Exercises

Exercises are a great way to practice realistic scenarios and improve your skills. Exercises are self-guided and can be conducted individually or in a group setting. An exercise includes the following core components: 

1. Scenario
2. Attendees
3. Skills
4. Retrospectives
5. Todos & Notes
6. Reporting

All exercises work through the same stages: 

1. Not Started — A scenario has been selected but not committed for exercising yet
2. In Progress — A scenario is currently being exercised

During this stage, you’ll move through the scenario and respond to various questions. You’ll note responses to each question, or take overall notes using the Exercise Notepad.

3. Exercised — A scenario has been exercised and is ready to be retrospected
4. Retrospecting — A completed exercise is being reviewed 

During this stage, you’ll record retrospective notes on each part of the exercise. From the Response maturity level dropdown, you will assess the maturity of your response using the COBIT-19 maturity scale and assign it a score.

5. Retrospected — A retrospective has been completed and an Exercise Report is available

If you would like Red Canary to facilitate an exercise with your team and conduct the retrospective, please reach out to your Customer Success Manager to learn more about Red Canary Facilitated Exercises.

Scenarios

Scenarios describe realistic situations you want to be ready for. They can be relevant to specific user personas, threat types, exercise durations, and categories. Each scenario has the following traits:

• Scenario Description
• Estimated Duration
• Category
  • Cybersecurity — Scenarios that help prepare your organization for top threats and types of security  incidents by exercising critical response skills, processes, and playbooks
  • Cybersecurity > Atomic Red Team (ATT&CK) — A subcategory of cybersecurity scenarios that are specifically focused on exercising atomic tests to validate and improve technical controls 
  • Business Continuity — Scenarios that map broadly to incidents and threats outside the realm of cybersecurity, but often impact cybersecurity or technical operations (i.e natural disasters, physical security breaches, pandemic disruptions, etc.)
• Attendee Personas or Roles that the scenario involves, including roles like Security Operations, Executive (CXO), Legal, Communications, and more
• Intelligence & Threat Mappings (ATT&CK, Adversary Profiles, etc.)
  

To further explore...

• Explore scenarios that you’d typically conduct as a tabletop with your larger team
• Explore scenarios that prepare you for real-world adversary groups that Red Canary saw trending during our most recent Threat Detection Report

Skills

Skills are the atomic building blocks that make up each scenario. Skills most often map to the National Institute of Standards and Technology (NIST)’s recommended incident response phases. The phase includes:  

1. Preparation
2. Detection & Analysis
3. Containment
4. Eradication & Recovery
5. Post-Incident Activity

Every skill includes a specific set of relevant discussion points. These discussion points are how you exercise, evaluate, and improve your capabilities to perform that specific skill. 

Retrospectives

Red Canary helps you conduct a great retrospective and continuously improve. The goal of every great retrospective is to ask:

• What worked well that we should repeat?
• What could we do more or less of?
• What action items will we prioritize?

You will be asked to record any notes you have about each topic in the scenario. It is preferable to request diverse feedback from the team on what went well and what did not.

You’ll also be asked to assess the maturity of your team’s response. Red Canary employs the COBIT-19 maturity scale, which provides a consistent method of determining your level of maturity. If you are unfamiliar with COBIT-19, don't be concerned if you give yourself many 3's — this is entirely normal! The assessment aims to help you understand where you might want to invest more in the future.

Todos

Todos and action items frequently arise during an exercise or its retrospective. Recording those todos and completing them is critical to improving your readiness. These todos are commonly associated with specific gaps or areas for improvement in your response processes that you identify when running the scenario. 

Learn more about creating and managing todos here.

Reporting

Once you have completed and retrospected an exercise, you can print or export the exercise’s report, similar to the information you’d get from a tabletop facilitator. This report will outline all critical details associated with the exercise. Click here to learn more about how to export a report.