A common question asked by boards, audit committees and senior executives is “Are we ready for a cyber incident (and what are we doing to prepare for it)?” The answer is multifaceted, as it must address key components supporting incident response capability, including people, processes and technology. While necessary technology may be implemented, processes defined and operating effectively, and qualified staff in place and ready to respond, it takes coordination, training and practice to ensure all components are working together to deliver effective and efficient cyber incident response capabilities.
How can an organization determine the level of preparedness to respond effectively? One of the key steps is the process of testing the incident response plan. Like testing business continuity and disaster recovery plans, cyber incident response testing can take different forms, including simulations of various levels of detail, cost and disruptiveness, with the most effective method being a tabletop exercise.
I have been facilitating tabletop exercises for years, from exercises that heavily focus on technical aspects of response to those that are prepared exclusively for senior management and everything in between. I’ve seen teams knocking these exercises out of the park and those who struggle with the basic concepts. Reflecting on those teams of incident response veterans and first-timers, heated arguments and funny moments, exercises completed in time for lunch and those that were pushed closer to dinner, I would like to share some of the key lessons learned and best practices that I and other facilitators in our practice have realized in working with clients. I hope this will help improve the effectiveness of incident response tests, enable you to gain greater value from tabletop exercises, and ultimately improve the cyber incident readiness of your organization.
Both Ben Franklin and Winston Churchill offered this sage advice: “He who fails to plan is planning to fail.” The success of tabletop exercises begins long before everybody sits down at the table. These considerations help make the experience valuable for everyone attending.
Setting expectations and goals
It is important to clearly define the exercise’s scope and learning objectives. Do not try to accomplish too much at the risk of finding participants overwhelmed or disengaged. If there is not sufficient relatable content, participants might find the exercise boring, or too simplistic to derive any value.
Another common question I hear from organizations is “Which topic, theme or scenario should we use as the basis of our tabletop exercise?” The answer will vary based on the objectives, scope and those who will be participating in the exercise. Consider these key points:
- Select an exercise topic after reviewing recent risk assessments, audit reports, risk registers or threat analysis results to identify the most pertinent threat risks to the organization. Consider reports of recent security breaches or newsworthy attacks against industry-specific organizations or those with similar risk profiles to explore how a similar scenario could unfold. These scenarios have been included in recent tabletop exercises:
- Ransomware attack: An external threat actor exfiltrated sensitive data from the organization and deployed ransomware to cover the tracks and extort a ransom from the organization.
- Zero-day vulnerability: A vulnerability without a patch available has been recently discovered on a critical component and is known to be actively exploited. System logs review indicates an unknown threat actor may have used this flaw to attack the environment several weeks ago.
- Social engineering attack: A well-meaning employee fell victim to a social engineering attack over the phone and disclosed sensitive company information to an unknown third party.
- A tabletop exercise may include more than one scenario, depending on the time resources are available for the exercise, how frequently tabletop exercises are performed, the number of participants/team size, etc.
- The topic should require participation by all attendees. Everyone who attends should have a meaningful role to play, actively participate and understand their role in the incident response process and how their role impacts the success of the response to a potential incident.
Several days before the planned tabletop exercise, it is good practice to send out the latest version of the incident response plan, any applicable playbooks and other materials that will help participants prepare and derive maximum value from the tabletop experience. Remind the participants about the importance of the incident response process, their responsibilities within it and what value they should derive from the exercise.
Participation planning and role assignments
It is imperative to think through who the attendees must be and their role within the immediate incident response team and extended team, which may include executive leadership and business owners. If tabletop exercises take place annually, it is a good practice to select one or more scenarios that will ensure participation from all personnel that may potentially be involved in the incident response. More frequent tabletops allow for various scenarios to be considered, so the attendee list could be more targeted. Depending on the scenario(s) chosen, representatives from these departments/teams commonly participate in cyber incident response: business owner representatives, legal, communications/public relations, cybersecurity and various IT teams that may need to support the incident response.
It is critical to ensure the business areas or functions that would be impacted by the hypothetical incident participate and will be able to articulate to the incident response team the implications of response decisions being made, as well as advise on key business decisions. Business perspective will allow the technical incident response team to fully understand the impacts of a cyber incident, including unplanned downtime, data loss, employee confusion/communication, lost productivity, legal and compliance implications, reputational toll, revenue impact and operational disruptions.
It is also important to decide whether any third parties will be involved in the tabletop exercise. The perspectives of managed hosting providers, managed security service providers, incident response support partners and providers of applications and infrastructure components may be very valuable. Organizations that have an established liaison with law enforcement agencies may consider involving that liaison to get an understanding of how an incident response process may unfold if their involvement is needed in an incident.
Also consider the presence of observers and notetakers. Observers and notetakers do not have an active role in the incident response team. Their roles are specifically to be scribes, so ensure they understand their specific function. It can be distracting to the overall exercise if someone who is observing or note-taking suddenly begins to interject into discussions as if they were a participant.
Virtual vs. in-person attendance
Consider whether the tabletop exercise should be conducted in person or virtually via collaboration software (Microsoft Teams, Zoom, etc.). Think about how the incident response will unfold in a real scenario. Are there team members at various sites that will need to collaborate during the incident? This may be also an opportunity to test alternative collaboration provisions in case collaboration methods normally used are disrupted by an incident. While it is good to keep the exercise as close to the real response experience as possible, there are benefits and drawbacks to each approach:
- Virtual – Works best for teams that are geographically dispersed, where there would be significant travel costs beyond the exercise’s budget. This can also simulate how the team would collaborate during an incident, particularly if the organization is remote/hybrid. The virtual format also makes it easier to involve any third parties in the exercise, as needed.
- In-person – Is useful for more substantive collaboration, meaningful engagement, crosstalk and interaction with the rest of the team. Being in person can help the team build rapport, particularly if the group does not get together often. It can also help focus everyone’s attention on the matter at hand, rather than ‘multitasking’ while sitting on a call.
While an in-person format typically delivers greater value due to better engagement and collaboration, a virtual format allows for expanded participation. In the current environment, most tabletop exercises leverage a hybrid approach to realize the benefits of both formats.
In part two, I will review the tabletop exercise itself and the all-important post-exercise reporting.