Proper conditioning is of importance prior to any competition. Athletes, whether in individual competition or team events, understand the importance of training prior to competition. Competitive marksmen and trained sharpshooters continually fire their weapon system in hopes of improving target acquisition skills, breathing, and trigger squeeze. Special operations units provide demanding and realistic training to test readiness, build their personnel's confidence and improve overall team camaraderie while continually refining battle skills. Even the least competitive of folks understand that 'practice makes perfect', whether it's on the golf course or jamming out on Rock Guitar! Cyber security and incident response activities can be likened to the competition between malicious actors (whether internal or external) and the defending home team. Given the consequences of a breach, I must ask: "Why do some security practices refrain from participating in realistic training?"
Unfortunately for those in the information security community, a lack of rigor is not uncommon within 'team' development versus 'individual' certification. An outlined training program is often absent from thought unless it's an annual HR-specific topic or individualized on an employee's performance review. This is common within enterprises of all sizes, as dedicated training resources can be scarce unless purchased from and provided by a third party. Two well-publicized events that come to mind are the SANS Institute's NetWars and CyberCity interactive scenarios. Sadly, conference-held events can become costly at scale due to ancillary travel expenses and entrance fees, whereas an on-premise offering may be too expensive if the team has a small headcount. Plus, there is an impact (sometimes more fear-driven than practical) of taking your personnel 'out of action' for an extended period of time. A less expensive option is to perform the 'live' training in-house. For brevity's sake, I have broken the options down into two simple categories:
- Dedicated: A one-day-plus training scenario that not only fits your practice's maturity model, but is team-oriented while allowing for individual achievement. I recommend adding the 'plus' to the dedicated training's duration in order to accommodate a more thorough lessons-learned debrief session following a period of reflection, after tempers dissipate or following a good night's rest. This type of activity is best suited when the moderator and his/her support team lead the scenario, yet retain the means and authority to allow for unscripted modifications in response to participants' actions.
- Ad hoc: Reacting to an otherwise low-impact or routine event (e.g., a commodity malware infection or an intrusion detection alert) as you would to a significant breach. The goal is to gauge the efficacy of the organization's ticketing processes, notification plans, interdepartmental communication, policies and procedures. Success is defined by cross-organization participation, ticketing process times, and mean time from detection to remediation, including the more labor-intensive tasks (e.g., memory forensics, disk imaging, etc.).
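The ad hoc option above measures success by cross-organization participation, ticket phase times, and mean time from detection to remediation. The following is an added example, not code from the original post, showing how those exercise metrics can be pulled out of ticket timestamps. The ticket records, milestone names (detected, escalated, contained, remediated), department list and the eight-hour target are all constructed assumptions for illustration; substitute the fields your own ticketing system exports.

```python
from datetime import datetime
from statistics import mean

# Milestones a ticket passes through, in order (assumed names, not a real
# ticketing-system schema).
PHASES = [("detected", "escalated"), ("escalated", "contained"),
          ("contained", "remediated")]

# Departments the breach response plan expects to take part (assumed list,
# echoing the groups the post names: HR, marketing, legal, executives).
EXPECTED_DEPARTMENTS = {"SOC", "IT Ops", "Legal", "HR", "Marketing", "Executive"}

# Constructed sample tickets from a hypothetical ad hoc exercise (not real data).
SAMPLE_TICKETS = [
    {"id": "EX-1", "detected": "2016-03-01T09:00", "escalated": "2016-03-01T09:40",
     "contained": "2016-03-01T11:10", "remediated": "2016-03-01T15:30",
     "departments": {"SOC", "IT Ops", "Legal", "Marketing"}},
    {"id": "EX-2", "detected": "2016-03-02T14:00", "escalated": "2016-03-02T16:30",
     "contained": "2016-03-03T09:00", "remediated": "2016-03-03T13:00",
     "departments": {"SOC", "IT Ops"}},
    {"id": "EX-3", "detected": "2016-03-04T08:15", "escalated": "2016-03-04T08:30",
     "contained": "2016-03-04T10:00", "remediated": "2016-03-04T12:15",
     "departments": {"SOC", "IT Ops", "HR"}},
]

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M"


def _hours(ticket, start, end):
    """Elapsed hours between two milestones; rejects out-of-order timestamps,
    which usually indicate a ticket that was back-filled after the fact."""
    t0 = datetime.strptime(ticket[start], TIMESTAMP_FORMAT)
    t1 = datetime.strptime(ticket[end], TIMESTAMP_FORMAT)
    if t1 < t0:
        raise ValueError(f"{ticket['id']}: {end} precedes {start}")
    return (t1 - t0).total_seconds() / 3600


def phase_hours(ticket):
    """Per-phase durations for one ticket, keyed 'start->end'."""
    return {f"{a}->{b}": _hours(ticket, a, b) for a, b in PHASES}


def detection_to_remediation_hours(ticket):
    """End-to-end time the post uses as its headline metric."""
    return _hours(ticket, "detected", "remediated")


def score_exercise(tickets, expected=EXPECTED_DEPARTMENTS, target_hours=8.0):
    """Summarise an exercise: mean end-to-end time, mean per-phase time, the
    phase that dominated, departments that never engaged, and tickets that
    blew through the target."""
    per_phase = {f"{a}->{b}": [] for a, b in PHASES}
    for t in tickets:
        for phase, hours in phase_hours(t).items():
            per_phase[phase].append(hours)
    participating = set().union(*(t["departments"] for t in tickets))
    return {
        "mean_detect_to_remediate_hours":
            mean(detection_to_remediation_hours(t) for t in tickets),
        "mean_phase_hours": {k: mean(v) for k, v in per_phase.items()},
        "slowest_phase": max(per_phase, key=lambda k: mean(per_phase[k])),
        "missing_departments": sorted(expected - participating),
        "over_target": [t["id"] for t in tickets
                        if detection_to_remediation_hours(t) > target_hours],
    }


if __name__ == "__main__":
    for key, value in score_exercise(SAMPLE_TICKETS).items():
        print(f"{key}: {value}")
```

On the constructed data the slowest phase is escalation-to-containment (one ticket sat overnight), the executive briefing role never engaged, and EX-2 is the only ticket over the eight-hour target; those three findings are exactly the procedural hurdles the post says an ad hoc exercise should surface before a real breach.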
The latter, impromptu method requires less overhead and is useful for either establishing a baseline of performance or identifying procedural hurdles. A side benefit to ad hoc testing is that this model can easily be repeated, whether quarterly or bi-annually. A dedicated scenario often requires additional support for role playing, scenario inject development, and moderation. This task could be managed by an outside consultant or as a result of an internal red and blue team mind-meld, which is often referred to as a "purple team" test. The only gotcha for either approach is that these activities are best executed when other, non-IT personnel are involved. For example, what are HR's, marketing's and the legal department's roles during breach recovery? Monitoring social media for unexpected disclosures? What are the notification plans for law enforcement or cyber insurance? Press announcements? How do we get enough information to the CEO to brief shareholders, etc.? These types of activities need to be outlined, assigned, and rehearsed before an incident occurs and subsequently tested to identify modifications to your overall breach response plan. In conclusion, internal testing can serve as a low-cost alternative or a conditioning program to get your team ready for the main event!