CSIRT GuardSight Quick Reaction Force Incident Response

Awesome Job!

  • You adopted a cybersecurity mindset as part of your corporate culture.
  • You deployed sophisticated cyber weaponry/tools to combat the cyber adversary.
  • You employed an adequate level of competent internal cybersecurity staff.
  • You hired a SECOPS threat detection and response company, like GuardSight, to engage the cyber enemy continuously.
  • You implemented best practices like the principles of least privilege and layered defense.

The above items are essential when readying your cybersecurity posture left of boom, that is, before an incident occurs. Companies that implement proactive security measures as a steady state of readiness are more likely to prevent and limit the consequences of successful attacks than those that don't. But, just like looking both ways before you cross the street doesn't eliminate the risk of being hit by a vehicle, the risk of a successful cybersecurity attack is never eliminated, even for the most disciplined and best-prepared practitioners. The risk of a cyber-related compromise is always present. It's what you do when it happens that matters most.

Ask yourself this question: What else can I do to improve my organization’s resiliency beyond what exists, be better prepared left of boom, and limit the damage when a successful attack occurs?

One answer: Conduct a Tabletop Exercise (TTX)! A TTX helps answer questions like:

  1. Who responds in the event of an attack?
  2. Which responders are trained and qualified to handle the attack?
  3. Which courses of action (COA) will contain the enemy’s advance?
  4. Who defines and prioritizes, communicates, and executes the COA?
  5. How do we prevent broader asset compromise?
  6. How do we communicate information to the C-Level during the response?
  7. How do we communicate information to employees during the response?
  8. Which external organizations must be involved in neutralizing the threat?
  9. Which external organizations will be involved after the threat is put down?

GuardSight Quick Reaction Force Incident Response (QRF/IR) teams often witness organizational dysfunction when critical asset compromise occurs due to a cyber attack. The tactical aspects of response may be top shelf, but any concept of muscle memory is nonexistent, and the collective reaction of the enterprise is in disarray. The following are activities performed during a TTX, led by GuardSight QRF/IR teams, that help transform dysfunction into functional containment, eradication, and recovery.

  1. Define Operational Roles
  2. Define Operational Choreography
  3. Review Tactics, Techniques, and Procedures (TTP)
  4. Inventory Critical Containment Assets
  5. Discuss Incorporating IT Support Teams
  6. Discuss Preparing Business Stakeholders
  7. Discuss Fatigue Management
  8. Rehearse Attack Scenario*
  9. Identify, Review, and Plan Remediation of TTX Gaps

Contact us to learn more about purchasing a GuardSight TTX and help your team rewire for speed and embed long-term DNA to succeed in the cyber fight against the bad guys!

*Ask about our TTX-Enhanced, where the technical participants are put through a live-fire cyber range as part of the exercise.

P.S. GuardSight private sector TTXs are similar to ones used by GuardSight Marine Corps Cyber Auxiliary (MCCA) team members during their involvement with the United States Marine Corps!