference between
|Classic IR preparation||BAS/CART Assisted Preparation|
|TTEs||Pen and paper exercises requiring gathering stakeholders -interrupting daily routine – and running thought exercise-like TTEs
|Automated attack simulations of customizable scope, schedulable at will and running in a production environment, which enables testing stakeholders’ reactivity in real time.|
|Reporting||Manual reporting relying on manually recorded processes and interactions||Automated reporting that include all interactions and action taken.|
|Integrations||None||SIWM, SOAR, EDR, Email Gateways, Firewalls, WAFs, and DLP tools|
|Analysis||Manual based on manually collected data||Automatically generated, including details of the attack simulations’ success, the TTPs used, the attack routes, and the impact on the organization’s security controls.|
|Postmortem||Requires drafting mitigation guidance based on the expertise level of the people present and the quality of the manually generated report and analysis||Automatically generated mitigation guidance based on best practices by a team of experts|
Additional Benefits of Using BAS/CART to Drill Incident Response
Tool Stack Optimization
As BAS and CART technologies can integrate with the cybersecurity tool stack, it provides detailed information about the performance of each individual tool. Comparing the ratio of detected/stopped simulated attacks with the number of attacks launched gives a data-backed evaluation of each tool.
This evaluation can then be used to rationalize and optimize the tool stack by eliminating overlapping capabilities and identifying missing ones.
Attack Route Mapping
The attack route mapping capabilities of advanced BAS/CART technologies pinpoint exactly where security gaps enable the attack to progress, focusing mitigation efforts on where they have a high impact.
Easy to Scope
BAS/CART attack simulations are easy to scope and can focus on particularly sensitive, high-value, or corresponding to industry sectors, department areas of activity, geolocation, specific APT, or other relevant segmentation factors as needed.
No Business Disruptions
Unless running a full-scope IR exercise that involves downstream non-technical skills such as legal, PR, marketing etcetera
No Extra Cost
The main purpose of BAS/CART technologies is to validate security resilience. Running incident response exercises is just a welcome by-product accessible at no extra cost.
Thanks to its non-disruptive, no-cost, and easy-to-run characteristics, incident response exercises can be repeated as needed to evaluate progress and trends in MTTRs.
Limits of BAS/CART for Running IR Exercises
The full value of BAS/CART tun IR exercises applies to the cybersecurity and IT department and to some of the operational functions, such as email for example, but only inasmuch as they are connected to the digital infrastructure.
To include the entire human factor, factoring in the reaction time and efficacy of non-tech stakeholders, still require running including some manual operations.
However, drilling the reactions of legal, marketing, finance, HR, and other stakeholders can then be limited to a yearly exercise covering different types of attacks, i.e., ransomware, DDOS, data theft, etc., and defining the role of each for each specific attack type.
The benefits far outweigh the limits and have an immediate impact on a company’s resilience.