CISOs run the tabletop. Auditors read the report. But when a real incident hits at 2 AM, it is the infrastructure team that runs the actual commands. This guide covers what infra teams must test, prove, and fix — before a drill makes it a finding.
Tabletop exercises are designed by security teams and facilitated for management. The infrastructure team typically attends, agrees to action items, and then discovers during the next real incident that none of the technical sequencing was actually tested. The containment took 4 hours because the isolation procedure was never rehearsed. The DR failover took 90 minutes because the runbook hadn't been updated since last year's infrastructure migration. The volatile forensic evidence was gone because nobody had practised the RAM capture sequence before isolating the compromised host.
The infra team's obligation in a CyberDrill is not passive. It is to test, document, and prove technical readiness against three hard requirements: CERT-In's 13-log-source retention obligation, the sub-6-hour isolation and evidence preservation sequence, and the DR invocation RTO that appears in your SEBI CSCRF posture.
The first is log availability and extraction. Can your team extract 30 days of logs across all 13 CERT-In-mandated source types within 2 hours of an incident declaration? This is a hard technical test — not a policy question. The answer must be demonstrated in the drill, not assumed.
The second is evidence preservation before isolation. The sequence is: RAM dump, active session capture, then network isolation. Reversing this order destroys volatile evidence that is irreplaceable. The drill must include an explicit inject forcing this decision under time pressure, because under real pressure the team defaults to isolation first.
The third is DR failover to documented RTO. Not "DR is available" but "DR was activated and the target service was accessible within the documented RTO." The difference between a theoretical RTO and a tested RTO is typically 40–80 minutes of additional downtime in a real incident.
CERT-In's April 2022 Directions require organisations to maintain logs from 13 specific source types for 180 days, in a format that can be produced to CERT-In on demand. Most infra teams are aware of this requirement at a policy level. Fewer have actually tested whether they can produce a 30-day extract from all 13 sources within the time pressure of an active incident.
| Log Source | Retention | Common Gap | Drill Test |
|---|---|---|---|
| Firewall / NGFW | 180 days | Log rotation configured shorter | Extract 30-day sample in <15 min |
| Active Directory / LDAP | 180 days | Audit logging not enabled for all events | Confirm privileged access events logged |
| Web Proxy / DLP | 180 days | Large volume purged at 90 days | Storage capacity verified? |
| Email Gateway (MTA) | 180 days | Only delivery logs — attachment logs missing | Test attachment content logging |
| SIEM Aggregator | 180 days | Hot storage 30 days, cold archived separately | Cold archive retrieval tested? |
| VPN / Remote Access | 180 days | Auth logs retained, session logs overwritten | Session duration and data volume logged? |
| Endpoint (EDR/AV) | 180 days | Agent offline events not captured centrally | Offline endpoint gap is a common CERT-In finding |
| Database Audit | 180 days | Enabled only on production — not DR | DR DB audit logging tested? |
| Web Application (WAF) | 180 days | WAF logs in vendor cloud, not on-prem SIEM | Egress and retrieval process tested? |
| DNS Resolver | 180 days | Recursive query logs disabled for performance | DNS logging is frequently absent |
| NTP Server | 180 days | NTP sync logs not forwarded to SIEM | Timestamp consistency across all sources? |
| Cloud Infrastructure (if any) | 180 days | CloudTrail / Azure Monitor exported? | Cross-cloud log centralisation tested? |
| Physical Access / CCTV Metadata | 180 days | Separate system, no SIEM integration | Manual retrieval process documented? |
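The "Drill Test" column above is only useful if someone actually times the extraction and inspects what came back. The checker below is an added example, not code from the page: it treats each source's extract as the list of record timestamps the team managed to pull plus the minutes it took, then reports whether 180-day retention is really there, whether the 30-day window has unexplained silences, and whether the whole exercise fit inside the 2-hour budget. The sample extracts are constructed, and the 6-hour silence threshold used to flag a gap is an assumption rather than a CERT-In figure.

```python
"""Retention and extraction-drill checker for the CERT-In log sources.

Added example (not from the page). Sample extracts are constructed; the
MAX_GAP_HOURS threshold is an assumption, not a regulatory figure.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180       # CERT-In April 2022 Directions
EXTRACT_WINDOW_DAYS = 30   # the drill asks for a 30-day extract
EXTRACT_BUDGET_MIN = 120   # 2 hours across all sources
MAX_GAP_HOURS = 6          # assumption: longer silence = purge, rotation or offline agent


def retention_days(timestamps, now):
    """Days between the oldest record still retrievable and now (0 if nothing came back)."""
    return (now - min(timestamps)).days if timestamps else 0


def coverage_gaps(timestamps, now, window_days=EXTRACT_WINDOW_DAYS, max_gap_hours=MAX_GAP_HOURS):
    """(start, end) pairs inside the extract window with no records for longer than max_gap_hours."""
    start = now - timedelta(days=window_days)
    points = [start] + sorted(t for t in timestamps if start <= t <= now) + [now]
    limit = timedelta(hours=max_gap_hours)
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > limit]


def assess_source(name, timestamps, minutes_to_extract, now):
    findings = []
    kept = retention_days(timestamps, now)
    if kept < RETENTION_DAYS:
        findings.append(f"retention {kept}d < {RETENTION_DAYS}d")
    for a, b in coverage_gaps(timestamps, now):
        findings.append(f"no records {a:%Y-%m-%d %H:%M} to {b:%Y-%m-%d %H:%M} UTC")
    return {"source": name, "minutes": minutes_to_extract, "findings": findings}


def drill_report(extracts, now):
    """extracts: iterable of (source_name, timestamps, minutes_to_extract)."""
    rows = [assess_source(n, ts, m, now) for n, ts, m in extracts]
    total = sum(r["minutes"] for r in rows)
    within = total <= EXTRACT_BUDGET_MIN
    return {
        "total_minutes": total,
        "within_budget": within,
        "rows": rows,
        "pass": within and all(not r["findings"] for r in rows),
    }


# ---- constructed sample data -------------------------------------------------
NOW = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)


def hourly(days_back, now=NOW, outage=None):
    """One record per hour for the last days_back days, minus an optional (start, end) outage."""
    out, t = [], now - timedelta(days=days_back)
    while t <= now:
        if not (outage and outage[0] <= t < outage[1]):
            out.append(t)
        t += timedelta(hours=1)
    return out


SAMPLE_EXTRACTS = [
    ("Firewall / NGFW", hourly(200), 12.0),
    ("Web Proxy / DLP", hourly(90), 25.0),                       # purged at 90 days
    ("Endpoint (EDR/AV)",
     hourly(200, outage=(NOW - timedelta(days=10), NOW - timedelta(days=9))), 40.0),  # agent offline for a day
    ("SIEM Aggregator", hourly(200), 55.0),                      # cold-archive retrieval is slow
]

if __name__ == "__main__":
    report = drill_report(SAMPLE_EXTRACTS, NOW)
    for row in report["rows"]:
        status = "OK " if not row["findings"] else "GAP"
        print(f"{status} {row['source']:<22} {row['minutes']:>5.0f} min  {'; '.join(row['findings'])}")
    print(f"total {report['total_minutes']:.0f} min, within 2h budget: {report['within_budget']}, pass: {report['pass']}")
```

Run against real extracts by replacing `SAMPLE_EXTRACTS` with the parsed timestamps from each source and the stopwatch time per source; a source that returns records but fails the retention check is exactly the "log rotation configured shorter" gap from the table, and a silence inside the window is the offline-agent or purge case.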
Under pressure, infra teams isolate compromised systems first. This is the natural instinct — stop the bleeding. It is also the action that destroys the volatile forensic evidence needed to understand what happened, confirm scope, and satisfy CERT-In's technical evidence requirements.
The correct sequence for a compromised host is non-negotiable: capture first, isolate second. This must be practised under drill conditions because instinct will reverse it in a real incident.
```shell
# Drill checklist — evidence capture before isolation

# 1. RAM dump — winpmem (Windows) or LiME (Linux)
winpmem_mini.exe memory.raw
# or:
sudo insmod lime.ko "path=/mnt/secure/memory.lime format=lime"

# 2. Active sessions
netstat -ano > connections_T0.txt        # Windows
tasklist /v > processes_T0.txt           # Windows
who -a > sessions_T0.txt                 # Linux

# 3. Network capture (60-second window)
tcpdump -i eth0 -w capture_T0.pcap -G 60 -W 1

# 4. Isolate ONLY after above complete
# [firewall rule / VLAN change / physical disconnect]
```
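A checklist on paper does not stop an engineer at 2 AM from running the isolation step first. The gate below is an added example, not code from the page or any vendor: it does not run the capture tools itself, but checks that their outputs exist and are non-empty, writes a SHA-256 manifest for chain of custody, and only then calls whatever isolation action the runbook uses (firewall rule push, VLAN change). The artifact names follow the checklist above; `demo()` builds constructed placeholder artifacts in a temporary directory so the gate can be exercised offline.

```python
"""Capture-before-isolate gate for the evidence checklist.

Added example (not from the page). Artifact names match the checklist;
demo() uses constructed placeholder files, not real captures.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Evidence class -> acceptable artifact names (Windows or Linux tool output)
REQUIRED = {
    "memory":      ("memory.raw", "memory.lime"),
    "connections": ("connections_T0.txt",),
    "processes":   ("processes_T0.txt", "sessions_T0.txt"),
    "network":     ("capture_T0.pcap",),
}
MANIFEST = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def missing_evidence(evidence_dir):
    """Evidence classes for which no non-empty artifact is present."""
    def present(name):
        p = os.path.join(evidence_dir, name)
        return os.path.isfile(p) and os.path.getsize(p) > 0
    return [cls for cls, names in REQUIRED.items() if not any(present(n) for n in names)]


def write_manifest(evidence_dir, host, operator):
    """Hash every artifact and record who captured what, and when."""
    artifacts = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if name == MANIFEST or not os.path.isfile(path):
            continue
        artifacts.append({"file": name, "bytes": os.path.getsize(path), "sha256": sha256_file(path)})
    manifest = {
        "host": host,
        "operator": operator,
        "captured_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }
    with open(os.path.join(evidence_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def isolate_host(evidence_dir, host, operator, isolate_fn):
    """Call isolate_fn(host) only once capture is complete. Returns (isolated, reasons)."""
    missing = missing_evidence(evidence_dir)
    if missing:
        return False, [f"capture incomplete: {cls}" for cls in missing]
    if not os.path.isfile(os.path.join(evidence_dir, MANIFEST)):
        write_manifest(evidence_dir, host, operator)
    isolate_fn(host)
    return True, []


def demo():
    """Exercise the gate with constructed placeholder artifacts; returns what happened."""
    d = tempfile.mkdtemp(prefix="ir-evidence-")
    isolated = []  # stands in for the firewall/VLAN action; records the hosts it was called for
    first = isolate_host(d, "host-01", "oncall-infra", isolated.append)   # nothing captured yet
    for name in ("memory.lime", "connections_T0.txt", "sessions_T0.txt", "capture_T0.pcap"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"placeholder " * 4)   # constructed stand-in for a real capture
    second = isolate_host(d, "host-01", "oncall-infra", isolated.append)
    with open(os.path.join(d, MANIFEST)) as f:
        manifest = json.load(f)
    return {"first": first, "second": second, "isolated": isolated, "manifest": manifest}


if __name__ == "__main__":
    result = demo()
    print("before capture:", result["first"])
    print("after capture: ", result["second"], "isolated:", result["isolated"])
    print(json.dumps(result["manifest"], indent=2))
```

In a real runbook `isolate_fn` is the one call that changes the network, so it is the only place the gate needs to sit; the manifest written just before it is what goes to CERT-In alongside the images.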
SEBI CSCRF requires Qualified Regulated Entities to maintain documented Recovery Time Objectives for Tier 1 systems — and to demonstrate those RTOs are achievable. "Achievable" means tested. An untested RTO is not an RTO; it is an aspiration.
Most infra teams know their documented RTO. Fewer have activated the DR site and measured actual recovery time under conditions that simulate a real incident — where the production environment is unavailable, the failover runbook was last updated 18 months ago, and two key engineers are not available because it is 3 AM on a Saturday.
We had a documented RTO of 30 minutes. The drill took 78 minutes. The 48-minute gap came from three sources: the runbook referenced a backup server that was decommissioned 8 months ago, DNS cutover took 20 minutes because the TTL hadn't been pre-reduced, and the authorisation chain to invoke DR required the CTO to call the MD — who was unreachable for 15 minutes.
— Infrastructure Lead, Tier-2 Private Bank, Southern India
CERT-In's 2022 Directions explicitly require all ICT infrastructure to synchronise time with the National Informatics Centre (NIC) or NPL NTP servers. This requirement is overlooked by a surprisingly high proportion of BFSI infra teams — particularly for legacy systems, network devices, and recently-migrated cloud workloads.
The consequence is not merely regulatory: inconsistent timestamps across log sources make forensic reconstruction unreliable, correlation across SIEM impossible, and CERT-In evidence contestable. A 15-second timestamp discrepancy between your firewall and your Active Directory controller can obscure the entire attack sequence.
Configure time.npl.res.in and samay1.nic.in as the reference NTP servers.

Run the checks below 72 hours before any CyberDrill to validate technical readiness. Every item that fails is a finding before the drill begins — which means it can be fixed before the SEBI ID.5 report records it as a gap.
| Check | Validation Method | Target |
|---|---|---|
| CERT-In portal credentials valid | Test login at incident.cert-in.org.in | Active, MFA working |
| Log extraction <2 hours (all 13 sources) | Timed extraction exercise | <2 hours |
| NTP sync across all log sources | ntpq -p across 10 key hosts | <2 seconds delta |
| RAM capture tool staged on IR jump server | Verify binary present and runnable | winpmem / LiME ready |
| DR runbook — version dated this quarter | Check document metadata | Review if >90 days old |
| DR activation authorisation chain documented | Check runbook Section 1 | Named individuals + alternates |
| Forensic storage target available + accessible | Write test to secure share/SAN | Write speed adequate for disk image |
| IR team contacts verified (mobile numbers) | Call/SMS test at 8 PM | All reachable on first attempt |
| Backup integrity verified for last 3 snapshots | Hash validation on backup sets | All hashes match |
| Network segmentation — isolation VLAN available | Test isolation rule push to firewall | Isolation active in <5 min |
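The NTP row above ("ntpq -p across 10 key hosts, <2 seconds delta") and the timestamp discussion earlier both come down to reading `ntpq -p` output consistently across hosts. The checker below is an added example, not code from the page: it parses the output collected from each host and flags a host when no system peer (`*`) is selected, when the selected peer is not one of the NIC/NPL servers named above, when the offset is at or beyond the 2-second target, or when recent polls were lost. The `ntpq` outputs and host names are constructed.

```python
"""ntpq -p drift check across a fleet of log-producing hosts.

Added example (not from the page). SAMPLE_OUTPUTS and the host names are
constructed; APPROVED lists the two reference servers named in the text.
"""

APPROVED = {"time.npl.res.in", "samay1.nic.in"}
MAX_OFFSET_MS = 2000.0   # table target: <2 seconds delta (ntpq reports offset in milliseconds)
FULL_REACH = "377"       # octal bitmask: all of the last eight polls answered


def parse_ntpq(text):
    """Rows of `ntpq -p` as dicts; the first character of each row is the tally code."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields[:10]
        try:
            peers.append({
                "tally": tally, "remote": remote.rstrip("."), "refid": refid,
                "stratum": int(st), "reach": reach, "offset_ms": float(offset),
            })
        except ValueError:
            continue
    return peers


def check_host(host, ntpq_output):
    peers = parse_ntpq(ntpq_output)
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    if sys_peer is None:
        return {"host": host, "offset_ms": None,
                "findings": ["no system peer selected: ntpd is not synchronised"]}
    findings = []
    if sys_peer["remote"] not in APPROVED:
        findings.append(f"system peer {sys_peer['remote']} is not an approved NIC/NPL server")
    if abs(sys_peer["offset_ms"]) >= MAX_OFFSET_MS:
        findings.append(f"offset {sys_peer['offset_ms']:.1f} ms is at or beyond {MAX_OFFSET_MS:.0f} ms")
    if sys_peer["reach"] != FULL_REACH:
        findings.append(f"reach {sys_peer['reach']}: polls lost in the last eight cycles")
    return {"host": host, "offset_ms": sys_peer["offset_ms"], "findings": findings}


def fleet_report(outputs):
    """outputs: {host: ntpq -p text}. Pass only when every host is clean."""
    hosts = [check_host(h, txt) for h, txt in outputs.items()]
    offsets = [abs(h["offset_ms"]) for h in hosts if h["offset_ms"] is not None]
    return {"hosts": hosts, "max_abs_offset_ms": max(offsets) if offsets else None,
            "pass": all(not h["findings"] for h in hosts)}


# ---- constructed ntpq -p output from three hosts ------------------------------
SAMPLE_OUTPUTS = {
    "dc01.corp.example": """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.npl.res.in .GPS.            1 u   34   64  377   18.412   -0.612   0.215
+samay1.nic.in   .GPS.            1 u   40   64  377   21.003    0.930   0.301
""",
    "fw01.corp.example": """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*pool.ntp.example 10.0.0.5        2 u   12   64  377    2.115 -4312.700   1.200
""",
    "legacy-ux.corp.example": """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 samay1.nic.in   .INIT.          16 u    -   64    0    0.000    0.000   0.000
""",
}

if __name__ == "__main__":
    report = fleet_report(SAMPLE_OUTPUTS)
    for h in report["hosts"]:
        state = "OK " if not h["findings"] else "FIX"
        print(f"{state} {h['host']:<24} offset={h['offset_ms']}  {'; '.join(h['findings'])}")
    print(f"max |offset| = {report['max_abs_offset_ms']} ms, fleet pass: {report['pass']}")
```

In the constructed data the domain controller is clean, the firewall is 4.3 seconds off and following an unapproved peer, and the legacy host has never synchronised (`.INIT.`, reach 0); the firewall-versus-AD case is the 15-second-discrepancy scenario described above in miniature.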
The drill report is owned by the CISO, but the technical evidence within it must come from the infra team. Specifically, the infra team must produce documentation of the following for each drill:
Practitioner Toolkit · CyberDrill Module
The CyberDrill module includes technical inject scenarios specifically designed for infra teams — log extraction drills, DR invocation sequences, evidence preservation tests, and CERT-In portal simulation. The technical findings from each inject are automatically captured into the structured SEBI ID.5 drill report.