
* Recorded live on Thursday, April 18, 2024. Please note since this recording, Covalence has been renamed Field Effect MDR.
The truth is organizations cannot reduce their cybersecurity risk to zero. Risk reduction is important, but so is being able to withstand the impact of a security incident when it happens.
That's where incident response (IR) readiness comes into play.
See what our cybersecurity experts, Thomas Dunne and Alyssa Parenteau, have to say as they explore how you can confidently prepare for a cybersecurity incident and:
Watch this exclusive webinar and become better prepared!
When it comes to incident response, readiness is really about advanced preparation in a number of different areas. We’re going to dig into what it means to be ready for a cyber incident. We'll talk about the idea of readiness and how we can improve it.
You’ll find that we’ll get into two very important aspects of the discussion: preparation and practice. That includes planning, testing, reviewing, and repeating those efforts when it comes to improving incident response readiness.
As we move through the discussion today, we’ll also turn to some information about two of Field Effect’s professional services—first, our Incident Response Readiness service, and second, a Tabletop Exercise service.
So first, let’s broach this topic about the challenge of cyber incident response and what that means. According to the Canadian Centre for Cyber Security, small and medium organizations are most likely to face cyber threat activity in the form of cybercrime that often has immediate financial or privacy implications.
In this kind of context, a lot of organizations—especially small and medium businesses—are faced with questions about what they should do strategically about cybersecurity and how they can protect themselves and their clients from harm. And in facing the prospect of a cyberattack, as common as that prospect is, how do we prepare for it?
To set the stage, let’s lay out a few of what we call the realities of cyber incidents that we see in the work that we do in incident response and incident response readiness.
First, cyber incidents happen all the time. They’re most common at the end of the week, on weekends, and during holidays. That timing matters because they can happen when you’re least prepared or when staffing levels are low. Likely, that’s a conscious effort by threat actors—targeting victims when they’re least aware or least protected.
Second, threat actors target organizations of all sizes across various sectors. There isn’t really an area of immunity from a potential cyberattack. While that might mean you’re not alone in facing the risk, it also means we all have to be vigilant to defend against it.
Third, threat actors commonly extort money from victims or use an initial cyber compromise as a vector for further attacks. For example, an employee might fall victim to a phishing attack, but the compromise may not end there. We’ve seen cases where that’s just the first step in a wider effort to commit financial fraud—using that employee’s email to access financial or banking information for an organization, or to manipulate relationships with suppliers or financial institutions.
Fourth, the threats we see range in sophistication, even within specific threat actor groups. Those threats are constantly evolving, and as a result, our preparation must also evolve over time and be updated to reflect changes in the threat landscape. One way to think about that is there’s a kind of trickle-down effect when it comes to threat actors.
You’ve probably heard stories about advanced persistent threats—some of the most significant cyber threat actors in the environment. But over time, as more has become known about those actors and the techniques they use, those same techniques have proliferated and spread to other threat actors as well. There’s now a wide range of sophistication and capabilities that threat actors bring to bear against their target sets.
Lastly, threat actors will always try to take advantage of the weakest link in an organization’s cybersecurity controls and practices. That can mean targeting your people or exploiting weak security controls around authentication and access to networks—for example, whether employees are required to use multi-factor authentication. It can also mean targeting weak practices around vulnerability management, such as when an organization has outstanding software or operating system vulnerabilities that require patching and updates.
All in all, the threat actors we observe and work to counter are consistent in their efforts. They will keep trying and trying to find that weakest link.
So, what kinds of incidents do we see in this space? And how can we describe some of the perspectives that make incident response so challenging? It’s helpful to look at some of the consistent patterns we see during cyber incidents that highlight the challenges of effective incident response.
First, a common thread is that organizations may lack in-house cybersecurity expertise. Without core cybersecurity and incident response skills, there’s often uncertainty or inertia about what to do when faced with an active incident and how to respond in the moment.
