How to Design and Run a Cybersecurity Tabletop Exercise
Cybersecurity is a complicated topic, but you can demystify it for your entire team and improve future outcomes with cybersecurity tabletop exercises.
When Memorial Health Systems, a not-for-profit healthcare network, experienced a ransomware cyberattack, almost all their systems were impacted, from their MRI machines to their cafeteria cash registers. Their digital records quickly became useless as they transitioned to ready-made paper backup forms. And yet, Memorial was able to keep business going and ultimately recover from the cyberattack quickly. How?
Lori Price, an emergency management coordinator with Memorial, described in an episode of The Employee Safety Podcast that Memorial was prepared for exactly this eventuality because of its tabletop exercise training.
Just a few months before this incident, “All department directors had walked through the process of thinking about what they would do in their department if we had a cyberattack and had those types of problems. So, I think that we were able to circumvent that initial shock,” said Lori. They performed a cybersecurity tabletop exercise, also known as a cybersecurity incident response tabletop exercise, which familiarized employees and stakeholders with the challenges that a cyberattack could present, as well as methods to remedy the situation.
Despite the success of organizations like Memorial in defending against cyber threats, about one-third of organizations don’t offer cybersecurity training, even though half of their employees have access to critical data. Today we’ll explain the purpose of cybersecurity tabletop exercises and how to perform them.
What Is a Cybersecurity Tabletop Exercise?
A cybersecurity tabletop exercise is a session where a group of employees is prompted to consider a hypothetical cyber threat situation, such as a phishing attack, and talk through how they would respond to and fix the problem. You can think of a tabletop exercise (TTX) as a drill that takes place entirely in the minds and conversation of the participants, from the safety and security of a conference room, which is why they’re called “tabletop” exercises.
These tabletop exercises are meant to give everyone an opportunity to examine their organization’s cybersecurity preparedness measures and raise questions or concerns. Then, those concerns are rolled up into a report that is used to make material and procedural changes to existing cyber incident response plans used by your incident response team.
Tabletop exercises are easy, cost-efficient, and informative and should be a part of every company’s cybersecurity planning effort.
How to Run a Cybersecurity Tabletop Exercise
Any organization can easily run a tabletop exercise with the right planning. Here are the steps you need to follow to create one of your own from scratch:
1. Assemble your team
Tabletop exercises are group activities, and people within that group will take on various roles to help keep the exercise moving.
Participants
This will be the largest cohort within your group. Exercise participants are meant to engage with the scenario presented to them and critically examine its consequences from their own point of view. That is, how would such a hypothetical scenario impact their job? How would they recognize the threat? What would mitigation look like? Drawing on their on-the-job experiences, participants are encouraged to discuss, ask questions, and be active contributors to the session.
Participants shouldn’t be from your IT team alone; rather, they should represent a cross-section of your company, including the people who would have to make decisions in a real incident, such as legal, communications, HR, operations, and executive leadership.
Facilitator
You can think of your facilitator as akin to a moderator in a debate. They hold the reins for the session as a whole but ideally won’t have to talk much beyond kicking things off. They begin by presenting the hypothetical situation to the entire group, then chime in occasionally (for instance, to introduce a planned curveball) to keep the discussion moving toward the exercise objectives.
Evaluator
This role is not actively involved as the exercise unfolds. The evaluator’s purpose is simply to watch, noting what goes well and what could be improved for next time. They keep these notes to themselves during the session to allow for unfettered conversation, then document their observations and reflections afterward, which feed into the after-action report. Having at least two evaluators gives you a better chance of capturing all the details.
Finally, there’s the observer. Like the evaluator, they take a backseat during the session, but unlike the evaluator, they’re allowed to pipe up with their own recommendations or answer questions from the group. Because of this responsibility, observers should be experts in the particular scenario in play. In the case of a cybersecurity tabletop exercise, that person would likely be a senior IT leader at the company or someone with similar expertise, such as your Chief Information Security Officer (CISO).
2. Design the scenario
If you’ve performed a business threat assessment, specifically a cyber threat assessment, you’ll have already identified a set of digital threats that your organization might be vulnerable to. Compile a diverse list of the ones you think would make good foundations for a tabletop exercise scenario.
Choose one or two of these scenarios, but keep in mind that most tabletop exercises run only 60–90 minutes, and quality matters more than quantity in the conversation. Also prepare one or two curveball details (often called injects) that you can throw at your participants partway through to keep them on their toes.
Not sure what scenarios to use? We have a few ready-made ones below to help get you started.
3. Run the exercise
Here’s where the fun begins! (You think safety exercises are fun, right?) Gather your team members in a quiet room, separate from the rest of your workplace, so you can focus. The facilitator then describes the selected scenario to the participants and asks them to talk through how they would go about responding to and remedying the incident. Remind participants that they’re welcome to ask questions, and maintain a relaxed, open environment so everyone is as comfortable as possible when talking about potentially disconcerting topics.
After the session is over, hold a short hot wash with the participants while the discussion is fresh, so they can share their immediate impressions of what worked and what didn’t. Your evaluators then convene on their own to prepare an after-action report describing what the session did well, where it fell short, and suggestions to improve for next time. This report should be shared with all key stakeholders so everyone is on the same page.
Then, the takeaways learned here are applied to your cybersecurity and recovery plans. From there, go back to step 1, and the cycle begins anew.
Cybersecurity Tabletop Exercise Scenarios
Cyber threats come in many shapes and sizes, and depending on your organization’s size, industry, and digital footprint, some of these scenarios will be more applicable to you than others. You always need to exercise judgment about which would be the best fit for your people and your organization. In any case, here are some that you can run yourself, either with modifications or out-of-the-box, including twists to mix things up, sort of like discussion questions.
If you’re looking for even more scenarios, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes a number of them for free on its site as CISA Tabletop Exercise Packages (CTEPs).
Malware and ransomware attack
The most headline-grabbing type of cyber threat is malicious software (malware) intrusion. This is where an unauthorized actor gets foreign code running on your systems, often rendering software unusable. When that code encrypts your data and the attacker demands payment in return for the decryption key, the attack is known as “ransomware.” Many ransomware operators also copy data out before encrypting it so they can threaten to leak it, which is worth building into your scenario. Here’s a scenario you can present to your people:
You open your work computer one Monday morning and find that when you try to log in, you are greeted by an unfamiliar message demanding that you send a sum of money in cryptocurrency to an unknown party, who in exchange will unlock your devices and data.
After finishing your first run of this ransomware tabletop exercise, try adding in the following complication: You receive the same ransom message, but you and your team are currently attending a conference in another state, and on top of that, your email service is compromised so you can’t use it. How does this change your plan?
Converged security breach
Converged security is the concept of the intersection between information security and physical security. Often, digital vulnerabilities are exploited using physical means, or vice versa. Test your team’s readiness for a converged threat with this prompt:
Joe, a new employee, saw a USB drive in the parking lot on the way to work. It was labeled “LEAKED TAYLOR SWIFT SONG,” so naturally, he picked it up. Unbeknownst to him, he just fell for one of the oldest cyber tricks in the book, and the USB drive actually contains vicious malware (Taylor’s Version). How would your people respond? What if Joe had already plugged in the infected drive?
What if the USB drive was already plugged into Joe’s office computer when he arrived one morning, and nobody knows who put it there? What would that imply about your organization’s physical security as well?
Customer data breach
Most companies keep digital business records of their clients and customers, some of which are very sensitive like payment information and personal details like addresses. This data is often very attractive to cyber threat actors because they can sell it for profit, use it for identity theft, or any number of nefarious purposes—which is why it’s important that you practice for such an attack.
Your IT security team notices a device, geolocated to a country in which you have no employees, that has been surreptitiously connecting to your servers periodically for the past two weeks. They discover that the device has been scraping your customer records for anything it could find. How do you contain the damage? How do you communicate the attack to customers who might have been seriously impacted?
Your data wasn’t only accessed, it was deleted. Does your backup process account for a situation like this?
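The “how would they recognize the threat?” question is easier to discuss when participants can see what an actual detection looks like. The following Python script is an added example, not code from the original article: it scans a constructed web-server access log that has already been enriched with a two-letter country code (in practice that column would come from a GeoIP lookup) and flags sources that connect from a country where you have no staff, come back on several different days, and successfully pull customer records. The log format, the field names, the endpoint prefixes, the sample lines and the thresholds are all hypothetical.

```python
"""Added example (not from the original article): a first-pass hunt for the
"device in a country where we have no staff, quietly scraping customer records
for two weeks" pattern from the scenario above.

Assumptions (all hypothetical): an access log with one request per line in the
form "<ISO-8601 UTC timestamp> <source IP> <ISO country code> <method> <path>
<status>", where the country column was already added by a GeoIP lookup, plus
the endpoint prefixes and thresholds below.
"""
from collections import defaultdict
from datetime import datetime

EXPECTED_COUNTRIES = {"US", "CA"}                     # where you actually have people
SENSITIVE_PREFIXES = ("/api/customers", "/export/")   # endpoints that return customer records
MIN_DAYS = 3                                          # recurrence before we call it "periodic"

# Constructed sample log. "ZZ" is a user-assigned ISO 3166 code standing in for
# a country where the organization has no employees.
SAMPLE_LOG = """\
2024-03-01T02:15:07Z 203.0.113.9 ZZ GET /api/customers?page=1 200
2024-03-01T02:15:09Z 203.0.113.9 ZZ GET /api/customers?page=2 200
2024-03-02T02:15:11Z 203.0.113.9 ZZ GET /api/customers?page=3 200
2024-03-03T02:15:05Z 203.0.113.9 ZZ GET /api/customers?page=4 200
2024-03-01T14:02:33Z 198.51.100.4 US GET /api/customers?page=1 200
2024-03-02T09:41:10Z 198.51.100.4 US GET /dashboard 200
2024-03-02T11:00:00Z 192.0.2.50 ZZ GET /export/report.csv 200
2024-03-02T16:20:00Z 192.0.2.77 ZZ GET /login 200
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, ip, country, method, path, status = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"when": when, "ip": ip, "country": country,
            "method": method, "path": path, "status": status}


def analyze(log_text, expected_countries=EXPECTED_COUNTRIES, min_days=MIN_DAYS):
    """Return one finding per source IP that (a) was seen from an unexpected country,
    (b) successfully read a sensitive endpoint, and (c) did so on at least min_days
    distinct days. Findings are sorted by number of sensitive hits, highest first."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        countries = {r["country"] for r in recs}
        if countries <= expected_countries:
            continue                      # every request came from an expected country
        sensitive = [r for r in recs
                     if r["status"] == "200" and r["path"].startswith(SENSITIVE_PREFIXES)]
        if not sensitive:
            continue                      # foreign, but never touched customer data
        days = {r["when"].date() for r in sensitive}
        if len(days) < min_days:
            continue                      # one-off access: worth a look, but not "periodic"
        hours = {r["when"].hour for r in sensitive}
        findings.append({
            "ip": ip,
            "countries": sorted(countries),
            "days_active": len(days),
            "sensitive_hits": len(sensitive),
            # Scripted scraping tends to fire at the same time every day.
            "same_hour_daily": len(hours) == 1,
            "first_seen": min(r["when"] for r in sensitive).isoformat(),
            "last_seen": max(r["when"] for r in sensitive).isoformat(),
        })
    return sorted(findings, key=lambda f: f["sensitive_hits"], reverse=True)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample log only 203.0.113.9 is reported: it is foreign, it read customer pages on three consecutive days, and every hit landed in the same hour, which is the signature of a scheduled job rather than a person. The one-off foreign export from 192.0.2.50 falls below the day threshold and the foreign login attempt never touched customer data, so neither is flagged. The thresholds are starting points for discussion; a real hunt would also look at bytes transferred, at partners or vendors who legitimately connect from abroad, and at the two weeks of history before anyone noticed.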
Supply chain attack
Most organizations rely on a wide range of software to keep their business running. Whether it’s for record-keeping, communication, or even security systems, that software can itself be compromised, which means that you as a user are exposed to that compromise as well. This is known as a “supply chain” attack: one breach at a vendor cascades downstream to the thousands or millions of organizations that use its software.
You receive news that your CRM software provider has experienced an attack that has compromised some users’ data. Your entire sales team uses this CRM software, and they might not be aware of the situation yet. How do you prevent further damage without interrupting business continuity?
Half of your sales team is offsite at an industry product conference in another country, busy demoing and selling your company’s product. How does that change your response?
Finding the Common Thread
No matter what situation you encounter during these tabletop exercises, you should be confident that your team will be able to talk out a solution. But you might have noticed during these exercises that their across-the-table communication was a particular advantage in the incident management process. Without real-time communication, your hopes for successfully overcoming a cybersecurity attack are slim to none. That’s why you need a multichannel emergency communication system.
During a cyberattack, some critical communication channels, like email or instant messaging, might be affected as well, and if the attacker is inside those systems they may be reading them. Having redundant, pre-arranged ways to relay the situation to your people, including at least one that does not depend on your own network, is a critical safeguard for any cyber threat your organization encounters.