The thought of the Rams going onto the field with the 49ers without first spending months practicing would be unheard of. And the same is true of responding to cyberattacks in a company. Firefighters do fire drills. Actors do dress rehearsals. And IT and security teams do tabletop exercises.
Tabletop exercises are a low-stress rehearsal of what might arise during an emergency situation. In this case, a cyberattack. Participants sit and discuss a scenario and their potential responses to it.
Part of any effective Incident Response (IR) plan is to ensure that it is sound. Tabletop exercises are the way to make sure it is.
In this article, we are going to look at what an incident response tabletop exercise looks like, what the value of a tabletop exercise is, and what types of tabletop exercises exist to make sure your IR plan is robust and actionable.
Tabletop exercises are carried out on a discussion basis in a classroom setting. As the exercise progresses, more and more potential scenarios can be introduced, escalating the scenario so that participants can learn how to deal effectively with a growing threat.
Although the tabletop exercise is a form of training, participants are expected to be familiar with IR plan by the time they get to the exercise, just as any actor is expected to know their lines by the time the dress rehearsal comes along.
Tabletop exercises typically last several hours although they can sometimes last an entire day depending on the complexity of the attack that is being drilled.
There are two types of tabletop exercises:
A technical tabletop exercise will test the ability of the tech team to respond to a wide variety of threat scenarios. This revolves around very specific technical actions needed depending on the type of threat being experienced.
For example, an attack based on a zero-day exploit might require scouring news and vendor websites for updated information on how to address that particular vulnerability, or for any patches that have been released. Whereas the response to a DDoS attack would likely be handled by initially blocking specific IP ranges.
IR is far from purely a technical subject. In certain types of attacks, leadership needs to be heavily involved because decisions can have significant legal and financial consequences. For example, leaders might guide technical teams to first address areas that are:
Leadership or executive tabletop exercises drill the decision-making process to make sure the executives know what their roles are. It helps them get familiar with the sort of decisions they will need to take and that they’ve thought them through before a real incident strikes.
Once both the technical and leadership teams have completed their respective exercises, a joint exercise can be held.
Let’s imagine a tabletop exercise where the attack vector was an email with a malicious link that prompted a drive-by download. The malicious download quickly paralyzed the company’s entire back office, and consumer data from a local database was exfiltrated.
Part of this imagined scenario is that the hackers are demanding $5 million in ransom within 48 hours or else they will release the unencrypted data to the internet, triggering fines that will be far in excess of the ransom demand.
Depending on the IR plan and playbooks in place, the approach to tabletop exercises often play play out like this:
The leadership team would need to make several decisions, and these would be taken up during the exercise as well. Some of these decisions would be intermingled with the tech steps above, guiding the tech team on each key step, and other decisions would be independent — such as the decision of whether or not to pay the ransom.
Some of the leadership steps might include:
Ransomware attacks are unique in that leadership roles are always heavily involved. There is also a PR factor, and public relations executives must work out the best way to inform the public of the breach.
The exercise should be kept realistic. Whoever is running the exercise should understand both offense and defense techniques so they can inject realistic factors into the exercise that escalate the situation and so train participants to the highest level possible.
It’s important to unpack the potential consequences of each decision, good and bad. The goal is that participants learn and understand as much as possible about the consequences, the attack itself, and the resolution so that they don’t need to think about these things on the day of an attack.
Effective tabletop exercises can help identify points of confusion that need to be clarified. There is no set rubric for the exercises. The key is to constantly bring in new challenging scenarios into the exercise and ask the participants how they would deal with those scenarios.
A great way to frame the exercises is to talk about potential losses and takeaways from them. This is more important from a leadership perspective because leadership functions are less defined than technical ones.
The tabletop exercise itself will either validate or invalidate the entire IR strategy. It helps identify areas of weakness in the IR plan that need to be improved and so provides a roadmap for future IR planning.
Cybersecurity tabletop exercises are necessary to establish if an IR plan is sound. They flush out weaknesses and areas of confusion that need to be clarified. More importantly, they ensure everyone accountable at the company is well prepared to act accordingly.
Because IR is a subject that requires a vast amount of technical skill, it is recommended to bring in an external IR partner that has invested in the necessary personnel and resources to successfully respond to any incident. When looking for such a partner, you should ensure that they include tabletop exercises as part of their service.
SolCyber has partnered with IR experts Surefire Cyber to provide turnkey cybersecurity solutions for SMEs, covering everything from initial incident response planning to full recovery and data restoration after an incident. Surefire Cyber designs tabletop exercises specifically aimed at IR plans in your business. They plan out these exercises with realistic scenarios and then recommend steps to improve your response.