Welcome to the ‘war games’

In my last post, I discussed the importance of implementing key elements to effectively and efficiently respond to cyber incidents. I want to use this post to drill down on one of those elements in particular: tabletop exercises (aka, tabletops). Regularly practicing tabletop exercises is an excellent way to train the organizational 'muscle memory' of processes and communications that are crucial when responding to a cyber incident.

Here is a useful definition:

"Tabletop exercises are discussion-based [or simulation-based] sessions where team members meet in an informal, classroom ['war room' or remote] setting to discuss [simulate, play] their roles during an emergency [for our purposes, a cyber incident] and their responses to a particular emergency situation."¹

Tabletop exercises for cyber incidents can be conducted in various forms with different goals and outcomes depending on what is being simulated. The ultimate goal of a tabletop exercise is to practice processes and communications for identified internal and external stakeholders/participants—but more importantly, to identify gaps and areas of improvement in those processes and communications.

When planning a tabletop exercise, it is important to specify the outcomes/goals you are trying to achieve. Maybe it is to test technical response capabilities and playbook processes for the internal cyber security and incident response team (CSIRT). Or maybe it is to see how senior leadership engages third parties in the response effort and how they communicate a cyber incident to external stakeholders. Either way, these practice outcomes will define the audience and the different ways a tabletop exercise might be delivered.

Below, I highlight a few different approaches to tabletop exercises and how each can benefit an organization in practicing and improving its cyber incident response capabilities for different audiences:

1. Technical: A technical tabletop is often delivered with paper or PowerPoint-based scenarios where the internal CSIRT 'plays along' and responds to injects (individual steps or occurrences of a scenario) so as to rehearse detection, containment and response processes in order to identify technology, resource and/or procedural gaps. A third-party incident response firm that often augments internal CSIRTs can be brought into such an exercise to test rules of engagement, the engagement process and any possible communication gaps between the two parties.
2. Executive- or communication-based: This type of exercise does not focus on the technical aspects of a cyber incident response scenario. Instead, leadership teams are presented with technical outputs and findings from the technical response stream and are required to make decisions based on that information. These decisions might include how and what to communicate to internal and external stakeholders about the cyber incident, or when and which third parties to bring in for support.
3. Interactive, multimedia-based: Here we focus on providing a more realistic scenario from the traditional paper/PowerPoint-based exercises. Injects are becoming more realistic through audio and visual cues. The ability to divide participants into different war rooms allows us to observe how they interact differently among themselves and with other participants. This can be extremely helpful to train teams that are organizationally and geographically disbursed and have to respond to a cyber incident remotely, especially during times of a pandemic such as COVID-19 where most, if not all, of the teams are required to work remotely.
4. Hands-on cyber range: Paper/PowerPoint-based tabletops are only simulations, even when audio and visual effects are included. A hands-on cyber range exercise allows CSIRTs to realistically respond and train for a cyber incident in a simulated environment that mimics the organization's actual environment. Teams will use technology stacks and response tools similar to the ones available to them during their day to day operations. This degree of practical exercise not only allows the CSIRT to practice their response processes and behaviours in a familiar environment but also allows observers to review how the teams respond together when trying to contain the incident. Putting the teams "through the trenches" like this in turn enhances a true spirit of teamwork.

No matter which tabletop approach an organization chooses (in some cases, the different approaches can be rotated for greater overall effectiveness), the key is to determine the outcome and the scope of the exercise so it can be most effective in training the participants.

It is often said that practice makes perfect. Unfortunately, cyber incidents come with many unknowns, which means there is no way to guarantee 100% preparedness. But processes, communications and other key components of incident response can be practiced—so that even if you can't achieve true perfection, you can call upon the training during times of crisis to improve outcomes and minimize negative impacts.

Looking to introduce tabletop exercises to your organization's cyber preparedness strategy? Send me a note—and let the games begin.

¹ Source: United States government, Ready Campaign, 2016.