Modern Workplace

Optimize incident response plans with smarter security tabletop exercises

Jun 06, 2022

Building your blueprint for incident response

Tabletop exercises (TTXs) are a great way to assess an organization’s incident response plan (IRP) for cybersecurity incidents. Because they tend to be relatively abstract in structure – carried out over a real or virtual table, as opposed to requiring access to security tools and management platforms – a TTX can be conducted in a short period and without significant effort to prepare.  

It doesn’t mean a TTX is lightweight in results. A good TTX will reveal whether an organization can handle a specific class of attack. Practicing critical decisions within the C-suite provides vital intel needed to optimize reactions to potential incidents. It’s better to debate response efforts when not in the middle of an attack.

A well-designed TTX can also be a precursor to carrying out more technical walkthroughs of an IRP, such as a functional exercise between the cyber and privacy teams (ideally considering any issues identified in a previous C-suite TTX).

The rub, however, lies in the phrase “well-designed.” TTX, like technical tools and business models, are not all created equal, and execution of an insufficiently designed TTX may only reveal a broken exercise – not whether the team is ready to handle an incident.

Consider recent attacks based on known vulnerabilities like Log4j. The Java library included in Apache Web server packages that, once compromised, could lead to the execution of arbitrary code on that server. Organizations may believe they have patched every instance of Log4j on every relevant server, everywhere in the infrastructure – both on-premises and in-cloud – but have they? What if an attack against a vulnerable server in a forgotten corner is successful? Is the team capable of responding quickly and efficiently to mitigate the effects? A TTX with the right scope can provide answers in this active type of exercise.

You can also use a TTX to consider different classes of attacks, like ransomware. The Lapsus$ ransomware group, for instance, has made headlines by successfully compromising organizations as well-known as Samsung and Nvidia. How would your team respond to being targeted by the group? Who would play what role?  Do you engage external legal counsel?  Do you pay the ransom?  What do you tell your customers?  When do you advise the CEO or the board?  When and how do you disclose the breach to a regulator?  Using real-world examples such as this can facilitate valuable debates within your executive team about how your company will prepare and respond to such difficult questions.

Follow best practices to get an excellent tabletop exercise 

Optimized responses demand an optimized TTX. That’s why it’s essential to understand TTX best practices before leading one. Though no two organizations have the same infrastructures, business models, strategies, culture, or team capabilities, these best practices broadly yield a tailored TTX capable of delivering results for nearly any organization.

It doesn’t take vast amounts of time and effort to build a good TTX outline. Creating one using a logical process that asks and answers key questions pertinent to the scenario is efficient. Consider these essential ingredients of a successful TTX:

  • Goals – A TTX is about testing an IRP (and assumes the existence of a plan in the first place). Align goals with the defined scope of the TTX. Determine what the exercise should accomplish and which questions need debate.
  • Efficiency – Is a timely response critical, given the nature of the threat? If so, consider the steps outlined and how well the participants understand them. Shorten or eliminate any inessential actions. Tracking the total time required for each reaction can help develop a hypothetical response timeline, which is helpful in technical/functional TTXs. While you’re not running tools and measuring actual tool query times, you can identify possible contributors to an inefficient response effort.
  • Scope – Is the TTX supposed to evaluate the plan in terms of technology, or rather individuals’ understanding of the plan and readiness to carry it out? Both? What are the possible cascading effects of the mock incident, and should they be discussed in the exercise? How much time should you allocate to each stage of the response?  Are you discussing how the C-suite expects cyber incidents to be handled or testing interactions between cyber teams and other functional areas such as legal, privacy, and IT?  
  • Leadership – Designate a TTX facilitator with experience in and understanding of the technical and procedural requirements at the outset. It’s also wise to designate an individual to observe and document the outcome of the TTX, assessing it for efficacy and taking note of perceived weaknesses or outright failures for later remediation.
  • Roles and responsibilities – The TTX must include everyone involved in the IRP (within the scope of the TTX), including cybersecurity team members, business managers, and any executives who may be affected. Each must understand their roles and requirements in fulfilling essential functions, including threat identification, assessment, reporting; escalation–if necessary; triage, containment, and resolution; and subsequent tasks like business impact evaluation, impact on regulation compliance, and communications. Don’t lose sight of the scope, however. A bloated participant list will result in many not actively participating.

Take people, not just process, into account

Everyone should understand that a TTX is not a test of technology or skills; it’s a means of assessing an IRP and key decision points within an incident response effort. The purpose of a TTX is not to assess blame. A TTX that doesn’t appear on the surface to go well can be seen as a success because it exposes problems team members can address before an actual gray sky event. 

Leaders should encourage participants to ask questions, whether they pertain to one’s job responsibilities or not. Questions might concern common issues like the relevant business assets, gaps in coverage, unexpected ramifications, the side effects of a particular class of threat, or something entirely different. The point is to foster an air of openness and inquiry, so participants have the chance to provide input or provide observations that serve the exercise. 

Implement corrective actions learned from the TTX

Designate a lead to create an after-action report complete with recommended next steps for refining the IRP. These items should address hiccups that arose during the TTX and prove them at the next scheduled exercise or actual IR, if necessary. Follow through and implement corrective actions. Don’t stop documenting the outcome.

Use these basic ingredients when initiating TTXs within your organization. But bear in mind that drilling your IRP frequently and thoughtfully will help in a significant way to reduce conflict when tough decisions need to be made during a live incident and maximize efficiency when handling a real-life incident within your organization.

Plan, practice, repeat!

What to read next

Ransomware incident response is a technical problem right? Wrong. It's also a project management problem

Increased cyber risk drives disclosure