Implementing Your First Cybersecurity Tabletop Exercise

It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back into the blog this month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional. 

Most cybersecurity experts encourage organizations to consider a cybersecurity incident an inevitability — not an if, but a when. And breach ramifications are often severe: the average cost of a data breach is $4.24 million. 

Because cybersecurity attacks are likely and costly, organizations need to know they can respond to an incident appropriately. This is where cybersecurity tabletop exercises (TTX) come in.

TTX is designed to test an organization’s incident response plan (IRP). The goal is to learn how your organization would react in a real breach, identify strengths and weaknesses in your plan, and promote response readiness within your organization. 

Despite its critical importance, however, TTX isn’t conducted nearly as often as it should be. Many organizations have trouble kicking exercises off, and setting up your first one can be daunting. Fortunately, however, each exercise tends to promote more buy-in among your organization, making the first exercise the biggest hurdle. 

This blog aims to help IT and security professionals overcome these challenges to running their first cybersecurity TTX. We’ll outline the basics to getting started, setting up and conducting the exercise, and solutions to common roadblocks with introducing TTX to your organization.

Step One: The Incident Response Plan

Table-top exercises aim to test incident response plans (IRPs); hence, the IRP is an essential and unavoidable element of TTX. If you plan to conduct a TTX and you don’t have an IRP, go back and develop an IRP first. 

While you shouldn’t conduct TTX without an IRP, thought exercises around incidents and how your organization might respond can help you build out your IRP. Additionally, smaller-scope TTX models can help you test out sections of your IRP. In fact, doing so is a great way to get the ball rolling in terms of fleshing out your plan. TTX helps identify holes in your plan, areas to edit, unexpected logistical issues, and more. 

Tabletop Exercise Basics

With a base plan in place, you can start testing. The main goal of TTX is to test your IRP’s validity against a realistic threat. In addition, TTX should: 

• Set expectations for threat response and impact.
• Present takeaways that help you improve your organization’s IRP and response.
• Familiarize teams with proper response procedures.

TTX Scope

Table-top exercises can vary in scope. The scope can be broken into three tiers, which can overlap. While a bit simplified, these tiers give a general idea of your TTX options: 

• Most limited scope: technical/operational
  • In this type of TTX, you’re testing out continuity from an infrastructure perspective. For example, if one branch’s server were compromised, how would your technology maintain uptime? These scenarios are concise and tend not to address branching issues that would arise.
• Moderate scope: logistical/tactical
  • This level increases the scenario’s realism by including the human element of incident response and the evolving/cascading nature of real-time breaches. In these exercises, problems may cascade to other departments and participants may be put on the spot to practice working under pressure. 
• Most robust scope: severe breach
  • This level is for scenarios with breaches severe enough to involve management and company leaders. Like moderate scope scenarios, these incidents should be allowed to spread and cascade as they would in a real situation, and they often come with stress factors that help participants practice under pressure. These scenarios can also involve public messaging, communication with authorities, and other large-scale ramifications.

TTX Objectives

Because you can’t pass or fail TTX, outcomes are subjective. Goals of the exercise should be lessons learned and valuable team practice. Consider using the following objectives for your first exercise:

• Identify strengths and weaknesses in the IRP.
  • Next step: Improve the IRP where necessary.
• Identify strengths and weaknesses in staff response.
  • Next step: Implement staff training to address knowledge or performance gaps.
• Familiarize staff with the IRP and a potential threat environment.
• Instill muscle memory in staff that will aid in real-life incident response.

Planning and Conducting the Exercise

Simulating the Incident

Most simulations start with a scenario brief outlining the initial indicator of compromise (IoC), scope of the exercise, and other pertinent information. Some scenarios include supporting props (like an image of a ransomware message on a computer screen), complicating factors (like the IT Director being out of office), and stressors (like time limits). These help mimic real-life scenarios in which teams must think on their feet.

If constructing your own scenario feels daunting for your first exercise, there are pre-packaged scenarios available online for common incidents. Further, there are third-party TTX facilitators that can conduct the exercises for you; these are a good option for first-timers that don’t have the bandwidth or expertise to build and conduct a scenario. Some third-party TTX providers even offer actors, staged news clips, simulated social media activity, and other aids. While these facilitate realisticness, they are not necessary; a simpler exercise can still generate valuable takeaways.