Second, victims often lack a documented and practiced incident response plan. They may also lack other forms of support—such as cyber insurance, legal counsel, or sufficient log management within their organization—that would help tell the story of what happened during an incident. When those absences are taken together, they compound to make an effective and efficient incident response much more difficult.
In our view, having an incident response plan is one of the most important things an organization can do to be prepared. It helps you prioritize response actions and provides critical guidance in a high-stress environment.
Third, we recognize that organizations face difficult decisions when trying to balance the continuation of their operations with incident response activities. There’s often a feeling that there’s a need to rush in order to keep operations going. Sorting and balancing decisions during an incident becomes even more complicated without an incident response plan.
Many organizations face competing internal priorities and may not have clearly documented steps for what to do first. Taken together, that can result in longer delays in fully responding to an incident and restoring operations to normal.
Lastly, on the topic of prioritization, many organizations tend to focus on restoration first—putting containment second—which can lead to longer response and recovery times. There are several reasons for this. In some cases, organizations begin restoration efforts without preserving data related to the incident. That makes it harder to identify how a threat actor gained access to the environment.
Without that kind of information or root cause analysis, it’s difficult to determine not only how to restore systems, but where to restore them, and whether the restoration will truly be clean—completely removing the threat actor from the environment.
When data about what happened during an incident is missing, it’s not possible to fully assess a threat actor’s impact. This can result in a situation where the threat actor regains access after the organization believes it has recovered.
These common challenges highlight the importance of planning and preparation ahead of an incident. With advanced readiness, organizations can greatly reduce the risks of repeated compromise and prolonged downtime.
In our work in cyber defense and incident response, we categorize the types of activities we see into six main types of cyber incidents:
In some cases, these incidents may overlap or be layered—they don’t always exist as clean, independent events.
Ransomware, as you’re likely familiar with, is financially motivated cybercrime. The threat actor’s primary goal is to gain access to an organization, exfiltrate sensitive data—such as intellectual property or personally identifiable information—and deploy ransomware in the network to extort payment. This can be either for decrypting the data or for preventing its public release.
Business email compromise is also very common. This occurs when a threat actor gains unauthorized access to one or more email accounts. Typically, it begins with a phishing or social engineering attack designed to lure a victim to a fraudulent login page or trick them into providing credentials. In some cases, threat actors may also deploy malware through attachments or use the stolen credentials to access the victim’s account directly.
Malware varies significantly in its function and purpose, but in all cases, it poses a major security threat. Threat actors often use it to abuse administrative accounts or privileges in order to gain access to sensitive data or to execute commands that allow them to carry out illegitimate activities and strengthen their presence within a network.
Information theft can occur in a number of different contexts, including through business email compromise or a malware event. At its heart, it occurs when a threat actor exfiltrates or steals corporate data from your environment and then uses that data—usually for extortion and financially motivated cybercrime.
Compromises of internet-facing services—such as web applications, web servers, or email services—are prime areas of interest and targets for threat actors because they provide initial means of access into an environment.
Unauthorized fund transfers are, again, financially motivated cybercrime, often enabled through phishing and social engineering attacks, or some combination of them. The threat actor aims to lure a victim into performing a debit, credit, or bank transfer to an account under the attacker’s control.
A prime example is when a victim receives a fraudulent email from a compromised email account requesting updated banking details for an outstanding payment—a very common attack vector. In that case, the victim is convinced to send payments to the attacker’s bank account.
Let’s turn now to a different take on the conversation. Instead of just what we see in the environment, what does it mean to be ready for an incident? In a recent webinar, we talked about the defense-in-depth approach, of which incident response preparation and readiness is a big part.
Defense in depth is really about applying layers of protection—ideally making the bullseye on your organization as tiny as possible. No single intervention will be perfect at preventing a cyberattack, but multiple layers of protection improve defensive success.
The same is true within incident response and incident response readiness. It’s not just one thing; it’s also a layered approach and a critical aspect of improving your ability to withstand attempts at cyberattack. If an event should happen, the purpose is not to avoid it completely—which is unlikely—but to be able to withstand it if it does.
