This is the second post in our series about the different aspects of managing incident response tabletop exercises. The previous post was:
- What is a Tabletop Exercise?
The next posts are:
- How to manage an incident response tabletop exercise online?
- How to run an Incident Response Tabletop Exercise with Hundreds of Team Members
Now that we have explored the general nature and benefits of incident response tabletop exercises, it is worth digging deeper into the various approaches to running them, depending on the goal, the resources, and the budget that can be allocated.
Ideally, an incident response tabletop exercise program is a holistic one: it involves every party that could be affected and covers every aspect of every potential incident in maximum detail. That goal is not always attainable, so there are intermediate approaches to consider.
In this post, we explore the following aspects of selecting the optimal incident response tabletop exercise approach for your resources and goal:
- Defining the goal of running a tabletop exercise
- Selecting the right attack scenario
- Selecting the scope of the exercise
- Selecting the optimal exercise format
Defining the goal of running a tabletop exercise
Though the obvious goal of any cybersecurity tabletop exercise is to minimize the MTTR (Mean Time to Resolution) in the event of a breach, there are secondary goals that might be prioritized based on your organization's resources and considerations. Examples of such priorities include:
Compliance: With the growing level of IR planning required to satisfy regulators, many organizations run tabletop exercises with the sole aim of meeting regulatory standards. This is an absolute minimum and is typically insufficient to provide real protection, but sometimes compliance is the only affordable goal for running incident response tabletop exercises.
Data or IP protection: Both data and intellectual property should of course be protected at all times. When the organization's priority is protecting IP or data, however, defining which asset deserves the highest degree of protection is instrumental in selecting the most appropriate incident response tabletop exercise.
Minimizing downtime: Ideally, there should never be any downtime. But how organizations rank avoiding downtime against avoiding data or IP loss varies. In a health facility, for example, downtime might endanger patients' lives. Even though protecting the confidentiality of patients' PHI is crucial, preserving life has a higher priority, so tabletop exercises that drill resilience against downtime might take precedence over those that protect PHI, and certainly over those that protect other data.
Selecting the right incident response tabletop exercise scenario:
Once the goal of the incident response tabletop exercise has been established, it is time to select the type of attack scenario.
To select the most suitable threat scenario, both the goal and the likelihood of the attack need to be taken into account. Likelihood depends in part on the potential attacker's motivation. Ample literature exists today on the motivations behind cyberattacks, ranging from nation-state attacks (which can be designed to destabilize a country's infrastructure or economy) and hacktivist protest attacks to criminal attacks motivated by financial gain or bankrolled by unscrupulous competitors.
Evaluating how attractive your organization is to a specific type of attacker can be done by a risk analyst, by targeted dark web monitoring, or by a combination of both. Once the attackers' likely motivations and the risk factors have been established, threat intelligence sources such as IoC lists, guidance from institutions such as SANS and NIST, and frameworks such as MITRE ATT&CK can be leveraged to determine the most likely attack techniques, and the incident response tabletop exercise manager can select the optimal scenario.
Selecting the scope of a tabletop exercise:
As always, the scope of the exercise is dictated by the available resources in terms of time allocation and funding. Within those limitations, the choice of tabletop exercise needs to take two central elements into consideration:
- The number of participants and the breadth of their qualifications. Depending on the organization's size, the number of participants can vary from a team of two to a multi-departmental exercise involving dozens of people. Ideally, a tabletop exercise involves all potentially impacted players, including executives from the legal, operations, finance, marketing, or PR departments as necessary. What is possible is dictated by the organization's resources, but the need to involve every potentially affected department should also be weighed against practical considerations. For example, if your organization has already run a multi-department ransomware tabletop scenario, the communication channels and the kinds of decisions required of non-IT or non-SOC departments have already been drilled with the relevant departments, and those departments do not need to be included in additional tabletop exercises designed to drill the IT team's ability to react to different ransomware vectors. Running additional ransomware scenarios to drill the SOC or IT teams does not require involving all the other departments again.
- The number of incident response tabletop exercise scenarios and playbooks. There are multiple tabletop exercise scenarios for each type of attack and multiple playbooks for each scenario. There are advantages to running tabletop exercises with a variety of each:
- Multiple scenarios for a single attack type: especially if your risk analysis indicates that your organization is particularly exposed to a specific attack type, running a variety of scenarios for that attack type hones your incident response team's understanding of the wider range of techniques and strategies available to the attacker. As a result, they gain insight into the attacker's mindset and are better able to pre-empt even novel techniques.
- Multiple playbooks for the same scenario: generic playbooks are designed to guide responders through the IR process, not to fit your specific organization. Running a variety of playbooks against a given tabletop exercise scenario lets you identify the best-performing playbook for your organization in terms of MTTR or whatever other goal you have defined. When tabletop exercises are run directly on an IR platform that incorporates machine learning, the data gathered is processed by the ML, which can then recommend the best-performing playbooks for other scenarios or, most importantly, when responding to a real incident.
Selecting the optimal tabletop exercise format
From the most basic to the most advanced, there are various ways to run cybersecurity tabletop exercises. Each has pros and cons that we will examine below:
Paper and Pen:
At its most basic, a cybersecurity tabletop exercise consists of assembling the concerned parties in a room, walking through the scenario step by step, and letting each participant explain verbally how they would act and react at each step. Participants take notes that are then used in the exercise's post-mortem stage.
Pros:
- Promotes communication and trust between participants, as no technology has so far replaced face-to-face contact.
- Highly secure, since no real systems or data are touched.
Cons:
- Provides zero hands-on experience.
- Remains very theoretical, as it is disconnected from real-life data.
- Limited scope.
- Impractical for larger organizations.
In-house simulation:
Another option is to simulate a tabletop exercise scenario in-house. This requires the IT or SOC team either to clone the infrastructure and run the simulation on the clone, or to run a partial simulation on the production system.
Pros:
- Trains incident responders on the organization's real systems and data.
- Enables identifying existing vulnerabilities in the organization's infrastructure and remediating them.
Cons:
- Cloning the entire infrastructure is resource-intensive, and running the simulation on the actual infrastructure risks causing downtime and disrupting normal operations.
- In-house drills lack the fresh perspective that a third party's new set of eyes would bring.
Through an on-demand SaaS service:
There are multiple SaaS offerings providing a variety of simulation options for tabletop exercises.
Pros:
- Immediately available.
- Variety of cybersecurity threat and attack scenarios.
Cons:
- Disconnected from the organization's infrastructure, so the exercise is either run in a simulated environment or requires integrating parts of the organization's systems solely for exercise purposes.
- Trains the team but fails to identify existing vulnerabilities.
- Off-the-shelf scenarios and their corresponding playbooks are updated at intervals and might not reflect the latest best practices.
On a dedicated IR platform:
A dedicated IR platform that also provides practice war rooms combines the advantages of the approaches above, and adds some of its own:
- Integration performed for the exercise remains available for actual incident response, reducing MTTR during real attacks.
- Playbooks are updated continuously to reflect the latest best practices.
- Responders onboarded and whitelisted for the exercise are already onboarded and whitelisted when a real attack occurs.
- Interactive IR platforms automate report generation, streamlining both communication with external bodies such as compliance officers or insurance companies and the collection of data for the post-mortem analysis.
Now that we have a better idea of what a cybersecurity tabletop exercise is and what the different approaches are, the next post in this series will examine how to run an online tabletop exercise. In today's world, especially with the post-pandemic hybrid work model becoming prevalent, running incident response remotely with team members in different locations is increasingly the default option.