Breach and attack simulations can protect your business

Author: Phil Muncaster

No security team—no matter how well-staffed or well-equipped it is—can hope to repel 100% of cyber attacks. That's why incident detection and response has become a priority for so many security programs. Your business must be proactive and prepared. Step one is putting an incident response plan in place. Step two is testing that plan with breach and attack simulation exercises.

These practices reveal opportunities to improve the fluidity, speed and effectiveness of incident response—and provide important learnings to enhance resilience for the future.

Organizations face many security challenges

One look at the threat landscape reveals why breach and attack simulation is increasingly popular among global organizations. Verizon's 2021 Data Breach Investigations Report found a third more confirmed breaches in 2021 than the previous year, with phishing (11%) and ransomware detections (6%) both increasing. Trend Micro alone reported blocking almost 63 billion threats in 2020, and many more are likely to have gone undetected or unreported.

The more sophisticated threats lie undetected for months, giving adversaries time to steal sensitive data, deploy malware and potentially trigger ransomware to lock down critical systems. Digital transformation and the advent of the distributed workforce have added to the headache for IT leaders by expanding the corporate attack surface and introducing dangerous blind spots in protection. Unfortunately, with security skills in short supply (as an (ISC)2 report notes), response efforts can fall below par.

The bottom line is that the security mentality should not be a case of “if” but “when” your organization is attacked. That makes breach and attack simulation exercises vital to improving your ability to spot and stop threat actors before they can make a serious impact.

Why is breach and attack simulation essential?

The longer attackers are allowed to dwell inside networks undisturbed, the more expensive and disruptive the fallout. Serious security breaches could result in:

  • Major operational outages.
  • Damaged reputation and customer churn.
  • Follow-on class action lawsuits.
  • Productivity impact.
  • Lost earning potential.
  • IT support costs (remediation, cleanup and rebooting, etc.).

How to conduct a breach and attack simulation

Response is a core function of the best-practice NIST Cybersecurity Framework. But how can you test your capabilities in this area? The last thing you want is to discover during a real incident that there are critical gaps in your planning.

Tabletop exercises are a good start. These discussion-based workshops help to define roles and responsibilities and evaluate whether everyone knows what they should do during a breach incident. Similarly, paper testing exercises offer an opportunity to walk through incident response plans and allow participants to make recommendations to improve them.

However, there's no substitute for the adrenaline rush of an interactive live exercise. You can customize these to introduce executives and operational staff to the pressure they'll face during a real-world incident. These usually last up to three hours or so and may include new and unexpected challenges designed to mimic the unpredictability of genuine incidents. During the exercise, incidents must be identified, triaged and contained before a root cause analysis and remediation.

Attacks could be designed to simulate multiple scenarios, such as:

  • Theft of customer or employee data and/or trade secrets.
  • Ransomware causing a serious operational outage.
  • A malicious insider incident.
  • Sabotage of industrial control or operational technology (OT) systems.
  • Phishing and impersonation attacks targeting executives and employees.

Automated breach and attack simulation

Cloud-based services can perform automated breach and attack simulation, which is making them increasingly popular. Because virtually no humans are required to do the "attacking," they can save you significant time and money, and you can run exercises regularly to check how effective your security controls are across various scenarios. This could include:

  • Endpoint security.
  • Email protection.
  • Network security.
  • Staff susceptibility to social engineering.

What can you learn from attack simulations?

One of the most important steps in the whole process is the one that immediately follows any simulation exercise: debriefing those involved and reflecting on lessons learned. This information can be drawn up into practical recommendations for improving incident detection and response from a people, process and technology perspective.

Some key learnings include:

  • How competent incident responders are in making assessments and decisions during a crisis, and with potentially incomplete information.
  • The quality of communication between various stakeholders and any relevant external parties (e.g., law enforcement, suppliers, media, etc.).
  • Identification of gaps between an incident response plan and actual behavior.
  • Where technical and staffing investments must be made going forward.

Building stronger security

The next step for security teams is to take the actionable insight gained from breach and attack simulations and improve resilience and incident response for the future. The growing range of automated tools on the market means you can run more tests more frequently and more cost effectively than before. This will help your organization gain a more accurate picture of your current security posture.

Another option is to outsource breach and attack simulation exercises to a third-party provider. Firms such as Verizon can leverage decades of industry expertise to test your incident response plans, make suggestions for improvements and augment rapid response efforts. If you want to free your security team to focus on higher value and more strategic projects, this may be a good option.
