How will your organization respond to a malware incident?

Your organization has an incident response plan, and it’s updated regularly: at least annually, and whenever significant personnel changes occur within the organization. Key leaders, from technical staff to human resources, legal, and public affairs, know their responsibilities as part of the incident response team. Communication plans and protocols are in place. From a planning standpoint, your organization seems well-positioned to respond to a data breach. The challenge? Planning and executing are very different things, especially when the pressure mounts and timely communication, decision making, and response are critical. The solution? Conduct cyber exercises to evaluate and validate your plan as well as the preparedness of your personnel.

Cyber exercises can be discussion-based or operations-based, depending on the objectives. Discussion-based exercises typically involve a table-top format, a defined scenario, verbal injects of events by a facilitator, and responses from participants. Operations-based exercises are usually a hands-on approach involving a simulation environment or cyber range. The former often provides the most realistic experience and outcomes. However, organizations must decide which is most appropriate depending on their cybersecurity program maturity.

Not sure where to start? The National Institute of Standards and Technology (NIST) provides guidance on establishing an exercise program in Special Publication (SP) 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.” To be effective, executive leadership support and a dedicated exercise program lead are essential. Supporting policy should be created, roles and responsibilities established, and an overall schedule set. The exercise team generally consists of subject-matter experts from across the business. These personnel become trusted advisors throughout the planning, development, and design process for the exercise. They commit to keeping the exercise details secret!

NIST SP 800-84 will walk your organization through determining a topic, scope, and objectives, and coordinating logistics. It includes sample scenarios to start the flow of ideas. A great additional resource for conducting cyber exercises is MITRE’s Cyber Exercises Playbook.

What should you evaluate? At a time when malware is prevalent and resulting in business losses in the billions of dollars, developing a scenario for a malware attack should be given strong consideration. Email and phishing continue to be heavily exploited attack vectors, and even with the advances in cyber defense capabilities, your organization’s security posture still relies heavily on end-user security awareness and training. When considering a malware attack scenario, examine recent events relevant to your industry (financial, healthcare, energy, government).

Research the malware involved. For example, Emotet, a trojan that can infect a computer and be used to steal sensitive and private information, targets the financial industry. The Department of Homeland Security identifies it as one of the most destructive and costly forms of malware. An additional resource to support planning efforts is NIST SP 800-83, “Guide to Malware Incident Prevention and Handling for Desktops and Laptops,” which provides recommendations for enhancing an organization’s existing incident response capability.

In summary, there is no substitute for experience. A documented and current incident response plan is a good start. However, your strategy should be continually evaluated through cyber exercises and enhanced as you discover gaps. Lessons learned should be captured after the exercise, highlight your priorities, be translated into actions, and be formalized as part of your risk management process. As your organization matures, increase the complexity of the scenarios to ensure you appropriately challenge the participants. Ultimately, your organization will become better prepared to address the ever-changing threat landscape and handle malware incidents, especially considering the implications of a widespread event.