Running Incident Response Tabletop Exercises to Prepare for Cyberattacks
Cyber threats are pervasive and becoming more difficult to prevent. Do you know how you’ll respond when under attack? Learn how to practice your incident response with tabletop exercises.
Cyberattacks seem like the threat-du-jour these days. No longer a niche hazard, our digitally dependent world is vulnerable to bad actors from around the globe.
And it’s not just government agencies, utility providers, and multinational corporations at risk. New stories hit the news every day that expose the vulnerability of organizations ranging from school systems to video game developers. Even leading information security providers like FireEye are not immune to intrusion from hackers.
And it’s not just money at stake. Many of these cyberattacks are part of a class known as ransomware attacks. When a company’s data is compromised, hackers often demand a ransom payment to unlock crucial data, but that’s just the beginning of a company’s problems. On an episode of The Employee Safety Podcast, Lori Price of Memorial Health System told us that a hack diminished their ability to send patient data safely and slowed down their entire organization, which is particularly bad when you’re in the business of healing people.
For most companies, large-scale hacks mean more money lost to downtime, recovery cost, and system upgrades. Recovering from a cyberattack is one of the highest priorities for any affected company.
Some of the easiest, most effective ways to keep your organization’s digital footprint safe are as simple as sensible rules and procedures to avoid leaving openings for criminals, like password requirements and anti-phishing awareness. And yet, the organizations that have found themselves in the cyber-victim club were undoubtedly familiar with these methods, so it’s clearly not that simple. A company has to be ready to respond to a successful hack quickly and confidently.
But how can you go about practicing for a massive threat? The answer is a good cybersecurity incident response strategy backed up by a comprehensive tabletop exercise program.
What Is Incident Response?
Incident response is a company’s set of activities to respond to a data breach, locking out bad actors, recovering data, and restoring system functionality. The goal of incident response is to maintain business continuity by acting quickly and minimizing the impact of a hack.
Incident response—sometimes known as incident management or abbreviated as IR (as in IR plan)—is usually the responsibility of the IT department, but it is a team effort overall. While IT team members lead the charge, everyone else in the organization must become a stakeholder to reach common goals. After all, it takes only one person with a weak password to open the door for another attack.
While emergency planning must address all events that could harm your people and your business, the incident response process focuses specifically on malicious digital incidents and cybersecurity best practices.
What is an incident response tabletop exercise?
A tabletop exercise (TTX) challenges participants to respond to a potential incident mentally and verbally, unlike a drill that simulates the incident and challenges participants to respond in a physical capacity as well. A tabletop exercise is discussion-based and can take place in a conference room or other non-threatening environment. An incident response tabletop exercise concerns the realm of digital security, such as a breach of sensitive company data. During this type of exercise, participants will be invited by a facilitator to do a mental walk-through of a cyberattack. The facilitator will present the scenario and then ask the participants what they would do in response.
The purpose of these exercises is to gauge the preparedness of employees for various safety and security threats, as well as to practice emergency response plans in a low-stress, low-cost, safe environment.
Best of all, tabletop exercises are endlessly adaptable; this framework can be used to prepare for and practice responses to all kinds of emergencies, not just the ones with “cyber-” in their names.
How to Prepare for an Incident Response TTX
Tabletop exercises are preliminary tests of security programs to help evaluate and adapt those programs for future incidents. Therefore, they’re not all that useful unless you have a plan that you’re willing to test. That means developing an incident response plan you can use in your tabletop sessions.
Four parts of an incident response plan
Just like looking both ways before crossing the street, successful safety strategies are marked by a clear assessment of potential threats before enacting a plan. A business threat assessment guides your evaluation to consider every aspect of your business that could be impacted by a hack or data breach of some sort. You’ll gather a list of potential threats, which might include:
- Password phishing attempts
- Outdated or nonexistent firewall
- Cloud software provider outage/failure
After compiling this list, determine how likely each disruption is and how severe its effects would be. This will help direct the rest of your incident response efforts.
2. Identification and activation
You’re aware of the threats that could impact your business, but what are the signs that you need to respond now?
A continuation of the first step, identification means analyzing the threats you listed to determine their early warning signs. How will you know when someone from a foreign country accesses your records? How about when one of your critical software providers, such as your CRM or HRIS vendor, goes down for hours, days, or weeks?
Incident response plans should include clear instructions on how to “activate” your plans. For example, you might install a safeguard that alerts an on-shift IT manager when a foreign IP address logs in to internal systems. Whatever “triggers” you decide on, they need to be specially selected to sync with the way your company works.
