Author: TrustPeers team | August 29, 2021
If you are involved in cybersecurity, you are fully aware of the importance of preparedness. When an incident occurs, preparedness makes the difference between a minor event and a catastrophic breach. Incident response tabletop exercises are designed to increase the response teams’ preparedness. As far as preparedness is concerned, a cyber incident response tabletop exercise is to cybersecurity what a fire drill is to firemen.
In the event of a fire, the difference between a building that holds regular fire drills and one that does not can be counted in lost lives. In the event of a cybersecurity breach, the difference between a company that regularly holds cyber incident response tabletop exercises and one that does not can be counted in up to billions of lost dollars due to data and IP loss, damage to brand name, compliance fines, legal damages, discontinuity in business and more.
A cybersecurity incident response tabletop exercise is a simulation of a cyberattack. Ideally, it is based on real-life scenarios repurposed to provide hands-on incident response drill experience that hones incident respondents’ skills in detecting, assessing, containing, and eradicating the simulated threat.
Ideally, tabletop exercises are run with advanced, up-to-date, interactive dynamic playbooks. These incorporate the latest IoC list and recommendations from SANS, NIST, MITRE ATT&CK, and other cybersecurity best-practice advisory institutions, complemented with the latest information provided by an ML engine that draws on its handling of active IR on the TrustPeers platform.
When running a tabletop exercise, the inadequacies of the existing response plan, if any, are brought to light and can be improved upon, increasing the efficiency of the incident response when a breach occurs in real-time.
Every time your team runs an incident response tabletop, they get more insights into the mind of malicious actors. “Know thy enemy” is always good advice, and understanding how your enemy’s mind works enables your team to better pre-empt their offensive moves.
Another benefit of tabletop exercises is the identification of structural weaknesses in the existing infrastructure and operational strategy. Insights gathered during the tabletop exercise post-mortem can be leveraged to identify existing weaknesses in the system and take steps to mitigate them, thus eliminating vulnerabilities and tightening the overall integrity of the system, and establishing alternative operational strategies to avoid downtime in case of breach.
A holistic tabletop exercise should involve all concerned departments, not only the IT and SOC departments. When an incident occurs, involving legal, financial, PR, marketing and/or operational departments might be crucial to limit the impact of the attack on the organization’s brand reputation, the extent of damages that can be claimed, the downtime, etc. Key players in all these departments also need to be ready to react rapidly and efficiently in case of a breach.
All tabletop exercises should include 360° visibility of the organization’s entire infrastructure. That means all the databases, environments, endpoints, SaaS, and connections with third-party suppliers, ideally including their own supply chain, which might create invisible vulnerabilities (think SolarWinds…). Every tabletop exercise is an opportunity to verify that no new potential attack vector has been added to the infrastructure and escaped detection.
One of the critical advantages of running tabletop exercises is the creation of a centralized communication hub, where all respondents can effectively communicate without delay. Ideally, such a war room is secure, with multi-factor authentication and encrypted communication channels, and includes an array of interactive playbooks that can be accessed by the incident response manager to streamline the entire response process. Such playbooks should be dynamic and provide different alternative responses that can be tested in parallel war rooms to evaluate the most efficient response for a specific attack against that organization.
TrustPeers is an Incident Response technology company. It develops an innovative Cyber Crisis Management platform that saves organizations in real time, by allowing them to prepare for attacks and take control over cyber emergencies.
Our proprietary crisis management SaaS platform is based on a unique PPRP (Planning, Practice, Response, Post) methodology that revolutionizes existing Incident Response (IR) solutions by handling the entire incident lifecycle.
An incident response tabletop exercise program should be a holistic one involving all parties potentially affected and covering all aspects of every potential incident in maximum detail. Yet, that lofty goal is not always an applicable option, so there are intermediate approaches to consider.
The main goals of any Incident Response (IR) tabletop exercise are to minimize MTTR (Mean Time to Resolution) and increase the IR team members’ level of preparedness. When planning an online tabletop exercise, there are a few things to keep in mind to organize it optimally and reap maximal results.
Applying the TTE principles delineated might be easy to achieve with a small team, but, when running Incident Response (IR) Tabletop Exercises (TTEs) for large organizations spread across continents and with thousands of employees, scaling up might seem insurmountable.