IR
Incident Response
5
N/A
Perform unannounced operational exercises to demonstrate technical and procedural responses.
This practice requires a company to be able to plan and initiate an incident response exercise without the incident response team knowing it is going to happen. This is not about planning an IR test with all parties involved. The purpose of this practice is to test the IR team and its solutions without a priori knowledge, so that the simulated incident helps identify gaps in the current procedures or technical solutions. All findings should be fed into a feedback loop to improve the IR procedures and to identify any technical shortfalls. This feedback helps the organization prioritize changes for future modification of the process.

Example 1
You are the CISO of the organization. You have been asked by the CIO to run a no-notice event to test the incident response of the cyber defense and/or response team. You are not allowed to tell the team before the event starts. The CIO made this request in order to get a realistic event. You bring in a couple of your internal red team members and work with them to plan a few local incidents that exercise the IR capabilities as built. After developing the plan, you authorize the red team to launch the tests at 7 AM on a Monday morning. You have one employee (white cell) sit in with the DCO team and another with the red team right before the incident response tests are launched. Each member of the white cell is asked to take detailed notes on what is observed at each location. This information is compiled and presented to the CISO and the CIO at a later point. The information helps identify areas of concern and build a prioritized list of future modifications to the process.

Example 2
You are the CISO of the organization. You have your red team borrow an admin account for a server in the data center, after the admins create an account for you. You have already worked with the red team and created a couple of incidents that will help test the IR capability in a remote datacenter. This will help identify whether the right tools and procedures are in place to handle a remote incident. You authorize the red team to launch the tests on a Friday evening, when people are not typically at their desks. You have one employee (white cell) sit in with the DCO team (in this case, monitoring their chat line) and another with the red team right before the incident response tests are launched. Each member of the white cell is asked to take detailed notes on what is observed at each location. This information is compiled
N/A
An organization is stronger against a cyber-attack when its incident response capability has been proven able to handle a live incident. Operational exercises require the use of the operational environment by the staffed, operational personnel; they are not performed in a test environment. By performing this practice an organization tests its incident response capabilities and procedures as outlined in the IR plan. These tests should be built specifically to trigger the organization’s IR process. This involves the cyber defenders walking through the procedures as well as using their technical solutions. Preparation for an operational exercise might include performing a tabletop exercise to walk through the process, which helps identify shortfalls in the process beforehand.
CIS Controls v7.1 19.7
CMMC