Everything You Need to Know Before a Tabletop Exercise
It’s Friday afternoon, and someone tells you that they think they clicked a phishing link, given the staggering reality of over 3 billion phishing emails circulating daily. You have a plan for this particular emergency situation, right? But where is that incident response plan? And who should you reach out to next? And why is this query that you need to enter for the investigation suddenly slipping your mind?
Fortunately, most organizations have an Incident Response plan. Unfortunately, most don’t really know how they would react in an emergency. The only way to ensure you and your teammates are comfortable handling an incident is to practice, and the only way to practice without opening your system up to attackers, is through tabletop exercises.
What is an Incident Response Tabletop?
An incident response (IR) tabletop exercise is a walkthrough of an incident scenario with the Incident Response Team. Typically, there is one facilitator who will explain the scenario and give the team information as it would come up. The facilitator does not engage in the reaction, but rather the facilitator guides participants by asking questions, even if they know the answer. After the facilitator sets up the initial scenario, different team members meet to walk through how they would respond, who they would communicate with as first responders, and what gaps they are noticing. Most tabletop exercises are a paper exercise, meaning that there are no actual changes being made to any systems or investigations. Rather, a “discussion-based exercise” to explore what would happen in different scenarios. These discussion-based sessions can vary in technicality based on the audience as some are more focused on specific technical controls and tool usage while others are geared more towards crisis management and communication.
How do I prepare for a tabletop exercise?
Step 1: Create an Incident Response Plan
If you don’t already have one, the first step is to create an Incident Response Plan. This should broadly explain the steps and responsibilities for incident detection, analysis, containment, eradication, and recovery.
Step 2: Determine the facilitator
Next, determine who will be facilitating your tabletop exercise. If this is the first tabletop exercise for your organization, I recommend using an experienced outside group. This allows all security team members to fully participate while getting a new perspective on potential issues. If there is not a budget for external support, you can run your own tabletop exercise with an internal employee. If this is the case, the facilitator needs to fully remove themselves from answering questions and being a “participant.”
Step 3: Situation planning
Next, the facilitator will work with a security or IT stakeholder to determine the scenario and participants. If the facilitator has worked with your organization, they will likely have a good idea for the exercise and will just need some technical information to make it believable.
If potential security concerns have come up in the past, like a large number of employees falling for phishing emails or lack of mobile device management, bring this up in the planning stage so they can be addressed. The situation should be decided while taking into account the participants, ensuring that everyone included in the tabletop exercises will have a role.
Step 4: Schedule the event!
Now, it is time to spread the word to your team members! Try to find a 2 hour opening on everyone’s calendar. (This may be difficult, and you may have to plan far in advance, so sometimes this should be the first step for a full scale exercise). Give all team members an overview of tabletop exercises, the exercise objectives, and what they should expect to be doing.
The communication might look something like this:
On Friday, August 23 from 1-3pm we will be conducting an incident response tabletop, with the exercise objectives of testing our incident response preparedness. This will not require any technical changes or hands on analysis, just open discussion and participation from everyone. Attached is our incident response plan, which we will be referring to throughout the tabletop. Please review and let me know if you have any questions or concerns before Friday.
Tabletop best practices for facilitators
Don’t give everything away at once
In a real world emergency situation, the security team rarely has all the information to start. Let the incident discovery begin with something not necessarily related to security like a call to the IT help desk for a locked account or customer complaints due to functionality issues. This way, you can accurately gauge how information is communicated and escalated.
Involve different departments
Lots of stakeholders are needed during an emergency response, and the ones who rarely deal with security concerns are the ones who may need more practice. For example: you’ll need HR for insider threats and account compromise, legal to contact law enforcement or review contracts for SLAs, customer success to manage potential client issues, PR for broad communications, and compliance to ensure regulatory reporting needs are met.