When we speak with organizations about their current readiness, we ask questions like whether they currently have an incident response plan. Do they have a documented plan that identifies the actions or activities that need to be done in order to detect, respond to, and recover from an incident? Have they identified clear lines of decision-making during an incident? This ties closely to having accurate and clear documentation of roles and responsibilities within an organization.
We also work with clients to understand their investments in cybersecurity monitoring. That’s probably the most cost-effective way to protect your organization: invest in good monitoring.
We also ask whether the right people know what they need to do in case of an incident. Have responders within your organization been identified, and do they know what their responsibilities are when an event happens?
As mentioned earlier, some of this is about preparation, and some of it is about practice. We encourage clients to regularly test their plan and processes—ideally at least once a year. Testing your plan ensures you can identify gaps in your current processes and map out a mitigation plan to address them.
Lastly, we ask: do you know who you can call to get help? Many organizations aren’t in a position to detect and resolve a cyber incident entirely on their own. Having external support identified—with up-to-date contact information—makes the response process easier. Knowing who to call and when can go a long way toward reducing anxiety both before and during an incident.
Being well prepared for an incident means having a solid understanding across several layers: people, technology, and processes within your organization. Importantly, it’s not just about technology solutions. The people and processes are equally fundamental to readiness.
It’s about knowing when to do what and putting that understanding into practice—being able to call upon what you know during an incident. Recognizing your strengths and building from them is key to responding effectively.
The processes you have in place will be tested. Preparation in advance is like long, slow runs that someone does to train for a marathon—the more you prepare and practice ahead of time, the more you can reduce stress, panic, and anxiety during an incident.
We look at several key areas when evaluating readiness:
At a high level, the benefits of being ready and preparing in advance are significant.
The degree to which we prepare ahead of time has a direct correlation to reducing both the time and cost of recovery. Recent statistics show that organizations with a response plan in place experience recovery costs that are magnitudes lower than those without one. While exact figures vary, the difference can be substantial.
Preparation also improves returns on cybersecurity investments. Readiness helps prioritize where attention should be given, ensuring that investments are made in the right areas at the right times for maximum protection and value.
And finally, improving readiness has a strong connection to the human element—it reduces stress. Cyber incidents are stressful for employees and responders alike; no one likes going through them. The more we plan in advance and strengthen our readiness, the more we can reduce anxiety and stress for everyone involved.
There’s a clear cycle to developing resilience and effective incident response.
So a straightforward way to try and capture this is to consider five elements. First, secure your environment, ensuring that you have a security monitoring solution in place.
Second, preparation—readiness in advance, doing what you can to be ready before an incident happens. The primary focus here: developing an incident response plan.
Third, practice. This is about putting all of that advanced preparation into play, testing your plan and its presumptions and assumptions, validating ideas, answering questions ahead of time.
Fourth, review—taking a step back to consider how you’ve prepared and what you’ve learned in testing your presumptions. That’s going to help you identify what changes you might need to make and how you can adapt your preparation to make the execution more effective during a real event.
And lastly, repeating the process. Repetition is going to build muscle memory. It’s going to build confidence and assurance that, in the event of a real incident, the organization is going to perform well and mount an effective and efficient response.
I’m going to break down the preparation and practice elements by talking about two of Field Effect’s professional services: the Incident Response Readiness service—this is the “prepare” element—and the Tabletop Exercise, which is the “practice” element.
This service is designed for clients who want to be prepared to respond to an incident. It’s for clients looking to have an incident response plan and develop incident response playbooks. When I talk about playbooks, think back to the types of incidents described earlier: ransomware compromises, malware compromises, information theft, and business email compromise. Playbooks in the Incident Response Readiness service are designed to provide guidance for each of those types of incidents.
The service also helps clients make effective and efficient investments in their readiness. It clarifies where to begin. In our view, it’s not just an off-the-shelf incident response plan, because it’s developed based on our real-world cybersecurity experience and practical incident response cases. In all cases, the Incident Response Readiness service is led by a dedicated cybersecurity advisor—with plenty of human-to-human consultation and contact—and that person works with clients from start to finish.
