
Incident Response Plans and Tabletop Exercises May Be a Waste of Time

BY Larry Gagnon

November 24, 2022 | 6 MINS READ

Incident Response

Cybersecurity Strategy


Suppose you have invested considerable time and money creating an Incident Response Plan (IRP) and delivering annual Tabletop Exercises (TTE) within your organization in the hope that these efforts will drive an efficient and effective response when a breach occurs. If that is the entirety of your response strategy, you are going to be disappointed. Developing and delivering an IRP or TTE in isolation does not improve the effectiveness of your incident response. If your incident response preparation does not include some fundamental tactical actions, then when the time comes and your house is on fire, your breach response will fail to meet your expectations, I promise.

In my 23 years of delivering incident response and digital forensics services to companies, I’ve become fairly adept at predicting how an incident response engagement will go based on the first 10 minutes of an initial call with a client. Some clients are well prepared and able to work through the incident process with our team and get back to routine operations in a couple of days. Other, less prepared clients are in for a painful experience that can drag on, consuming resources and dollars for more than two or three weeks. It is entirely how those clients prepared for the incident that makes the difference.

Unfortunately, most people with roles and responsibilities defined in your IRP will not remember exactly what they are supposed to do when a breach actually occurs. One-time or annual refresher training on the IRP or TTE is insufficient to build the cyber resilience and effective response capabilities you seek. Ebbinghaus’ Curve of Forgetting hypothesizes that people forget up to 70 percent of newly learned material within two days. What are the chances people will recall their duties and responsibilities when the time comes, 10 months after a drill? Does everyone remember where they placed their copy of the incident response manual? Will they truly understand what needs to be done to combat the situation? Furthermore, experience tells us that clients often do not even pull out their IRP when in crisis. Instead, they call external resources and rely on their expertise and experience to guide them through the response.

Rather than counting on an IRP or TTE to come through and save the day in a crisis, there are concrete actions you can take to ensure an incident response engagement is quick and effective. If you create an Incident Response Plan without involving your incident response provider, the value of the plan is greatly diminished. The same goes for the delivery of tabletop exercises. Take the time to research, find the right incident response provider, and build a relationship with them.

Selecting and partnering with an incident response provider before a breach occurs is by far the most effective means of building a high performing response strategy.

Take some time to meet your IR provider and walk them through your ecosystem so that they understand what data you manage, where it lives, and what forensic artifacts may be available to them during a response. A good IR provider will tell you precisely what you can expect and what the deliverables look like. That provider should also be able to assess your environment quickly and inform you about any gaps or weaknesses in log data or other critical forensic artifacts they will need when the time comes. This simple conversation will shave hours off the overall response time, improving cyber resiliency and time to value.

Above and beyond that, most forensic providers have a tool set that needs to be deployed across the client's ecosystem. This tool set is usually designed to aid containment, facilitate the collection of forensic artifacts, and enable deep analysis of devices and processes. These days, not many incident response firms will travel on-site and take forensic images of computers; that is a costly and slow-moving process. Instead, most forensic firms will ask you to assist with installing one or more agents onto your network so they can connect and begin their work.

Consider this: have you ever tried to deploy software across your entire network? How long did that take? Did it go perfectly? Now consider how tough it may be to deploy software across your network when your firewall is down, your domain controller is down, and your endpoints are encrypted. What about a virtualized environment or a cloud-based environment? How would you handle that? In some damaged environments, forensic tool deployment takes days to complete. Delays like that are not acceptable in a crisis where company leadership or the Board of Directors expects to see continuous progress, regular updates, and meaningful findings every few hours. Additionally, the pressure from shareholders and regulatory reporting requirements can be overbearing on IT staff.

In almost every case, IT teams lack the resources to deploy forensic tools quickly. Typically, during an incident response, your IT staff is working 18-hour days. By day four, they have nothing left to give. Do you still think you have enough people to deploy forensic software during a response?

Pre-breach deployment of your IR Firm's response tools can reduce the time it takes to begin threat containment from potentially days to a matter of minutes.

This is the biggest thing you can do to optimize your incident response. I’ll give an example of what we often see in a typical breach response. It’s Sunday morning, and the IT manager gets a call from a user complaining that they cannot log into a particular server. The IT manager tries to remote in and finds they can’t. They drive into the office to see what’s wrong. At that point, they discover they have been hit with ransomware. The IT manager will often try to fix the problem themselves (some pride is involved here). After a few hours, they usually conclude they need to bring in experts. They will use their network of connections to find a reputable IR firm. The firm is contacted, and a scoping call takes place. The IR firm produces a statement of work, and it goes through an approval process that may or may not involve an insurer and an external privacy lawyer. Finally, once the statement of work is signed off, the IR firm initiates a kickoff call with the client. At that time, they begin to work with the client to deploy tools and work towards threat containment.

This is not an efficient process. In this scenario, it can take 24 hours or more from recognition of the breach to the point where the IR provider starts delivering value. On the other hand, if you had a pre-existing relationship with the IR provider and their toolset was already in place, you should see value within an hour or two. That is a big difference between the two scenarios.

While IRPs and TTEs are great tools to get us thinking about the day that breach is going to hit, to be truly effective we need to pair those exercises with concrete actions such as onboarding an IR firm and working with them to prepare for what’s coming. Securing an IR vendor ahead of time, meeting with them to discuss your unique needs, and pre-breach deployment of the IR provider's toolset are the most effective actions for reducing the overall downtime caused by a breach.

Originally posted on law.com

Larry Gagnon, Senior Vice President, Security Services & Incident Response

As Senior Vice President, Security Services & Incident Response, Larry is responsible for shaping the eSentire Global Incident Response Program. He is a veteran of the digital forensics and incident response world, having accumulated over 21 years of experience leading the investigation of technology-based crimes.

Larry has completed many forensics training programs with the RCMP, OPP e-Crimes, FBI, National White-Collar Crime Committee and the International Association of Computer Investigative Specialists as well as with several technology vendors. Larry is a Certified Forensic Computer Examiner (IACIS 2001), and GIAC Certified Incident Handler. He has extensive experience testifying as a qualified expert in both criminal and civil matters.