If you’re conducting your first TTX in-house, don’t bite off more than you can chew. A simple scenario brief with key stakeholders in the room can be a highly effective first TTX. It will test your teams’ readiness, help them practice working together to follow the IRP, and prepare them for more complex exercises down the road. 

Who to Include

• Stakeholders. The IRP should outline the roles and responsibilities for different breaches; make sure all relevant stakeholders are included in the exercise. These may change based on the exercise’s scope.
• Facilitator. The exercise should have a facilitator who can answer questions, move the exercise along, and prompt the group when it gets stuck. Ideally, the facilitator should be someone from security or IT who is familiar with the IRP and comfortable with leading a group. If you’re the one taking charge with planning your organization’s TTX, you may be a great facilitator candidate.
• Cross-Departmental Participants. Even in a limited-scope exercise, CISO Jordan M. Schroeder recommends including at least one participant from another department. This diversifies the perspectives in the room, exposes more of the organization to threat response tactics, and encourages cross-departmental collaboration. 
• Documentor. Someone should document what happens in the exercise for later review. Documenting is a valuable observation exercise, so this could be an opportunity for a trainee, security leader, or member of another department to learn how the organization might react during a real incident.

What to Include

Participants should have a guide that outlines the threat brief and any other pertinent information. For your first exercise, you might choose to include the IRP for their reference; however, employees should know where to find it on their own during a real incident. The guide can also contain guiding questions or prompts to keep participants on track.

The facilitator should also have a guide that includes the brief, IRP, and any other relevant information. The facilitator might choose to use slides that outline steps, stages, prompts, audio/visual aids, or other material to support the exercise.

What Scenario to Choose?

Different scenarios test different types of response. Because TTX tests your IRP, choose a threat that’s outlined in the IRP. Additionally, choose a realistic threat to shore up your preparedness in a valuable area. Ransomware, malware, and DDoS attacks are common types of threats that make for worthwhile TTX scenarios.

While you can’t pass or fail a tabletop exercise, participants can leave feeling accomplished or defeated. To instill buy-in across the organization, your first exercise should feel accomplishable. Choose a scenario whose response is outlined in your IRP, and have your facilitator be willing to help or guide the team if they get sidetracked or stuck. 

Even a seemingly straightforward scenario can help identify holes in the IRP and iron out kinks, so this won’t decrease the efficacy of the exercise. Further, TTX should be conducted regularly, so you can complicate scenarios over time to drill into weaker areas once your organization is used to the TTX process. The better prepared they are, the better they’ll be able to work through more complex scenarios.

TTX Procedure

The IRP should define response procedures, but first-timers might consider focusing on performance in the following areas to measure response efficacy. 

• Roles and responsibilities
  • Who should be informed of incidents? 
  • Who is responsible for making which types of decisions? 
  • Are people aware of who fills these roles? 
  • Did people fulfill their roles and responsibilities?
• Threat identification and reporting
  • Who should be notified of a suspected threat? 
  • How long did it take for the event to be reported to the proper department? 
  • Did the department correctly identify it as a threat?
• Triage
  • Who is responsible for triage? 
  • Did the right people decide and communicate triage action? 
  • Was the threat assigned the correct level of priority? 
• Action: Containment and mitigation 
  • How should employees work to stop or contain the breach while minimizing damages? 
  • Who decides and communicates these steps, and did they do so effectively? 
  • Did participants react appropriately according to the IRP?
• Technology and operations
  • What are the continuity plans when different equipment or software go down? 
  • Do they perform as expected? 
  • How do unexpected physical incidents affect continuity (like an IoT compromise that targets the thermostat, affecting the temperature of your server room)?
• Communication flow
  • How are instructions communicated? 
  • Through which channels? 
  • Are employees aware of these communication standards? 
  • Did departments effectively communicate the right information to one another? 
• External communication and messaging
  • Who should the company notify? 
  • How long should they wait to notify potential victims of a breach? 
  • Who handles external messaging? 
  • Should someone contact the police or authorities? 
• Compliance
  • What regulations does the incident threaten, if any? 
  • Who needs to be alerted to a potential compliance breach? 
  • What next steps need to be taken to mitigate compliance breaches? 
  • Did external messaging decisions align with compliance regulations (like alerting customers to breached data within a given time frame)?

