An incident response tabletop exercise is the equivalent of a cybersecurity fire drill. In the digital era, it’s not a matter of if your organization will be a target of a cyber-attack, it’s a matter of when. CNBC reported that in 2018 cybercrime cost as much as $600 billion annually, approaching 1% of the world’s GDP. Cybercrime is a pandemic with repercussions that could drive organizations to early retirement.
Is your organization prepared?
A tabletop exercise is a framework an organization can use to determine their response readiness. When malware infects your organization, how does your IT team respond? When your 3rd party cloud provider is compromised, how does your management team respond? When payments are made to unknown and suspicious sources, how does your finance team respond? These are powerful scenarios and when facilitated by the right professionals, will give you an accurate current state of your response readiness.
What is Incident Response (IR) Planning?
Cyber resilience is a buzzword in corporate America, and for good reason. Having security firewalls and anti-virus systems are just the tip of the iceberg. Insider threats, offensive AI, and targeted spear-phishing attacks are forcing organizations to review their overall security posture. In a 2018 study, IBM reported that “77% of business leaders admitted that their organization didn’t have a formal cybersecurity incident response plan that’s applied consistently.”
An incident response plan (IRP) is a blueprint of the processes followed by an organization when an incident occurs. This plan details the steps to detect, respond to, and recover from security incidents. Most organizations have some incident response plans, but the question remains, how effective is that response? If you have a multiplying malware infection disrupting your organization’s operational efficiency, you need a swift, surgical response that removes the threat without limiting operations.
Many organizations are good at protecting high-value assets, but what about the weakest link in most environments, human error? When a phishing attack successfully compromises your SaaS environment, how does your organization respond? What if a disgruntled employee steals sensitive information with the intent of selling it to a competitor? These types of scenarios need to be discussed and debated to determine your organization’s security posture and related gaps.
Developing a comprehensive IR plan can be a painstaking task. At RSI Security, we help organizations, of all sizes and verticals, create effective IR plans based on our real-life, practical and extensive experience.
What is an Incident Tabletop Exercise?
An incident response tabletop exercise provides a platform for your security team to discuss, in a classroom-type setting, their roles in response to an incident. A trained expert facilitates the discussion through multiple scenarios to determine the team’s readiness or potential gaps. The output of this exercise is to understand your organization’s approach to identifying, analyzing, and resolving incidents and how these could be prevented in the future.
The tabletop exercise is often used to validate and/or improve an organization’s IR plan. These real-life scenarios put the response plan to the test, highlighting areas where your team excels and areas to be addressed. The tabletop exercise also ensures that everyone on your team knows their roles and responsibilities in the event of an attack. The tabletop exercise aligns everyone’s understanding of the due process and empowers the right action through hands-on experience.
How to perform a Security Incident Response Tabletop Exercise
To create an effective tabletop exercise, you first need to understand your organization’s most frequent and painful threats. Next, create a real-world and practical scenario of how that incident could infiltrate your environment. Finally, you must formulate a series of thought-provoking questions to stimulate debate within the team members. An example of some of the questions usually asked, include:
- What is your organization’s policy for this breach?
- What is your first reaction when the breach occurs?
- Who is responsible for what, when, how, and why?
- What roles will other departments/authorities play (i.e. legal, IT, finance, law enforcement…)?
- What resources are available when you need them?
Throughout the discussion, many ideas will be shared and solutions provided. At the end of the scenario, role-play and round-table debate, the facilitator will conclude on the IR readiness and highlight any flaws in the current response. The team will debate the best way forward and assign action items to implement a better response. This is how you run an effective tabletop exercise. At RSI Security, we help organizations facilitate tabletop exercises as well as implement more effective IR plans.
Case study example: The Out of Office Technician
For an effective tabletop exercise, you need to make the scenario as real as possible. By starting with a real-world scenario, you trigger the team’s imagination and engagement into the topic. This oftentimes leads to a detailed debate about the response process. You can quickly see if the team is on the same page or if they have different ideas about how to respond. For instance, what is the best approach when dealing with a critical patch update? Some might say that a quality control process is required, while others might argue that rigorous testing should suffice.
Let’s turn this example into a tabletop scenario.
