Security tabletop exercises

Security tabletop exercises test how a team or process works. These exercises are a discussion-based simulation where key stakeholders walk through a hypothetical cyber incident to assess their response strategies, identify weaknesses, and improve preparedness. These exercises help organisations refine their incident response plans, enhance communication, and build resilience against real-world threats.


Why are security tabletop exercises important?

  • Blind Spot Identification: Security tabletop exercises help you identify cybersecurity blind spots before cybercriminals can find and exploit them.
  • Security Posture Analysis: With cybersecurity tabletop exercises, you can assess your security posture and find ways to optimise it.
  • Communication Analysis: Tabletop exercises for cybersecurity can highlight communication issues among teams or departments that can hamper your ability to address cyberattacks.
  • Compliance: Conducting and documenting tabletop exercises for security is an incident readiness requirement for security programmes in many highly regulated industries.

Types of security tabletop exercises

Rapid-fire scenarios

A rapid-fire scenario is "extremely high level meant to be understood and discussed easily and quickly," according to ISACA. It requires little to no preparation and lasts about 10 to 30 minutes.

Rapid-fire scenarios can include junior, mid, and senior-level team members from a wide range of backgrounds. These team members can review multiple security scenarios, and each can act as an incident responder.

Technical-only scenarios

Technical-only scenarios usually last one to two hours. These scenarios promote in-depth technical discussions and require extensive planning. They allow team members to evaluate the technical aspects of a security incident.

A technical-only scenario usually involves a "seed" event. As the event unfolds, your organisation can add more details to it. This can help team members prepare for complex cyber attacks.

Full stakeholder scenarios

Full stakeholder scenarios are expansions of technical-only scenarios. They cover technical issues as well as non-technical problems and logistics.

These generally last two to four hours. They can include technical team members along with legal, marketing, and HR professionals.

Full stakeholder scenarios are ideal for organisations that want to improve communication between their teams or departments. It can be beneficial to include technical and non-technical personnel in a full stakeholder tabletop exercise. This gives participants from many teams or departments the opportunity to work together to address a security issue.

Some organisations ask teams or departments to enter at different times during the scenario. This allows those teams or departments to get involved in the same way they would during a real-world security incident.

Who runs a tabletop security exercise?

Third party

Third-party tabletop security services facilitate and manage scenarios and prompt discussions. They require little to no effort to set up and run.

A third party can tailor its tabletop exercise to your organisation or environment. It will learn about your organisation and its security challenges. Then, it will develop a custom security tabletop exercise for your organisation and its teams or departments.

Self-service

Your organisation can create its own security drills. It can be costly and time-consuming to develop and implement these exercises. However, you can customise your cybersecurity exercises to your organisation and its environment.

With custom cybersecurity tabletop exercises, participants can learn about your organisation's security challenges. For example, these challenges can involve systems that participants use daily. This helps make the challenges more "real" and drives engagement. It also ensures participants can collaborate to identify and tackle specific issues that can directly impact your organisation, its employees, and its customers. 

How does Sophos conduct tabletop security exercises?

At Sophos, we create custom tabletop cybersecurity exercises for particular teams or departments. In an exercise, we usually start with a minor security issue and encourage participants to share their approaches and ideas with one another. From here, we use "findings" to highlight the severity of the issue.

We offer cybersecurity scenario themes that organisations can use to develop and run their own tabletop exercises. Alongside these, we offer the following tips to help you get started with security tabletop exercises:

Identify your target audience

Determine your target audience, then create your cybersecurity scenario. For instance, a complex security scenario is ideal if you are testing your cybersecurity team.

By contrast, if you are testing your IT or DevOps team, choose an issue that participants will understand and will give the time, energy, and attention it deserves.

Choose the correct participants

Include a single team or department or multiple teams or departments in your security scenario. A single-team scenario lets you see how specific participants will respond to a cyber attack. Meanwhile, including several teams or departments encourages many stakeholders to collaborate in addressing a security incident.

Determine when to involve participants

Consider when different teams or departments should be involved in your cybersecurity scenario. For example, if your organisation's personally identifiable information (PII) is compromised, you may need to involve members of your legal team or department to ensure compliance with GDPR and other data security mandates.

Often, it is beneficial to include at least one person from every team or department within your organisation in a security scenario. Doing so can foster cross-functional communication and collaboration among teams and departments across your organisation.

Decide how many participants to include

Ensure your scenario includes participants who can engage with one another and work together to achieve common goals. In our scenarios, we often include up to 25 participants from multiple levels of a team or department or several teams or departments. Consider the size of your organisation and structure of your teams and departments as you decide how many participants to include in your tabletop security exercises.

Manage the time for your exercise

Give participants sufficient time to complete your tabletop exercise. At Sophos, we try to avoid lengthy tabletop exercise sessions. This is because it can be difficult for participants to coordinate their schedules and join a session that lasts more than a few hours.

Prepare your materials

Use a PowerPoint presentation or other materials to present your scenario. The Sophos team commonly uses PowerPoint presentations for tabletop exercises, with each slide showing a progression of events and questions for participants to consider. We usually limit the size of most of our PowerPoint presentations for these exercises to 20 slides.

Build your tabletop story

Create a theoretical story and tailor the information you include in it accordingly. Recent news stories can capture participants' attention. For large stories, you can put breadcrumbs in systems and logs for participants to locate and track.

Match your tabletop exercise to your participants

Create a tabletop cybersecurity exercise based on the security maturity of your participants. For example, a detailed story can be beneficial for participants who have a wealth of cybersecurity skills and expertise. In other situations, a generic high-level scenario may work best.

If you develop a detailed narrative, make sure it is realistic. For example, if you want to target a specific part of your organisation or network, get insights from someone into this area. Then, you can develop a scenario that resonates with your target audience.

Get feedback from participants

Ask participants if they have any ideas that you can incorporate into your exercise. Most participants can share insights into security pain points that they encounter daily. You can use these pain points to develop a scenario that helps participants find ways to address such issues in the future.

Map out your scenario

Craft a flow diagram of how your simulated attack could play out. This helps you find gaps in your story.

Alongside this, you can request feedback from members of teams and departments who understand the issues addressed in your story. These team and department members can help you resolve any issues and ensure that your scenario is realistic.

Create discussion questions

Write down any questions that arise during the development of your story. These questions can prompt discussions among scenario participants.

Review your story

Evaluate your scenario multiple times before you present it to participants. It can be difficult to determine how long it will take participants to complete your story. When in doubt about the amount of time required, err on the side of caution. If you find your presentation runs close to or beyond the time available to participants, revise it as required.

Set the tone for your exercise

When participants arrive for your exercise, encourage everyone to take part. The exercise gives each participant an opportunity to share their voice and help your organisation improve its security posture. If participants communicate and collaborate with each other, everyone can get the most value out of the exercise.

Moderate the exercise

If you moderate the exercise, resist the urge to participate. In this role, you can provide participants with the scenario and help them navigate through it. You can also give participants time to discuss various story topics and share discussion questions and prompts.

Track any issues

Ensure that someone is taking notes about any issues that arise during the exercise. You can gain insights into issues that otherwise hamper the effectiveness of your story.

Watch the clock

Set a timer for your exercise and stick to it. Keep participants on track and remind them to keep working on the story as it develops.

Review your results

Following your tabletop exercise, analyse the results and how they can be incorporated into your organisation's daily activities. For example, if you completed the test based on compliance mandates, you can create a PDF that contains the information that auditors require.

You can also give participants the opportunity to review your findings and run the same exercise later. This can confirm if fixes or changes have helped you address any issues that were discovered during your initial exercise.
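The tips above describe a procedure: timed story beats on slides, teams brought in at different points, discussion questions per beat, a time budget with a safety margin, a slide cap, a participant cap, a note-taker's issue log, and a results review. The following added example (not Sophos tooling, and not code from the original page) models a scenario plan as a list of timed "injects" and checks it against those constraints, then turns the note-taker's log into a per-inject after-action summary. The sample scenario, team names, minute values, and the 15% safety margin are constructed for illustration; the 20-slide and 25-participant limits are the figures the text gives.

```python
"""Planner for a discussion-based tabletop exercise (added example, not Sophos tooling).

A scenario is a sequence of timed injects (one per slide). check_plan() flags
plans that break the constraints described in the text; entry_schedule() shows
when each team is brought in; after_action() groups the note-taker's issues by
the inject during which they were raised.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    minute: int                 # minutes after start when this slide is revealed
    slide: str                  # one-line description of what the slide shows
    discussion_min: int         # time the moderator allows for discussion
    teams_entering: tuple = ()  # teams brought into the room at this point
    questions: tuple = ()       # discussion prompts for this slide


@dataclass
class Scenario:
    title: str
    time_budget_min: int        # the slot participants can realistically block out
    participants: int
    injects: list               # Inject objects in reveal order

    def end_minute(self):
        """Minute at which the last discussion block finishes."""
        last = self.injects[-1]
        return last.minute + last.discussion_min


def check_plan(scenario, max_slides=20, max_participants=25, safety_margin=0.15):
    """Return a list of planning problems; an empty list means the plan is sound."""
    problems = []
    injects = scenario.injects
    if len(injects) > max_slides:
        problems.append(f"{len(injects)} slides exceeds the {max_slides}-slide limit")
    if scenario.participants > max_participants:
        problems.append(f"{scenario.participants} participants exceeds {max_participants}")
    # Each inject must be revealed only after the previous discussion ends.
    for earlier, later in zip(injects, injects[1:]):
        if later.minute < earlier.minute + earlier.discussion_min:
            problems.append(f"inject at minute {later.minute} overlaps discussion "
                            f"of inject at minute {earlier.minute}")
    # "Err on the side of caution": keep a margin below the time budget.
    usable = scenario.time_budget_min * (1 - safety_margin)
    if scenario.end_minute() > usable:
        problems.append(f"runs to minute {scenario.end_minute()} but only "
                        f"{usable:.0f} of the {scenario.time_budget_min}-minute "
                        f"budget is usable with a {safety_margin:.0%} margin")
    for inj in injects:
        if not inj.questions:
            problems.append(f"slide at minute {inj.minute} has no discussion questions")
    return problems


def entry_schedule(scenario):
    """Map each team to the minute it first enters the exercise."""
    first_entry = {}
    for inj in scenario.injects:
        for team in inj.teams_entering:
            first_entry.setdefault(team, inj.minute)
    return first_entry


def after_action(scenario, issue_log):
    """Group (minute_raised, text) issues by the inject that was on screen at the time."""
    report = {inj.slide: [] for inj in scenario.injects}
    for minute, text in issue_log:
        current = None
        for inj in scenario.injects:
            if inj.minute <= minute:
                current = inj
        if current is not None:      # issues logged before the first inject are dropped
            report[current.slide].append(text)
    return report


# Constructed sample: a full-stakeholder scenario built around a PII exposure,
# mirroring the text's example of when the legal team needs to be brought in.
SAMPLE = Scenario(
    title="Mis-addressed customer statements",
    time_budget_min=180,
    participants=18,
    injects=[
        Inject(0, "Helpdesk ticket: a customer received another customer's statement", 20,
               ("security", "it"), ("Who owns this ticket?", "What do we check first?")),
        Inject(20, "Log review: a report export job has sent records to wrong recipients for 3 days", 30,
               (), ("How do we scope the affected records?", "Who can pause the job?")),
        Inject(50, "Affected records are confirmed to contain PII of EU residents", 30,
               ("legal", "privacy"), ("Is this notifiable under GDPR?", "Who decides?")),
        Inject(80, "A journalist contacts the press office asking for comment", 30,
               ("communications",), ("Who speaks externally?", "What is our holding statement?")),
        Inject(110, "Wrap-up: what do we change?", 20,
               ("hr",), ("Which gaps did we find?", "Who owns each fix?")),
    ],
)

if __name__ == "__main__":
    print("plan problems:", check_plan(SAMPLE) or "none")
    print("team entry schedule:", entry_schedule(SAMPLE))
    log = [(25, "No owner for the export job configuration"),
           (55, "Legal unsure who declares a notifiable breach")]
    for slide, issues in after_action(SAMPLE, log).items():
        print(f"{slide}: {issues}")
```

Running the module prints an empty problem list for the sample; shortening `time_budget_min` to 120 makes `check_plan` report that the 130-minute story no longer fits within the margin, which is the revision signal the "Review your story" tip asks for.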

Tabletop security exercise example

The following is a tabletop tale that we previously wrote and ran within Sophos.

Tabletop cyber security resources

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides resources to help organisations conduct their own tabletop exercises. You can access more than 100 CISA Tabletop Exercises (CTEPs) designed to address a variety of threat scenarios, including:

  • Cybersecurity: Ransomware, insider threats, phishing, industrial control system (ICS) compromise, and other cybersecurity-based scenarios.
  • Physical Security: Active shooter, vehicle-ramming, improvised explosive device (IED), unmanned aircraft system (UAS), and other physical security-based scenarios.
  • Cyber-Physical Convergence: Physical impacts arising from cyber threat vectors and cyber impacts arising from physical threat vectors.

Along with these, CISA offers pre-built templates that you can use to develop your own tabletop exercises.


Author: Luke Groves | Senior Manager | Red Team, Cybersecurity

Date: September 2023