Simulations Test Security Plans and Ensure Readiness for Live Incidents
One of our large financial services clients, already mature in its approach to security, wanted to further optimise its performance.
The organisation had insourced a security function, and although it was well run, the Security Operations team asked us to help test and critique the security playbooks the function used to respond to incidents.
The team wanted to confirm whether the playbooks were up to date and accurately reflected how a security alert should be responded to and triaged. There was also a requirement to follow this with simulation testing to assess each playbook's effectiveness.
The client asked us to conduct this activity because of our strong relationship and mutual understanding, which ensured getting started was straightforward. We decided at the outset to also include one of our technical partners, who specialises in incident response. Our combined expertise positioned us to deliver exactly what the client was looking for out of this exercise.
To test the playbooks, we created scenarios that incorporated the latest Tactics, Techniques, and Procedures (TTPs) of potential threat actors. Understanding these TTPs enables organisations to discover, assess, and respond proactively to security threats. Dummy data was produced to make the simulation as realistic as possible.
The exercises took place on site with the required staff members, who worked through the simulations and tested the playbooks. Over sessions lasting two to three hours, the group talked through their actions in detail and even created dummy incidents in their system to capture all the activity.
Working with our technical partner, we produced several cyber threat simulations and ran through them to test the effectiveness of the client’s security playbooks. Going through the simulations was a practical method for reviewing specific steps and gave the staff involved some valuable experience of using them under full incident conditions.
Testing the playbooks also allowed us to upskill the team with some additional security education while working through the popular tactics that threat actors use today. Another benefit was providing the staff with an opportunity for team building – working together under pressure and demonstrating they could perform well.
The overall success of these playbook simulations has led to more of them being carried out over time. We continue to perform this activity for the client and are expanding our coverage to other incident response areas.