Author: TrustPeers team | August 29, 2021
Now that we have explored the generic nature and benefits of incident response tabletop exercises, it might be useful to dig deeper into the various approaches to running such tabletop exercises depending on the goal, resources, and budget that can be allocated.
Ideally, an incident response tabletop exercise program should be a holistic one involving all parties potentially affected and covering all aspects of every potential incident in maximum detail. Yet that lofty goal is not always achievable, so there are intermediate approaches to consider.
Once the goal of the incident response tabletop exercise has been established, it is time to select the type of attack scenario.
To select the most suitable threat scenario, both the goal and the attack likelihood need to be taken into account. This partly depends on the potential attacker’s motivation. Ample literature exists today on the motivation behind cyberattacks, ranging from nation-state attacks, which can be designed to destabilize a country’s infrastructure or economy, and hacktivist protest attacks to criminal attacks motivated by financial greed or bankrolled by unsavory competitors.
Evaluating the attractiveness of your organization for a specific type of attacker can be done by a risk analyst, by targeted dark web listening, or by a combination of both. Once attackers’ potential motivation and risk factors have been established, IoC lists and resources from advisory institutions such as SANS, NIST, MITRE ATT&CK, and others can be leveraged to determine the most likely attack, and the incident response tabletop exercise manager can select the optimal scenario.
As always, the scope of the exercise is dictated by the available resources in terms of time allocation and funding. Within those limitations, the choice of tabletop exercise needs to take into consideration two central elements:
At its most basic level, a cybersecurity tabletop exercise might consist of assembling concerned parties in a room, explaining the scenario step by step, and letting all participants explain verbally how they would act and react at each step. Participants take notes that are then used in the exercise’s post-mortem stage.
Now that we have a better idea of what a cybersecurity tabletop exercise is and what the different approaches are, we will dedicate the next post of this series to examining how to run an online tabletop exercise. In today’s world, especially when adapting to the post-pandemic hybrid work model that is becoming prevalent, providing incident response remotely with team members in different locations is increasingly the default option.