
Ten essential elements of a successful incident response tabletop exercise


Incident response (IR) tabletop exercises are a powerful tool in cybersecurity strategies. They help companies prepare for a cyber incident by testing how well relevant stakeholders know and understand documented IR plans.

Many organizations have begun conducting IR tabletop exercises in some capacity, but there’s a big difference between doing them and doing them well, in a way that adds value to the organization. Unfortunately, in our experience, many companies greatly overestimate their readiness for an actual cyber incident, which means their tabletop exercises are falling short. Typically, we find this happens for one of two reasons: either the organization treats IR tabletop exercises as a check-the-box compliance task and tries to execute them using the cheapest and easiest means possible, or it’s so focused on documenting the IR plan and putting the right security tools in place that it neglects practical execution of response strategies.

No matter the size of the company, security teams don’t want to find themselves unprepared if a major security incident occurs. Tabletop exercises can make sure this never happens, so companies need to shift their mindset to view them as more than a compliance mandate. They are a necessary preparatory exercise that facilitates seamless IR and resilience in the face of a cyber disaster – and everyone in the organization needs to take them seriously.

A formula for tabletop success

With an eye towards increasing awareness around how to conduct tabletop exercises the right way, here are 10 essential elements of effective IR tabletop exercises:

  • Appoint a facilitator: As with any meeting, someone has to be in charge. Select an effective leader who has IR expertise and the skills to run the tabletop exercise. One important point to note: don’t make the tabletop facilitator the same person as the incident commander, because the latter will have a specific role to play during the exercise to prepare for a real-life situation.
  • Obtain buy-in from leadership: Just as cybersecurity strategies are most effective when they involve the whole organization, so too are IR tabletop exercises. When company leaders believe in the program and its purpose, and commit to being direct participants, they send a strong message to the rest of the staff – one that drives engagement and success.
  • Involve the right stakeholders: Invite everyone who has a role in cyber resilience. This will get the whole team on the same page and working toward a common goal. Otherwise, different groups in charge of different pillars of cyber resilience will focus on their objectives only, creating conflict with other stakeholders.
  • Customize exercises for different groups: For maximum engagement, it’s important to tailor exercises for all audiences involved. For example, if there are many executives in the room, avoid dwelling too long on explicitly technical topics. Blend content to keep all groups engaged. Holding break-out sessions customized for each participating group is a great way to ensure their attention and participation.
  • Build credible scenarios: Develop exercises derived from real-world threats and scenarios; otherwise, the participants won’t take the program seriously. There are a few ways to do this: basing scenarios on news write-ups of real-world threats or campaigns, leveraging the knowledge of threat intelligence teams, pulling from previous cyber incidents that have impacted the company, or tapping insiders with awareness of potential gaps in the company’s security posture.
  • Get the timing right: Short exercises often fail to include any time at all for discussing lessons learned or reviewing the scenario. In practice, these exercises are more akin to simply reading the IR plan as a group, acknowledging the content of it and calling it good. IR tabletop exercises need to last at least four hours, so the team can really dig into a threat scenario, discuss it at length and then review any immediate lessons learned. While half a day seems like a long time, it’s a worthwhile investment.
  • Drive engagement: Take creative approaches to tabletop exercises to improve audience engagement and ensure participants take away the information they need to succeed should a real-life incident occur. Gamification, war gaming, building out virtual personas and using technology tools such as iPads are all effective ways to build participation. “Choose your own adventure” games and surveys can also be helpful. For example, during a ransomware-themed tabletop exercise, the facilitator might post a brief survey asking the team whether or not the company should pay the ransom. Then leverage the survey results to continue the exercise.
  • Create a no-fault environment: The organizers should stay focused on teaching and training. Don’t let it turn into a blame game. Focus on having productive conversations, problem solving as a team and making stakeholders aware of the resources that exist to help in the IR process. Collaboration and communication are key, as well as listening to the ideas and opinions of others.
  • Keep order: Big exercises with broad audiences have value, but they are difficult to manage. When working with large groups of people, try to keep track of discussions, side conversations and overall “incident” communications. To overcome this challenge, ensure the facilitator maintains control of the discussion and keeps participants in their expected roles. Break-out groups and realistic incident command briefings with restrictions on who may speak can also help improve the sense of realism and limit disruptions.
  • Take notes: Appoint a designated scribe during the tabletop exercises. Without notes, it’s exceedingly difficult to recount the details of the exercise and extract any lessons learned during the after-action review. Scribes should capture scenario details, develop a summary of actions taken, and document any immediate observations or opportunities for future discussion outside the exercise.

Companies today need to face the fact that sooner or later they will experience a cyberattack. In this landscape, it’s crucial to prepare – and there’s no better way to get ready than through IR tabletop exercises. By training the organization to carry out fast and effective IR, companies can limit the amount of damage a bad actor can inflict. Start down this path by following these 10 steps.

Curtis Fechner, engineering fellow, threat management, Optiv
