Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

5 Ways Security Testing Can Aid Incident Response

Organizations can focus on these key considerations to develop their cybersecurity testing programs sustainably.

5 Min Read
Ohio Cyber Reserve test their incident response skills; three women in red shirts, with a man and woman in suits in background
Source: Operation 2022 via Alamy Stock Photo

The importance for organizations to understand who their adversaries are and how they operate against their enterprise environments cannot be understated. An organization's approach to cybersecurity testing and resilience improvements in the face of an increasingly volatile threat landscape must be underpinned around this perspective.

The core elements of a well-designed cybersecurity testing program should help the organization identify and remediate vulnerabilities, continuously challenge detection and response capabilities, refine threat intelligence-gathering priorities, and enhance overall incident preparedness through continuous stress-testing of response plans. IBM's "Cost of a Data Breach 2022" report shows that organizations that regularly test their incident response plans save $2.66 million (circa £2 million), which is the cost of an average breach.

Although there is no one-size-fits-all solution, here are five key considerations that organizations can focus on while developing an overarching strategy to build and maintain a cybersecurity testing program.

1. Collaborate Across Teams

Collaboration is where the organization's strength lies, so security teams should focus on building out internal relationships with different groups. Security teams should remember that the human component is critical and define a clear process to effectively allow representatives from the security operations center (SOC), risk/compliance, vulnerability management (VM), cyber threat intelligence (CTI), and security testing functions to drive collaboration.

Where possible, encourage these teams to have in-person discussions. This will create an opportunity for cross-team rapport at a personal level and develop a sense of camaraderie that will go a long way in achieving a common goal.

Creating a governance framework that defines clear responsibilities and promotes transparent communications between these teams to share findings quickly will allow for better decision-making, faster incident response, and a well-rounded appreciation of the organization's cyber capabilities.

Collaboration allows for an enhanced appreciation of each other's techniques and methods, as well as the exchange of knowledge and expertise to improve threat detection and mitigation strategies.

2. Follow an Intelligence-Led and Risk-Based Approach to Scope Definition

A process to continuously curate threat intelligence should enable organizations to build and maintain a comprehensive, up-to-date library of baseline attack scenarios. First, determine which threat actor groups are likely motivated to target the organization. Overlaying this with established baseline scenarios will help define a comprehensive list of tactics, techniques, and procedures (TTPs).

Organizations often have several assets in their environments, which makes identifying risk points and assessing where and how much money should be spent on vulnerability identification and remediation difficult. It may not be realistic from a timing perspective to assess the full list of identified TTPs against all of the assets in scope.

A more risk-based approach is to carve out a plausible subset of TTP sequences and creatively mix-and-match infrastructure and software details, without being bound to an extensive checklist. This creates targeted sub-scenarios for the attack simulation team to initially focus on.

This approach will help CISOs more granularly measure the strength of practical mitigations that exist and identify high-priority areas across critical business services, while optimally using existing resources.

3. Perform Continuous Stress-Testing of Cyber-Defense Controls

Leverage the scenarios and prioritized list of TTPs defined to constantly exercise the organization's technical and business response. The scenarios subset should increase in complexity as the incident response program matures. Where the security team failed previously, these scenarios must be repeated so the organization can improve the process in the event of a real attack.

It is important to select "low-and-slow" tactics that the SOC can detect and the VM team can remediate — but don't make things too easy. Carefully selecting TTPs that are harder for the SOC to defend against encourages this team to constantly sharpen their technique, as well as push the organization to update response strategies.

The choice between complexity, stealth, and speed will be driven by the organization's risk profile and threat priorities that have contributed to shaping the specific scenario for testing.

4. Set Metrics for Shared Understanding and Improvement Tracking

Success criteria need to be defined and tracked to demonstrate overall risk reduction to organizational assets. Metrics such as reduced detection and/or response times, a decrease in successful attacks, and so on are useful to effectively articulate improvements to the board.

