Incident response tabletop exercises

Pitfall 1: Not taking the organization’s layered security controls into account

Getting individuals on board to step through an exercise can sometimes be problematic. For example, the exercise might begin with an employee opening a workstation to see a screen like this one:

The technical teams might immediately rebut the possibility of this scenario because the organization has deployed advanced endpoint threat protection. Even if the simulation facilitator asks the participants to imagine the endpoint protection failing or the possibility of an asset without the protection, the simulation could come across as unrealistic for the technical stakeholders, and any next steps in the simulation are shrouded in an attitude of “that would never happen.” 

Remedy: To avoid this roadblock, it is vitally important that scenarios are created using the organization’s standards, security controls, and technology. Scenario preparation should start with a session that includes key technical and security stakeholders to identify governance procedures, IR plans, and the existing technology stack to replicate semirealistic scenario details within the exercise. 

Customized scenarios might start by exploiting known gaps within the environment or technology stack. Examples include a device or network segment that has been provided a policy exception to standard security controls or through a trusted IT vendor solution (supply chain attack) that would allow an attacker to gain a foothold into the environment. To resonate with technical teams, it’s imperative to reinforce that security controls actually can fail and updates within the simulation might include a worst-case scenario. Setting appropriate expectations, establishing the rules of engagement, and customizing the scenario all can support a more successful training session. 

Pitfall 2: Focusing solely on the technical response

While IT bears a lot of the responsibility for an organization’s ransomware response, it should not have the responsibility for responding to an incident and simultaneously leading operational continuity processes. 

Remedy: Organizations should make sure tabletop simulations are conducted across two sessions, with different objectives: 

Technical tabletop simulations. Technical tabletop simulations should be performed with a customized threat scenario and established expectations. Participants that should be involved in the technical simulations are those that support the technology efforts of the organization, typically inclusive of IT, information security, the security operations center, and the help desk. The goal of a technical tabletop simulation is to identify the technical response to the incident, evaluate different containment and response strategies, identify technical gaps with the cybersecurity program, and determine the extent to which executive decision requirements arise. 

Executive tabletop simulations. A separate exercise should be with executive leadership, which plays a key role in terms of communication and business decisions that need to be made in an incident response scenario. The same technical threat should be presented with augmentations from the lessons learned in the technical session. Executive members of the organization should participate with the goal of identifying the business- and operational-level response while IT identifies, contains, and recovers from a material threat. Key questions that will need to be answered from this session include: 

• At what point does the business consider paying the ransom? 
• What is the duration the business can continue in downtime operations?
• When should insurance providers be contacted? 
• Is there a point at which the organization will turn away customers, patients, or clients? 
• What kind of support do third-party organizations provide in this situation?
• How does the organization respond to media requests?
• How will the organization communicate with vendors, partners, customers, and the larger employee base? 
• What are the highest priority business processes and applications that must be kept functional or restored first? 

Pitfall 3: Not having the right team for the session 

One of the most challenging parts of organizing an incident response simulation exercise is who to invite. Sometimes too many people are invited, and other times, the right participants are not lined up. 

Remedy: One rule of thumb is to limit the number of participants to 20 or fewer. Exercises with more than 20 attendees tend to end with only a handful of individuals participating in the exercise. As facilitators of these exercises, ultimately all invited individuals have roles to play during the simulation. Moreover, having a prebuilt list of thought-provoking questions aligned with each individual’s role supports an all-encompassing session. 

The following chart is a general guide on who to invite to these exercises. Keep in mind that those invitations should be within the context of the size and complexity of the organizations. 

Pitfall 4: Excessively rigid exercises

An incident response simulation exercise is meant to be interactive training. Participants need to feel the exercise is an open and safe environment to brainstorm, ask critical questions, and discuss possible challenges and issues that could arise in an extended downtime scenario. Excessively rigid exercises that cause anxiety among the attendees are not productive.

Remedy: Ideally, everyone involved in these exercises is a specialist in her or his business role and is well versed with the documented plans for incident response and emergency operations. However, in a real-world scenario, participants might be newer or less familiar with the established plans. 

Documented incident response, incident management, and contingency or emergency operations plans should be made available to participants for reference during the exercise. Using IR checklists that succinctly articulate the tasks to consider in an incident can help the team verify that nothing is missed. Additionally, exercise facilitators should refrain from injecting explanations or pointing to documented procedures throughout the exercise. 

Pitfall 5: Not following up with lessons learned 

Too often, an exercise is performed and the results and after-action report are communicated to the leaders, but then resulting action items and improvement opportunities are only rediscovered when a true incident arises or during an internal or external audit. 

Remedy: It is vitally important that after-action items are followed through with remediation in the same capacity as findings from assessments and audits. Governance supporting business resiliency, unlike other domains or areas of focus, needs to be agile to support the ever-changing threat landscape and transformation of business operations.  

Why incident response tabletop exercises matter

Practice makes perfect – or, at the very least, exercising disaster scenarios and recovery processes can help make organizations stronger when it comes to identifying vulnerabilities and maturing security postures. By conducting and participating in incident response tabletop exercises, organizations can avoid common pitfalls, reduce the number and severity of attacks and business interruptions, and better confront the threat landscape.