The service begins with a survey that allows clients to provide a detailed baseline of information about their current readiness posture. That survey information allows us to gain a thorough understanding of an organization’s threat surface. We dig into questions about security controls and practices, and align those questions to our knowledge of the most common threat actor approaches—phishing, social engineering, security controls like multifactor authentication, and questions about remote desktop solutions or how remote connectivity is managed within a network.
From there, your cybersecurity analyst will work with you to analyze your survey responses and prepare a detailed reporting package. It will outline our observations on your current posture and provide prioritized recommendations on how to improve it. The service includes regular consultation and check-ins from start to finish and wraps with a debrief Q&A session that allows us to highlight everything we’ve found.
The service is also accompanied by a two-month deployment of Field Effect’s Managed Detection and Response service. For this, your analyst will work with you to establish comprehensive monitoring to cover your network traffic, endpoints in your environment, and cloud solutions you may use. At a high level, this is what the service is—but importantly, it’s worthwhile because it prepares you in advance for faster, more effective response.
If I had to answer this question in one sentence, I would say that investing in readiness and preparation in advance will save both time and money later on should an incident occur. The service helps you assess all the key aspects of your readiness, including critical activities and security controls related to your people, processes, and technologies.
But it also includes a couple of critically important deliverables.
First, concise and easy-to-understand reporting. This includes a clear set of prioritized actions to improve your readiness program, along with rationales for why those recommendations are important.
These recommendations are also grouped to support multi-year planning. Some organizations may have a lot of work to do, while others less, but our goal is to tailor recommendations in a way that makes them achievable. In some instances, we may recommend addressing high-priority elements immediately—in the first year—and tackling lower-priority recommendations in later years.
The second deliverable is a tailored incident response plan and incident response playbooks. These are fill-in-the-blank style plans and playbooks that we customize with clients so they can quickly adapt and implement them. They’re right-sized for your organization and designed with your specific needs in mind. The playbooks are also customized for the six main types of cyber incidents described earlier.
So I’ll move on at this point to tabletop exercises.
Here, we’re taking the theory and putting it to the test. The tabletop exercise service is designed for clients who want to ensure they are better prepared to respond to an incident. It’s about practicing, evaluating, and validating an organization’s incident response plan, and building the muscle memory ahead of an incident that proves most effective and valuable when a real event occurs.
The exercise also helps identify areas for improvement, but does so in a safe environment. When an incident happens, it’s often a trial by fire, but creating a controlled setting to test a plan in advance is a great way to find gaps in current procedures or practices and determine how to prioritize mitigation before an event happens.
As with the Readiness Service, the tabletop exercise is developed based on real-world incident response cases and threat actor tactics. The service is led by a dedicated cybersecurity advisor who acts much like a master of ceremonies. Your advisor works with you to design an exercise scenario tailored to your organization’s needs and environment. The goal is for the exercise to look and feel as real as possible for participants, which enhances engagement, outcomes, and overall value.
Your cybersecurity advisor facilitates both the planning and execution of the exercise, including running the live session on the day of the event.
A tabletop exercise helps you practice and refine your incident response readiness. It allows you to explore and discuss possible response actions and considerations at each step of incident response. That includes evaluating the end-to-end aspects of the processes you have in place. In a guided, stress-free, and informal setting, the goal is to improve your ability to triage events as they happen, escalate decisions when necessary, and address critical and concurrent cybersecurity issues.
In exercises that we’ve done, the most meaningful aspects are often the spur-of-the-moment conversations and questions that members of an organization ask each other.
Your facilitators work with you to provide prompts based on the tailored scenario and to guide conversations to meaningful places.
As an example, participants often want to explore their organization's thresholds for decisions. That might include when to notify employees or stakeholders that an incident has occurred. It might also include discussing their common understanding or position on engaging with a cyber threat actor who has issued a ransom demand for their data.
Organizations also often want to dive deeper into considerations around communications—both internal and external. That includes communication with employees, the wider community, the public, or regulatory agencies, as required.
