Reduce Stress With Tabletop Exercises

Tom Schwab
May 29, 2023

Many organizations are required to conduct an annual incident response tabletop exercise to meet compliance or audit requirements. In my experience, I’ve seen these requirements cause a great deal of fear or consternation within various organizations.

Many clients avoid tabletop exercises because they are worried about the types of issues that may be uncovered. Clients also worry about how their teams will perform during the exercise. They think, “What if we don’t get the right answers?” or “What if we don’t know how to respond to the situation or clues presented during the exercise?” These are all valid concerns; however, having an experienced third-party advisor develop and deliver your exercise should help address and eliminate these concerns early on in the process. Here are three tabletop exercise tips that can help minimize your concerns.

First, start by working with an experienced advisor who will help assess your and your team’s cybersecurity and incident response maturity level. Armed with this knowledge, an advisor can develop an exercise scenario that will stretch, but not break, you and your team.

I’m reminded of a time when I was working with a CISO from a medium-sized business. The CISO wanted me to design an exercise scenario that involved an Advanced Persistent Threat (APT) using extremely complex attack and exfiltration methods (note: this was their very first tabletop exercise!). I suggested that this particular scenario was likely too complex for his team and proposed something more basic, such as a ransomware exercise. After much discussion, the CISO stuck with his original decision for an APT scenario. I proceeded to build an exercise to his exact specifications and liking, keeping him involved in all the planning so he would know every detail and fact long before the day of exercise delivery.

During the exercise, we paused at the halfway point to take a break. The CISO and I stepped into the hall, where he admitted his team was “in over their head” with the exercise we had designed for them. Throughout the remainder of the exercise, I observed the participants become more and more uncomfortable as it became clear they did not know the appropriate responses and reactions for the scenario. By the end, the team left the exercise disgruntled and frustrated, thinking “we are not very good or prepared.”

In my opinion, this team was no different from many other clients I have helped with similar levels of cybersecurity maturity. The problem was that they started off with a tabletop scenario that was simply too complex for their first exercise. Unfortunately, the pain and shame the team experienced led to the real travesty of this story: this client never wanted to conduct another tabletop exercise again.

Tabletop exercises should be designed to stretch a team so they can learn and grow — they should not be designed to break and bury them. To use a sports analogy, a successful tabletop exercise should feel like a successful football scrimmage. If you’ve chosen to play against another team that will challenge your perceived skill level, you shouldn’t find yourselves losing 100 to zero at halftime. Instead, you run plays you know and are comfortable with — possibly finding out along the way that the other team is a little bit better than yours.

My second tabletop exercise tip is to develop a scenario that is relevant and realistic, but also flexible. A good exercise should be built with the latest threat intelligence in mind. For example, there is no sense in developing an exercise that models Hive Ransomware if Hive Ransomware is no longer a major concern to your organization or industry. Additionally, a good exercise should be flexible enough to incorporate other factors into the scenario, such as relevant teaching or training opportunities.

For instance, the ransomware in your tabletop scenario could call out to a command-and-control node. Not all versions of ransomware have this feature, but this element can be incorporated into the exercise to help your team prepare for and react to multiple variants of ransomware instead of just one type. I call this “bending” the scenario, and an experienced advisor can do this to help drive home specific teaching points that can help you and your team grow. The overall purpose of a good tabletop exercise is to help you prepare for a cybersecurity incident, not just one specific example.

My third and final tabletop exercise tip is to use the exercise to help achieve some of your agenda items. A great example of this was the time my company supported a CISO who wanted to implement multi-factor authentication (MFA) across his environment. The problem was that the business leaders could not justify the cost or really understand the need for such an upgrade. So together, the CISO and I developed a tabletop exercise based on real-world threats, using the same tactics, techniques, and procedures a real threat actor would use. At the conclusion of the exercise, we revealed how the attack had occurred and highlighted that “if multi-factor authentication had been used, the attack would not have occurred.” When the exercise was complete and I was packing up to leave, the CISO approached to thank me profusely because the senior leadership in the room finally understood the need for and benefits of MFA implementation — and they were going to find the money needed to fund the upgrade after all.

I’ll end by saying, “Don’t fear tabletop exercises.” Work with your advisor to find ways to get the most out of them, whether that is improving your team’s readiness, better understanding your security gaps, or using the exercise to help achieve some of your desired agenda items. Following these tips and finding the right advisor can help you move past the fear and anxiety of conducting a tabletop exercise so your team and organization can achieve their goals and improve readiness.

Tom Schwab is a retired US Army Communications officer. He currently works for Kivu Consulting as the Director of Cyber Risk Management. He previously worked for MITRE supporting various government agencies and for Secureworks as a Proactive Incident Response Senior Consultant. Tom has personally delivered over one hundred tabletop exercises. Tom has a Master of Science in Information Technology from the University of Maryland and holds the following certifications: CISSP, CEH, GCIH. He is currently studying for the OSCP.