![\"Start](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2015\/05\/IDaaSchecklist.png\")
<\/figure><\/div>\n\n\nTable-top exercises aim to test incident response plans (IRPs); hence, the IRP is an essential and unavoidable element of TTX. If you plan to conduct a TTX and you don\u2019t have an IRP, go back and develop an IRP first. <\/p>\n\n\n\n
While you shouldn\u2019t conduct TTX without an IRP, thought exercises around incidents and how your organization might respond can help you build out your IRP. Additionally, smaller-scope TTX models can help you test out sections of your IRP. In fact, doing so is a great way to get the ball rolling in terms of fleshing out your plan. TTX helps identify holes in your plan, areas to edit, unexpected logistical issues, and more. <\/p>\n\n\n\n
Tabletop Exercise Basics<\/h2>\n\n\n\nWith a base plan in place, you can start testing. The main goal of TTX is to test your IRP\u2019s validity against a realistic threat. In addition, TTX should: <\/p>\n\n\n\n
\n- Set expectations for threat response and impact.<\/li>\n\n\n\n
- Present takeaways that help you improve your organization\u2019s IRP and response.<\/li>\n\n\n\n
- Familiarize teams with proper response procedures.<\/li>\n<\/ul>\n\n\n\n
TTX Scope<\/h3>\n\n\n\nTable-top exercises can vary in scope. The scope can be broken into three tiers, which can overlap. While a bit simplified, these tiers give a general idea of your TTX options: <\/p>\n\n\n\n
\n- Most limited scope: technical\/operational<\/strong>\n
\n- In this type of TTX, you\u2019re testing out continuity from an infrastructure perspective. For example, if one branch\u2019s server were compromised, how would your technology maintain uptime? These scenarios are concise and tend not to address branching issues that would arise.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Moderate scope: logistical\/tactical<\/strong>\n
\n- This level increases the scenario\u2019s realism by including the human element of incident response and the evolving\/cascading nature of real-time breaches. In these exercises, problems may cascade to other departments and participants may be put on the spot to practice working under pressure.\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Most robust scope: severe breach<\/strong>\n
\n- This level is for scenarios with breaches severe enough to involve management and company leaders. Like moderate scope scenarios, these incidents should be allowed to spread and cascade as they would in a real situation, and they often come with stress factors that help participants practice under pressure. These scenarios can also involve public messaging, communication with authorities, and other large-scale ramifications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
TTX Objectives<\/h3>\n\n\n\n
Because you can\u2019t pass or fail TTX, outcomes are subjective. Goals of the exercise should be lessons learned and valuable team practice. Consider using the following objectives for your first exercise:<\/p>\n\n\n\n
\n- Identify strengths and weaknesses in the IRP.<\/strong>\n
\n- Next step: Improve the IRP where necessary.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Identify strengths and weaknesses in staff response.<\/strong>\n
\n- Next step: Implement staff training to address knowledge or performance gaps.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Familiarize staff with the IRP and a potential threat environment.<\/strong><\/li>\n\n\n\n
- Instill muscle memory in staff that will aid in real-life incident response.<\/strong><\/li>\n<\/ul>\n\n\n\n
Planning and Conducting the Exercise<\/strong><\/h2>\n\n\n\nSimulating the Incident<\/h3>\n\n\n\n
Most simulations start with a scenario brief outlining the initial indicator of compromise (IoC), scope of the exercise, and other pertinent information. Some scenarios include supporting props (like an image of a ransomware message on a computer screen), complicating factors (like the IT Director being out of office), and stressors (like time limits). These help mimic real-life scenarios in which teams must think on their feet.<\/p>\n\n\n\n
If constructing your own scenario feels daunting for your first exercise, there are pre-packaged scenarios available online for common incidents. Further, there are third-party TTX facilitators that can conduct the exercises for you; these are a good option for first-timers that don\u2019t have the bandwidth or expertise to build and conduct a scenario. Some third-party TTX providers even offer actors, staged news clips, simulated social media activity, and other aids. While these facilitate realisticness, they are not necessary; a simpler exercise can still generate valuable takeaways.<\/p>\n\n\n\n
If you\u2019re conducting your first TTX in-house, don\u2019t bite off more than you can chew. A simple scenario brief with key stakeholders in the room can be a highly effective first TTX. It will test your teams\u2019 readiness, help them practice working together to follow the IRP, and prepare them for more complex exercises down the road. <\/p>\n\n\n\n
Who to Include<\/h3>\n\n\n\n![\"who](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2018\/06\/connect-with-people-300x300.png\")
<\/figure><\/div>\n\n\n\n- Stakeholders.<\/strong> The IRP should outline the roles and responsibilities for different breaches; make sure all relevant stakeholders are included in the exercise. These may change based on the exercise\u2019s scope.<\/li>\n\n\n\n
