No matter how proactive a company’s approach is to its cybersecurity practices, chances are they will be the target of a cyber-attack. Statistics show that it’s not a question of if one occurs, but when. This is where Incident Response Tabletop exercises come in.
In 2018, over 1,200 cybersecurity breaches were reported by U.S. companies, leaving over 466 million records exposed to hackers. Cybercrime is estimated to have a global cost of around $600 billion, which equals close to one percent of the world’s gross domestic product (GDP).
Along with monitoring and updating cybersecurity protocols, companies are also encouraged to create an Incident Response (IR) plan. This is the first step companies take to combat future cybersecurity breaches. By using incident response tabletop exercises, companies can train employees while preventing breaches and improve their cyber maturity.
In this article, you’ll find comprehensive information on incident response exercises, along with how you can incorporate them into your company’s cybersecurity posture.
What is IR Planning
A company’s IR plan is a blueprint employees follow to identify, respond to, and recover from a cybersecurity incident. Tabletop exercises help validate your IR plan, and they can also highlight any vulnerabilities in cybersecurity protocols that need to be addressed.
Before staff starts participating in tabletop exercises, an IR plan needs to be in place. It can be time-consuming and frustrating to develop a comprehensive incident response plan, but it is a crucial step in preventing cyber-attacks.
While every IR plan will vary to meet the cybersecurity needs of the business, some factors should always be included.
- Clearly defined roles and responsibilities for IR staff.
- A continuity plan for the business.
- A list of technologies, tools, and resources that must be implemented and maintained.
- A summary of network and data recovery processes.
- Internal and external communications.
Once the company has developed an IR plan, the staff can start practicing different exercises to ensure everyone understands their roles and responsibilities.
What is an Incident Response Tabletop Exercise
The definition of a tabletop exercise (TTX) is as follows:
“A security incident readiness activity that takes participants through the steps of handling a simulated incident scenario. It provides hands-on training for staff and can highlight any areas that need improving.”
During the tabletop exercise, team performance will be rated according to their responses – both verbal and physical – to the following questions.
- What occurs when a breach is encountered?
- Who is responsible for what, when, how, and why?
- What are the responsibilities of IT and marketing staff?
- Will legal, law enforcement, and company officers have roles to play?
- Who is leading the activities and is their authority defined?
- Are resources readily available as needed?
Benefits of Incident Response Exercises
If you’re still not sure if incident response exercises are really necessary, here are a few benefits companies see after performing them.
Better Understanding and Awareness of Threats
Cyber threats are constantly evolving and this means that your security must keep up. To do this effectively, you first have to be aware of and understand current and potential threats. Running tabletop exercises several times a year will not only keep your staff refreshed on the protocols, but you’ll also know if your current protocols are effective.
Evaluate Overall Incident Preparedness
Tabletop exercises bring the entire response team together. Depending on the size of the company and the IT department, this might only happen when an incident occurs. Companies want to know ahead of time if their staff can cohesively perform their roles and responsibilities or if they get in each other’s way.
Exercises not only give staff the practice they need, but they also help to define their roles and responsibilities.
Identify Gaps in the IR Plan: Technical, Planning, and Procedural
One of the primary benefits of incident response tabletop exercises is that you can find vulnerabilities in the plan before hackers have a chance to exploit them. The exercises help validate your IR plan by highlighting its strengths and weaknesses.
The exercises can also enhance the overall incident response of staff and management so available tools and resources are maximized when a threat is identified.
Clarify Staff and Management Roles and Responsibilities
When a breach happens, there cannot be any lag in response time. The faster a breach is contained and neutralized, the fewer network systems are typically compromised. Practicing with tabletop exercises will reduce response times as staff become more familiar with their roles and responsibilities.
Tabletop exercises will also highlight how well the company meets its IR performance objectives. These can include:
- The organization has a strong approach to its data security program.
- The IT staff is qualified and takes a proactive approach to monitoring and protecting the system.
- The network is well-designed with proper segmentation and protections implemented.
- Staff is prepared for a cybersecurity incident and has a clear understanding of their roles and what communications are needed.
Validate IR Plan and Training
A company can have a strong IR plan, but this won’t matter if its staff is unfamiliar with it. Performing tabletop exercises ensures that your IT team is prepared to manage a security breach.
Conducting the exercises several times a year (cybersecurity experts recommend quarterly) will help accomplish the following:
- Change perceptions and attitudes in staff and management towards the importance of having good cybersecurity practices in place.
- Enhance the cyber response posture and improve the decision-making process regarding cybersecurity protocols.
