
How to Run an Incident Response TableTop Exercise with Hundreds of Team Members

Applying tabletop-exercise principles is easy with a small team. Running Incident Response (IR) Tabletop Exercises (TTEs) for a large organization, with thousands of employees spread across continents, is another matter: scaling up can seem insurmountable.

Author: TrustPeers team | 4 min read | August 29, 2021

This is the fourth and last blog of our series about managing incident response tabletop exercises. The previous posts were:
  • What is a Tabletop Exercise?
  • What are the elements to take into consideration when selecting an incident response tabletop exercise?
  • How to manage an incident response tabletop exercise online?

Applying the principles laid out in those three posts is easy with a small team. Running Incident Response (IR) Tabletop Exercises (TTEs) for a large organization, with thousands of employees spread across continents, is another matter: scaling up can seem insurmountable.

As a result, large organizations often run smaller-scale IR TTEs limited to a single office or region, and shy away from running full-scale exercises.

Even with network segmentation in place, an exercise that stops at the regional boundary leaves the organization blind to lateral movement that crosses it undetected. The 2020 FireEye/Mandiant Security Effectiveness Report found that, in the environments it tested:
  • 54% of the techniques and tactics used to test lateral movement were missed outright
  • 96% of the lateral movement behaviors executed had no corresponding alert in the SIEM, leaving defenders blind in the face of an attack

Large-scale IR TTE scenarios must therefore exercise the detection of lateral movement across continents, environments, and infrastructures, not just within one segment.

This means that meaningful IR TTEs should ideally be run at scale.

To achieve that, a few tools are indispensable.
  • A customizable, unified, secure and dynamic interface with a fully encrypted, centralized communication channel.
  • The ability to run multiple war-rooms concurrently, with integrated multi war-room management. One way to handle the mass of team members is to divide them into manageable smaller teams, each reporting to a centralized war-room. If needed, multiple centralized war-rooms can in turn report to a headquarters (HQ) war-room. The subdivision into smaller war-rooms can be based on:
    • Regional division: Depending on the organization's size, this could be organized per office, city, region, state, country or continent, or any other geographical partition that makes sense for the organization.
    • Departmental division: IR practices, like real-time responses, might - and should - take into account all the implications of an incident. This means legal, financial, operational, and reputational. All departments dealing with such implications should be included in the decision process and need to practice the range of options available.
        A ransomware TTE scenario, for example, should include the
      • Operations - as part of the infrastructure might be disabled
      • Finance - as funds might need to be released and cryptocurrency purchased
      • Legal - to check the legal implications both of paying and of not paying the ransom
      • PR/Marketing - to mitigate the negative impact on the company's reputation, especially if a decision to refuse to pay the ransom leads to the attacker releasing users' sensitive information
    • Division by expertise: particularly if the type of TTE selected is directed primarily at the technical teams, it might be useful to have dedicated war-rooms per platform (for example Windows and Linux systems), per cloud provider (AWS, Azure and Google Cloud), or any other partition the organization's estate dictates.
  • The ability to access a single interface to securely communicate, record interactions, and collect documentation. Especially when running large-scale TTEs, ensuring a unified channel of communication is key to prevent losing track of parts of the process, which would result in incomplete reporting and comparable loss of effectiveness and value for the exercise.
  • The availability of a variety of up-to-date customizable dynamic playbooks: Running a large scale IR TTE implies giving the IR Manager the appropriate tooling to:
    • Select the most appropriate playbooks.
    • Reorganize playbook content to distribute the relevant chunks to the corresponding teams in their respective war-rooms, while keeping the HQ war-room, and each intermediate centralized war-room where applicable, updated.
    • Evaluate at a glance the progress of each of the multi war-rooms involved.
    • Customize reports to select relevant information from each war-room in each war-room layer to automate report generation.
  • The capability of integrating vendors: running a TTE that does not take vendors into consideration is like checking a modern hotel's security by verifying only the keys and locks but ignoring the key cards. Cloud vendors are now beginning to integrate some level of automated IR into their services. For example, in May 2021 AWS launched Incident Manager (part of AWS Systems Manager), enabling AWS users to run an incident response directly from the AWS ecosystem, at least for the part of their activity hosted by Amazon. Organizations enabling such services need to integrate them into their IR TTE.
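The war-room hierarchy and playbook distribution described in the list above are easy to get wrong at scale: a step assigned to a department that has no room in some region silently disappears, and an HQ view that does not roll up every leaf room hides stalled teams. The following is an added illustration, not code from this page or from the TrustPeers platform: a small Python model of an HQ war-room over regional war-rooms over departmental rooms, with a `distribute` function that copies each playbook step into every leaf room whose department owns it and reports steps nobody owns, plus progress and open-item roll-ups for the HQ view. The room names, departments and the six-step ransomware playbook are constructed sample data, and `build_exercise`, `distribute` and the `WarRoom` methods are hypothetical names chosen for this example.

```python
"""Hypothetical multi-layer war-room model for a large-scale IR tabletop exercise.

Added example: not TrustPeers code. All names and data below are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Step:
    """One playbook action; `owner` is the department that must act on it."""
    step_id: str
    text: str
    owner: str
    done: bool = False


@dataclass
class WarRoom:
    """A war-room. Leaf rooms carry steps; parent rooms aggregate their children."""
    name: str
    department: Optional[str] = None           # set on leaf (departmental) rooms only
    steps: List[Step] = field(default_factory=list)
    children: List["WarRoom"] = field(default_factory=list)
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (ts, room, actor, msg)

    def add_child(self, child: "WarRoom") -> "WarRoom":
        self.children.append(child)
        return child

    def record(self, actor: str, message: str) -> None:
        """Append to this room's log; every action is recorded where it happened."""
        self.log.append((datetime.now(timezone.utc).isoformat(), self.name, actor, message))

    def complete(self, step_id: str, actor: str) -> bool:
        """Mark a step done in THIS room only; returns False if the step is not here."""
        for step in self.steps:
            if step.step_id == step_id:
                step.done = True
                self.record(actor, f"completed {step_id}")
                return True
        return False

    def leaves(self) -> List["WarRoom"]:
        """Depth-first list of the rooms that actually hold steps."""
        if not self.children:
            return [self]
        out: List[WarRoom] = []
        for child in self.children:
            out.extend(child.leaves())
        return out

    def progress(self) -> Tuple[int, int]:
        """(done, total) for this room and every room beneath it."""
        done = sum(1 for s in self.steps if s.done)
        total = len(self.steps)
        for child in self.children:
            child_done, child_total = child.progress()
            done += child_done
            total += child_total
        return done, total

    def open_steps_by_owner(self) -> Dict[str, List[str]]:
        """Outstanding steps across all leaves, grouped by department, for the HQ view."""
        out: Dict[str, List[str]] = {}
        for leaf in self.leaves():
            for s in leaf.steps:
                if not s.done:
                    out.setdefault(s.owner, []).append(f"{leaf.name}:{s.step_id}")
        return out

    def collected_log(self) -> List[Tuple[str, str, str, str]]:
        """Single time-ordered record across every war-room layer."""
        entries = list(self.log)
        for child in self.children:
            entries.extend(child.collected_log())
        return sorted(entries)

    def report(self, depth: int = 0) -> List[str]:
        """Indented per-room progress lines, HQ first."""
        done, total = self.progress()
        pct = 100 * done // total if total else 0
        lines = [f"{'  ' * depth}{self.name}: {done}/{total} ({pct}%)"]
        for child in self.children:
            lines.extend(child.report(depth + 1))
        return lines


def distribute(hq: WarRoom, playbook: List[Step]) -> Tuple[int, List[str]]:
    """Copy each step into every leaf room whose department owns it.

    Returns (number of assignments, ids of steps no room owns). An unowned step is
    the failure mode to catch: a department that has no seat in the exercise.
    """
    leaves = hq.leaves()
    owners = {leaf.department for leaf in leaves}
    assigned = 0
    for leaf in leaves:
        for s in playbook:
            if s.owner == leaf.department:
                leaf.steps.append(Step(s.step_id, s.text, s.owner))
                assigned += 1
    unassigned = [s.step_id for s in playbook if s.owner not in owners]
    return assigned, unassigned


def build_exercise() -> WarRoom:
    """Constructed sample: HQ over two regions, each with four departmental rooms."""
    hq = WarRoom("HQ")
    for region in ("EMEA", "AMER"):
        regional = hq.add_child(WarRoom(region))
        for dept in ("ops", "finance", "legal", "pr"):
            regional.add_child(WarRoom(f"{region}-{dept}", department=dept))
    return hq


# Constructed sample playbook; R6 is owned by a department with no war-room.
RANSOMWARE_PLAYBOOK = [
    Step("R1", "Isolate affected segments and confirm blast radius", "ops"),
    Step("R2", "Confirm offline backups are intact and restorable", "ops"),
    Step("R3", "Confirm funds and a crypto purchase path in case payment is chosen", "finance"),
    Step("R4", "Advise on legal exposure of paying versus not paying", "legal"),
    Step("R5", "Prepare holding statement for customers and press", "pr"),
    Step("R6", "Notify the cyber-insurance carrier", "insurance"),
]

if __name__ == "__main__":
    hq = build_exercise()
    assigned, unassigned = distribute(hq, RANSOMWARE_PLAYBOOK)
    print(f"assigned {assigned} steps; unowned: {unassigned}")
    next(l for l in hq.leaves() if l.name == "EMEA-ops").complete("R1", "alice")
    print("\n".join(hq.report()))
    print(hq.open_steps_by_owner())
```

Two points carry over to a real platform. `distribute` returns the unowned step ids rather than silently skipping them, so the IR manager learns before the exercise starts that the insurance notification has no owner; and `complete` only marks steps in the room where the actor sits, so the HQ roll-up reflects what each team actually did rather than what someone at HQ ticked on its behalf.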

The TrustPeers platform gives large organizations access to all these capabilities. Contact a TrustPeers specialist for advice on how to run a large-scale IR TTE with minimal organizational overhead, maximum efficiency, and transparent results.


Meet TrustPeers

TrustPeers is an Incident Response technology company. It develops a Cyber Crisis Management platform that helps organizations prepare for attacks and take control of cyber emergencies in real time.

Our proprietary crisis management SaaS platform is based on a unique PPRP (Planning, Practice, Response, Post) methodology that revolutionizes existing Incident Response (IR) solutions by handling the entire incident lifecycle.

For more information contact us.