It is useful to compare results of previous and subsequent penetration tests, red-team exercises, and/or targeted attack simulations, focusing on the number of high-risk vulnerabilities identified and exploited, as well as the overall success rate for the testers.

Being able to analyze changes in the threat landscape and demonstrate an increased ability to mitigate current and evolving threats will help CISOs demonstrate improved risk reduction.

5. Establish Feedback Channels to Drive Process Improvements

Break down test observations against executed TTPs along with actionable mitigations identified along the attack chain. Test results will also provide an improved understanding of which vulnerabilities are most likely to be exploited and can help refine risk prioritization in the VM process.

Sharing these results in real time to the CTI team allows them to monitor for potential threats that may exploit vulnerabilities, improves theoretical understanding of documented threats, and provides insight into previously unknown vulnerabilities, as well as helps prioritize areas for further research and analysis.

A centralized dashboard to aggregate test outputs in real time from the field, which can provide the relevant SOC team stakeholders with gaps identified in security monitoring tools and alerting systems, is extremely useful.

Providing a training range to practice and validate incident response plans, and to identify areas where response times must be improved, is useful to improve overall incident preparedness.

The End Goal

The World Economic Forum's "Global Cybersecurity Outlook 2023" report states that 43% of business leaders believe that their organizations are likely to be hit by a major attack within the next two years. An all-encompassing change to cybersecurity testing, through increased collaboration and improved risk management processes, enhances resilience to cyberattacks.

About the Author(s)

David Dunn

Senior Managing Director and Head of EMEA Cybersecurity, FTI Consulting

David Dunn has more than 20 years of experience advising multinational corporations on risk and transactions in markets around the world and is an expert in data privacy and cybersecurity resilience, prevention, response, remediation, and recovery.

Mr. Dunn leads global teams that handle large and complex cybersecurity readiness engagements, advises both corporate and private equity merger and acquisition (M&A) sponsors on critical cybersecurity risks, and leads significant incident response and investigations matters, such as ransomware, data breaches, and nation-state intrusions. He has served as an interim CISO for clients on several occasions and frequently advises private equity firms, C-Suite, and board members on the specific cyber risks they face, as well as best security practices to implement.

Before joining FTI Consulting, Mr. Dunn was Head of Global Advisory Services and a member of the Executive Leadership Team at Eurasia Group, a risk consulting and advisory firm. Prior to that, Mr. Dunn spent 12 years working with and advising institutional investors and multinational corporations. He began his career at Donaldson, Lufkin and Jenrette and Credit Suisse First Boston in New York.

Nebu Varghese

Senior Director, FTI Consulting

Nebu Varghese is a Senior Director in FTI Consulting's Cybersecurity practice and is based in London. Mr. Varghese has more than 10 years of multifunctional experience, deep technical expertise, and strong academic credentials in the field of cybersecurity. He has worked in more than 23 countries, serving a wide range of global organizations spanning across multiple sectors, including critical national infrastructure, financial services, consumer products, private equity, telecom, and media.

Mr. Varghese specializes in executing and managing the delivery of offensive security testing (ethical hacking or penetration testing) engagements for organizations across the globe.

Prior to joining FTI Consulting, Mr. Varghese spent the last decade working with two of the Big 4 audit firms, leading on threat-driven offensive security engagements across network infrastructure (IT & OT) environments, cloud infrastructure, wireless infrastructure, physical security, and applications (Web & mobile), as well as social engineering assessments, malware analysis, and architecture design reviews.

In his previous role, he led the Next-Gen SecOps and Response (intelligence-led attack simulations, OT/IoT product security reviews, breach response, purple team testing and advisory, and scenario-based technical security assessments) capability where he helped drive development of the business and took responsibility to execute technically demanding engagements that focused on enhancing threat detection and response capabilities for large businesses.

Mr. Varghese holds several certifications including the CRTE, OSCP, CPSA, CRT, AZ-500, CCSK, CEH, CISA, and CHFI. He also holds an MSc in software and systems security from the University of Oxford, and a bachelor's in computer science engineering from the Vellore Institute of Technology (VITU).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights