
Security Awareness Training: Incident Response Plans and War Gaming

Everyone should be prepared for a cyberattack. Developing an incident response plan and running a war gaming exercise gives employees the tools they need to respond quickly, mitigate the situation and return to business as usual.

No matter how solid your cybersecurity posture or how little risk your employees pose, you need to be prepared for the day a cyberattack occurs. Developing an incident response plan and running a war gaming exercise gives your employees the tools they need to respond quickly, contain the situation and return to business as usual.

What Is War Gaming?

War gaming sounds intense because it is. Take your employees, in particular your first responders, through a simulated breach incident. A first responder is any employee whose primary function is to communicate with customers digitally, along with anyone charged with remediating a breach. Common first responders are customer service reps, administrators, the finance team and IT technicians.

But the war games shouldn’t stop with entry-level employees: an effective war game exercise also involves the executive suite.

Any employee can be your weakest link when it comes to IT security, so if you leave a particular team out of your war gaming exercise, you are inadvertently creating a weak link in your organization.

Including executives in the exercise is critical: they are among the most frequent targets of cyberattacks, and in reality many executives are neither IT savvy nor security aware.

What to Include in an Incident Response Plan

The purpose of the war gaming exercise is to demonstrate to all employees the gravity of a breach incident. Before you run it, create an incident response plan.

Templates for incident response plans are easy to find online and can serve as a starting point, but it’s best to build something specific to your environment. Ask your professional network to share their incident response plans with you, and ask your security vendors for theirs. Compare multiple plans and use them to inform your own.

Here are some tips for incident response plans for specific employees.

Incident Response Plan for First Responders

Employees should know how to respond the moment they suspect an incident has occurred, before they have even communicated up that there is an issue. Here are the steps they should take:

  1. Isolate and Power Off: Cut the machine off from the network first, then power it down. Unplug the Ethernet cable (and switch off Wi-Fi on a laptop) as well as the power cord: it is the network connection that lets an attacker keep talking to the machine, so a device that is powered off but plugged back into the network on reboot has gained you nothing. On Power over Ethernet devices such as desk phones, the network cable is also the power cable, so pulling it does both jobs. One caveat for the IT technicians on the team: powering off destroys whatever was in memory (running processes, open network connections, keys), so if your plan involves a forensic investigator, agree in advance whether suspect machines are powered down or simply isolated and left running for them.
  2. Don’t Delete It: This is the hardest rule to follow because it goes against your instinct. If you delete the file you believe is malicious, you delete the trail that lets a forensic investigator determine the cause of the incident, which can have serious ramifications in a legal situation such as a lawsuit or an insurance claim. Segment and isolate the machine and power it down. What’s done is done. File deletion is not revenge, it’s just not very smart. Teach your first responders to respond logically, not emotionally. It’s not a first responder’s job to remediate the problem; it is their job to detect the incident and keep it from spreading.
  3. Communicate Up: First responders should have a defined “need to know” chain for a possible breach. After communicating up, first responders need to receive their marching orders while the responding manager takes over communication with the rest of your employees. These people should be in the “need to know” chain:
    • Their direct manager
    • The IT leader
    • The owner of the company
    • Anyone involved in the physical security of the company (security guards, administrators, etc.). Digital attacks sometimes coincide with physical attacks. In a large multi-tenant building, building security should also be notified not to accept visitors while breach response is active.

Incident Response Plan for Front Line Managers

Front line managers might need to know about a current investigation, or they might not. Most phishing attempts will force the issue: the same illegitimate message gets spammed to every mailbox in the email domain, which forces a companywide email. Putting teams on separate VLANs limits how far malware can spread across the network once a link is clicked, but it does nothing to stop the phishing email itself from reaching every mailbox, and one uneducated employee replying to a phishing attempt can expand the threat.

  • How to Manage Internal Teams: Should their team members keep working? Should they disconnect from the Wi-Fi? Do they have to turn off their machines? Do they sign out of their most important software? These answers should be communicated to the front line managers so they can respond appropriately and safely.
  • How to Manage Customers: If it was a phishing attempt, everyone in the affected user’s address book could have been contacted. Managers should have a templated email ready to send in case of an incident. Your company should decide whether the email goes out from the affected user, from an executive or from the marketing department. The template message should be built and ready to go; all you need to add is the sender address and subject line to watch for, along with instructions for the customer to delete it immediately without opening any link or attachment in it.

Incident Response Plan for Marketing

Your marketing team should have a BREAK GLASS IN CASE OF EMERGENCY kit ready to go for a breach incident.

This emergency kit should include the following:

  • Social media posts around your knowledge of the issue and your intent to investigate and protect
  • An email draft for marketing or executives to inform your customers and supply chain of the incident
  • Email drafts for employees to personally send out to customers before the mass communication goes out – overcommunicating is not an issue so long as the information is consistent.
  • Shareholder email – if applicable
  • A schedule of how often your team is going to update their customers and supply chain network moving forward

Most importantly, set down the call to action and back away. Focus on the incident for now. I recently got an email from a supply chain organization acknowledging that it was experiencing a phishing attack. The call to action was to download an article about security... and that piece of content was hidden behind a blind link, which is exactly the click-an-unknown-link behavior the phishing email was exploiting. That is not a great look when you are trying to show people you have learned from your mistakes. Feel free to disagree, but not all incidents or world events are worth capitalizing on with your marketing team.

Pro Tips for Running a War Game Exercise

Now that you have an incident response plan, it’s time to train and test your employees on how to use it. Follow these steps to run a war game exercise at your organization.

  • Train your first responders, front line managers, marketing team and executives on the points mentioned above.
  • Create a fake malicious email with a trackable link.
  • Send it to your employees only.
  • Once someone clicks the link, it should trigger the email to replicate across the entire domain. There may be some distribution lists or email addresses you want to protect, but since the email is benign, I think it’s best to expose everyone for maximum learning impact.
  • Track your first responders:
    • Are they containing the attack (in this case, blocking the email message and its sender)?
    • How many first responders are aware, and how long does it take?
    • Do they communicate up the chain? And is the timing of that communication right, meaning they followed the rules (isolate, don’t delete) before responding?
  • Track your front line managers:
    • How are they instructing their teams to respond?
    • Which teams have no response? Try to diagnose why. Were they isolated, or did they ignore?
  • Track the full company response:
    • Marketing should be instructed to send out an email that this was a DRILL.
    • This communication plan should only go out to your employees – don’t confuse your customers by including them on internal exercises.
  • Investigate:
    • Collect the following metrics to analyze the response from first responders, front line managers and marketing:
      • Time to Respond: Measured in minutes and seconds, ideally, from the moment the drill email landed in the inbox
      • Quality of Response: Clear communication without emotion, need to know information, what this means for employees and what next communication to expect
    • Add other forensic investigation from your response plan, including auditing your IT logs on firewall, IDS/IPS, SAN, etc.
  • Debrief the executive team:
    • Analyze the response not only by the company, but also by the executive team. Did executives follow protocol? Be prepared to call out those who breached protocol.
  • Retrain staff:
    • Apply retraining as needed to those who did not execute to a high enough standard.
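To make the “trackable link” and the “Time to Respond” metric concrete, here is an added example (not code from the CompTIA post) of a small drill tracker: it builds a per-recipient link whose token is an HMAC, so employees cannot forge or guess a colleague’s link, validates clicks against that token, and then turns a constructed log of send, click and report events into the per-team numbers the exercise asks for: click rate, report rate, seconds from send to first report, and which teams had no response at all. The campaign secret, the tracking endpoint under drill.example, the roster and the event timestamps are all assumptions made up for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this example: a per-campaign secret held by the security team
# and a hypothetical tracking endpoint on a domain the company controls.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
TRACKING_BASE = "https://drill.example/open"


def click_token(campaign: str, email: str) -> str:
    """Per-recipient token. An HMAC over campaign+email means a link cannot be
    forged or guessed by someone who has seen another recipient's link."""
    msg = f"{campaign}|{email.lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def tracking_link(campaign: str, email: str) -> str:
    """The trackable link to embed in the drill email for one recipient."""
    q = {"c": campaign, "u": email.lower(), "t": click_token(campaign, email)}
    return f"{TRACKING_BASE}?{urlencode(q)}"


def parse_click(url: str):
    """Validate a clicked link; returns (campaign, email) or None if the token is bad."""
    q = parse_qs(urlparse(url).query)
    try:
        campaign, email, token = q["c"][0], q["u"][0], q["t"][0]
    except (KeyError, IndexError):
        return None
    if not hmac.compare_digest(click_token(campaign, email), token):
        return None
    return campaign, email


# Constructed roster and event log for one drill (ISO 8601 timestamps).
# "sent" is when the drill email landed; "reported" is the first responder
# communicating up; "clicked" is a validated hit on the tracking link.
ROSTER = {
    "ana@corp.example": "customer-service",
    "bo@corp.example": "customer-service",
    "cy@corp.example": "finance",
    "di@corp.example": "finance",
    "ed@corp.example": "executive",
}
EVENTS = [
    ("2020-04-15T09:00:00", "sent", "ana@corp.example"),
    ("2020-04-15T09:00:00", "sent", "bo@corp.example"),
    ("2020-04-15T09:00:00", "sent", "cy@corp.example"),
    ("2020-04-15T09:00:00", "sent", "di@corp.example"),
    ("2020-04-15T09:00:00", "sent", "ed@corp.example"),
    ("2020-04-15T09:02:10", "clicked", "ana@corp.example"),
    ("2020-04-15T09:03:45", "reported", "bo@corp.example"),
    ("2020-04-15T09:04:30", "reported", "ana@corp.example"),
    ("2020-04-15T09:07:00", "clicked", "ed@corp.example"),
]


def drill_metrics(roster, events):
    """Per-team click rate, report rate, seconds from send to the team's first
    report, and a 'no_response' flag for teams that neither clicked nor reported."""
    sent = defaultdict(dict)       # team -> {email: send time}
    clicked = defaultdict(set)     # team -> {email}
    reported = defaultdict(dict)   # team -> {email: first report time}
    for when, kind, email in events:
        team = roster.get(email, "unknown")
        t = datetime.fromisoformat(when)
        if kind == "sent":
            sent[team][email] = t
        elif kind == "clicked":
            clicked[team].add(email)
        elif kind == "reported":
            reported[team].setdefault(email, t)
    out = {}
    for team, recipients in sent.items():
        n = len(recipients)
        first = None
        for email, t in reported[team].items():
            delta = (t - recipients[email]).total_seconds()
            first = delta if first is None else min(first, delta)
        out[team] = {
            "sent": n,
            "click_rate": len(clicked[team]) / n,
            "report_rate": len(reported[team]) / n,
            "first_report_seconds": first,
            "no_response": not clicked[team] and not reported[team],
        }
    return out


if __name__ == "__main__":
    print(tracking_link("drill-2020-04", "ana@corp.example"))
    for team, m in drill_metrics(ROSTER, EVENTS).items():
        print(team, m)
```

The token is the part worth copying: if the link is just `?u=email`, curious employees will start opening each other’s links and your click data becomes noise, whereas an HMAC token only validates for the recipient it was issued to. The “no_response” flag is the starting point for the “which teams had no response, and why” question in the debrief.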