Ensure everyone has a purpose – tabletop exercise examples
Getting multiple employees together for a 2+ hour meeting is difficult, so you may have to split up scenarios, which is okay. Each exercise can be on the same topic, but the discussions may go in different directions. Some tabletop exercise examples could include:
- A more technical version with details of a compromised account and how to review logs for pivoting, or data exfiltration, and elevation of privileges
- An executive level tabletop could focus on what next steps are taken if sensitive data was stolen or leaked
Both sides of the situation are important to review and essential for the business continuity in an emergency plan, but the head of customer success might get checked out if they have to spend the first 90 minutes listening to discussions about SIEM queries.
Look for single points of failure in the particular emergency situation
Pay close attention to who is speaking up the most. Many teams rely heavily on one person for security knowledge and responses, so if that person is sick or leaves the company, the team might be in trouble. The same can be said for security, ticketing, and communication tools. The team should be able to move through their incident response plan if there is an outage in one of their tools. In the first exercise, it’s important to take note of any person or tool that may be a single point of failure, and in the next tabletop exercise, the scenario can include that person on a plane with no WiFi or that tool has had a zero day vulnerability.
Repeat these three words: Is that documented?
If someone says they will send an email to customers explaining an outage, there should be a template. If someone mentions calling their teammate because Slack is down, there should be a phone tree that they are referring to. If an engineer is planning to run a query checking for all logins from certain geographical areas, that query should be documented or saved. Things happen fast during security incidents and people can easily forget seemingly “basic” knowledge in an emergency. The best way to avoid mistakes while under pressure is to have as much documentation as possible – pre-made resources to go along with emergency plans will save you time later on.
Best practices for participants
Speak up!
If you have a question, chances are someone else is wondering the same thing. If you disagree with someone, this is the best place to discuss the pros and cons of each side. Additionally, if the facilitator describes a scenario that would likely be caught by your existing security controls, explain those controls and guardrails. That being said…
Suspend your disbelief
If your mail filters would have likely quarantined that phishing email, it is good to point out. But, when the facilitator says something like “that setting was turned off after an update” or “this one somehow passed through”, don’t let yourself get checked out because it feels unbelievable. Tabletops are about testing the entire incident response plan start to finish, not just one or two technical controls. And just because the end situation (in this case, an account compromise) may not happen in this specific way, doesn’t mean it couldn’t happen at all.
Use detail
Use detail when answering questions. The more detail you’re able to provide, the better idea your entire team will have of what is missing from your current plan and toolset. For example- telling the facilitator that you will receive an alert is not nearly as helpful as telling them that this specific group will receive an alert in this specific manner from this specific tool. Even if the facilitator has extensive knowledge of your systems and procedures, using clear detail will ensure that everyone is on the same page.
Take notes!
It is very important for multiple people on the tabletop to be note takers. Because of the fast paced nature of tabletops, people may miss a key question or decision, and once the dust settles after the discussion based session tabletop is over, it will be nice to compare findings and the context of those findings. Additionally, there will need to be clear notes taken during any actual incident with decisions, next steps, and time stamps. Keeping accurate and up to date notes is a skill that your team will also be practicing.
Post-exercise follow up
After the tabletop, the facilitator should provide feedback including a list of lessons learned and action items, this may come in the form of an after action report. In the follow up, there needs to be a reliable way to track action items, communicate them with the larger team, and identify future roles and responsibilities in the case that a true emergency does occur.
The time to prepare is now for your own tabletop exercise
Practice makes perfect. Especially in a high stress situation like a security incident, you want to feel confident in your ability to respond effectively, without making procedural decisions on the fly. Regular Incident Response Tabletops are an effective training strategy to get out those emergency response jitters and collaborate on effective mitigation strategies in a controlled classroom setting, where your organization’s reputation is not on the line.
Resources for tabletop exercise guidance
For further guidance on testing, training, and tabletop exercise programs here are a few places to look:
- NIST – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- CISA Tabletop exercise packages – Tools for stakeholders to conduct planning exercises on a wide range of threat scenarios.
Looking for a trusted partner for your tabletop exercises?
Is your organization wondering how to begin implementing your own tabletop exercise into part of your cybersecurity strategy? Here at Cyber Defense Group, we can help you conduct tabletop exercises on disaster recovery, business continuity, and incident response, enhancing organizational preparedness and response capabilities. Contact Cyber Defense Group today for a free consultation.