- Facilitator.<\/strong> The exercise should have a facilitator who can answer questions, move the exercise along, and prompt the group when it gets stuck. Ideally, the facilitator should be someone from security or IT who is familiar with the IRP and comfortable with leading a group. If you\u2019re the one taking charge with planning your organization\u2019s TTX, you may be a great facilitator candidate.<\/li>\n\n\n\n
- Cross-Departmental Participants. <\/strong>Even in a limited-scope exercise, CISO Jordan M. Schroeder<\/a> recommends including at least one participant from another department. This diversifies the perspectives in the room, exposes more of the organization to threat response tactics, and encourages cross-departmental collaboration.\u00a0<\/li>\n\n\n\n
- Documentor.<\/strong> Someone should document what happens in the exercise for later review. Documenting is a valuable observation exercise, so this could be an opportunity for a trainee, security leader, or member of another department to learn how the organization might react during a real incident.<\/li>\n<\/ul>\n\n\n\n
What to Include<\/h3>\n\n\n\n
Participants should have a guide that outlines the threat brief and any other pertinent information. For your first exercise, you might choose to include the IRP for their reference; however, employees should know where to find it on their own during a real incident. The guide can also contain guiding questions or prompts to keep participants on track.<\/p>\n\n\n\n
The facilitator should also have a guide that includes the brief, IRP, and any other relevant information. The facilitator might choose to use slides that outline steps, stages, prompts, audio\/visual aids, or other material to support the exercise.<\/p>\n\n\n\n
What Scenario to Choose?<\/h3>\n\n\n\n
Different scenarios test different types of response. Because TTX tests your IRP, choose a threat that\u2019s outlined in the IRP. Additionally, choose a realistic threat to shore up your preparedness in a valuable area. Ransomware, malware, and DDoS attacks are common types of threats that make for worthwhile TTX scenarios.<\/p>\n\n\n\n
While you can\u2019t pass or fail a tabletop exercise, participants can leave feeling accomplished or defeated. To instill buy-in across the organization, your first exercise should feel accomplishable. Choose a scenario whose response is outlined in your IRP, and have your facilitator be willing to help or guide the team if they get sidetracked or stuck. <\/p>\n\n\n\n
Even a seemingly straightforward scenario can help identify holes in the IRP and iron out kinks, so this won\u2019t decrease the efficacy of the exercise. Further, TTX should be conducted regularly, so you can complicate scenarios over time to drill into weaker areas once your organization is used to the TTX process. The better prepared they are, the better they\u2019ll be able to work through more complex scenarios.<\/p>\n\n\n\n
TTX Procedure<\/h3>\n\n\n\nThe IRP should define response procedures, but first-timers might consider focusing on performance in the following areas to measure response efficacy. <\/p>\n\n\n\n
\n- Roles and responsibilities<\/strong>\n
\n- Who should be informed of incidents?\u00a0<\/li>\n\n\n\n
- Who is responsible for making which types of decisions?\u00a0<\/li>\n\n\n\n
- Are people aware of who fills these roles?\u00a0<\/li>\n\n\n\n
- Did people fulfill their roles and responsibilities?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Threat identification and reporting<\/strong>\n
\n- Who should be notified of a suspected threat?\u00a0<\/li>\n\n\n\n
- How long did it take for the event to be reported to the proper department?\u00a0<\/li>\n\n\n\n
- Did the department correctly identify it as a threat?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Triage<\/strong>\n
\n- Who is responsible for triage?\u00a0<\/li>\n\n\n\n
- Did the right people decide and communicate triage action?\u00a0<\/li>\n\n\n\n
- Was the threat assigned the correct level of priority?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Action: Containment and mitigation\u00a0<\/strong>\n
\n- How should employees work to stop or contain the breach while minimizing damages?\u00a0<\/li>\n\n\n\n
- Who decides and communicates these steps, and did they do so effectively?\u00a0<\/li>\n\n\n\n
- Did participants react appropriately according to the IRP?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Technology and operations<\/strong>\n
\n- What are the continuity plans when different equipment or software go down?\u00a0<\/li>\n\n\n\n
- Do they perform as expected?\u00a0<\/li>\n\n\n\n
- How do unexpected physical incidents affect continuity (like an IoT compromise that targets the thermostat, affecting the temperature of your server room)?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Communication flow<\/strong>\n
\n- How are instructions communicated?\u00a0<\/li>\n\n\n\n
- Through which channels?\u00a0<\/li>\n\n\n\n
- Are employees aware of these communication standards?\u00a0<\/li>\n\n\n\n
- Did departments effectively communicate the right information to one another?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- External communication and messaging<\/strong>\n
\n- Who should the company notify?\u00a0<\/li>\n\n\n\n
- How long should they wait to notify potential victims of a breach?\u00a0<\/li>\n\n\n\n
- Who handles external messaging?\u00a0<\/li>\n\n\n\n
- Should someone contact the police or authorities?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Compliance<\/strong>\n
