Testing IRPs and playbooks
Once you have created an IRP and playbooks for different scenarios, it's time to validate them. The plans will always look spectacular on paper, but it is very important to check them to make sure they work, and it is best to test them before an actual incident happens.
Additionally, it is advisable to carry out periodic evaluations to identify possible gaps and make the corresponding adjustments; remember that threats evolve very quickly, and you will probably need to adjust how you respond to new techniques or tools used by attackers.
I recommend you consider using NIST Special Publication 800-84, *Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities*, to create a formal testing plan. You can download it from here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
This guide is structured into different phases, as follows:
- Establishing a Test, Training, and Exercise Program
- Training Sessions...