Use table-top exercises and other security simulations to train the blue team, and to verify that they are prepared to respond to security incidents according to the corporate guidelines.
This experiential learning is crucial to build confidence and agility in the team ("learning by doing").
Before your tabletop
Your exercise should include
The reality will likely differ from the playbook as written, so you have to be prepared to adapt to rare and unexpected situations, such as evasion techniques and anti-forensics (for example, altering the integration with the SIEM solution so that activity in certain regions is not reported).
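The anti-forensics case just mentioned (a SIEM integration altered so that some regions stop reporting) is one a blue team can rehearse detecting during a tabletop. The following Python script is an added example, not part of the original page and not an AWS tool; the region list, the sample CloudTrail-style records, the user names, and the time thresholds are all constructed for illustration. It flags expected regions that are silent or have gone stale, and any CloudTrail management call that changes what gets logged.

```python
"""
Added example (not from the page, not an AWS tool): a defender-side coverage
check a blue team can run during a tabletop to spot the anti-forensics case
described above, where the SIEM integration has been altered so that activity
in some regions is no longer reported.

Two checks run over CloudTrail-style records that the SIEM claims to have
ingested (all records, regions, user names and timestamps below are constructed):
  1. Coverage: every region the account operates in must have reported events
     in the review window, and its latest event must not be stale.
  2. Tampering: any CloudTrail management call that changes what gets logged
     (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors) is flagged.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: the IR playbook maintains the list of regions the account uses.
EXPECTED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]

# Real CloudTrail API names that alter trail logging configuration.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed reference time and thresholds for the review.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
REVIEW_WINDOW = timedelta(hours=24)   # a region must show at least one event in here
STALE_AFTER = timedelta(hours=6)      # latest event older than this is suspicious

# Constructed sample: ap-southeast-1 never reports, and eu-west-1 goes quiet
# right after a StopLogging call by "ops-admin".
SAMPLE_RECORDS = """
{"eventTime": "2024-05-01T11:30:00Z", "awsRegion": "us-east-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}}
{"eventTime": "2024-05-01T10:05:00Z", "awsRegion": "us-west-2", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"userName": "bob"}}
{"eventTime": "2024-05-01T01:50:00Z", "awsRegion": "eu-west-1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"userName": "ops-admin"}}
{"eventTime": "2024-05-01T02:00:00Z", "awsRegion": "eu-west-1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"userName": "ops-admin"}}
"""


def parse_records(raw):
    """Parse newline-delimited JSON records as a SIEM export would deliver them."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _event_time(rec):
    # CloudTrail uses ISO-8601 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))


def latest_event_per_region(records, now, window):
    """Map region -> timestamp of its most recent event inside the review window."""
    latest = {}
    cutoff = now - window
    for rec in records:
        ts = _event_time(rec)
        if ts < cutoff:
            continue
        region = rec["awsRegion"]
        if region not in latest or ts > latest[region]:
            latest[region] = ts
    return latest


def silent_regions(records, expected_regions, now, window):
    """Expected regions with no ingested events at all in the window."""
    latest = latest_event_per_region(records, now, window)
    return sorted(r for r in expected_regions if r not in latest)


def stale_regions(records, expected_regions, now, window, stale_after):
    """Expected regions that did report, but whose latest event is older than stale_after."""
    latest = latest_event_per_region(records, now, window)
    return sorted(r for r in expected_regions
                  if r in latest and now - latest[r] > stale_after)


def trail_tampering(records):
    """CloudTrail configuration changes, as (region, eventName, user, eventTime) tuples."""
    hits = []
    for rec in records:
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and rec.get("eventName") in TRAIL_TAMPERING_EVENTS):
            user = rec.get("userIdentity", {}).get("userName", "<unknown>")
            hits.append((rec["awsRegion"], rec["eventName"], user, rec["eventTime"]))
    return sorted(hits, key=lambda h: h[3])


def coverage_report(raw=SAMPLE_RECORDS, expected_regions=EXPECTED_REGIONS, now=NOW):
    """Bundle the checks into one report a tabletop facilitator can read out."""
    records = parse_records(raw)
    return {
        "silent_regions": silent_regions(records, expected_regions, now, REVIEW_WINDOW),
        "stale_regions": stale_regions(records, expected_regions, now, REVIEW_WINDOW, STALE_AFTER),
        "trail_tampering": trail_tampering(records),
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(), indent=2))
```

Run against the constructed sample, the report names ap-southeast-1 as silent, eu-west-1 as stale, and the StopLogging call in eu-west-1 as the tampering event that explains why that region went quiet; during an exercise the same three outputs are what the team should be able to produce from their real SIEM within the first minutes of the scenario.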
AWS offers a platform to simulate real-world scenarios that include security challenges for the blue team to respond to, in a risk-free environment, since it runs on temporary AWS accounts provided by the platform.
Your teams can compete (Jam event) or you can learn individually (Jam journey), resolving the challenges by yourself (similar to a "capture the flag" challenge, but for defenders). You start from a bad situation, such as "you received an abuse notification".
Participants have to identify and remediate misconfigurations, compromised IAM credentials, and vulnerabilities, and restore operations, validating their skills in a controlled environment.
Learn more about AWS Jams here. Access AWS Jams challenges here: AWS Jams with Security challenges.
AWS Jams with Security challenges are available on the paid version of Skillbuilder or can be delivered as part of an AWS Training & Certification course.
If you have a skilled team that wants to run simulations in your own sandbox environment (NOT in production!!), you can use AWS CloudSaga, a command-line tool that simulates security events.
AWS CloudSaga is for customers who want to test their environment against documented security events from the AWS CIRT. Using AWS CloudSaga, simple scenarios that mimic actual security events can be run against a customer's environment, testing the customer's response plans and defenses when these events occur, and improving the defenses of their AWS environment based on the results.
AWS offers a standardized service to help you with this task:
AWS Security Incident Response Simulation (SIRS) is designed to help customers validate, test, and confirm their security processes, roles, responsibilities, communication paths, security controls, and security response mechanisms. This is achieved using the SIRS Tabletop offering.
SIRS is also designed to validate roles, responsibilities, and communication paths across the organization and can be aimed at both technical and security teams as well as C-Level executives and business stakeholders.
The format used is a narrative-driven scenario where each participant plays their actual role in the company. Customers can choose from a number of different scenarios or build custom scenarios to validate and test their security controls in the AWS Cloud. The engagement is typically delivered as a series of meetings to prepare the scenario and a 2-day engagement simulating scenarios and providing feedback to improve your Incident Response Playbooks.
Please contact your AWS account team directly or request direct contact with AWS Professional Services.
AWS Partners can help you plan and execute your incident response tabletop; go to AWS Partners for security incident response to find partners such as Deloitte, Accenture, Atos, etc.
Access the complete AWS Security Incident Response whitepaper here.