[BreachExchange] Tabletop exercises explained: Definition, examples, and objectives

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jun 21 12:19:54 EDT 2021


https://www.csoonline.com/article/3622252/tabletop-exercises-explained-definition-examples-and-objectives.html#tk.rss_news

A tabletop exercise—sometimes abbreviated TTX or TTE—is an informal,
discussion-based session in which a team discusses their roles and
responses during an emergency, walking through one or more example
scenarios. The atmosphere is collegial and exploratory, and is not meant to
put participants in the mindset they'd have during a disaster. Tabletop
exercises are used to prepare for all sorts of crises, but cybersecurity
and disaster recovery are common areas of focus.

But perhaps the best way to really understand what a tabletop exercise is
all about is to compare it to the other types of exercises. It is less
intense than a functional exercise, in which a command center might be
staffed by participants playing out a scenario in real time, or a
full-scale exercise, which can involve emergency personnel responding to a
simulated crisis in the field. A tabletop exercise, by contrast, is played
out, as the name implies, around a table, with participants responding to
the leader's prompts and description of a scenario with suggestions drawn
from their organization's emergency plans.

One important thing to keep in mind, as the State of Massachusetts's own
emergency preparedness division points out, is that tabletop exercises are
not meant to be a test or a competition. They should be approached as a
collaborative learning situation and no-fault environment. After all, if
the organization discovers a weakness in their defenses or problem with
their processes in the course of the exercise, that can be thought of as a
good thing—better to figure that out during an exercise than a real crisis,
after all.

Tabletop exercises in cybersecurity

Tabletop exercises are not limited to the cybersecurity realm; any
organization that has to confront potential crises and disasters can
benefit from playing one out. For instance, the State of Oregon used
tabletop exercises to game-plan potential responses to shifts in the
coronavirus pandemic in 2020.

But in many ways tabletop exercises are particularly suitable—and
important—for cybersecurity environments. They're designed to expose
weaknesses in organizational structures and to make sure that people
actually follow protocols and best practices that seem like they're in the
realm of theory most of the time. After all, the best laid plans often fall
apart when real-world humans have to implement them. While there are plenty
of ways to test the technical aspects of your cyberdefenses, a tabletop
exercise tests the human and organizational factors that are just as
important for cybersecurity.

Things to consider for a tabletop exercise

The first question to ask yourself is whether a tabletop exercise is
appropriate for your organization. It's only worth starting the process if
you already have some form of response plan in place for the scenario
you'll be running through. Tabletop exercises are great for testing plans,
but if everyone involved is just improvising, that can't tell you much.
You'll also need institutional buy-in for the process: there's no point in
running through the exercise if management doesn't agree to let you change
plans and policies based on the results.

The PlexTrac blog proposes a series of basic questions you need to answer
once you've decided to move forward. Hopefully our description so far has
brought home the reasons why an organization would conduct one. Just as
important a question, however, is who will participate. This goes beyond
just needing to know the emails of people to invite; the types of team
members participating will shape exactly what kind of exercise you'll have.
For instance, an exercise where the participants are all members of your
cybersecurity team might focus on identifying and defeating an advanced
persistent threat; an exercise where participants are drawn from across the
company might look at the consequences of a cyberbreach and how technical,
legal, and communications departments should react to it.

Another important question to consider is when: Should you conduct tabletop
exercises annually, or more frequently, to drum up vigilance among your
employees? Then there's where: The obvious location, as you'd guess from
the name, is sitting around the table in a conference room, but exercises
could also be conducted via videoconference for distributed teams. Finally,
there's the absolutely crucial question of how. While there's no one right
way to conduct a tabletop exercise, there are some important tips that will
help you make the most of your tabletop exercises.

Planning a tabletop exercise

Jack Eisenhauer at the Nexight Group outlines a process for planning a
tabletop exercise that takes many of the above questions into
consideration. He breaks down the process into three phases, each of which
includes three key activities. These correspond to the time before, during,
and after the exercise takes place, but you'll need to plan in advance to
make sure each step comes off properly in practice.

Design

   - Clarify the objectives and outcomes, determining what you hope to
   achieve and how you'll use the results after the exercise is over.
   - Choose your participant team, including key decision makers and
   perhaps even executives who can use their influence to put an after-report
   into action.
   - Design a scenario and exercise plan that's believable and will prompt
   discussion.

Engage

   - Create an interactive, no-fault space, encouraging people to ask
   questions and make mistakes.
   - Ask probing questions of the participants, following a script but
   being prepared to improvise.
   - Capture issues and lessons as you go using visual tools and a
   timeline—don't rely on note-takers.

