What’s a tabletop exercise and why is it needed?

The thought of the Rams going onto the field with the 49ers without first spending months practicing would be unheard of. And the same is true of responding to cyberattacks in a company. Firefighters do fire drills. Actors do dress rehearsals. And IT and security teams do tabletop exercises.

Tabletop exercises are a low-stress rehearsal of what might arise during a cyberattack. Participants sit and discuss a scenario and their potential responses to it.

Part of any effective Incident Response (IR) plan is to ensure that it is sound. Tabletop exercises are the way to make sure it is.

In this article, we are going to look at what a tabletop exercise looks like, what the value of a tabletop exercise is, and what types of tabletop exercises exist to make sure your IR plan is robust and actionable.

What does a tabletop exercise look like?

Tabletop exercises are carried out on a discussion basis in a classroom setting. As the exercise progresses, more and more situations can be introduced, escalating the scenario so that participants can learn how to deal effectively with a growing threat.

Although the tabletop exercise is a form of training, participants are expected to be familiar with IR plan by the time they get to the exercise, just as any actor is expected to know their lines by the time the dress rehearsal comes along.

Tabletop exercises typically last several hours although they can sometimes last an entire day depending on the complexity of the attack that is being drilled.

There are two types of tabletop exercises:

1. Technical
2. Leadership\executive

Technical tabletop exercises

A technical tabletop exercise will test the ability of the tech team to respond to an incident. This revolves around very specific technical actions needed depending on the type of threat being experienced.

For example, an attack based on a zero-day exploit might require scouring news and vendor websites for updated information on how to address that particular vulnerability, or for any patches that have been released. Whereas the response to a DDoS attack would likely be handled by initially blocking specific IP ranges.

Leadership tabletop exercises

IR is far from purely a technical subject. In certain types of attacks, leadership needs to be heavily involved because decisions can have significant legal and financial consequences. For example, leaders might guide technical teams to first address areas that are:

• Causing heavy monetary loss
• Resulting in unacceptable reputational loss
• Most risky from a legal perspective.

Leadership or executive tabletop exercises drill the decision-making process to make sure the executives know what their roles are. It helps them get familiar with the sort of decisions they will need to take and that they’ve thought them through before a real incident strikes.

Once both the technical and leadership teams have completed their respective exercises, a joint exercise can be held.

Example of a tabletop exercise — ransomware attack

Let’s imagine a tabletop exercise where the attack vector was an email with a malicious link that prompted a drive-by download. The malicious download quickly paralyzed the company’s entire back office, and consumer data from a local database was exfiltrated.

Part of this imagined scenario is that the hackers are demanding $5 million in ransom within 48 hours or else they will release the unencrypted data to the internet, triggering fines that will be far in excess of the ransom demand.

Depending on the IR plan and playbooks in place, the various steps of the tech response might play out like this:

1. Understand the attack and how the attacker got in:

• What is the attack vector that led to a compromise?
• Did the malware exploit a flaw that escalated privileges, allowing an unsanctioned installation?
• Did the user account have more privileges than it should?
• What permissions do other users in the organization have?

2. Contain the attack:

• The tech team might immediately close off the organization’s public-facing internet connection while it investigates. As it could have significant impact to the business, it requires a quick decision from the leadership.

3. Prevent reinfection:

• This would certainly include hardening spam filters that allowed such a malicious email through, as well as checking browser settings that allowed the download of an executable.

4. Forensics to Identify the attacker

• A different tech team might serve an investigatory and detective purpose, following breadcrumbs that could lead to the identity of the hackers. This team would likely also work with any leadership roles that might be in touch with law enforcement.

The leadership team would need to make several decisions, and these would be taken up during the exercise as well. Some of these decisions would be intermingled with the tech steps above, guiding the tech team on each key step, and other decisions would be independent — such as the decision of whether or not to pay the ransom.

Some of the leadership steps might include:

• Making a call on whether to temporarily cut the organization’s internet access — this might have severe financial consequences.
• Other executives might break off separately to discuss the possibilities of paying the ransom and what consequences this could have. Likely, legal counsel would be involved in such a decision-making process.
• Leaders would need to identify stakeholders and inform those stakeholders of the potential consequences of the attack.
• Tech leadership would be on the ground, ready to react to any discoveries from the tech team about the attack.

Ransomware attacks are unique in that leadership roles are always heavily involved. There is also a PR factor, and public relations executives must work out the best way to inform the public of the breach.

The exercise should be kept realistic. Whoever is running the exercise should understand both offense and defense techniques so they can inject realistic factors into the exercise that escalate the situation and so train participants to the highest level possible.

It’s important to unpack the potential consequences of each decision, good and bad. The goal is that participants learn and understand as much as possible about the consequences, the attack itself, and the resolution so that they don’t need to think about these things on the day of an attack.

How tabletop exercises help

Tabletop exercises can help identify points of confusion that need to be clarified. There is no set rubric for the exercises. The key is to constantly bring in new scenarios into the exercise and ask the participants how they would deal with those scenarios.

A great way to frame the exercises is to talk about potential losses and takeaways from them. This is more important from a leadership perspective because leadership functions are less defined than technical ones.

The tabletop exercise itself will either validate or invalidate the entire IR strategy. It helps identify areas of weakness in the IR plan that need to be improved and so provides a roadmap for future IR planning.

Conclusion

Tabletop exercises are necessary to establish if an IR plan is sound. They flush out weaknesses and areas of confusion that need to be clarified.  More importantly, they ensure everyone accountable at the company is well prepared to act accordingly.

Because IR is a subject that requires a vast amount of technical skill, it is recommended to bring in an external IR partner that has invested in the necessary personnel and resources to successfully respond to any incident. When looking for such a partner, you should ensure that they include tabletop exercises as part of their service.

SolCyber has partnered with IR experts Surefire Cyber to provide turnkey cybersecurity solutions for SMEs, covering everything from initial incident response planning to full recovery and data restoration after an incident. Surefire Cyber designs tabletop exercises specifically aimed at IR plans in your business. They plan out these exercises with realistic scenarios and then recommend steps to improve your response.

To learn more about how SolCyber can help you with your IR plan, contact us today for a no-obligation conversation.