This is the third and penultimate blog of our series about managing incident response tabletop exercises. The previous posts were:
- What is a Tabletop Exercise
- What are the elements to take into consideration when selecting an incident response tabletop exercise?
The next post is:
- How to run an Incident Response TableTop Exercise with Hundreds of Team Members
How to manage an incident response tabletop exercise online?
The main goals of any Incident Response (IR) tabletop exercise are to reduce MTTR (Mean Time to Resolution) and to raise the IR team members' level of preparedness. When planning an online tabletop exercise, there are a few things to keep in mind so that it is organized well and delivers the most value.
One of the main hurdles of running an online incident response tabletop exercise is setting it up and then managing it, from selecting the scenario and inviting team members through to analyzing the reports. In this post, we examine every aspect of managing an online incident response tabletop exercise. The first step is to define the exercise topic and its scope. The rationale for selecting one scenario over another, and for deciding on the exercise's scope, has been covered extensively in this series' post on the elements to take into consideration when selecting an incident response tabletop exercise.
Once both those decisions have been made, the complex work of organizing the online tabletop exercise begins. There are numerous aspects to take into account:
Setting up the communication channels
When running an online exercise, your team members could be anywhere in the world, so it is crucial to set up a unified communication channel, which requires tackling all of its facets:
- Managing different types of communication channels: with the growing number of channels in use (video, audio, chat, email, WhatsApp, Telegram, Discord, Slack, and other work management apps), ensuring that communication from every channel is shared in a timely manner with all the relevant team members requires adapting the logistics. When working with participants from outside your organization, always check whether some channels are banned by their own organization and plan around that limitation.
- Centralizing communication: with so many different channels, the best solution by far is to centralize communication. This can be done either by:
- Strictly limiting the number of available channels. This is effective to a degree, but it fails to take into account that team members are human: they tend to prefer the channels they are used to, and barring some options increases the chance that they will communicate privately with select team members on their preferred channel. This limits visibility into the entire exercise flow and might mean missing important information for the post-incident stage.
- Directing all communication channels to a single communication hub. This requires integrating all channels into a single-pane-of-glass interface, or opting for an off-the-shelf solution, either integrated with the tabletop exercise platform or separate from it.
- Securing communication channels: ideally, the tabletop exercise will draw your attention to your organization's defensive weak points. Unfortunately, malicious actors want that information too. If they can find a hole in your communication channels during the exercise, you greatly facilitate their reconnaissance. Securing your communication channels is therefore paramount to avoid unwittingly handing them information about your cyber defense deficiencies before you have had the opportunity to fix them. Treat exercise artifacts (scenario injects, chat logs, findings) with the same confidentiality as real incident data.
- Allowlisting IR team member access: once your communication hub is ready, you need to explicitly authorize access for each of your IR team members, and revoke it for external participants once the exercise ends.
Centralizing information
A crucial part of incident response management, whether during a real incident or a tabletop exercise, is gathering and managing information. That information includes access to your organization's databases and systems, Indicators of Compromise (IoCs), tasks assigned to team members, the progress of those tasks, uncovered vulnerabilities, attack vector identification, and much more. This information comes from multiple sources and needs to be accessible to every team member cleared for it, so the tabletop exercise manager needs to practice:
- Creating a centralized information gathering point: ideally, this information gathering point should be integrated with the unified communication channel.
- Defining and enforcing access rules to information: limiting access to sensitive information to those with a need to know is as good a practice when running a tabletop exercise as it is for general cybersecurity hygiene.
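The "need to know" rule above is easy to state and easy to get wrong: a high clearance level is not, by itself, a reason to see every IoC and task. The following Python is an added illustration written for this post (not code from the original page or from any tabletop exercise platform) of a centralized information store that mediates every read on two conditions, clearance level and workstream compartment, and writes every denial to an audit trail for the post-incident review. The sensitivity levels, compartment names and sample records are constructed for the example.

```python
"""Need-to-know filtering for a centralized IR information store.

Added illustration written for this post; it is not code from the original
page or from any tabletop exercise platform. The sensitivity levels,
compartment names and sample records are constructed for the example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional


class Sensitivity(IntEnum):
    """Ordered levels: a member may read records at or below their clearance."""
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Record:
    kind: str                      # "ioc", "task", "vulnerability", ...
    body: str
    sensitivity: Sensitivity
    compartments: FrozenSet[str]   # workstreams that need this record, e.g. {"network"}


@dataclass(frozen=True)
class Member:
    name: str
    clearance: Sensitivity
    compartments: FrozenSet[str]   # workstreams the member is assigned to


class IncidentStore:
    """Single gathering point: every read is mediated and every denial is logged."""

    def __init__(self) -> None:
        self._records: List[Record] = []
        self.audit: List[str] = []

    def add(self, record: Record, added_by: Member) -> None:
        self._records.append(record)
        self.audit.append(f"ADD {record.kind} ({record.sensitivity.name}) by {added_by.name}")

    def can_read(self, member: Member, record: Record) -> bool:
        # Need to know = sufficient clearance AND membership in a compartment
        # the record belongs to. A high clearance alone is not enough.
        level_ok = member.clearance >= record.sensitivity
        needs_it = bool(member.compartments & record.compartments)
        return level_ok and needs_it

    def query(self, member: Member, kind: Optional[str] = None) -> List[Record]:
        visible: List[Record] = []
        for rec in self._records:
            if kind is not None and rec.kind != kind:
                continue
            if self.can_read(member, rec):
                visible.append(rec)
            else:
                # Denials go to the audit trail for the post-incident review.
                self.audit.append(f"DENY {rec.kind} to {member.name}")
        return visible


def build_sample_store() -> IncidentStore:
    """Constructed sample data for an exercise (no real indicators)."""
    lead = Member("ir-lead", Sensitivity.CONFIDENTIAL,
                  frozenset({"network", "endpoint", "legal"}))
    store = IncidentStore()
    store.add(Record("ioc", "C2 domain seen in proxy logs",
                     Sensitivity.RESTRICTED, frozenset({"network"})), lead)
    store.add(Record("ioc", "hash of dropped binary",
                     Sensitivity.RESTRICTED, frozenset({"endpoint"})), lead)
    store.add(Record("task", "pull 30 days of proxy logs",
                     Sensitivity.INTERNAL, frozenset({"network"})), lead)
    store.add(Record("vulnerability", "unpatched VPN appliance used for initial access",
                     Sensitivity.CONFIDENTIAL, frozenset({"network", "legal"})), lead)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    analyst = Member("net-analyst", Sensitivity.RESTRICTED, frozenset({"network"}))
    for rec in store.query(analyst):
        print(f"{analyst.name} sees [{rec.kind}] {rec.body}")
    print("\n".join(store.audit))
```

With this sample data, a network analyst with RESTRICTED clearance sees the C2 domain and the log-collection task but neither the endpoint hash (wrong compartment) nor the VPN finding (clearance too low), while legal counsel with CONFIDENTIAL clearance but only the "legal" compartment sees just the VPN finding. Keeping the denials in the same audit trail as the additions is what lets the lessons learned stage later check whether the access rules matched how the team actually needed to work.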
Playbook selection
Ideally, the IR team should have access to an array of up-to-date playbooks matching the type of attack used in the exercise. Once the team in training has identified the type of attack, it is time to select the most suitable playbook based on:
- The attack vector
- The attacker's identity (attribution), if available
- The size of the company
Depending on the platform selected to run the exercise, playbooks are either brought in by the organization running the exercise or provided by the tabletop exercise service provider. Playbook formats vary greatly, from simple printed material to dynamic, interactive, programmable IR playbooks.
Report generation
In a real incident, reports to compliance officers, the organization's management, legal, marketing and PR, finance and other departments are required. They must be delivered on time and contain all the information relevant to the recipient.
Practicing report generation includes:
- Creating templates: having a dedicated template for each potential recipient that lists the type of information it needs saves considerable time.
- Collecting the information: recipient-specific report templates have the added advantage of telling you ahead of time what information needs to be collected.
Ideally, the tabletop exercise platform will be the same as the one used for actual incident response, so the templates are already in place when a real breach needs to be tackled. This requires selecting an IR platform that manages the full IR lifecycle.
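The two practice items above, recipient-specific templates and knowing ahead of time what to collect, fall out of one data structure. The Python below is an added illustration written for this post (not code from the original page or from any IR platform): each template is the list of fields its recipient needs, every report is generated from the same central incident record, and the generator returns the fields that are still missing so the gap is visible before the report goes out. The recipients, field names and the sample incident record are constructed for the example.

```python
"""Recipient-specific report templates for incident reporting.

Added illustration written for this post; it is not code from the original
page or from any IR platform. The recipients, field names and the sample
incident record are constructed for the example.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# One template per recipient: the fields that recipient needs, and nothing else.
REPORT_TEMPLATES: Dict[str, Tuple[str, ...]] = {
    "management": ("incident_id", "summary", "business_impact", "status",
                   "eta_to_containment"),
    "legal":      ("incident_id", "summary", "data_classes_affected",
                   "records_affected", "regulatory_deadlines"),
    "compliance": ("incident_id", "data_classes_affected", "records_affected",
                   "regulatory_deadlines", "status"),
    "pr":         ("incident_id", "public_statement", "status"),
    "finance":    ("incident_id", "business_impact", "estimated_cost", "status"),
}


def collection_checklist(templates: Dict[str, Tuple[str, ...]] = REPORT_TEMPLATES) -> List[str]:
    """Union of all template fields: what has to be gathered during the response."""
    fields = set()
    for needed in templates.values():
        fields.update(needed)
    return sorted(fields)


def build_report(recipient: str, incident: Dict[str, Any],
                 templates: Dict[str, Tuple[str, ...]] = REPORT_TEMPLATES,
                 now: Optional[datetime] = None) -> Tuple[Dict[str, Any], List[str]]:
    """Return (report, missing) for one recipient.

    The report carries only the template's fields, so material meant for the
    technical team never leaks into, say, the PR update. `missing` lists the
    fields the template needs that have not been collected yet, so the gap is
    visible before the report goes out rather than after.
    """
    if recipient not in templates:
        raise KeyError(f"no template for recipient {recipient!r}")
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    report: Dict[str, Any] = {"recipient": recipient, "generated_at": stamp}
    missing: List[str] = []
    for field in templates[recipient]:
        value = incident.get(field)
        if value is None or value == "":
            missing.append(field)
        else:
            report[field] = value
    return report, missing


def build_all(incident: Dict[str, Any],
              templates: Dict[str, Tuple[str, ...]] = REPORT_TEMPLATES) -> Dict[str, Tuple[Dict[str, Any], List[str]]]:
    """Generate every recipient's report from the same incident record."""
    return {name: build_report(name, incident, templates) for name in templates}


# Constructed sample incident record, partly filled in as it would be mid-response.
SAMPLE_INCIDENT: Dict[str, Any] = {
    "incident_id": "TTX-2024-03",
    "summary": "Phishing led to credential theft on one mailbox",
    "business_impact": "Low: one mailbox, no customer data confirmed so far",
    "status": "containment",
    "data_classes_affected": "employee email",
    "records_affected": "",          # not yet counted
    "regulatory_deadlines": None,    # legal has not yet confirmed
    "eta_to_containment": "2h",
    "attacker_infrastructure": "phishing domain and C2 IP",  # never sent outside the IR team
}


if __name__ == "__main__":
    for name, (report, missing) in build_all(SAMPLE_INCIDENT).items():
        print(f"{name}: {report}")
        if missing:
            print(f"  still to collect: {', '.join(missing)}")
    print("collection checklist:", ", ".join(collection_checklist()))
```

Running it against the sample record produces a complete management report, a legal report flagged as still missing the record count and the regulatory deadlines, and a PR report missing the public statement; the attacker infrastructure never appears in any of them because no template asks for it. During an exercise, the checklist returned by collection_checklist is the list of things the team should be practicing to gather, and the missing lists at the end of the exercise are a direct input to the lessons learned stage.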
Lessons learned
Whether after a tabletop exercise or a real response, the steps to follow during the post-incident lessons learned stage remain the same:
- Identify and collect all comments and recommendations potentially useful for future incident response.
- Document all findings and share them with relevant stakeholders.
- Analyze and organize all documentation.
- Store documentation in a repository accessible to all relevant stakeholders.
- Retrieve documentation for use on current or future incidents.
The usefulness of the lessons learned stage is directly proportional to the rigor applied to each of these steps, and it is greatly facilitated when the exercise or incident has been recorded throughout on a single-pane-of-glass IR management interface.
So, depending on your organization's size and on the complexity of your systems, setting up an incident response tabletop exercise can be very simple or highly complex.