
The UK public sector is seemingly under constant attack from cyber criminals. With small teams, challenges around resources, often a lack of out-of-hours work, and a policy of not paying ransoms, incident response for the UK public sector can be uniquely challenging. 

What is Breach Simulation?

Breach and Attack Simulation goes beyond hypothetical scenarios. It uses scripted attack scenarios that draw on industry standards such as MITRE ATT&CK to generate insights into your organisation’s vulnerabilities and to emulate the impact of real threats that exist today. 

Based on actual threat actor scenarios, simulations demonstrate the impact of a successful attack and allow the organisation to practise how it would respond. 

Why do Breach Simulation?

Anyone involved in incident response will tell you that it’s incredibly stressful. Other jobs that face stressful situations, such as the blue light services, have practised how to respond to the stress of critical incidents. Before they go into the incident, they know the plan and their role and have “muscle memory” of what they must do to respond effectively. 

This is rarely the same for cyber incidents, where the extent of preparing for a major incident is a written plan that has been put into the safe, ready to be deployed when needed. This plan often has not been reviewed or updated regularly. Breach simulation exercises are rare; therefore, people go into real-life incidents without fully knowing their role and how this impacts the response. 

Sometimes, we see internal tabletop exercises, which are more theoretical and do not practise the response. Often, they involve only senior management reviewing the plan without considering all the what-ifs that can happen in an incident. Having someone external, who has lived through real incidents, model an actual attack and play the role of the attacker enables the plan to be tested much more thoroughly. 

This lack of effective practice means that flaws in the plan are often picked up in the middle of an incident, which adds stress to the team and may cause a suboptimal response. 

Often, plans forget the human element of responding to an incident. For example, key people may be needed throughout the incident; if it lasts only a few hours and they are not on leave, that is manageable, but their availability cannot be assumed. If an incident takes days to respond to, it is essential that the plan includes human safeguards such as rest and handover provisions. This shows why it is critical that not just IT is involved in formulating the plan. Functions such as HR, finance, PR, and comms should also be involved, as cyber incidents are not just IT problems but organisational problems. 

The Positive Outcomes from Simulation Exercises  

One of the significant advantages of conducting a breach simulation is that it not only gives essential practice but also shows where improvements can be made so that the response is better next time. These improvements are often process or procedural changes with zero cost that can significantly improve the next response. Below are some typical improvements we see organisations make post-simulation: 

  • With attacks often timed to happen out of hours, how will your team contact those who need to be involved in the response? Teams are setting up WhatsApp groups for emergency use, including corporate and personal numbers. When implementing this, it is vital to ensure these channels are used only for IR purposes and are not ignored. 

  • Incident response plans should be reviewed and updated at least every quarter, as they often include staff who have left or are in a new role. 
  • Do senior management members have paper copies of incident response plans at home? When an incident happens, you cannot be sure you can access the plans. 
  • Virtual war rooms are often needed to respond effectively, especially in the post-COVID hybrid world. It’s often assumed that everyone will just be able to jump on a Teams call, but what if Teams has been taken offline, or if it’s no longer a secure communication method due to the nature of the attack? Having an alternative conference call bridge available for Incident Response purposes is recommended. 
  • Understand the cost of rebuilding the IT infrastructure from scratch, so that if this option needs to be considered in the response, the total costs, benefits, and time to achieve a complete rebuild are already known and it can be reviewed as an option. You don’t want to be pulling these costs together in the middle of an incident. 
  • Ensure you have a list of organisations you can call on to help, e.g. NCSC, partner organisations and potentially an outside Incident Response organisation. 

How Sapphire can Help 

Our breach simulation service works with you to create a realistic incident simulation led by an expert who has lived through dealing with actual incidents. The simulation is performed in one day, and a full report is provided after the event so that improvements can be made based on our recommendations.  

Get in contact to see how we can help you with an exercise. 
