Functional Exercise

Functional Exercise ⫘

Service Overview ⫘

Secureworks offers both functional exercises and drills (explained below). These exercises and drills elevate the level of your readiness testing, allowing your incident response (IR) team members to practice their roles and responsibilities, and to execute processes in one or more functional areas of an IR plan. Each exercise can vary in complexity and scope, from validating specific aspects of a plan (a drill) to validating multiple aspects of a complete IR plan (a functional exercise).

Often, real-world issues that were overlooked during the design phase—such as traffic affecting analysts’ ability to travel to a specific location in a set amount of time or an investigator not having the necessary permissions to perform a task—can adversely affect the response process. Functional exercises allow your organization to validate its processes/procedures to ensure they work as expected, and to identify and address issues to ensure better execution of processes/procedures.

Service Methodology ⫘

Drills are brief exercises that test a specific IR capability. Examples of capabilities that IR drills can test are:

• How quickly can our on-call team activate our external IR provider?
• Can all team members rapidly triage an alert and isolate a compromised server?

Functional Exercises are wide-scope response scenarios with hands-on elements, conducted in realistic, real-time environments involving multiple functions. An example of such an exercise is: “Your tools show critical alerts that joebloggs@xxxxxxxx.com has been phished. Demonstrate how you follow your response process—from triaging the alerts, notifying the appropriate parties, and acquiring all relevant data, to conducting the technical investigation for understanding the root cause, identifying any data loss, and concluding the investigation.”

Drills and functional exercises may leverage technical or strategic functions to focus on different elements of your organization’s response. We work with your team to develop a list of processes/procedures to be validated. During these exercises, there are no changes made to the environment, but we may work with a “Trusted Insider” as part of the exercise to plant realistic data ‐ for example, create real network traffic to a Command and Control (C2) server that Secureworks controls. Participants leverage existing processes and their own tools to perform tasks.

Participants may be required to perform tasks that are part of a typical response such as (but not limited to) the following:

• Triage alerts using their own tools
• Conduct data capture and preservation
• Transfer and start analyzing large datasets
• Involve external vendors to help at the appropriate time
• Create draft public / internal statements
• Communicate with legal resources about regulatory risk factors
• Coordinate with your Human Resources team to determine relevant investigatory steps

Outcome ⫘

An after-action report that summarizes the activities observed with risk-prioritized findings and recommendations to improve IR processes, procedures, and practices will be provided. Participants are expected to have an improved set of skills after testing your documented processes/procedures with knowledgeable and highly experienced incident response experts, and from meeting the challenge of performing response tasks on real systems.

Scope and Service Units ⫘

Due to the custom nature of Functional Exercises and Drills, Secureworks requires a scoping session to better understand your organization’s requirements, constraints, and goals.

• Drill requires minimum of 8 Service Units
• Functional Exercise requires minimum of 16 Service Units