Learn

   - Prepare an after-action report that includes documentation of the
   exercise along with areas of potential improvement.
   - Create a specific near-term plan based on the results of the exercise.
   - Provide tools and guides to boost learning, finding resources that
   feed the needs revealed by the exercise's outcome.

Tabletop exercise objectives

Let's focus for a moment on one element here: the objectives of the
exercise. To put it bluntly, what are you hoping to get out of running a
tabletop exercise for your organization? It's important to distinguish
these objectives from the goals for the participants within the exercise
itself. For instance, participants in a tabletop exercise might have the
goal of figuring out how to restore your organization's databases as
quickly as possible in the wake of a disaster. But the overall objective of
conducting the exercise is to stress-test the organization's disaster
recovery plan and see if teams know how to best work together in the face
of unexpected problems.

The National Association of Regulatory Utility Commissioners, a group that
knows a little bit about the necessity of being prepared for a crisis,
suggests the objectives be SMART, by which they mean:


   - Specific—addressing concrete questions and specifying action items
   - Measurable—establishing metrics for success up front
   - Achievable by the participants in the time allotted
   - Relevant to the mission of the organization
   - Time-bound within a reasonable timeframe established in advance

Leading a tabletop exercise

There are plenty of consultants who will be happy to lead a tabletop
exercise at your organization; however, due to these exercises' informal
nature, more often than not they're led by internal staff, and you almost
certainly have someone who would do a fine job of leading a tabletop
exercise using a guide and some solid examples.

The State of New York has a great facilitator guide for tabletop exercises.
While much of this document focuses on a specific tabletop exercise the
state runs to prepare for a catastrophic hurricane, the first few pages
provide valuable tips on leading a tabletop exercise that are applicable to
any topic area. It begins by laying out the big-picture responsibilities of
the facilitator:


   - Introducing the narrative
   - Encouraging problem solving
   - Controlling the pace and flow of the exercise
   - Stimulating discussion and drawing answers and solutions from the
   group (rather than supplying them)

The guide also provides tips on involving all participants and controlling
and sustaining the action. One of the big keys is to watch for signs of
frustration and conflict. Remember, the exercise is intended to be
collaborative, not confrontational. In particular, junior staffers need to
be given space to comment in front of management, so try to include
everyone on an equal footing.

Tabletop exercise examples and scenarios

We've been talking largely in generalities here so far. What scenarios
might play out in a real-world example? The Center for Internet Security
offers six scenarios that can put your cybersecurity team through the paces:

   - The quick fix: A network admin deploys a patch without testing it and
   then heads out on vacation, leaving users unable to log in.
   - A malware infection: A user inserts an SD card infected with malware
   into their company laptop.
   - The unplanned attack: A hacktivist group targets your
   organization—what will they find when they launch their attack?
   - The cloud compromise: Your organization has been storing sensitive
   data with a cloud storage service that's been hacked, potentially exposing
   customer information.
   - Financial break-in: An audit reveals your payroll system is issuing
   checks to people who aren't employed there.
   - The flood zone: While dealing with rising waters at your company
   headquarters, you're struck by ransomware.

The document linked above has some great details on how these scenarios
would play out in a tabletop exercise and what questions you'd pose to your
participants.

The document also outlines much of what you'd need to actually run these
exercises in your organization. Several of them fit into these two
categories, which are perhaps the most common types of cybersecurity
tabletop exercises:

Incident response tabletop exercise. Much as we would like to plan and
control everything in advance, cybersecurity is a largely reactive process.
RSI has good documentation on performing an incident response tabletop
exercise, which involves making sure participants know what your
organization's policies are for specific types of breaches and who's
responsible for what actions in response to them.

Tabletop exercise scenarios for business continuity. Tabletop exercises are
also beloved by those tasked with preparing for natural or human-made
disasters, and business continuity falls into the overlap between that role
and cybersecurity. NContracts has a good guide on running an effective
tabletop business continuity planning exercise, which includes
understanding your dependencies on specific vendors and potentially looping
them into any damage control scenarios.

Tabletop exercise templates

Do you want to start planning your own tabletop exercise? There are some
templates available to you to help get you started. SearchDisasterRecovery
has a good one that prompts you to lay out the motivations for running the
exercise (so you can sell it internally), the narrative for participants,
and the communication methods participants will engage in. And The
Continuity Advisor has a helpful template that you can use to create
after-action reports once the exercise is done.