- Teach the team, through real-life scenarios, how to react during an incident and reinforce the steps they need to take to minimize damage.
Tabletop exercises should be viewed as ‘dress rehearsals’ getting everyone ready to perform when an incident happens.
Assess Existing Resources
One thing companies should be looking for during tabletop exercises is how effectively staff uses the available IR tools and resources. The exercises will highlight whether improvements need to be made and if new procedures and resources need to be implemented.
Some resources that should be assessed during the exercise are:
- Whether management is a member of the Computer Incident Response Team (CIRT). CIRT members typically include someone from management who provides leadership, a person from information systems security to discover the source of the problem, along with IT staff and a technical auditor.
- Availability of IR training resources.
- Continuous monitoring systems to detect incidents.
- Secure backups and availability of computer forensics tools.
- Repositories for documents that include security policies, recording, reporting, and archiving critical data.
- Availability and security of communications in-house and outside the system/networks.
Get Feedback on Needed Cybersecurity Improvements
The reason companies run tabletop exercises is to determine the effectiveness of current cybersecurity protocols and to make improvements before a weakness is exploited. In most cases, feedback on performance will be handed out to all participants once the exercise is completed.
Some of the areas that companies often find need improvement are:
- Was the presented exercise scenario pertinent to the company’s current cybersecurity posture?
- Did the staff understand why particular employees were instructed to take part in the exercise?
- Is the response team familiar with the IR plan and capable of carrying it out?
- Can the IR team handle a crisis and adjust to changing scenarios, while utilizing the available tools and resources?
- Do various team members communicate well with each other and others outside?
- Is information delivered to the right personnel on time?
Improve Decision Response Time
Tabletop exercises reduce the amount of time it takes management and the response team to make decisions regarding the incident. The time it takes to decide how to respond directly affects the severity of the breach. Faster response times mean that the breach can be more quickly contained and neutralized.
How to Run an Incident Response Tabletop Exercise
Now that you know there are several benefits to running incident response tabletop exercises with your incident response team, it’s time to start planning one at your company. However, before you throw out a scenario for staff to resolve there are a few aspects to think about.
Here are a few tips on running an IR tabletop exercise.
Know Your Audience
It’s important to know who your audience is. For example, you wouldn’t want to give your executive team a technical scenario, and the IT staff probably won’t fare well on an exercise that focuses on managerial oversight. However, this doesn’t mean that an exercise can’t have some overlap, only that the scenario must apply to the audience for the results to be valid.
There’s no reason to rate the IT staff on their ability to make executive decisions. It does not apply to their role in the company and only wastes time and money.
Define the Scenario
For the exercise to effectively highlight the strengths and weaknesses of your existing security protocols, the scenario must be realistic in its application to the company. It can be tempting to get creative; however, the result will likely be frustrated employees.
The staff has also cleared their schedules for the exercises, and the company should make it worth their time.
When you’re defining the scenario, look at the maturity of the current IR capabilities and the common threats to the cybersecurity network. You might have to run through a few possible situations in your mind before you find one that is appropriate.
Since it’s recommended that these exercises are done several times a year, you also want to keep the scenarios interesting. This way, the tabletop exercises won’t be viewed with dread by staff.
Scripting the Exercise
Once you know your audience and the scenario, it’s time to create the script. You do want to allow for flexibility since cybersecurity incidents are fluid and can rapidly change. You want to create an outline instead of having every action and response pre-mapped out. The goal of the exercise is to rate the team’s response to the incident.
Run the Exercise and Report the Results
When the scenario is ready and the participants are gathered, it’s time to run the exercise. While you don’t want to give feedback when the exercise is running, you should be prepared to do so shortly after it’s finished.
Don’t be afraid of hurting someone’s feelings if you feel some areas need improvements. This is the point of the exercise, to identify weaknesses and correct them. It’s hard for improvement to be made if no one knows it’s needed.
Keep the tabletop exercise assessment to a summary; it does not need to be a fully documented event. Narrow it down to only specific facts. The goal is to get participants to read it, and they’re more likely to look over a brief assessment than a long multiple-page report.
Even the best IR plan can have flaws that might not be discovered until a cybersecurity breach occurs. However, running incident response tabletop exercises can identify weaknesses before they’re exploited by hackers.
There are a few aspects to remember before starting an exercise. Primarily, keep it relevant to the company’s IR plan and current operations.
Whether you are creating an IR plan or getting ready to run incident response exercises, the team at RSI Security is here to help if you have questions or need assistance setting up the exercise.