3. Containment and eradication
While squashing malicious bugs was definitely more exciting in Starship Troopers, doing so as part of your incident response plan is just as crucial. Just like with a disease outbreak, the first goal after activation should be to prevent the threat from spreading and causing further damage. That means quickly informing all employees about the situation, shutting down affected systems, and disconnecting devices infected with malware from the internet.
Communicating during a cyberattack
Cyberattacks are chaotic, disorganized moments, but your people need the right information in order to react appropriately. Time is of the essence when your systems are compromised, and getting an alert out to your whole company warning them of the attack is critical to preventing further damage.
But what if the hack took out communication tools like email? You need a way to reach everyone instantly across multiple avenues of communication, which is where an emergency mass notification system comes in. A multichannel system that can send messages via SMS, voice call, email, social media, and more is the best way to communicate during a cyberattack.
And finally, you need to have a portion of your incident response plan dedicated to remediation. How will your company restore backups of disrupted systems? How will employees’ access be restored? How will you restore relationships and operations with vendors, clients, and regulators? Once you’ve answered questions like these, you should compile the information from all steps in a comprehensive, centralized document.
How to Run an Incident Response Tabletop Exercise
Tabletop exercises follow a common format that makes them easy to understand and endlessly flexible. Here’s how you would go about designing a tabletop exercise specifically oriented to incident response:
Design the scenario
Now’s the time for a bit of imagination. Consider the various threats your incident response team has identified in your threat assessment and select the one you’d like to work on. This tabletop exercise scenario can be built around a hypothetical malware or denial of service attack. Using that as a guideline, flesh out the story with some detail so it’ll feel more realistic to participants. You want this exercise to feel relatable to your employees so they can identify with it and immerse themselves in the experience.
You should start at the “identification and activation phase.” What is the sign that alerts participants to the fact that a data breach has occurred? While planning, try to anticipate what participants might choose to do, and prepare for them.
There are a few different ways individuals can contribute to a tabletop exercise, all of which are equally important. Those roles are:
This is the person (or perhaps two people) who leads the exercise. They’re tasked with presenting the scenario to participants and determining how the “world” of the scenario reacts. They shouldn’t be “presenting” as one might at a meeting. Rather, their goal is more like that of a moderator, to keep the discussion moving and to pose thought-provoking questions.
Exercise participants form the bulk of contributors to the session. Their job is to imagine themselves in their normal roles at work when faced with a cyberattack. The facilitator encourages them to explore potential actions, ask clarifying questions, and honestly envision themselves while practicing decision-making. Remember to include members of your cyber security team!
Observers, as their name implies, do not interact directly with the participants and facilitator. Usually just one or two people act as observers, passively absorbing the path of the discussion. They don’t have to take a vow of silence, though, and might be prompted by the larger group to answer questions depending on their expertise. This person should be knowledgeable in a field such as IT, cybersecurity, law enforcement, or even digital forensics.
These might be the same people as the observers, or they might not, but either way, the evaluators rely on the observers’ notes. After the exercise is done, their job begins. They produce a report, much like an after-action report, that notes what went well and what you might change for next time.
Run the exercise
Once you have all the people and plans lined up, you can run the experiment. Have the facilitator present the scenario to the participants, who then act out the incident response plan. Once you run through the scenario once (which should not take longer than 30 minutes or so), run it again but with a changed variable, such as an important person being unavailable. A popular and effective twist is to incorporate elements of converged security, i.e., on-site, real-world, physical security measures that interact with the digital world, like internet-connected cameras or digital access doors. You might also challenge participants to focus on devising the most cost-effective solutions to a given problem.
Doing this multiple times with small changes for each run will give everyone a better idea of the many ways these situations can rear their heads.
Report and improve
When the evaluators hand in their report, the cycle begins again. The report hopefully uncovered strengths and weaknesses of your plan, which you can use to inform your updates to your incident response plan. If you commit to revisiting this incident response tabletop exercise every so often, you’ll see your plans evolve and improve over time.
Practice Makes Protection
No matter what kind of threats your company contends with, you’ll be able to adequately prepare only if you commit to improving your plans and updating them as your company grows and changes. Cyberthreats have unlimited destructive potential, which makes tabletop exercises a great solution. With this powerful tool, you can familiarize yourself with the threats that aren’t necessarily frequent enough that everyone is well-trained in proper response.