IR and SimEx: Can and should they be standardized?

The National Cyber Security Centre (NCSC) intends to launch a new assurance scheme for incident response (IR) and simulated exercises (SimEx) in Q2 2022, which could become a real gamechanger for the security sector. This will effectively see the standardization of IR and SimEx across the board and extend the commercial reach, opening new markets to assured providers.

But is standardization necessary and how will it change things?

Previously, the NCSC only provided the Cyber Incident Response (CIR) Service – soon to be renamed CIR Level 1 – aimed at UK Central Government and large businesses with complex IT systems deemed to have networks of “national significance”. The new CIR service will extend that reach significantly to encompass local businesses, large businesses and SMEs while the new Cyber Incident Exercising Service will target large and medium organizations as well as central and regional UK Government. Such will be the scale of the endeavor that the NCSC intends to recruit Assured Scheme Partners to vet and onboard Assured Service Providers and to police the scheme.

Putting it into practice

It will be interesting to see how the NCSC intends to tailor the assurance scheme to accommodate these new target markets.

The government body is currently selecting its Assured Scheme Partners with whom it intends to work with to devise the operating model and to help determine how it will implement its technical standards across both services. But IR and SimEx are very different beasts. Whether undertaken pre- or post-attack, incident response typically requires the business to go through a prescribed set of steps to triage an incident, so it naturally lends itself to being incorporated into a framework. The same cannot be said of SimEx, which can vary enormously.

SimEx can range from entry level desktop exercises through to full-blown simulations and enable teams within the business to respond to a given attack scenario. They may take the form of a ransomware or phishing attack, DDoS simulation, or sensitive data being published on the dark web, for instance. Multiple actor roleplay then ensues which sees the tester perhaps simulate a call from the attacker demanding a ransom or pretend to be a member of the press enquiring about a breach. The best exercises, i.e., those that yield the most insight, are those that see the initial incident evolve to encompass other departments, so that the attack goes on to ensnare IT, security, and PR, and are designed to test how these teams work together.

The goal of a simulated exercise is to practice, evaluate or improve the IR plan so the real learning comes from how well the incident response process performs. How closely is the IR plan followed? Should the Information Commissioner’s Office be contacted and in which timeframes? Did the comms team know what they should when discussing a with press? Did the technical team remediate using due process? Was evidence safeguarded and protected? This will require the new assurance scheme to set specific tolerances to determine how well departments functioned.

An open market

Although it’s not yet known how the new Cyber Incident Exercising Service will accommodate this range of activities, the NCSC has stated that it will cover table-top and live-play formats. Presumably it will offer a sliding scale of increasingly complex services which should bring some much-needed transparency to the market. One of the chief issues with SimEx today is that once the business looks at testing its IR, costs can begin to spiral, so a formal structure with different methodologies will let teams know exactly what they’ve signed up for and how much bang they’re getting for their buck.

However, as we emerge from the pandemic, many cash-strapped businesses may still regard SimEx as too costly. Yet choosing not to test IR in this way could equally be seen as a false economy. This is because one of the biggest benefits associated with the process, which is that these exercises help steer investment.

Rather than the organization continuing to blindly invest in technology and assuming that its policies are being adhered to, these tests gauge the effectiveness of security measures by using attack scenarios that the organization is likely to face in the current threat landscape, informing the business of what is/isn’t working and where the gaps lie so that future spend becomes focused. Plus, these exercises can also be used to protect the business in other ways, by determining if third-party vendors are sticking to their service commitments and enabling the business to hold them to account, for example.

Adding the SimEx service alongside its IR service is a natural next step for the NCSC but a highly significant one for the security sector. The transparency which the NCSC scheme promises to create will help open the market and drive adoption, making standardization beneficial for business customers and service providers alike, with the latter able to get their IR and SimEx services ratified against the NCSC’s standards, providing them with a new route to market. And the more IR plans that are put through their paces, the better security will become, making standardization a win-win for everyone.