\n- What regulations does the incident threaten, if any?\u00a0<\/li>\n\n\n\n
- Who needs to be alerted to a potential compliance breach?\u00a0<\/li>\n\n\n\n
- What next steps need to be taken to mitigate compliance breaches?\u00a0<\/li>\n\n\n\n
- Did external messaging decisions align with compliance regulations (like alerting customers to breached data within a given time frame)?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Should You Add Pressure?<\/h3>\n\n\n\n
It\u2019s human nature to clam up under pressure. When stressed, people enter high-alert mode that increases focus \u2014 sometimes to the point of failing to notice new information<\/a> around them \u2014 and decreases fine motor skills, working memory, and decision making skills. Simulating pressure can help team members learn how to operate under pressure and instill muscle memory for response actions that can kick in during a real incident.<\/p>\n\n\n\n
Establish a Cadence<\/h3>\n\n\n\nCybersecurity TTX should be conducted at least once a year \u2014 ideally, quarterly. To set expectations, establish TTX as a recurring exercise from the outset. This will help promote buy-in and encourage participants to approach it as something to learn from and improve on rather than a one-time event.<\/p>\n\n\n\n
Overcoming Common TTX Implementation Barriers<\/strong><\/h2>\n\n\n\nTTX is critically important to an organization\u2019s cyber health; however, several common barriers prevent companies from carrying them out. Fortunately, once TTX becomes familiar to the organization, it\u2019ll be easier to make the session regular.<\/p>\n\n\n\n
Finding Time on Busy Calendars<\/h3>\n\n\n\n
While it may sound trivial, booking time can be a major barrier when working with leadership. Schedule well in advance, stress the meeting\u2019s importance, and treat it like an event: order coffee or lunch, book a room, send an agenda beforehand, and give the event a name that differentiates it from run-of-the-mill meetings (i.e., Q4 Cybersecurity Workshop). <\/p>\n\n\n\n
Also, note that not all TTX requires leadership\u2019s presence. Consider making your first TTX a small-scale exercise with fewer participants to get the process off the ground and establish it as a norm in your organization.<\/p>\n\n\n\n
Getting Buy-In<\/h3>\n\n\n\n![\"Establishing](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2017\/11\/Calendar-1-300x300.png\")
<\/figure><\/div>\n\n\nAnother barrier to getting TTX approved and recruiting participants is a lack of buy-in. CEOs won\u2019t want to book time on their calendar if they don\u2019t believe their presence is needed, and leaders may not approve a time-consuming exercise for their employees if they don\u2019t see how it will affect their bottom-line.<\/p>\n\n\n\n
But TTX is one of the most critical factors to a business\u2019 bottom line. Cyber incidents are arguably the most dangerous threat to businesses today. A lack of preparedness, therefore, can be a business\u2019s biggest liability.<\/p>\n\n\n\n
Communicate the utmost importance of TTX to the business\u2019s viability and assert the need for leadership\u2019s presence, where appropriate. <\/p>\n\n\n\n
Remote Environments<\/h3>\n\n\n\n
Many of the TTX resources out there are oriented toward in-person exercises, and it may be hard to know how to conduct an exercise if your team is remote or hybrid-remote<\/a>. However, if remote and hybrid-remote environments are a reality for your organization, your team will need to know how to follow an IRP in that environment. <\/p>\n\n\n\n
Pair TTX with Strong Cloud Security<\/strong><\/h2>\n\n\n\nThe best complement to strong incident response is strong threat protection. As businesses rely more and more heavily on the cloud, they need to ensure their security follows suit. The perimeter security model<\/a> that was designed for on-premise environments is giving way to Zero Trust<\/a>, a modern alternative that caters to a cloud-based, remote-first world.\u00a0<\/p>\n\n\n\n
New technologies like cloud-based directories<\/a> are emerging to meet these needs. JumpCloud\u00ae<\/sup><\/a>, the first fully cloud-based directory service, addresses this new risk environment by securely connecting users to all their resources \u2014 cloud or on-prem \u2014 with a Zero Trust methodology. JumpCloud\u2019s CISO recently spoke with VMWare\u2019s Head of Cybersecurity Strategy in a webinar on cloud security risks and how to combat them with Zero Trust. Watch the full webinar here.<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"
TTX Scope<\/h3>\n\n\n\nTable-top exercises can vary in scope. The scope can be broken into three tiers, which can overlap. While a bit simplified, these tiers give a general idea of your TTX options: <\/p>\n\n\n\n
\n- Most limited scope: technical\/operational<\/strong>\n
\n- In this type of TTX, you\u2019re testing out continuity from an infrastructure perspective. For example, if one branch\u2019s server were compromised, how would your technology maintain uptime? These scenarios are concise and tend not to address branching issues that would arise.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Moderate scope: logistical\/tactical<\/strong>\n
\n- This level increases the scenario\u2019s realism by including the human element of incident response and the evolving\/cascading nature of real-time breaches. In these exercises, problems may cascade to other departments and participants may be put on the spot to practice working under pressure.\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Most robust scope: severe breach<\/strong>\n
