Enfuse 2016 Session Highlight by Parker Desborough
One of the panels I attended at Enfuse 2016 was called Red Team Blue Team Black Eye: A Case for Cyber Readiness Exercises and Continuity. This panel was presented by Joshua Chin and Steve Gabriel and offered an interesting look at the practice, or lack thereof, of actually testing an incident response plan before having to use it for real.
Although it would seem obvious that practicing the implementation of an incident response plan is important, the panel relayed that many companies forgo this process, feeling that having a plan in place would be enough. Mr. Chin addressed this issue by explaining that no matter how thorough and elaborate your response plan is, you will never truly know how effective it will be until you test it or have to use it for real.
The panel highlights that although many companies are now getting into the habit of performing penetration tests on their network, this step alone is not enough. The most effective way to test your response plan is to run simulated attacks in the “red team – blue team” format. In this way you can simulate a real attack on your network and see exactly how well your response plan holds up under conditions you would expect to see during a real attack.
Response plans should be fluid
The other overlooked point highlighted by the panel is ensuring that the response plan is kept up to date. As workers leave or switch positions, as equipment or polices change, the response plan must be updated to reflect these changes.
This is another reason why regular incident response practice is important so that new workers are on the same page as the rest of the company. The practice is good for the company as a whole as it keeps the plan fresh in their minds and will make responding to actual incidents easier. The panel pointed out that other fields often require practical experience in the field under supervision before you are allowed to work independently. For example, doctors have to undergo a residency program. Doctors have the residency program because it helps them to learn what they will have to do as a doctor before they are expected to be able to work on their own. In this same way performing red team simulations will allow a company’s employees with the knowledge they will need to deal with a real attack situation before they will have to deal with a real attack.
Training can highlight the skills and weaknesses of the workers who will be involved in responding to an attack. The example given in the panel was that you could have a critical role in the plan assigned to a worker only to find out that said worker does not perform well under the extreme pressures associated with an attack. If this issue is discovered in training it can be addressed or corrected before it is too late.
Conclusion
Overall this panel was an interesting look into how many companies handle their response plans and how they could improve those plans and their attack readiness. Chin and Gabriel showed just how important regular training can be and how in a real attack a well prepared and trained staff will likely outperform one that is viewing the response plan for the first time. Keep an eye out for my second blog post on my overall experience at Enfuse 2016!
-Parker Desborough