What is a Tabletop Exercise and Why Do You Need it?

Incident response tabletop exercises are designed to increase the response teams’ preparedness. As far as preparedness is concerned, a cyber incident response tabletop exercise is to cybersecurity what a fire drill is to firemen.

Author: TrustPeers team 10 Min read | August 29, 2021

If you are involved in cybersecurity, you are fully aware of the importance of preparedness. When an incident occurs, preparedness makes the difference between a minor event and a catastrophic breach. Incident response tabletop exercises are designed to increase the response teams’ preparedness. As far as preparedness is concerned, a cyber incident response tabletop exercise is to cybersecurity what a fire drill is to firemen.

In the event of a fire, the difference between a building that holds regular fire drills and one that does not can be counted in lost lives. In the event of a cybersecurity breach, the difference between a company that regularly holds cyber incident response tabletop exercises and one that does not can be counted in up to billions of lost dollars due to data and IP loss, damage to brand name, compliance fines, legal damages, discontinuity in business and more.

In this series of blog posts, we will cover different aspects of cybersecurity incident response tabletop exercises:
What exactly is an incident response tabletop exercise?
What are typical incident response tabletop exercise scenarios?
What are the benefits of tabletop exercises?
  • Identification of incident response deficiencies
  • Enhanced understanding and awareness of threats
  • Operational strategy refinement based on insights gathered through the tabletop exercise
  • Improved communication between departments
  • Increased clarity in data, endpoints, infrastructure, and environments architecture and access
  • Creation of a central communication hub and war room
What are the elements to take into consideration when selecting an incident response tabletop exercise?
  • Defining the goal of running a tabletop exercise
    • Compliance
    • Data or IP protection
    • Minimizing downtime
  • Selecting the right incident response tabletop exercises
    • Selecting the scope of a tabletop exercise
      • The number and qualification breadth of participants
      • The number of incident response tabletop exercise scenarios and playbooks
  • Selecting the optimal tabletop exercise format
    • Paper and pen
    • In-house
    • Through on-demand SaaS service
    • On a dedicated IR platform
      • Setting up the communication channels
      • Centralizing information
      • Playbook selection
      • Report generation
      • Lessons learned
How to manage an incident response tabletop exercise online?
  • Setting up the communication channels
  • Centralizing information
  • Playbook selection
  • Report generation
  • Lessons learned
How to run an Incident Response Tabletop Exercise with Hundreds of Team Members

So, what exactly is an incident response tabletop exercise?

A cybersecurity incident response tabletop exercise is a simulation of a cyberattack, ideally based on real-life scenarios repurposed to provide a hands-on incident response drill that hones incident responders’ skills in detecting, assessing, containing, and eradicating the simulated threat.

What are typical incident response tabletop exercise scenarios?
Typical incident response tabletop exercise scenarios focus on the most common threats faced by an organization such as:
  • Ransomware
  • Phishing
  • Spear phishing
  • Unauthorized Access
  • Man in the Middle
  • DDoS
  • Malware injection
  • Data exfiltration
  • Other

Ideally, tabletop exercises are run with up-to-date, interactive, dynamic playbooks that incorporate the latest IoC lists and recommendations from SANS, NIST, MITRE ATT&CK, and other cybersecurity best-practice advisory institutions, complemented with the latest information provided by an ML engine that draws on its handling of active IR on the TrustPeers platform.

What are the benefits of tabletop exercises?
The benefits of tabletop exercises can be categorized into a few subcategories.
  • Identification of incident response deficiencies:

    When running a tabletop exercise, the inadequacies of the existing response plan, if any, are brought to light and can be improved upon, increasing the efficiency of the incident response when a breach occurs in real time.

  • Enhanced understanding and awareness of threats:

    Every time your team runs an incident response tabletop, they get more insight into the minds of malicious actors. “Know thy enemy” is always good advice, and understanding how your enemy’s mind works enables your team to better pre-empt their offensive moves.

  • Operational strategy refinement based on insights gathered through the tabletop exercise:

    Another benefit of tabletop exercises is the identification of structural weaknesses in the existing infrastructure and operational strategy. Insights gathered during the tabletop exercise post-mortem can be leveraged to identify existing weaknesses in the system and take steps to mitigate them, thus eliminating vulnerabilities, tightening the overall integrity of the system, and establishing alternative operational strategies to avoid downtime in case of a breach.

  • Improved communication between departments:

    A holistic tabletop exercise should involve all concerned departments, not only the IT and SOC departments. When an incident occurs, involving the legal, financial, PR, marketing and/or operational departments might be crucial to limit the impact of the attack on the organization’s brand reputation, the extent of damages that can be claimed, the downtime, etc. Key players in all these departments also need to be ready to react rapidly and efficiently in case of a breach.

  • Increased clarity in data, endpoints, infrastructure, and environments architecture and access:

    All tabletop exercises should include 360° visibility of the organization’s entire infrastructure. That means all the databases, environments, endpoints, SaaS, and connections with third-party suppliers, ideally including their own supply chain, which might create invisible vulnerabilities (think SolarWinds…). Every run of a tabletop exercise is an opportunity to verify that no new potential attack vector has been added to the infrastructure and escaped detection.

  • Creation of a central communication hub and war room:

    One of the critical advantages of running tabletop exercises is the creation of a centralized communication hub, where all responders can effectively communicate without delay. Ideally, such a war room is secure, with multi-factor authentication and encrypted communication channels, and includes an array of interactive playbooks that can be accessed by the incident response manager to streamline the entire response process. Such playbooks should be dynamic and provide different alternative responses that can be tested in parallel war rooms to evaluate the most efficient response for a specific attack against that organization.


Meet TrustPeers

TrustPeers is an Incident Response technology company. It develops an innovative Cyber Crisis Management platform that saves organizations in real time, by allowing them to prepare for attacks and take control over cyber emergencies.

Our proprietary crisis management SaaS platform is based on a unique PPRP (Planning, Practice, Response, Post) methodology that revolutionizes existing Incident Response (IR) solutions by handling the entire incident lifecycle.