\n- This level is for scenarios with breaches severe enough to involve management and company leaders. Like moderate scope scenarios, these incidents should be allowed to spread and cascade as they would in a real situation, and they often come with stress factors that help participants practice under pressure. These scenarios can also involve public messaging, communication with authorities, and other large-scale ramifications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
TTX Objectives<\/h3>\n\n\n\n
Because you can\u2019t pass or fail TTX, outcomes are subjective. Goals of the exercise should be lessons learned and valuable team practice. Consider using the following objectives for your first exercise:<\/p>\n\n\n\n
\n- Identify strengths and weaknesses in the IRP.<\/strong>\n
\n- Next step: Improve the IRP where necessary.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Identify strengths and weaknesses in staff response.<\/strong>\n
\n- Next step: Implement staff training to address knowledge or performance gaps.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Familiarize staff with the IRP and a potential threat environment.<\/strong><\/li>\n\n\n\n
- Instill muscle memory in staff that will aid in real-life incident response.<\/strong><\/li>\n<\/ul>\n\n\n\n
Planning and Conducting the Exercise<\/strong><\/h2>\n\n\n\nSimulating the Incident<\/h3>\n\n\n\n
Most simulations start with a scenario brief outlining the initial indicator of compromise (IoC), scope of the exercise, and other pertinent information. Some scenarios include supporting props (like an image of a ransomware message on a computer screen), complicating factors (like the IT Director being out of office), and stressors (like time limits). These help mimic real-life scenarios in which teams must think on their feet.<\/p>\n\n\n\n
If constructing your own scenario feels daunting for your first exercise, there are pre-packaged scenarios available online for common incidents. Further, there are third-party TTX facilitators that can conduct the exercises for you; these are a good option for first-timers that don\u2019t have the bandwidth or expertise to build and conduct a scenario. Some third-party TTX providers even offer actors, staged news clips, simulated social media activity, and other aids. While these facilitate realisticness, they are not necessary; a simpler exercise can still generate valuable takeaways.<\/p>\n\n\n\n
If you\u2019re conducting your first TTX in-house, don\u2019t bite off more than you can chew. A simple scenario brief with key stakeholders in the room can be a highly effective first TTX. It will test your teams\u2019 readiness, help them practice working together to follow the IRP, and prepare them for more complex exercises down the road. <\/p>\n\n\n\n
- \n
- In this type of TTX, you\u2019re testing out continuity from an infrastructure perspective. For example, if one branch\u2019s server were compromised, how would your technology maintain uptime? These scenarios are concise and tend not to address branching issues that would arise.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Moderate scope: logistical\/tactical<\/strong>\n
- \n
- This level increases the scenario\u2019s realism by including the human element of incident response and the evolving\/cascading nature of real-time breaches. In these exercises, problems may cascade to other departments and participants may be put on the spot to practice working under pressure.\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Most robust scope: severe breach<\/strong>\n
- \n
- This level is for scenarios with breaches severe enough to involve management and company leaders. Like moderate scope scenarios, these incidents should be allowed to spread and cascade as they would in a real situation, and they often come with stress factors that help participants practice under pressure. These scenarios can also involve public messaging, communication with authorities, and other large-scale ramifications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
TTX Objectives<\/h3>\n\n\n\n
Because you can\u2019t pass or fail TTX, outcomes are subjective. Goals of the exercise should be lessons learned and valuable team practice. Consider using the following objectives for your first exercise:<\/p>\n\n\n\n
- \n
- Identify strengths and weaknesses in the IRP.<\/strong>\n
- \n
- Next step: Improve the IRP where necessary.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Identify strengths and weaknesses in staff response.<\/strong>\n
- \n
- Next step: Implement staff training to address knowledge or performance gaps.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Familiarize staff with the IRP and a potential threat environment.<\/strong><\/li>\n\n\n\n
- Instill muscle memory in staff that will aid in real-life incident response.<\/strong><\/li>\n<\/ul>\n\n\n\n
Planning and Conducting the Exercise<\/strong><\/h2>\n\n\n\n
Simulating the Incident<\/h3>\n\n\n\n
Most simulations start with a scenario brief outlining the initial indicator of compromise (IoC), scope of the exercise, and other pertinent information. Some scenarios include supporting props (like an image of a ransomware message on a computer screen), complicating factors (like the IT Director being out of office), and stressors (like time limits). These help mimic real-life scenarios in which teams must think on their feet.<\/p>\n\n\n\n
