Tabletop exercises are a way for organizations to understand how various teams and team members may respond to cybersecurity incidents. In a tabletop exercise, key personnel from within the organization are gathered to observe how they respond to simulated cybersecurity incident scenarios. Tabletop exercises can reveal potential gaps not only in plans and policies, but also in team training, communication, and information availability. Moreover, a properly planned and executed exercise will result in lessons learned that are fed back to modify and improve the plans, policies, training, and information availability.
Tabletop exercises fall within the spectrum of response and training exercises described by the US Homeland Security Exercise and Evaluation Program (HSEEP). Other exercise types in that spectrum are walkthroughs (a basic training exercise designed to familiarize team members with incident response plans), functional exercises (where team members perform their incident response roles and duties in a simulated operational environment to validate plans and readiness), and full-scale exercises that are as close as possible to the real thing.
One note of caution: a tabletop exercise is not the forum in which to develop an incident response plan. It is also not the primary means of training the individual participants. To be clear, tabletop exercises are a way to test the efficacy of existing incident response plans and determine areas for improvement. If your organization does not have incident response plans, or the participants have not undergone formal or informal training on their roles and responsibilities within those plans, then this type of exercise will not be informative.
Why?
Even before the tabletop exercise is planned, clear objectives should be determined. What are the organizational objectives for this exercise? What questions are you hoping to answer with this exercise? For example, a common technical objective is to determine if the levels of logging, availability of log data, and timely access to log data are adequate to understand and respond to the incident. Another common objective is to determine whether the team assembled to respond is sufficiently staffed or whether additional expertise (internal or outside help) is needed.
Who?
There are two basic considerations here. First, who will facilitate the tabletop exercise? Second, who needs to participate in the exercise?
VikingCloud facilitators work with organizational leaders to help determine which scenarios to test, help select the appropriate personnel for each exercise, present and facilitate each scenario, provide expert knowledge during the simulated incident, help draw conclusions, and distill the lessons learned.
Selection of personnel depends on each exercise scenario. Some key participants may be involved in every scenario, while others may be asked to participate only in scenarios that pertain to their area of expertise. For example, personnel from information security may be involved in all scenarios, while personnel from the legal team may be involved only in ransomware scenarios. Typically, an effective incident response requires expertise from multiple areas, including information security, information technology, software development, legal, and communications.
What?
Scenario selection is an important decision. It can be based on a combination of the potential impact of an incident, its likelihood of occurrence, and even incidents that have recurred in the past. However, the most valuable tool to aid in scenario selection is a properly conducted risk assessment (a topic for another day).
Commonly used scenarios include the following:
- Quick Fixes
- Malware Infections
- Ransomware
- Cloud Compromises (Google/AWS/Azure)
- Internal Financial Systems Targeting
- Natural Disaster
- DNS Attack
- Pandemic
- Physical Security Compromises
Learn
Recall that the purpose of these exercises is to understand and learn from the efficacy of current incident response plans and team members, to uncover gaps in the plans, in team knowledge, or in available information, and then to feed those findings back to improve the process. To that end, the output of the exercise ought to be a list of actions or changes that, when implemented, would improve the outcome, whether that intended outcome is a reduction in response time, a shorter incident duration, or better containment of impact.
Conclusion
Tabletop exercises are an important tool to help reduce the risk faced by organizations.
Although not intended to be a training exercise, running a tabletop exercise serves as a refresher for participants on plans and processes. Exercising real-life scenarios clarifies roles and responsibilities, helping participants work more cohesively as a team while also improving decision-making and response times. More effective decision-making and faster response times mean that a security breach can be more quickly contained, resolved, and recovered from.
Tabletop exercises can also highlight whether the organization and its incident response team are making the best and most effective use of the incident response tools and resources available to them. The exercise may identify weaknesses or gaps, but it may also improve understanding and maximize use of available tools and resources, further enhancing the organization's incident response.
Take action now to measure and improve your organization's cyber incident response preparedness. Tabletop exercises can give you confidence in your incident response team and give your organization peace of mind that any security incident or cyberattack will be handled in an effective manner that mitigates further damage and reduces the operational, financial, and reputational impact.
Contact the VikingCloud team to discuss how to improve your organization's cyber incident response plan.