Red Team Exercise and Incident Response Preparedness
Author – Ondrej Krehel
Why would you be hacked tomorrow, and all your data encrypted by the latest ransomware?
The reality is that one out of three businesses believes its information holds no value until it becomes inaccessible. Red team testing can provide some level of assurance in the accuracy of your cyber resilience program. Skilled white-hat hackers will probe your network with stealthy precision, just as snipers map out the best vantage points from which to defend against and strike intruders.
The key to any incident response is detection. Six core performance indicators are worth measuring:
1. How well the red team engagement is uncovered, and at what point in time the internal team gains visibility into the advanced attackers' actions.
2. How stealthily attacks can present themselves to external and internal infrastructure.
3. Testing of indicators of compromise (IoC) detections and attack vectors in the threat management and event correlation system.
4. Rapid response and internal team coherence in removing attackers from the systems.
5. Behavior-based detection of unknown and potentially malicious events.
6. Mitigation and isolation strategies used after initial detection of the compromise actors' tactics, techniques and procedures (TTPs).
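Indicators 1, 3 and 4 above only become useful once they are measured the same way after every exercise. The following is an added example (not code from the author or from Vaporstream) of how a blue team can score an engagement at the debrief: the red team's own action log is matched against the alerts and containment actions the internal team can show evidence for, and the script reports time to detect and time to contain per action, overall detection coverage, the moment the defenders first gained visibility, and which techniques went entirely unnoticed. The action identifiers, technique labels, hosts and timestamps are constructed sample data, and the mapping of each alert to a red team action is assumed to have been agreed at the debrief.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class RedAction:
    """One step the red team took, taken from their own action log at the debrief."""
    action_id: str
    technique: str        # hypothetical label for the step (constructed)
    host: str
    started: datetime


@dataclass
class BlueEvent:
    """A blue-team alert or containment action, mapped back to a red action at the debrief."""
    kind: str             # "alert" or "contained"
    action_id: str        # which red action this evidence was matched to
    at: datetime


def _t(hhmm: str) -> datetime:
    # Constructed exercise day; only the time of day matters for the metrics.
    return datetime.strptime(f"2024-03-04 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample timeline (not real exercise data).
RED_ACTIONS = [
    RedAction("A1", "phishing-delivery", "ws-17", _t("09:00")),
    RedAction("A2", "credential-dump", "ws-17", _t("10:30")),
    RedAction("A3", "lateral-movement", "fs-02", _t("11:15")),
    RedAction("A4", "data-staging", "fs-02", _t("13:00")),
]

BLUE_EVENTS = [
    BlueEvent("alert", "A1", _t("09:40")),
    BlueEvent("alert", "A3", _t("11:20")),
    BlueEvent("alert", "A3", _t("11:45")),    # duplicate alert; only the first counts
    BlueEvent("contained", "A3", _t("12:30")),
    BlueEvent("alert", "A4", _t("14:30")),
    # A2 produced no alert at all: a detection gap the report must surface.
]


def _minutes_until(start, times):
    """Minutes from start to the earliest of times, or None if nothing happened."""
    later = [t for t in times if t >= start]
    return (min(later) - start).total_seconds() / 60 if later else None


def score_exercise(actions, events):
    """Return (per-action metrics, exercise summary) for indicators 1, 3 and 4."""
    per_action = {}
    for a in actions:
        alert_times = [e.at for e in events if e.kind == "alert" and e.action_id == a.action_id]
        contain_times = [e.at for e in events if e.kind == "contained" and e.action_id == a.action_id]
        per_action[a.action_id] = {
            "technique": a.technique,
            "host": a.host,
            "time_to_detect_min": _minutes_until(a.started, alert_times),
            "time_to_contain_min": _minutes_until(a.started, contain_times),
        }

    detected = [r for r in per_action.values() if r["time_to_detect_min"] is not None]
    contained = [r for r in per_action.values() if r["time_to_contain_min"] is not None]
    first_action = min(a.started for a in actions)
    first_alert = _minutes_until(first_action, [e.at for e in events if e.kind == "alert"])

    summary = {
        # Share of red actions that produced at least one alert / one containment step.
        "detection_coverage": len(detected) / len(actions),
        "containment_coverage": len(contained) / len(actions),
        # Indicator 1: how long after the first red action the defenders saw anything.
        "first_visibility_min": first_alert,
        "median_time_to_detect_min": median(r["time_to_detect_min"] for r in detected) if detected else None,
        # Techniques with no detection evidence: the detection gaps to close first.
        "undetected_techniques": sorted(
            r["technique"] for r in per_action.values() if r["time_to_detect_min"] is None
        ),
    }
    return per_action, summary


if __name__ == "__main__":
    per_action, summary = score_exercise(RED_ACTIONS, BLUE_EVENTS)
    for action_id, metrics in per_action.items():
        print(action_id, metrics)
    print(summary)
```

Tracked across several exercises, the same fields show whether detection coverage and time to contain are actually improving; the list of undetected techniques is the direct input to the next round of detection engineering.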
Staying in Sync.
Synchronization of the internal team over a secure communications platform is important, ensuring that attackers cannot intercept discussions or commands. Just as important is the execution of the internal incident response team. Secure out-of-band channels for issuing orders and for reporting to management and executives are a crucial part of the incident response preparedness exercise. Staying in communication and in sync can be critical to response and recovery.
Incident Response Readiness.
Incident response readiness is an assessment offered by many highly respected forensic firms, and can involve multiple parties. The more key stakeholders that take part in the exercise, the better. Never leave out the legal, compliance, risk or audit teams. In the end, it is a team effort to take down bad actors and enemy actions that could potentially cripple an entire enterprise and its systems.
While many live under an illusion about their cyber maturity, preparedness and posture, it is only once they have survived brutal breaches and infected systems that they can speak honestly about how their plans fared when tested on a cyber battlefield. Never underestimate the impact on your organization. Far too often, bad turns to ugly, and hypothetical scenarios become reality far faster than expected. While only a few have experienced that moment of realization so far, their number grows daily with new technology and cyber advancements. It is better to be ready than to face reputational damage, fines and never-ending conference room meetings on incident response, remediation and recovery.
To find out more about red team exercises and security incident response, contact Vaporstream.