Security professionals are planners by nature. Our industry expects planning, legal and standards compliance requires it, and we drive ourselves toward it. However, the best plans fall out of date quickly. And as the adage commonly paraphrased as "no plan survives contact with the enemy" states, even properly maintained, up-to-date, and well-thought-out plans may fall apart during an incident.
What's the remedy? We certainly shouldn't throw out our plans. Instead, we should test and adjust our plans so that when the real enemy shows up, we might have a plan that survives, at least from a broad perspective. In short: security professional, hack thyself!
Self-hacking goes by many names. Penetration testing, security auditing, compliance testing, mock security drills... the list goes on. The testing can be against physical assets, information assets, or both. Whatever you call it, whatever you target, it is imperative to practice your incident response.
There are lots of penetration testing professionals out there. If you don't already have an external partner or internal testing team, get one now! It's too late during an incident to cobble together a group of people who have never worked together before, especially under duress in a stressful environment. Build cross-functional incident response teams from across the business and introduce them to one another. Establish a line of communication with law enforcement, legal representatives, and forensics experts before you test, involve them in plan testing, and solicit their feedback.
After your teams are built, consider a practical test. Care should be taken during any type of potentially disruptive testing. Adequate education and communication should be part of any event. And most importantly, contact your legal team! I am not a lawyer and cannot vouch for the legality of any actions in your enterprise.
But where should you start testing? Have you identified weaknesses in policies and compliance in the past that your business would benefit from practicing? Not sure where your weaknesses may lie? Cisco offers security assessment services to identify potential weaknesses.
After a plan is approved with lawyers and management, testing can take many forms. One of the most basic areas to start your testing may be anti-virus systems. However, in testing, live malicious software should never be used! Instead, deploy EICAR files, distributed via e-mail to internal users. You could drop USB drives with EICAR files around the office to see who might pick those up and put them into end host machines. Ensure users know the proper avenues for reporting potential malicious software infections.
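The value of an EICAR exercise comes from reconciling what you planted against what the anti-virus console quarantined and what users actually reported. The script below is an added example, not code from the original post or from Cisco: it builds the public EICAR test string (in two halves so the script itself is not quarantined on disk), and then matches constructed endpoint AV log lines and constructed help-desk tickets back to each planted file. The log format, host names, user names and deployment list are all hypothetical; substitute your own exports.

```python
import hashlib
import re
from typing import Dict, List, Optional

# The EICAR test string is public and is recognised by AV products as a harmless
# test signature. Assembled from two halves so this script does not itself trip
# an on-access scanner while it sits on disk.
EICAR_PART_1 = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
EICAR_PART_2 = r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test file content (no trailing newline)."""
    return (EICAR_PART_1 + EICAR_PART_2).encode("ascii")


def eicar_sha256() -> str:
    """Hash used to tie AV alerts back to the planted file."""
    return hashlib.sha256(eicar_bytes()).hexdigest()


def write_eicar(path: str) -> str:
    """Write the test file in binary mode (so no newline is added) and return its hash."""
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return eicar_sha256()


# --- Constructed exercise data (hypothetical; not from any real environment) ----
# Email deployments go to a named user on a known workstation; a USB drop has no
# host until someone plugs it in.
DEPLOYMENTS = [
    {"id": "D1", "channel": "email", "target": "jdoe", "host": "WS-017"},
    {"id": "D2", "channel": "email", "target": "asmith", "host": "WS-042"},
    {"id": "D3", "channel": "usb", "target": "lobby-drop", "host": None},
]

# Constructed endpoint AV log lines in an invented key=value format.
AV_LOG = [
    f"2024-05-02T09:14:03Z host=WS-017 user=jdoe action=quarantine sha256={eicar_sha256()}",
    "2024-05-02T09:20:11Z host=WS-042 user=asmith action=allow sha256=" + "0" * 64,
    f"2024-05-02T10:02:45Z host=WS-099 user=bking action=quarantine sha256={eicar_sha256()}",
]

# Constructed help-desk tickets: who used the official reporting channel.
TICKETS = [
    {"reporter": "jdoe", "subject": "Suspicious attachment in email"},
    {"reporter": "bking", "subject": "Found USB stick in lobby, plugged it in"},
]

LOG_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) sha256=(?P<sha>[0-9a-f]{64})"
)


def detections_from_log(lines: List[str], sha: str) -> Dict[str, Dict[str, str]]:
    """Map host -> {user, action} for every log line whose hash is the test file."""
    hits: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("sha") == sha:
            hits[m.group("host")] = {"user": m.group("user"), "action": m.group("action")}
    return hits


def reconcile(deployments, log_lines, tickets, sha) -> Dict[str, Dict[str, object]]:
    """For each planted file: did AV quarantine it, and did a user report it?"""
    hits = detections_from_log(log_lines, sha)
    reporters = {t["reporter"] for t in tickets}
    known_hosts = {d["host"] for d in deployments if d["host"]}
    result: Dict[str, Dict[str, object]] = {}
    for d in deployments:
        hit: Optional[Dict[str, str]]
        if d["host"]:
            hit = hits.get(d["host"])
            user = d["target"]
        else:
            # A detection on a host not tied to an email deployment is attributed
            # to the USB drop, and the log tells us who plugged it in.
            stray = [h for h in hits if h not in known_hosts]
            hit = hits[stray[0]] if stray else None
            user = hit["user"] if hit else None
        result[d["id"]] = {
            "quarantined": bool(hit) and hit["action"] == "quarantine",
            "reported": user in reporters,
            "user": user,
        }
    return result


def coverage_gaps(result: Dict[str, Dict[str, object]]) -> List[str]:
    """Deployments that neither the AV nor a human caught: the follow-up list."""
    return [k for k, v in result.items() if not v["quarantined"] and not v["reported"]]


if __name__ == "__main__":
    outcome = reconcile(DEPLOYMENTS, AV_LOG, TICKETS, eicar_sha256())
    for dep_id, row in outcome.items():
        print(dep_id, row)
    print("gaps:", coverage_gaps(outcome))
```

In the constructed data, D2 is the interesting row: the file reached the workstation, the AV logged an allow for something else and nothing for the test hash, and the user never opened a ticket. That is the combination the exercise exists to surface, and the gap list is what feeds the awareness follow-up described in the paragraph above.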
Spearphishing is another attack vector that is difficult to defend against and could benefit from testing and training. Initiate a phishing campaign against your own employees. Combine the effort with training and awareness notices.
Disaster recovery is another important area of testing. Weather or violent crime may be unthinkable tragedies, but their impact can be mitigated through drills and practice. FEMA publishes resources for tabletop exercises that can be adapted into mock drills.
In many enterprises, incident response gets plenty of practice because real incidents happen all too often. However, only certain parts of the business are involved on a regular basis, mostly the incident managers whose job it is to handle response. Bringing in other members of the organization is important for several reasons. Staged exercises can reach end users who, with training and awareness, can be allies in the security fight.
Employees without training and awareness of incident response policies, and lacking sufficient practice, may be unequipped or fearful in the event of an actual incident. An employee may be scared to report an incident, afraid that their job may be on the line. Employees may believe that reporting an incident may be someone else's responsibility. Or an employee may not know where to report an incident. Practicing incident scenarios will help employees become more comfortable about what to do in a crisis.
Whatever you do, don't just make your response plans and put them up on a shelf to gather dust. Bring in experts to go over them. Break them out and test them. Don't just involve the regular incident team but expose the entire enterprise. You may find that educating employees to report what they see can shorten time to recover from an incident and, in the long run, save money on costly recovery.