How would you react if your company was hit by malware or ransomware?
Conduct tabletop exercises (TTX) as role-playing activities where players respond to presented scenarios.
Purpose of TTX: Use TTX to test preparedness.
Common Questions:
What steps do we need to take in response to a cyber incident?
Where is the incident response plan located?
Are team members aware of their roles in activating the cyber incident response plan?
Who should be informed about the incident?
What information needs to be disclosed internally and externally?
Benefits of TTX:
TTX brings relevant personnel together to discuss how to approach cyber risks holistically.
Helps teams understand their cyber response capabilities.
Identifies dependencies needed to execute cyber incident response plans.
Improves communication by pointing out discrepancies.
Identifies gaps in cybersecurity plans, processes, and procedures.
Builds strong relationships across teams, fostering a positive working environment.
Instills confidence in teams as a result of successfully completed tabletop exercises.
Developing Tabletop Exercises:
Set Clear Objectives: Determine what you want to achieve with the exercise.
Executive Support: Ensure backing from relevant personnel who will actively participate.
Consider Influencing Factors: Account for changes in your cyber incident response plan or organizational changes.
Understand Roles and Responsibilities: Ensure all relevant personnel understand their roles and the company’s cyber incident response plans.
Planning Tabletop Exercises:
Assess Resources: Identify who you need and how much time it will take, including third parties and global teams.
Evaluate Documentation: Ensure your organization has relevant documentation like cyber incident response plans and procedures.
Set Clear Objectives: Objectives should be SMART (Specific, Measurable, Achievable, Relevant, Time-bound).
Tailor Objectives: Objectives should suit participants from different departments and roles.
Outcome-Focused: Tie all objectives to the expected outcomes to ensure useful feedback.
Scope of the Exercise:
Define Scope: Determine the elements of your exercise, including participants and resources.
Tailor Participation: Different roles require different involvement levels (e.g., senior management may have shorter participation).
Consider IT Systems: Account for IT systems and geographical/time zone requirements, especially for global teams.
Rules of Engagement: Establish assumptions, conditions, and restrictions for participants to follow during the exercise.
Assembling the Tabletop Exercise Team:
Roles in the Team: Includes exercise lead (often the cybersecurity manager), facilitator, and evaluator.
Responsibilities: The team develops the situation manual, including the exercise scope, objectives, rules of engagement, and structure.
Logistics: The team decides on the venue (in-person or virtual) and prepares all necessary resources.
Facilitation and Evaluation: The lead facilitator engages participants with relevant questions, while the lead evaluator records notes and assesses performance.
Planning Timeline: The planning involves initial, check-in, and final meetings to finalize objectives, scenarios, and logistics.
Identifying Participants:
Balance of Attendees: Ensure a balanced number of participants; too many or too few can affect effectiveness.
Diverse Perspectives: Include both operational (IT and security teams) and strategic (senior management) perspectives.
Key Participants: Include board members, executive leaders, legal, HR, PR/media relations, and IT/security teams.
Role Flexibility: If certain roles are unavailable, identify personnel who can take on those responsibilities.
Determining the Scenario:
Tailor the Scenario: Base the scenario on your organization’s specific risks (e.g., ransomware).
Involve All Participants: Ensure all participants play a role and contribute to communication and coordination.
Align with NIST Lifecycle: The scenario should align with the NIST cyber incident response lifecycle (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity).
Balanced Approach: Make the scenario challenging but not overwhelming.
NIST Cyber Incident Response Lifecycle Example:
Preparation: Develop and implement an incident response plan, tools, and training.
Detection and Analysis: Identify and analyze potential security incidents.
Containment, Eradication, and Recovery: Contain the incident, eradicate the cause, and recover systems.
Post-Incident Activity: Review and learn from the incident to improve future responses.
Example: Simulating a ransomware attack, including detection, isolation, and recovery, followed by a debrief for lessons learned.
Conducting the Tabletop Exercise – Part 1:
Preparation and Logistics: Ensure participants have details about the venue, date, time, and location. Adjust for absences as needed.
Introduction and Engagement: The lead explains the purpose, rules, and schedule, encouraging active participation.
Scenario Execution: Use a structured scenario to guide the exercise.
Facilitator’s Role: The facilitator monitors time, directs participants, and keeps the discussion on track.
Documentation: The evaluator documents responses and observations.
NIST Lifecycle Alignment: The scenario focuses on the detection phase.
Conducting the Tabletop Exercise – Part 2:
Scenario Injects: Introduce new incidents to escalate the scenario (e.g., ransomware to data theft).
Facilitator’s Role: Present new information and ask critical questions to guide decision-making.
Decision Points: Participants address decision points such as ransom payment and public relations.
NIST Lifecycle Progression: The scenario moves through containment, eradication, and recovery stages.
Evaluation: Tailor questions based on responses; evaluators assess against objectives.
Post-Exercise: Conclude with a debrief to review strengths and areas for improvement.
Debriefing After the Tabletop Exercise:
Hotwash Debrief: Immediately after the exercise, hold a debrief to discuss participants’ thoughts and performance.
Facilitator’s Role: Ensure discussions focus on exercise objectives and identify areas for improvement.
Relevant Questions: Ask, “What worked well?”, “What gaps need addressing?”, and “Was the ransomware playbook utilized?”
Improvement Focus: Use the debrief to resolve gaps before issuing the final report.
Positive Feedback: Highlight and appreciate teams’ performances.
Feedback Collection: Provide feedback forms for participants to share comments.
Detailed Evaluation and Improvement Plan:
Evaluation Phase: The team meets to assess if objectives were met and identifies challenges.
Root Cause Analysis: Identify the root causes of any challenges.
After-Action Report: Include scenario details, participants, objectives, strengths, challenges, and conclusions.
Improvement Plan: Develop a plan with corrective actions, responsible teams, and completion dates.
Follow-Up: Periodically review corrective actions to ensure they are effective for future exercises.