Should You Add Pressure?

It’s human nature to clam up under pressure. When stressed, people enter high-alert mode that increases focus — sometimes to the point of failing to notice new information around them — and decreases fine motor skills, working memory, and decision making skills. Simulating pressure can help team members learn how to operate under pressure and instill muscle memory for response actions that can kick in during a real incident.

However, adding stress isn’t necessary. If you’ve had trouble achieving buy-in, adding too much stress to the first exercise may leave people with negative takeaways and an unwillingness to participate in the future. TTX shouldn’t be a one-and-done, so you’ll want to create an environment that shows participants the benefits of the exercise and makes them want to continue the exercises in the future.

Time limits, unannounced exercises, surprise complications, audio/visual aids, and including leadership are great ways to add pressure to an exercise. 

Note: Regardless of whether you announce the exercise ahead of time, always notify the team that it is a drill. Failing to do so can result in real downtime, harm to systems or infrastructure, and damaging external communications, like contacting customers or authorities.

Establish a Cadence

Cybersecurity TTX should be conducted at least once a year — ideally, quarterly. To set expectations, establish TTX as a recurring exercise from the outset. This will help promote buy-in and encourage participants to approach it as something to learn from and improve on rather than a one-time event.

Overcoming Common TTX Implementation Barriers

TTX is critically important to an organization’s cyber health; however, several common barriers prevent companies from carrying them out. Fortunately, once TTX becomes familiar to the organization, it’ll be easier to make the session regular.

Finding Time on Busy Calendars

While it may sound trivial, booking time can be a major barrier when working with leadership. Schedule well in advance, stress the meeting’s importance, and treat it like an event: order coffee or lunch, book a room, send an agenda beforehand, and give the event a name that differentiates it from run-of-the-mill meetings (i.e., Q4 Cybersecurity Workshop). 

Also, note that not all TTX requires leadership’s presence. Consider making your first TTX a small-scale exercise with fewer participants to get the process off the ground and establish it as a norm in your organization.

Getting Buy-In

Another barrier to getting TTX approved and recruiting participants is a lack of buy-in. CEOs won’t want to book time on their calendar if they don’t believe their presence is needed, and leaders may not approve a time-consuming exercise for their employees if they don’t see how it will affect their bottom-line.

But TTX is one of the most critical factors to a business’ bottom line. Cyber incidents are arguably the most dangerous threat to businesses today. A lack of preparedness, therefore, can be a business’s biggest liability.

Communicate the utmost importance of TTX to the business’s viability and assert the need for leadership’s presence, where appropriate. 

Remote Environments

Many of the TTX resources out there are oriented toward in-person exercises, and it may be hard to know how to conduct an exercise if your team is remote or hybrid-remote. However, if remote and hybrid-remote environments are a reality for your organization, your team will need to know how to follow an IRP in that environment. 

Plan TTX in your typical environment to make sure your IRP works. Streamlining communication with small tricks like using the “raise hand” button in your collaboration platform can go a long way for facilitating conversation. Additionally, for your first exercise, try creating and sharing slides for different steps in the process (reference your IRP for this) to help remote and in-office participants stay cohesive and follow along.

Pair TTX with Strong Cloud Security

The best complement to strong incident response is strong threat protection. As businesses rely more and more heavily on the cloud, they need to ensure their security follows suit. The perimeter security model that was designed for on-premise environments is giving way to Zero Trust, a modern alternative that caters to a cloud-based, remote-first world. 

New technologies like cloud-based directories are emerging to meet these needs. JumpCloud^®, the first fully cloud-based directory service, addresses this new risk environment by securely connecting users to all their resources — cloud or on-prem — with a Zero Trust methodology. JumpCloud’s CISO recently spoke with VMWare’s Head of Cybersecurity Strategy in a webinar on cloud security risks and how to combat them with Zero Trust. Watch the full webinar here.