If constructing your own scenario feels daunting for your first exercise, there are pre-packaged scenarios available online for common incidents. Further, there are third-party TTX facilitators that can conduct the exercises for you; these are a good option for first-timers that don\u2019t have the bandwidth or expertise to build and conduct a scenario. Some third-party TTX providers even offer actors, staged news clips, simulated social media activity, and other aids. While these facilitate realisticness, they are not necessary; a simpler exercise can still generate valuable takeaways.<\/p>\n\n\n\n
If you\u2019re conducting your first TTX in-house, don\u2019t bite off more than you can chew. A simple scenario brief with key stakeholders in the room can be a highly effective first TTX. It will test your teams\u2019 readiness, help them practice working together to follow the IRP, and prepare them for more complex exercises down the road. <\/p>\n\n\n\n
- Identify strengths and weaknesses in the IRP.<\/strong>\n
- This level is for scenarios with breaches severe enough to involve management and company leaders. Like moderate scope scenarios, these incidents should be allowed to spread and cascade as they would in a real situation, and they often come with stress factors that help participants practice under pressure. These scenarios can also involve public messaging, communication with authorities, and other large-scale ramifications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Who to Include<\/h3>\n\n\n\n<\/figure><\/div>\n\n\n\n- Stakeholders.<\/strong> The IRP should outline the roles and responsibilities for different breaches; make sure all relevant stakeholders are included in the exercise. These may change based on the exercise\u2019s scope.<\/li>\n\n\n\n
- Facilitator.<\/strong> The exercise should have a facilitator who can answer questions, move the exercise along, and prompt the group when it gets stuck. Ideally, the facilitator should be someone from security or IT who is familiar with the IRP and comfortable with leading a group. If you\u2019re the one taking charge with planning your organization\u2019s TTX, you may be a great facilitator candidate.<\/li>\n\n\n\n
- Cross-Departmental Participants. <\/strong>Even in a limited-scope exercise, CISO Jordan M. Schroeder<\/a> recommends including at least one participant from another department. This diversifies the perspectives in the room, exposes more of the organization to threat response tactics, and encourages cross-departmental collaboration.\u00a0<\/li>\n\n\n\n
- Documentor.<\/strong> Someone should document what happens in the exercise for later review. Documenting is a valuable observation exercise, so this could be an opportunity for a trainee, security leader, or member of another department to learn how the organization might react during a real incident.<\/li>\n<\/ul>\n\n\n\n
What to Include<\/h3>\n\n\n\n
Participants should have a guide that outlines the threat brief and any other pertinent information. For your first exercise, you might choose to include the IRP for their reference; however, employees should know where to find it on their own during a real incident. The guide can also contain guiding questions or prompts to keep participants on track.<\/p>\n\n\n\n
The facilitator should also have a guide that includes the brief, IRP, and any other relevant information. The facilitator might choose to use slides that outline steps, stages, prompts, audio\/visual aids, or other material to support the exercise.<\/p>\n\n\n\n
What Scenario to Choose?<\/h3>\n\n\n\n
Different scenarios test different types of response. Because TTX tests your IRP, choose a threat that\u2019s outlined in the IRP. Additionally, choose a realistic threat to shore up your preparedness in a valuable area. Ransomware, malware, and DDoS attacks are common types of threats that make for worthwhile TTX scenarios.<\/p>\n\n\n\n
While you can\u2019t pass or fail a tabletop exercise, participants can leave feeling accomplished or defeated. To instill buy-in across the organization, your first exercise should feel accomplishable. Choose a scenario whose response is outlined in your IRP, and have your facilitator be willing to help or guide the team if they get sidetracked or stuck. <\/p>\n\n\n\n
Even a seemingly straightforward scenario can help identify holes in the IRP and iron out kinks, so this won\u2019t decrease the efficacy of the exercise. Further, TTX should be conducted regularly, so you can complicate scenarios over time to drill into weaker areas once your organization is used to the TTX process. The better prepared they are, the better they\u2019ll be able to work through more complex scenarios.<\/p>\n\n\n\n
TTX Procedure<\/h3>\n\n\n\nThe IRP should define response procedures, but first-timers might consider focusing on performance in the following areas to measure response efficacy. <\/p>\n\n\n\n
\n- Roles and responsibilities<\/strong>\n
\n- Who should be informed of incidents?\u00a0<\/li>\n\n\n\n
- Who is responsible for making which types of decisions?\u00a0<\/li>\n\n\n\n
- Are people aware of who fills these roles?\u00a0<\/li>\n\n\n\n
- Did people fulfill their roles and responsibilities?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Threat identification and reporting<\/strong>\n
\n- Who should be notified of a suspected threat?\u00a0<\/li>\n\n\n\n
- How long did it take for the event to be reported to the proper department?\u00a0<\/li>\n\n\n\n
