Test Your Breach Plan Before the Event, Not During

In part 1 of this article, When a Breach Hits, the Best Defense Is a Good Offense, we examined what’s involved in creating a breach plan and why it’s so important. All plans are built with the best of intentions. The real value comes from practical and frequent use of the plan to find the gaps, weak points, and opportunities for improvement.

Think about it this way: if you spent a year documenting how you plan to learn to fly a plane, read all the books, and questioned the right pilots, would you be ready to fly that plane? How about in a storm? The point is that the real breach must not be the first time you find out whether the plan works. So test the plan, and test it with variables intentionally designed to stress the teams during real-time tabletop exercises. Below are some creative variables to consider. Some of these are, unfortunately, real-life experiences from actual breaches, so it is likely that some of them will happen to you:

Your primary form of communication in your breach plan is email. The team is global and email is used every day, so why would you not communicate during a breach the same way you do daily? Well, in this variable, the primary assets under attack, and suspected of full compromise, are the email servers. Coordinating a response against the adversary over a channel the adversary may be reading is a bad bet: every message about containment tips them off, and any instruction you receive over that channel may have been forged. Your plan should assume that most, if not all, of your normal communication systems are no longer trusted or operational. Have an external, cloud-based instant messaging system ready for use during these trying times, with its own accounts so that it does not depend on the environment you suspect is compromised.

Company assets are part of the breach. So you think you are good now with communications? Think again. This time the attack is encryption spreading across all company assets: every time employees log on, their machines are encrypted. What do you do? Have backup cold laptops (spare machines kept powered off and off the network until needed) and a BYOD strategy. Not every employee is essential during a crisis. Identify essential staff and ensure they have spare IT assets or personal devices they can use in case your company assets are part of the breach.

Your communications production systems are impacted. Your communications team is prepared for the breach. They are ready to update the company website with the latest news to ensure customer confidence is managed. However, this latest breach affected your production systems. All non-essential web servers need to be removed from the network in case they are compromised. This, unfortunately, means the company website might not be operational. So, have a third-party hosted dark website. This website (aka “darksite”) is not tied to company networks or assets. It’s also not accessible to the general public unless you are in crisis mode. For example, mycompany.com is associated with your corporate daily web branding. Purchase and build a secondary website on a third-party hosting system, such as mycompany.com/trust. The important caveat is that this site must actually be served from the third party’s infrastructure, not from the web servers you have just unplugged, so make sure the DNS or redirect changes needed to bring it live can be made from outside the affected environment. This site has some canned contacts, key FAQs, and is ready to go live at a moment’s notice. During the crisis, you, of course, add content related to the specific situation. Also, don’t forget about social media and other forms of communication. Identify who is allowed to update Twitter with the latest facts about the breach.

The plan itself resides on an internal file server. This is one I love to add as a variable, and it’s related to the plan itself. The plan will have the steps (playbooks) that attempt to identify the actions each part of the business will take. But again, where is this plan located? Often, in my simulations, I will attack SharePoint or some other internal file server or document management system, because that is where all the electronic documents are located. So, during a breach, if your file server needs to be taken down because it’s part of the breach, and the breach plans are no longer available, you are in trouble. In the past, I would often issue a USB stick to every essential staff member. In today’s cloud-based world, ensure that you have a dedicated cloud-based file repository with all the mission-critical crisis documents in one location. Again, don’t tie it to your company credentials: use a third-party service with accounts native to that service (not federated to your single sign-on), because your Active Directory and all the passwords it holds may be offline or untrusted. Having a third-party, off-site document repository is critical. Further, have mobile phones readily available and configured for rapid access to those resources. Additional items you will want to store here include phone numbers for essential staff, law enforcement contacts, key executives in the company, investors, customers, etc.

In summary, the best plans are those that are tested as often as possible. Another tip for the quarterly test is to take a breach that has actually occurred elsewhere, use it as the scenario for your internal exercise, and test your plan against it. Without fail, every new scenario we ran identified a new opportunity for improvement. Most breach scenarios produced no fewer than 10 significant findings and gaps in the plan. In some cases, the way the business operated was updated, and, in the end, that’s what is important.