We often discuss with organizations the need to understand their legal obligations pertaining to personally identifiable information and data breaches. For some organizations, depending on their jurisdiction, their industry, or sector, they may be subject to different obligations or legal regimes in those kinds of areas.
One of the most positive aspects of tabletop exercises is that these sorts of questions can be explored in an open, collegial, and stress-free environment. Our role in facilitating the exercises is ensuring that all of those kinds of questions, suggestions, and reactions are welcome from participants.
A few final comments about the cycle described: secure, prepare, practice, review, and repeat.
Securing your environment through security monitoring is one of the most cost-effective ways to protect your organization. Ensure that monitoring includes endpoints, network data, and cloud presence, as most organizations now operate heavily in the cloud.
Preparing means developing your incident response plan—having that plan and understanding that the more you plan, the more you save time, money, and stress before an incident occurs. A good plan should cover the key themes we discussed today: roles and responsibilities, identifying high-value assets, backup and recovery processes, and communication plans for an incident.
Practicing your plan builds the muscle memory that ensures a stronger response when an incident happens.
Reviewing and repeating are equally important. Review your security monitoring, your plan, and your testing. Together, these steps help identify areas for improvement and prioritize them appropriately. Reviewing also helps uncover and reinforce strengths in your current practices, ensuring you continue doing what works well.
Finally, begin again. The more we repeat these processes, the more we can embrace the journey in cybersecurity—knowing we’ve done everything possible in advance to be ready for any incident.
Q: Do you create incident response (IR) plans for MSPs or MSSPs, as well as customized plans for each of their client organizations?
The short answer is yes—we do that. We can help an MSP or MSSP with both their own environment and their clients’ environments. We’ve done this before, and in those cases, both organizations often collaborate closely.
With services like the Incident Response Readiness Service, there’s sometimes a need for both the MSP and their client to provide input—especially when answering survey questions and clarifying security controls and practices. It’s important to establish where responsibilities lie between the MSP and their clients to ensure clarity and an effective response plan.
At the end of the day, we recommend reaching out to us directly so we can have that conversation and determine the best approach for your organization.
Q: Who should be part of a tabletop exercise?
This is a great question and one we discuss at length with clients when planning their exercises.
The simplest answer is: include the individuals or groups whose reactions and processes you want to test. Exercises can also be designed to engage different groups within an organization. For example, some organizations want to test their executive team’s involvement, while others focus on their IT teams.
In many cases, IT is well-versed in handling the technical response, but challenges can arise as decisions move up through management or when coordination with other departments is needed. That’s where clarity around roles, responsibilities, and decision-making authority becomes vital.
The role of the cybersecurity advisor in designing the exercise is to ensure there’s a clear understanding of your objectives—both in terms of the type of event being simulated (for example, ransomware or data breach) and who should participate. The advisor ensures everyone’s engagement so the entire organization gains the most value from the exercise.
Q: Does Field Effect sell an incident response plan template?
Yes, the template is provided as part of the service. We begin with a template and then work with clients to adapt it to be the most effective for their purposes. But we would certainly recommend having a plan; it is important for all organizations, regardless of size. To summarize, we don’t necessarily sell a template on its own, but it is part of the services that we offer.
Q: Is the tabletop exercise sold standalone, or is the earlier IRP service required as a prerequisite?
There is no prerequisite. These products can be bundled together, but they can also be sold alone. And what we do suggest is contacting us and having the conversation, because we might be able to help you understand which one would be most beneficial to do first, depending on where you are in your cybersecurity journey.
We’ve had this kind of conversation with clients about which to consider doing first. In some cases, for example, if organizations already had an incident response plan, they might want to test it first, as an initial means of enhancing or improving it, and then do a more comprehensive readiness service with the survey and consultations that accompany it.
Other organizations have taken the view that, since they don’t have an existing plan, they should start with the readiness service, glean a broad but comprehensive set of recommendations for their threat surface and for improving their processes and procedures, use all of that to develop their incident response plan, socialize that plan within their organization, and then test it through an exercise.

