Incident Response Testing for NIST SP 800-171 & CMMC 2.0

By testing your incident response capability, you identify any weaknesses in your incident response plan. This helps you improve your incident response plan in preparation for a real incident.

One method for testing your incident response plan is to use “tabletop exercises.” According to the NIST glossary, a tabletop is “a discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.”

Download the workbook here.

John is a VP at ACME. The company prohibited the use of removable storage devices on all computers with the exception of a few employees who have a valid business need. One of the users with the exception was John. John is supposed to use an encrypted USB drive; however, John was recently using an unencrypted device to store company data. After a business trip, John noticed that he had lost his USB drive. John immediately reported the lost USB drive to ACME’s incident response team.

As the incident response team, what is the first action you would take?

What is our organization’s policy on removable storage devices?

What security controls do we have in place to restrict the use of removable storage devices?

What could have been done to prevent the incident involving John?

Adam received a phishing email asking him to reset his Microsoft 365 password. The email appeared to come from Microsoft. Adam clicked the link and entered his old and “new” password on the form. Adam later noticed that his “new” password was not working so he contacted IT and informed them that he had just reset his password. IT checked the password reset logs and discovered that the password was not recently reset. Adam explained that he received an email where he clicked a link and “reset” his password. IT informed Adam that it was a phishing attack.

As the incident response team, what actions would you take to contain and recover from this incident?

What actions can we take to prevent this incident from occurring again?

Sarah was entering the office using her keycard, behind her was a man carrying several boxes of donuts. He was not wearing a company provided badge. Sarah politely held the door open for him to enter the office. About 10 minutes later, the facility security officer noticed the man in the IT wiring closet. When asked who he was and why he was there, the man was unable to provide an adequate response and was escorted out of the building. Upon reviewing security camera footage, it was discovered that he entered the building using the piggybacking social engineering attack against Sarah.

As the incident response team, what actions would you take to respond to this incident?

How can we better prepare users for this type of attack?

How can we better prepare users for this type of attack?

Bill is the system administrator at ACME. This morning the helpdesk received a few requests to share OneDrive files externally. Currently, OneDrive files can only be shared with whitelisted domains. To “resolve” the tickets, Bill adjusted the SharePoint/OneDrive file sharing settings to allow file sharing with anyone. Upon reviewing various logs and reports, Doug, ACME’s cybersecurity analyst noticed that files were being shared with unauthorized external users.

What policy did Bill violate?

How should the incident be handled?

What should we do with Bill?

Do we have sufficient security controls in place to prevent these types of incidents?

James is working with a customer and needs to share a large company document with them. He tried to share it with them using his company OneDrive, but the customer’s domain is not whitelisted in SharePoint/OneDrive. James decides to upload the company document to his personal Google Drive and shares it with the customer.

What did James do wrong?

Do we have a policy preventing personnel from using unauthorized cloud storage?

How do we respond to this incident?

What can we do to prevent the incident from reoccurring?