“Tanya, your network administrator, has applied for leave weeks ago. Due to several late nights and plenty of overtime, she is exhausted and has earned some time off. Her trip will begin in Argentina and end in Brazil and she will be unreachable for 2 weeks. A day before her trip, she is tasked with deploying a critical patch. Due to a lack of focus and desire to go on vaca tion, she rushes through the deployment. A few days later, Jason, the on-call service administrator, receives multiple queries that the recent patch has caused the application to malfunction. He tries to call Tanya, but it goes straight to voicemail. She is not responding to email either. How does your team respond?”
Setting the scene in this way helps the team visualize the incident and encourages them to openly share their steps to respond. If the team is struggling to communicate their ideas, you can stimulate the conversation with some probing questions. Below are some questions you might use in this scenario;
- How should Jason respond in this scenario?
- Does Jason have the technical expertise to resolve this incident? If not, who can he escalate this to?
- When a new critical patch is installed, what is your organization’s change control policy?
- Who is responsible for communicating/training Jason to resolve future incidents?
- What disciplinary procedures are followed to ensure this will not happen again?
- Can Jason temporarily “rollback” the patch to resume normal operations until Tanya comes back from vacation?
- How will your organization respond to the employees affected by the disruption?
Once the team has successfully debated the response and come to an agreement, the facilitator will need to close the discussion with a summary of gaps and action items. The above scenario is testing the organization’s patch management and change control policies. If the response is inadequate it will affect the organization’s internal network.
The benefits of Incident Response Tabletop Exercises
A tabletop exercise simulates an actual crisis and is a low-risk approach to creating peace of mind that your IR plan will adequately deal with any eventuality. Other than determining your team’s readiness to respond, the tabletop exercise will benefit your team in these 3 additional ways.
1.Increase user awareness and understanding of threats
Common sense doesn’t result in common action. Everyone knows that you should not reuse passwords, click suspicious links, or share credit card information with an untrusted source… yet, many people fall into the ignorance trap. Reusing passwords because it’s impossible to remember more than two. Click a suspicious link because you might just win $1000. Sharing credit card information because the source called from your bank and seemed legitimate.
As common as most of these scenarios are, you will realize your team doesn’t necessarily respond commonly. Part of the tabletop exercise benefits is to educate your team on the threats, how they come about, and the best way to resolve them without disrupting the organization. Tabletop exercises help your team stay abreast of the current threat landscape and equip them to respond effectively.
2. Evaluate and identify defects in your response plan
Tabletop exercises are a practical and engaging way to determine the readiness of your team’s ability to respond to an incident. Any defects in your IR plan will be highlighted during the discussions. The exercise intends to bring your team together and increase their effectiveness in case an incident occurs.
The exercise will put your planning into practice. A tabletop exercise will find the holes in your plan so that you can patch them. The point of this exercise is not only to highlight weaknesses but also to celebrate strengths. Motivation is key to change management, and if your team feels like they have some positive points and potential areas to improve, they will feel confident to patch the gaps while maintaining their strengths in certain scenarios.
3. Clarify roles and responsibilities in the IR plan
Who is responsible? Accountable? These are exceedingly difficult questions to answer in a stressful situation. When a breach does occur, time is of the essence and the pressure is on. Most people don’t have the time or headspace to reflect on process and procedure, and tend to act on instinct. The value of a tabletop exercise is that it gives clarity on who needs to do what in a stressful situation.
Like a golf player who visualizes the shot hundreds of times before the big day, your team needs to plan and practice to be ready on game day. When the pressure is on, instinct kicks in, and if people are unsure about their roles and responsibilities in a situation, they will default to their autonomous behavior, which can be fuelled by fear and irrational decision making. A tabletop exercise will speed up your team’s response time by increasing their preparedness and proactivity to incidents.
Your IR plan is only as effective as the implementation behind it. Using an incident response tabletop exercise effectively will enable your team to surgically respond to an incident. Malware infections will be isolated. Cloud compromises will be dealt with swiftly. Unknown payments will be stopped and investigated to find the root cause. At RSI Security we help organizations refine and perfect their IR plans through effectively facilitated tabletop exercises.
Speak with a Cybersecurity expert today – Schedule a free consultation