- Did the department correctly identify it as a threat?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Triage<\/strong>\n
\n- Who is responsible for triage?\u00a0<\/li>\n\n\n\n
- Did the right people decide and communicate triage action?\u00a0<\/li>\n\n\n\n
- Was the threat assigned the correct level of priority?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Action: Containment and mitigation\u00a0<\/strong>\n
\n- How should employees work to stop or contain the breach while minimizing damages?\u00a0<\/li>\n\n\n\n
- Who decides and communicates these steps, and did they do so effectively?\u00a0<\/li>\n\n\n\n
- Did participants react appropriately according to the IRP?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Technology and operations<\/strong>\n
\n- What are the continuity plans when different equipment or software go down?\u00a0<\/li>\n\n\n\n
- Do they perform as expected?\u00a0<\/li>\n\n\n\n
- How do unexpected physical incidents affect continuity (like an IoT compromise that targets the thermostat, affecting the temperature of your server room)?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Communication flow<\/strong>\n
\n- How are instructions communicated?\u00a0<\/li>\n\n\n\n
- Through which channels?\u00a0<\/li>\n\n\n\n
- Are employees aware of these communication standards?\u00a0<\/li>\n\n\n\n
- Did departments effectively communicate the right information to one another?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- External communication and messaging<\/strong>\n
\n- Who should the company notify?\u00a0<\/li>\n\n\n\n
- How long should they wait to notify potential victims of a breach?\u00a0<\/li>\n\n\n\n
- Who handles external messaging?\u00a0<\/li>\n\n\n\n
- Should someone contact the police or authorities?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Compliance<\/strong>\n
\n- What regulations does the incident threaten, if any?\u00a0<\/li>\n\n\n\n
- Who needs to be alerted to a potential compliance breach?\u00a0<\/li>\n\n\n\n
- What next steps need to be taken to mitigate compliance breaches?\u00a0<\/li>\n\n\n\n
- Did external messaging decisions align with compliance regulations (like alerting customers to breached data within a given time frame)?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Should You Add Pressure?<\/h3>\n\n\n\n
It\u2019s human nature to clam up under pressure. When stressed, people enter high-alert mode that increases focus \u2014 sometimes to the point of failing to notice new information<\/a> around them \u2014 and decreases fine motor skills, working memory, and decision making skills. Simulating pressure can help team members learn how to operate under pressure and instill muscle memory for response actions that can kick in during a real incident.<\/p>\n\n\n\n
Establish a Cadence<\/h3>\n\n\n\nCybersecurity TTX should be conducted at least once a year \u2014 ideally, quarterly. To set expectations, establish TTX as a recurring exercise from the outset. This will help promote buy-in and encourage participants to approach it as something to learn from and improve on rather than a one-time event.<\/p>\n\n\n\n
Overcoming Common TTX Implementation Barriers<\/strong><\/h2>\n\n\n\nTTX is critically important to an organization\u2019s cyber health; however, several common barriers prevent companies from carrying them out. Fortunately, once TTX becomes familiar to the organization, it\u2019ll be easier to make the session regular.<\/p>\n\n\n\n
Finding Time on Busy Calendars<\/h3>\n\n\n\n
While it may sound trivial, booking time can be a major barrier when working with leadership. Schedule well in advance, stress the meeting\u2019s importance, and treat it like an event: order coffee or lunch, book a room, send an agenda beforehand, and give the event a name that differentiates it from run-of-the-mill meetings (i.e., Q4 Cybersecurity Workshop). <\/p>\n\n\n\n
Also, note that not all TTX requires leadership\u2019s presence. Consider making your first TTX a small-scale exercise with fewer participants to get the process off the ground and establish it as a norm in your organization.<\/p>\n\n\n\n
Getting Buy-In<\/h3>\n\n\n\n<\/figure><\/div>\n\n\nAnother barrier to getting TTX approved and recruiting participants is a lack of buy-in. CEOs won\u2019t want to book time on their calendar if they don\u2019t believe their presence is needed, and leaders may not approve a time-consuming exercise for their employees if they don\u2019t see how it will affect their bottom-line.<\/p>\n\n\n\n
But TTX is one of the most critical factors to a business\u2019 bottom line. Cyber incidents are arguably the most dangerous threat to businesses today. A lack of preparedness, therefore, can be a business\u2019s biggest liability.<\/p>\n\n\n\n
Communicate the utmost importance of TTX to the business\u2019s viability and assert the need for leadership\u2019s presence, where appropriate. <\/p>\n\n\n\n
Remote Environments<\/h3>\n\n\n\n
Many of the TTX resources out there are oriented toward in-person exercises, and it may be hard to know how to conduct an exercise if your team is remote or hybrid-remote<\/a>. However, if remote and hybrid-remote environments are a reality for your organization, your team will need to know how to follow an IRP in that environment. <\/p>\n\n\n\n
Pair TTX with Strong Cloud Security<\/strong><\/h2>\n\n\n\nThe best complement to strong incident response is strong threat protection. As businesses rely more and more heavily on the cloud, they need to ensure their security follows suit. The perimeter security model<\/a> that was designed for on-premise environments is giving way to Zero Trust<\/a>, a modern alternative that caters to a cloud-based, remote-first world.\u00a0<\/p>\n\n\n\n
