We are far from a breach-free world. After all, even cybercriminals have shown their own form of resilience. For example, after a short hiatus, the ransomware group REvil came back in September 2021. Until the day we can leave our ‘cyber front door’ unlocked, any organizational resilience framework you employ needs to include a healthy dose of training and testing.

Training and testing may get the “nice, but don’t have time” treatment, or worse, the “this is fluff” eye roll, but both are vital to your resilience. What if you are wondering how to prioritize these tasks? The Dwight D. Eisenhower decision-making matrix, also known as the Urgent/Important Matrix, is useful for this.

In the matrix, training and testing fall into the ‘Important, Not Urgent’ (or top right) quadrant. When tasks fall into that quadrant, your job is to start scheduling. Sticking to a regular training and testing schedule is key to success.

Do Champions Win Without Training?

Regardless of which cybersecurity framework you end up using, a serious one includes training and testing. Training and testing build muscle memory, locate gaps and help people learn. To reference President Eisenhower again, as a general, he said: “In preparing for battle, I have always found that plans are useless, but planning is indispensable.”

Training is part of your incident response battle readiness. Be honest: have you ever seen a pro athlete win a championship without serious training? Does a trial lawyer walk into a courtroom without preparing and wing it? Has a successful entrepreneur never had failures? There are a few people, outliers, who have incredible natural gifts. Even they, like the rest of us mere mortals, must practice to be successful.

And for all you chief information security officers out there, your tech skills might have gotten you the job, but those same skills won’t always help you keep it. Your success is a function of your team’s success, and really, the organization as a whole. That means you, or your delegate, need to drive the security-minded corporate culture change. That can only come through awareness and training.

There may be another eye roll after reading that. “More fluff talk” perhaps is coming to mind. Yes, like governance, training and testing may be more on the ‘soft side’ of organizational resilience issues. But they are probably also the hardest issues to tackle. This is even more true nowadays, when the line between professional and personal use of devices is somewhere between thin and non-existent.

Organizational Resilience Lesson Planning 101

The ‘people don’t care’ excuse only gets you so far. From a management perspective, if training is not yielding those muscle memory results, your lesson planning needs a check. How much have you learned and retained from a poor teacher, apart from that they were a bad teacher?

No matter how well-configured or orchestrated your infrastructure is, your only hope for a successful resilience program and incident response rests solely on people knowing what to do before, during and after the boom. That means some serious organizational resilience lesson planning is required.

Four Tips for Good Testing and Training

Four takeaways for you:

  • Timing. Schedule training on a regular basis to build muscle memory.
  • Mindfulness. Be mindful of people’s time. We are looking for basic survival skills here, not a dissertation on network connections.
  • Literacy. Make sure your lesson plan is written at a grade 4 literacy level. This is absolutely not a knock on who you are training. It is simply that cybersecurity resilience is likely not their main job. Anything that is not clear will likely be forgotten shortly after the lesson. You are going for muscle memory.
  • Appeal. Training can be boring. Make it fun and try different techniques, such as gamification.

That all sounds obvious, right? So why are breaches still happening? Why are threat actors using old tricks and showing great success?

It’s because people aren’t performing the basics and a security-minded culture doesn’t exist. Knowing which data center or region you are supposed to fail over to, or knowing the technical details of how all that happens, is great and needed! But if you do not know who the application and data owners are, or have not immersed yourself in your crisis communication messaging, or you do not know what your contractual obligations are, your best-laid plans are set for failure.

You Don’t Have a Plan Until You Test a Plan

Once you are confident that your people have adequate training, it is time to put everything to the test. There are a few types of tests you can go through. Test type and frequency for organizational resilience should be based on how critical each business process and asset is. Here are some pretty standard options:

  • Notification/Validation. Before any extensive testing, make sure you are talking to the right people and have the correct assets tagged. You do not want to perform a business process transfer only to find out the owner of that process left the company three months ago. This test is simply to make sure you have the correct information.
  • Walkthrough. Think of this as ‘test by script’ and even a great way to train and build up that muscle memory. This might be boring, but you need to know which routes you are running before you hit the field.
  • Tabletop. A controlled environment that makes you think. You are not exactly knocking stuff over on purpose yet, but you are thinking through the challenges. And, where possible, use an incident that represents what is going on in the world. If everyone is getting hit by malware, that meteor strike scenario may be right.
  • Functional. All right, let’s knock it over and see what happens. Are we actually meeting our Recovery Time/Point Objectives or are they just fantasies?

What Comes After Testing in Organizational Resilience?

Remember your lesson planning? Well, you need to capture and act on your findings after the exercise so you can tweak both your lessons and your resilience plans. The best place to capture those findings is in an after-action report. Think of it as an ongoing improvement cycle that helps you keep up with the latest threats while reducing your risk profile at the same time.

In the next piece, we’ll change gears a bit and focus on privacy.
