The global threat profile continues to increase. Malicious attacks, exploited vulnerabilities, intrusion and data exfiltration can happen anytime to anyone. Organizations are aware of these threats and develop recovery plans to enable effective incident response. But how can we be sure that our plans are fit for purpose, mature enough and known by everyone?
Testing disaster response and recovery plans through simulated events is not new. Schools and commercial buildings routinely conduct fire drills, and civil protection organizations engage in periodic large-scale crisis simulations.
Similarly, cyber incident response must be practiced regularly. A common approach is to conduct a discussion-based simulation, a so-called Tabletop Exercise (TTX), to verify existing plans, eliminate gaps, and achieve and maintain a state of readiness.
Unfortunately, TTXs are often performed only once – and sometimes not at all. Under these circumstances, there’s no way to achieve and maintain incident response maturity. Technologies, processes and key players change. To make sure that incident response readiness remains at a high level, organizations should perform TTXs at least yearly, and more often when major changes happen.
What is a cybersecurity TTX?
A cybersecurity TTX takes participants through a simulated real-world cybersecurity incident. It is discussion-based and guided by one or more facilitators. TTXs are designed to assess, train and improve the team’s incident response preparedness for potential and exploited vulnerabilities, incidents and cyber threats. The scenarios used in TTXs are tailored for the objectives, scope, industry and specific risks of the participating organization.
Inside a TTX
TTXs are designed to do the following:
- Confirm response and recovery processes are fit for purpose. Having key processes in place is not enough. They must be familiar to all stakeholders, properly documented, kept up to date and readily accessible during an event.
- Exercise communication paths and cooperation among involved teams. Communication between technical teams and management, customers and stakeholders can be a challenge. Is the right information being shared at the right time with the right audience? Is information tailored and “translated” correctly for the various receivers? Are decisions made by the appropriate people, at the right time, and communicated clearly enough?
- Educate teams on incident response roles and responsibilities. It is crucial to understand the roles and responsibilities of all stakeholders. Identifying the teams involved in investigation and containment, and determining who runs analysis and who drives communication, are important aspects of a successful incident response.
- Establish a zero-blame environment. Everyone who has been involved in a real cybersecurity incident may remember the level of pressure, concern and uncertainty associated with it. Participants should be motivated to brainstorm, raise ideas and interact without concern. This will help participants stay calm and focused during the security incident, something that requires practice.
- Provide evidence of readiness and resilience of the IT community. Organizations seek assurance of comprehensive preparedness to swiftly and effectively manage incidents and security threats. Regular TTXs confirm maturity and commitment to optimal preparedness.
- Document lessons learned and suggested improvements. Constant control and improvement ensure processes stay up to date, knowledge is refreshed, and new tools and procedures are properly integrated into our plans.
- Be cost-effective in terms of time and resources. Compared to many other training approaches, TTXs are a low-budget initiative. Preparation and execution usually require a limited number of hours, and TTXs can be performed remotely.
Caveat: It’s not reality
A simulation can never represent the full complexity of reality. Since a TTX usually is a theoretical exercise, the ability to technically identify an incident, mitigate it and recover from the impact will not be verified in a TTX.
The true timescale for recovery activities — such as remediation and restore — cannot be reflected in such an exercise and might not be fully understood by the participants.
Since it is a simulation, participants may be quick to make drastic decisions and forget about real world constraints, business requirements and worst-case impacts of certain actions. Shutting down all infrastructure may stop a virus spread, but is this a feasible action considering the potential business impact?
Preparing for a successful TTX
Following are five steps for preparing for a successful TTX.
- Define scope, goals and objectives. Do we want to test a new process, train junior employees or verify cooperation among different teams? Objectives must be clearly agreed upon by the organization and the leader of the exercise.
- Develop a scenario that meets the objectives and fits the organization’s industry and risk landscape. It might be necessary to interview staff to understand the IT estate and relevant processes in order to tailor the exercise for them.
- Set bounds on complexity and stress to apply during the exercise. Tailor the complexity of the exercise according to the organization’s current level of maturity and experience. Exercises that are too easy will be boring and not drive learning. Conversely, exercises that are too complex may be frustrating and block constructive discussion about gaps and corrective actions.
- Agree on an approach for coordination and observation. A TTX can be performed on site with all participants gathered in one room, or using multiple breakout rooms. Also, a remote setup is possible. Moderating and observation are necessary for every breakout room, including virtual rooms. Rooms must be planned for and staffed wisely to support the progress of the exercise, and to enable open discussion and brainstorming among participants without them feeling shy or fearing failure.
- Select the right group of participants. Depending on the objectives of the exercise, the participants should be selected accordingly. Is the exercise planned for technical teams, managers, junior employees or a combination of these? The participants should be those that will most likely be involved in a real-world event. The number and roles of participants should be considered in the room setup and the development of the scenario.
Performing the TTX
To achieve the full benefits of a TTX, it is important to run the TTX in an encouraging and interactive way. The following tips help organizations get the most out of the exercise:
- Provide a “zero-blame” environment: Participants should feel comfortable to interact without being chastized or embarrassed. Mistakes help people learn and address improvements.
- Be flexible: A well-prepared scenario is essential, but there is still some flexibility required to dig into issues or assess alternatives. The facilitator should ask questions to keep the participants moving. The first response may not always sufficiently solve the issue. What if regular tools become unavailable? What if key players are on sick leave?
- Enjoy: A TTX can be fun. Working together as a team to save the organization and beat the villains is a great team-building activity. Why not incorporate some entertaining elements, such as social media posts from the attacker (and pointers on how to respond — or not) or fake television news talking about the incident to make the event extra impactful?
- Document: Detailed and holistic documentation is key to identify strengths and weaknesses of the participants’ responses, as well as develop and address actions to further increase cyber incident response maturity.
Feedback after the TTX
After the TTX is finished, the participants will be excited to hear feedback. A short “hot debrief” will provide them with a preliminary evaluation of the major strengths and gaps.
For the full feedback report, all findings from all moderators and observers must be consolidated in a combined evaluation, covering:
- Strengths: What was done well? Which tools and processes were successfully used and were beneficial to solve the incident? Best practices should be collected and documented for other teams and departments for cross-company learning.
- Weaknesses: What needs to be improved? All identified gaps should include actions and action owners to close the gaps. Identify procedures, tools and learning resources to address the gaps.
- Follow-up: Agree on when and how the agreed-upon actions will be followed up to verify if they have been addressed and completed.
- Next TTX: Be sure to plan for the next TTX to test the implementation of improvements and keep the team’s knowledge and experience on cyber incident response up to date.
- Improvements: Learning goes both ways. Collect feedback about the TTX itself. Was it appropriate and useful? Collect ideas for future events, new scenarios and additional challenges for your next cycle of TTXs.
Tabletop Exercises increase and maintain cyber incident response maturity, and keep teams aware of threats and up to date on the tools and processes to use in an event. When prepared and performed properly and regularly, TTXs are a successful and cost-effective learning initiative with many benefits.