In this interview with Help Net Security, Curtis Fechner, engineering fellow at Optiv Security, explains the function of incident response tabletop exercises and how they can help reduce an organization’s overall cyber risk by keeping it prepared for a real incident.
What do incident response tabletop exercises comprise?
Incident Response (IR) tabletop exercises challenge a group of people to describe the processes by which a theoretical cybersecurity incident would be responded to and managed, from detection through remediation. Traditionally these exercises would be conducted in a round table format, thus the name “tabletop exercise.” These exercises are generally less technical in nature, as there is no practical assessment of security controls, and the overall focus is on management of risk.
A big part of IR tabletop exercises is testing the organization’s IR Plan and establishing familiarity with the standards defined therein. The IR Plan is a critical component for exercises, as the plan should define things like roles and responsibilities for incident response, inform risk assessment and drive decision-making priorities. Having documented this information is important, but training via exercises helps ensure participants understand their role and those of their peers so there is less confusion should a real-world incident occur. The intent behind these exercises is to validate participants’ knowledge of IR processes and to help expose just how formal those processes might be within the organization.
Why are incident response tabletop exercises so low on a security team’s priority list?
Historically many organizations felt tabletop exercises lacked value because a real incident was unlikely to occur, which caused many security leaders to feel they shouldn’t be spending their time preparing for incidents which might not happen. Considering the highly visible risks posed by threats such as ransomware, as well as inevitable regulatory and insurance requirements, however, many leaders have started to rethink this approach.
Logistics continue to prove the greatest barrier to completing exercises. It can be hard to align schedules, especially for high-ranking executives, for example. There is a common desire among many executives for a ‘perfect’ exercise where every potential participant identified in the IR plan must be available for the exercise. COVID-19 remains a challenge as well, as there may be policies within the organization that conflict with desired outcomes, such as in-person exercises. As with a lot of preventive care, people are good at making creative excuses to delay it for another day, too.
The key to circumventing these issues lies in giving exercises the same deference and respect that should be given to a real-world incident. Key stakeholders are frequently unavailable during an incident, but the threat at hand will not wait for their availability before continuing to impact the organization. Tabletops should be approached with the same mindset – the scenario does not change based on participants and the organization must adapt to the problem by relying on their processes and procedures.
To ensure all stakeholders have an opportunity to participate, exercises should be a regular occurrence. An overly elaborate tabletop which consumes a whole day for the executive leadership team might be a once-per-year carefully planned affair conducted by an outside consultancy, but the in-house IR team defined in the plan should conduct exercises at least once per quarter to explore response processes for high-risk threat scenarios. A single scenario once per year should be regarded as the bare minimum from which the organization starts its preparation, rather than the target objective for promoting readiness.
Why are they important and why should they be an essential part of a security team’s plan?
Tabletop exercises are important because they promote readiness in the event a real-life incident takes place. Instead of security teams panicking in the heat of the moment at the onslaught of an incident and being overwhelmed by its scope, they will have already practiced similar scenarios, which makes for fewer surprises. Key stakeholders will already know what their role and responsibilities are, so the response will be more seamless. The more prepared a team is, the quicker and more efficient they can respond. This minimizes the overall risk posed by the threat and maximizes efficiency.
How do incident response tabletop exercises benefit an organization?
As previously mentioned, the exercises help promote a mindset of readiness, but it’s bigger than that. Tabletop exercises are an essential tool for organizations seeking to reduce business risk. Tabletop exercises challenge participants to think creatively and work as a team to solve a problem that is much bigger than any one of them can handle alone.
Exercises can establish interpersonal professional relationships that extend beyond the realm of only cybersecurity or incident response, which fosters mutual understanding and support. Most organizations overestimate their readiness for a cybersecurity incident. Tabletop exercises may not be helpful for identifying gaps in technical controls, but they are the only way to meaningfully expose flaws in process or procedure outside of a real-world incident.
These exercises also enable the organization to extend testing to other plans, such as disaster recovery, business continuity, and crisis management. All these plans solve for certain aspects of problems and may have their own standards defined. Through a tabletop exercise the participants can understand how their actions may impact the actions of others, and also identify potential conflicts created through the execution of complementary plans in a way that can’t be emulated through simply reading the documents side by side.
What can organizations do to maximize their tabletop exercises?
The first thing organizations can do to maximize these exercises is to make sure they give the exercise enough time to finish, so participants don’t have to rush through the scenarios. Trying to fit everything into an hour leaves little time to discuss anything in detail – and factoring in various distractions means there might only be about 20 minutes of actual discussion. Three to four hours is best for most exercises. Establish some ground rules for the exercises as well. Don’t allow the exercise to hinge on the participation of one or two key individuals. If they can’t participate, then participants should treat them as if they’re unavailable for the duration of the instance.
Ensure participants understand these exercises are no-fault and low-stress; disagreements are best leveraged as an opportunity for discussion and future improvement. In keeping with the theme of tabletops as a problem-solving exercise, participants should be encouraged to present recommendations rather than simply identifying an issue. Good tabletop exercises should result in the identification of opportunities for improvement.
For facilitators, make sure you work the room, and get everybody to participate. Don’t force participants to fit into your own narrative goals. Instead, let the participants determine where the narrative goes based on the actions they describe. However, you should build a complete incident scenario, as being too open-ended can result in boredom and lack of audience engagement.
You don’t have to cover every detail but having that background data gives you far more latitude to steer the exercise as participants engage and make decisions. Additionally, for facilitators, it’s important to keep the overall exercise on-track – control the conversation, and when participants start to go off on tangents, pull them back to the reality of the scenario.