When it comes to the future of cybersecurity, an ounce of prevention is worth far more than a pound of cure. According to the Ponemon Institute and IBM Security’s 2020 Cost of a Data Breach Report, enterprises that designated an incident response (IR) team, developed a cybersecurity incident response plan (CSIRP) and tested their plan using tabletop exercises or simulations, saved an average of $2 million in data breach costs. These savings were compared to companies that didn’t take these preparatory steps. 

To improve preparedness — and bolster security teams’ confidence — it’s essential to move beyond creating flat, static incident response plans and instead use brief crisis simulation exercises that closely mimic what would take place in a real-world attack today. Here are five key ways to achieve this.

2020 Cybersecurity Trends

The future of cybersecurity brings with it a lot of changes, some of which we can predict today. Not all incident response planning and cyber crisis preparedness exercises are created equal, as a new Osterman Research study highlights. In fact, businesses tend not to be prepared for the most rapidly expanding threats, including ransomware. Ransomware’s prevalence increased by 365% between Q2 2018 and Q2 2019, and then grew by another 148% during the COVID-19 crisis. Teams also tend to work from cybersecurity incident response plan templates that are too general, failing to include attack-specific playbooks, realistic simulations or multiple varied attack examples.

It’s the nature of cybersecurity in 2020: attackers’ strategies and techniques change rapidly. According to IBM Security X-Force Incident Response, which has seen an explosive increase in ransomware attacks this year, particularly in Q2 of 2020, today’s attackers are very agile. Ransom demands are increasing by leaps and bounds while attackers narrow their focus to victims, such as manufacturers who can incur millions of dollars in losses from a day-long halt in work, and thus have little tolerance for downtime.

Threat actors are also blending new data theft-based extortion tactics into ransomware attacks, stealing sensitive company information and threatening to make it public if their victims don’t pay for the decryption key. These altered tactics demand revised incident response and crisis recovery plans, but many security teams aren’t keeping pace. 

There’s a widespread tendency to review, update and test enterprise-wide incident response plans slowly, even as the future of cybersecurity arrives. Meanwhile, attackers evolve more quickly. This likely contributes to the lack of confidence displayed by the senior leaders surveyed in the Osterman Research report. Nearly 40% of respondents said they were not confident their teams would be able to handle a data breach if one were to occur that week.

1. Build a Cybersecurity Incident Response Plan 

First of all, it is essential to have a formal plan. Among the IT and security professionals surveyed in IBM Security’s 2020 Cyber Resilient Organization Report, those designated as “high performing” were more than twice as likely as the average entity to have a cybersecurity incident response plan (CSIRP) for their whole enterprise. What’s notable about these high performers, though, is their plans were more likely to be applied the same across the entire company. They were also far more likely to have developed response plans for specific attacks than the average responder.

Consistent training across the business or other entity is a mark of buy-in from leadership on down to front-line employees. An effective security awareness training program can help to foster this mindset, as can a commitment from the C-suite to regularly plan, practice and improve cybersecurity crisis response procedures.

2. A CSIRP Is a ‘Living Document’

The 2020 Cyber Resilient Organization Report found that across industries, organizations that don’t review and update their CSIRPs often are more likely to face disruption to IT and business processes in case of a breach. Nonetheless, only 7% of participants in the survey review and update their CSIRPs on a quarterly basis. A significant number (40%) don’t have any set schedule at all for preparing for the future of cybersecurity in this way.

Because today’s threat landscape is evolving so quickly, the only way to prepare adequately for the specific attack types and vectors most likely to impact your individual enterprise is to incorporate threat modeling into your IR planning. In turn, this is impossible to do if you aren’t updating your plans frequently. Ransomware tactics — which have grown in prevalence by nearly 70% in recent years — are speedy and change fast.

“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” says James Hadley, CEO of Immersive Labs. 

3. Thoroughly Test Any Plan 

According to the Osterman Research report, a majority of security leaders (61%) believe that having an IR plan in place is the single most effective method to prepare for a future attack. But as the Cost of a Data Breach Report reveals, practicing for a real-life crisis is equally if not more important. The average total cost of a data breach for companies that tested their IR plan using tabletop exercises or simulations was $2 million less than the average breach cost for groups that did not test their plans. 

Like updating the IR plan, running tabletop exercises or other simulations tends to happen far too rarely to be as effective as it could be. More than one-third of groups surveyed by Osterman say they conduct tabletop exercises, fire drills or other training only every one to two years. This simply isn’t enough to present realistic scenarios based on the techniques currently favored by attackers, not to mention those coming in the future of cybersecurity.

4. All Methods of IR Testing Are Not Created Equal

There are intrinsic problems with the nature and format of tabletop exercises. The most common method for conducting them (employed 65% of the time, according to Osterman Research) involves discussion and review of PowerPoint slides. Stakeholders tend to find these boring, and they often fail to convey the importance of psychological readiness for an attack. They also fail to generate increased buy-in from key stakeholders or raise awareness.

Many times, senior business leaders simply don’t show up for these sessions. In some cases (25% of the time, according to Osterman Research), even senior cybersecurity leadership fails to attend.

Yet actual cybersecurity crises impact nearly every area of the business, with legal teams, marketing and PR and executive leadership all having critical roles to play in the response. Even so, it’s difficult to assemble teams from across the enterprise for tabletop practice sessions.

Furthermore, there’s an inherent trade-off within tabletop exercise planning. The more detailed and specific the exercise, the more useful it is for getting people ready for a real-world incident. However, the more numerous, detailed and specific the cases covered within a tabletop exercise, the longer that exercise will take. A major time commitment makes it more difficult to schedule and more onerous to conduct. A key challenge is to balance frequency with depth. 

5. Try Online Crisis Simulation Training

There’s a great need for crisis training that’s more effective than what most providers currently have in place. One emerging product offering provides brief, gamified crisis simulations online. These exercises are quick to complete, can be tailored to address an enterprise’s most pressing current risks and run on demand. Remote workers, who otherwise tend to be neglected during in-office simulations and larger-scale practical training sessions, can access them. And they are less burdensome than conducting tabletop exercises. Therefore, online crisis simulations may generate increased buy-in across the enterprise, even among non-technical staff.

Prepare for the Future of Cybersecurity

There’s no doubt that the future of cybersecurity will depend on new technologies. But not all of these technologies will involve collecting data, monitoring or controls on IT infrastructures. Some will instead assist in improving the way humans respond in a crisis. Blocking cyberattacks and preventing data breaches requires both technology and human buy-in.
