The Importance of Incident Response Tabletop Exercises
By Alexander Hernandez, IT Security Consulting Manager
Most organizations have incident response plans, but the question remains, how effective are they?
Organizations can find the answer to this question by regularly scheduling tabletop exercises that identify weak points in security plans and enable a proactive defense against cyber threats.
By simulating attacks during tabletop exercises, organizations efficiently test how they would respond - and continue functioning - during real-world incidents. The exercises, which are often led by outside cybersecurity experts, will improve the incident response team’s ability to quickly remove threats without significantly limiting business operations.
All organizations have disparate teams (e.g., senior management, legal, finance, marketing, HR, communications, customer service) working together to form an organized whole when an incident occurs. Mistakes by any one of these teams can threaten the entire organization’s response. The goal of the tabletop exercise is to improve both the incident response plan and the functioning of the teams, thereby strengthening the organization’s response to an incident.
What Are the Benefits of Tabletop Exercises?
It’s important to define objectives before designing the tabletop exercise. Is your goal to test people, processes, or technology? For example, do you want to test whether the plan covers newly deployed technology? Whether your response meets compliance requirements? Whether new team members know their roles? Or all the above?
Whatever your objective is, tabletop exercises will vastly increase your cyber preparedness. The benefits include:
- Validate Readiness – Tabletop exercises validate readiness by comparing recommended controls against implemented controls.
- Situational Awareness and Team Building – Tabletops establish and strengthen cross-departmental relationships needed for incident response efforts.
- Practical Defense Actions – Tabletops identify gaps in critical areas such as threat detection, data source collection, log correlation, and the communication of roles and responsibilities.
- Increase Critical Thinking Among Leaders – During an actual incident, your response team must function as a unit. Coming together to practice critical thinking and decision-making during a simulated incident will help your team act effectively when faced with a real-world threat.
- Clarify Roles and Responsibilities – Most people don’t have the time or headspace to reflect on procedure and, instead, tend to act on instinct. Tabletop exercises give clarity on who needs to do what in a stressful situation.
- Identify Flaws in The Plan – There is always room for improvement. Conducting tabletop exercises can help you identify what your organization needs to work on (e.g., ensuring proper documentation, identifying gaps in the communication).
- Return of Investment – A tabletop exercise can potentially save your organization thousands of dollars in recovery expenses. Knowing how to handle a cyber incident can help your employees take proper measures during an attack.
- Strengthen Preparedness – Carefully recorded observations combined with objectives-driven evaluation criteria are developed and presented in the after-action report. The report identifies weaknesses and offers recommendations for improvement in the incident response plan and the team’s response.
How Do Tabletop Exercises Play Out?
Before beginning a tabletop exercise, it is important to establish guidelines for participants, so they come prepared for the exercise and establish the proper mindset, including:
- Engage in open, no-fault discussions. There are no wrong questions to ask.
- Expect varying viewpoints and even disagreements.
- Respond to scenarios using your knowledge of current plans, policies, procedures, and your specific role. (Come prepared).
- View the exercise as an opportunity to discuss and analyze different viewpoints and learn more about your capabilities.
- Focus on providing solutions and on problem-solving. Identifying issues is not as valuable as providing suggestions.
Who Participates in Tabletop Exercises?
Tabletop exercises must involve the right participants to be effective, including:
Players – Players are individuals in the organization with a defined role in the incident response plan. Don’t limit this to members of the information security team. You must involve important business decision-makers and C-suite executives as part of the exercise. The players respond to the events as they occur, based on their understanding of their roles and responsibilities in the incident response plan.
Facilitator – The facilitator is often a cybersecurity professional from an outside firm. The facilitator specifies the exercise scenarios, and at various stages, introduces new events and communications from the “attackers” so that personnel respond accordingly to escalating events. The facilitator keeps the exercises on track and ensures they play out in a manner that thoroughly tests the scenario against the incident response plan.
Observer/Evaluator – The observer/evaluator takes notes of activities as they occur, noting strengths and areas for improvement. The observer/evaluator prepares a written after-action report.
How Do You Choose Scenarios for Tabletop Exercises?
A productive tabletop exercise requires a scenario that’s plausible and could cause grave damage to your organization. The scenario is usually based on industry type and likely threats. This could range from a basic phishing attack to an attack on critical systems. The scenario could involve ransomware, malware infection, cloud compromise, insider attack, spoofed emails, or anything else that could harm your organization’s reputation and ability to function, including a natural disaster.
All participants must be forced to think on their feet. Only then will you know if all participants understand their duties, understand how to react when an incident escalates, and understand how to communicate across business functions to stop the threat and keep the business going.
Importantly, in most cases, only the facilitator knows all the scenario details ahead of time. The facilitator releases those details throughout the exercise to guide the group’s discussion, as well as throw unexpected curveballs to help the group think and react to the unexpected.
For an effective tabletop exercise, the scenario must be as real as possible. By starting with a real-world scenario, you trigger the team’s imagination and engagement. This oftentimes leads to a detailed debate about the response process. You can quickly see if the team is on the same page or if they have different ideas about how to respond.
The Bottom Line
Your incident response plan is only as effective as the implementation behind it. An incident response tabletop exercise will enable your team to better respond to an incident and reduce your organization’s operational, legal, and reputational risk. Strongly consider hiring experienced, external experts to conduct the exercises, to leverage their knowledge of current threats, and gain insight from an objective, independent perspective.
If your organization needs a tabletop exercise, please contact Silka Gonzalez at [email protected] or at [email protected]
Alexander Hernandez is an Information Security Consultant Manager at ERMProtect Cybersecurity Solutions where he performs penetration tests, vulnerability assessments, and incident response. He holds a master's degree in Systems Engineering from Johns Hopkins University.
Get a curated briefing of the week's biggest cyber news every Friday.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.
Intelligence and Insights