Blog: DFIR
Practice being punched in the face: the realities of incident response preparation
TL;DR
- Accept that you will get punched in the face
- Train hard. Regularly test incident response plans
- Build muscle memory
- Practice getting punched in the face
“Everyone has a plan until they get punched in the face.” This Mike Tyson boxing quote perfectly encapsulates the chaos of a cybersecurity breach.
In the world of Digital Forensics and Incident Response (DFIR), that punch in the face can take the form of ransomware encrypting your critical systems, threat actors exfiltrating sensitive data, or an insider exploiting gaps in your defences.
We regularly see first-hand how even the most carefully laid plans can unravel in the heat of a cyber incident unless they have been rigorously tested.
The problem with plans
Organisations often pride themselves on having an incident response (IR) plan in place. Yet too often, these plans exist as a document gathering dust on a shelf or an untested spreadsheet that only a handful of people have seen. When the punch comes in the form of a real-world breach, those plans frequently fall apart under the weight of panicked decision-making, unclear roles, and outdated assumptions.
In a cybersecurity crisis, plans are essential. But unless your organisation has practised executing that plan under pressure, it will likely fail when it matters most. As Tyson reminds us, it is not the plan that matters; it is how well you can recover when that plan is tested by real-world events.
Preparing to take the punch
IR preparation is not only about avoiding the punch, it’s also about building the resilience to take it, recover, and keep fighting. That’s why we emphasise practicing your response to incidents through simulations, tabletop exercises, and red team scenarios. Here’s how to start:
1. Test your IR plan
- Why it matters: An untested plan is as useful as no plan at all. Testing reveals gaps in your processes, personnel knowledge, and technical capabilities.
- How to do it: Run regular tabletop exercises where key stakeholders simulate responding to various attack scenarios, from phishing breaches to ransomware incidents. This not only identifies weaknesses but also fosters familiarity with roles and responsibilities under pressure.
2. Build muscle memory
- Why it matters: In the middle of a breach, there’s no time to read a manual or consult a flowchart. Your team needs to act decisively and instinctively.
- How to do it: Conduct live simulations that mimic the stress of a real breach. Use red teaming to simulate adversarial attacks on your environment, and follow up with blue team analysis to reinforce defence strategies.
3. Equip the right people
- Why it matters: Technology alone doesn’t win fights; people do. Your incident response team must be trained, empowered, and confident in their ability to act.
- How to do it: Invest in regular cybersecurity training for your team, particularly in areas like threat hunting, digital forensics, and containment strategies. Ensure all employees understand their role in preventing and responding to incidents.
4. Establish incident playbooks
- Why it matters: Breaches come in all shapes and sizes. One-size-fits-all plans rarely work.
- How to do it: Develop specific playbooks for common incidents, such as credential theft, DDoS attacks, and insider threats. Tailor these to your organisation’s unique risks and infrastructure.
5. Simulate the worst-case scenario
- Why it matters: Nobody wants to think about a catastrophic breach, but that’s precisely what makes it so critical to prepare for.
- How to do it: Practice crisis communication, legal compliance, and data recovery processes. Involve your executive team to ensure strategic decision-making aligns with operational responses.
Why practice matters
Tyson didn’t just rely on talent. He trained rigorously to build the endurance and reflexes to handle the unpredictability of a fight. Similarly, organisations that practice responding to incidents are better equipped to remain composed, make informed decisions, and mitigate damage during a breach.
For example, one of our clients was hit by a ransomware attack targeting their file servers. Thanks to their rehearsed response plan and prior incident simulations, they swiftly contained the attack, preserved forensic data, and initiated recovery without significant disruption. This was not luck; it was preparation.
From punch to opportunity
A cybersecurity breach is always a blow to the organisation. But it doesn’t have to be a knockout punch. With proper preparation, it becomes an opportunity to demonstrate resilience, protect stakeholders, and emerge stronger.
Organisations need help preparing for that punch. Through threat assessments, preventative testing, digital forensics expertise, incident response training, and proactive assessments, your team isn’t just left standing when the fight ends; it’s winning.