New technologies like cloud-based directories<\/a> are emerging to meet these needs. JumpCloud\u00ae<\/sup><\/a>, the first fully cloud-based directory service, addresses this new risk environment by securely connecting users to all their resources \u2014 cloud or on-prem \u2014 with a Zero Trust methodology. JumpCloud\u2019s CISO recently spoke with VMWare\u2019s Head of Cybersecurity Strategy in a webinar on cloud security risks and how to combat them with Zero Trust. Watch the full webinar here.<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"
<\/figure><\/div>\n\n\n- \n
- Stakeholders.<\/strong> The IRP should outline the roles and responsibilities for different breaches; make sure all relevant stakeholders are included in the exercise. These may change based on the exercise\u2019s scope.<\/li>\n\n\n\n
- Facilitator.<\/strong> The exercise should have a facilitator who can answer questions, move the exercise along, and prompt the group when it gets stuck. Ideally, the facilitator should be someone from security or IT who is familiar with the IRP and comfortable with leading a group. If you\u2019re the one taking charge with planning your organization\u2019s TTX, you may be a great facilitator candidate.<\/li>\n\n\n\n
- Cross-Departmental Participants. <\/strong>Even in a limited-scope exercise, CISO Jordan M. Schroeder<\/a> recommends including at least one participant from another department. This diversifies the perspectives in the room, exposes more of the organization to threat response tactics, and encourages cross-departmental collaboration.\u00a0<\/li>\n\n\n\n
- Documentor.<\/strong> Someone should document what happens in the exercise for later review. Documenting is a valuable observation exercise, so this could be an opportunity for a trainee, security leader, or member of another department to learn how the organization might react during a real incident.<\/li>\n<\/ul>\n\n\n\n
What to Include<\/h3>\n\n\n\n
Participants should have a guide that outlines the threat brief and any other pertinent information. For your first exercise, you might choose to include the IRP for their reference; however, employees should know where to find it on their own during a real incident. The guide can also contain guiding questions or prompts to keep participants on track.<\/p>\n\n\n\n
The facilitator should also have a guide that includes the brief, IRP, and any other relevant information. The facilitator might choose to use slides that outline steps, stages, prompts, audio\/visual aids, or other material to support the exercise.<\/p>\n\n\n\n
What Scenario to Choose?<\/h3>\n\n\n\n
Different scenarios test different types of response. Because TTX tests your IRP, choose a threat that\u2019s outlined in the IRP. Additionally, choose a realistic threat to shore up your preparedness in a valuable area. Ransomware, malware, and DDoS attacks are common types of threats that make for worthwhile TTX scenarios.<\/p>\n\n\n\n
While you can\u2019t pass or fail a tabletop exercise, participants can leave feeling accomplished or defeated. To instill buy-in across the organization, your first exercise should feel accomplishable. Choose a scenario whose response is outlined in your IRP, and have your facilitator be willing to help or guide the team if they get sidetracked or stuck. <\/p>\n\n\n\n
Even a seemingly straightforward scenario can help identify holes in the IRP and iron out kinks, so this won\u2019t decrease the efficacy of the exercise. Further, TTX should be conducted regularly, so you can complicate scenarios over time to drill into weaker areas once your organization is used to the TTX process. The better prepared they are, the better they\u2019ll be able to work through more complex scenarios.<\/p>\n\n\n\n
TTX Procedure<\/h3>\n\n\n\n
The IRP should define response procedures, but first-timers might consider focusing on performance in the following areas to measure response efficacy. <\/p>\n\n\n\n
- \n
- Roles and responsibilities<\/strong>\n
- \n
- Who should be informed of incidents?\u00a0<\/li>\n\n\n\n
- Who is responsible for making which types of decisions?\u00a0<\/li>\n\n\n\n
- Are people aware of who fills these roles?\u00a0<\/li>\n\n\n\n
- Did people fulfill their roles and responsibilities?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Threat identification and reporting<\/strong>\n
- \n
- Who should be notified of a suspected threat?\u00a0<\/li>\n\n\n\n
- How long did it take for the event to be reported to the proper department?\u00a0<\/li>\n\n\n\n
- Did the department correctly identify it as a threat?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Triage<\/strong>\n
- \n
- Who is responsible for triage?\u00a0<\/li>\n\n\n\n
- Did the right people decide and communicate triage action?\u00a0<\/li>\n\n\n\n
- Was the threat assigned the correct level of priority?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Action: Containment and mitigation\u00a0<\/strong>\n
- \n
- How should employees work to stop or contain the breach while minimizing damages?\u00a0<\/li>\n\n\n\n
- Who decides and communicates these steps, and did they do so effectively?\u00a0<\/li>\n\n\n\n
- Did participants react appropriately according to the IRP?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Technology and operations<\/strong>\n
- \n
- What are the continuity plans when different equipment or software go down?\u00a0<\/li>\n\n\n\n
