Cyberincident Response Planning

Posted by CaptainObviousII@reddit | sysadmin | View on Reddit | 3 comments

In the interests of preparing for a cyberincident, I am curious to know what others are doing to incorporate simulations into their response planning. I would like the simulation to be as realistic as possible but obviously not involve production equipment. Do you created a mirrored environment and just "pretend" the server has been locked? I would like to create a fully documented playbook for our environment so that if this was to occur, we would not be shooting from the hip. I appreciate any feedback.

Reply to Post

3 Comments

[-]

smc0881@reddit

Look into table top exercises.

[-]

CaptainObviousII@reddit (OP)

We have done plenty of tabletop exercises. I personally like CISA's different offerings. My issue is that it all seems somewhat hypothetical. I'd like to do something similar to a tabletop but as each phase rolls out, get a sense of the timing. Server restoration times, endpoint restoration, forensics, etc. Do we notify immediately or attempt to ascertain what the true damage is first etc. Thank you for the recommendation. Tabletops are definitely useful for the planning process.

[-]

smc0881@reddit

A lot of those questions come down to business decisions, amount of damage, current infrastructure setup, and how bad the bad guys destroy it and they will. If you have good EDR/XDR monitoring in place and configured properly you can start DFIR immediately. When my company gets hired we can utilize various EDR tools to collect triage and other relevant data for all end points we monitor and ingest them into a SIEM. Server restoration times vary depending on if your backup were trashed, you need to negotiate or buy something like decryptor, and other factors. I would think for you to do what you wish you would need to setup a test lan that is nearly identical to your setup. Then try turning off your domain controllers and seeing how you would resolve that. Pretend your backups got encrypted or destroyed along with your immutable backups (I hope exist). Things like that, which should be talked about in a table top hopefully.