- Do they perform as expected?\u00a0<\/li>\n\n\n\n
- How do unexpected physical incidents affect continuity (like an IoT compromise that targets the thermostat, affecting the temperature of your server room)?<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Communication flow<\/strong>\n
- \n
- How are instructions communicated?\u00a0<\/li>\n\n\n\n
- Through which channels?\u00a0<\/li>\n\n\n\n
- Are employees aware of these communication standards?\u00a0<\/li>\n\n\n\n
- Did departments effectively communicate the right information to one another?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- External communication and messaging<\/strong>\n
- \n
- Who should the company notify?\u00a0<\/li>\n\n\n\n
- How long should they wait to notify potential victims of a breach?\u00a0<\/li>\n\n\n\n
- Who handles external messaging?\u00a0<\/li>\n\n\n\n
- Should someone contact the police or authorities?\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Compliance<\/strong>\n
- \n
- What regulations does the incident threaten, if any?\u00a0<\/li>\n\n\n\n
- Who needs to be alerted to a potential compliance breach?\u00a0<\/li>\n\n\n\n
- What next steps need to be taken to mitigate compliance breaches?\u00a0<\/li>\n\n\n\n
- Did external messaging decisions align with compliance regulations (like alerting customers to breached data within a given time frame)?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Should You Add Pressure?<\/h3>\n\n\n\n
It\u2019s human nature to clam up under pressure. When stressed, people enter high-alert mode that increases focus \u2014 sometimes to the point of failing to notice new information<\/a> around them \u2014 and decreases fine motor skills, working memory, and decision making skills. Simulating pressure can help team members learn how to operate under pressure and instill muscle memory for response actions that can kick in during a real incident.<\/p>\n\n\n\n
Establish a Cadence<\/h3>\n\n\n\n
Cybersecurity TTX should be conducted at least once a year \u2014 ideally, quarterly. To set expectations, establish TTX as a recurring exercise from the outset. This will help promote buy-in and encourage participants to approach it as something to learn from and improve on rather than a one-time event.<\/p>\n\n\n\n
Overcoming Common TTX Implementation Barriers<\/strong><\/h2>\n\n\n\n
TTX is critically important to an organization\u2019s cyber health; however, several common barriers prevent companies from carrying them out. Fortunately, once TTX becomes familiar to the organization, it\u2019ll be easier to make the session regular.<\/p>\n\n\n\n
Finding Time on Busy Calendars<\/h3>\n\n\n\n
While it may sound trivial, booking time can be a major barrier when working with leadership. Schedule well in advance, stress the meeting\u2019s importance, and treat it like an event: order coffee or lunch, book a room, send an agenda beforehand, and give the event a name that differentiates it from run-of-the-mill meetings (i.e., Q4 Cybersecurity Workshop). <\/p>\n\n\n\n
Also, note that not all TTX requires leadership\u2019s presence. Consider making your first TTX a small-scale exercise with fewer participants to get the process off the ground and establish it as a norm in your organization.<\/p>\n\n\n\n
Getting Buy-In<\/h3>\n\n\n
\n<\/figure><\/div>\n\n\nAnother barrier to getting TTX approved and recruiting participants is a lack of buy-in. CEOs won\u2019t want to book time on their calendar if they don\u2019t believe their presence is needed, and leaders may not approve a time-consuming exercise for their employees if they don\u2019t see how it will affect their bottom-line.<\/p>\n\n\n\n
But TTX is one of the most critical factors to a business\u2019 bottom line. Cyber incidents are arguably the most dangerous threat to businesses today. A lack of preparedness, therefore, can be a business\u2019s biggest liability.<\/p>\n\n\n\n
Communicate the utmost importance of TTX to the business\u2019s viability and assert the need for leadership\u2019s presence, where appropriate. <\/p>\n\n\n\n
Remote Environments<\/h3>\n\n\n\n
Many of the TTX resources out there are oriented toward in-person exercises, and it may be hard to know how to conduct an exercise if your team is remote or hybrid-remote<\/a>. However, if remote and hybrid-remote environments are a reality for your organization, your team will need to know how to follow an IRP in that environment. <\/p>\n\n\n\n
Pair TTX with Strong Cloud Security<\/strong><\/h2>\n\n\n\n
The best complement to strong incident response is strong threat protection. As businesses rely more and more heavily on the cloud, they need to ensure their security follows suit. The perimeter security model<\/a> that was designed for on-premise environments is giving way to Zero Trust<\/a>, a modern alternative that caters to a cloud-based, remote-first world.\u00a0<\/p>\n\n\n\n
New technologies like cloud-based directories<\/a> are emerging to meet these needs. JumpCloud\u00ae<\/sup><\/a>, the first fully cloud-based directory service, addresses this new risk environment by securely connecting users to all their resources \u2014 cloud or on-prem \u2014 with a Zero Trust methodology. JumpCloud\u2019s CISO recently spoke with VMWare\u2019s Head of Cybersecurity Strategy in a webinar on cloud security risks and how to combat them with Zero Trust. Watch the full webinar here.<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"
- Roles and responsibilities<\/strong>\n