What is a Tabletop Security Exercise?
A tabletop exercise encompasses a cyberattack and its potential damage. The exercise lets you see how your organization will respond to an attack. It also provides you with cybersecurity insights.
Why Are Security Tabletop Exercises Important?
- Blind Spot Identification: Security tabletop exercises help you identify cybersecurity blind spots before cybercriminals can find and exploit them.
- Security Posture Analysis: With cybersecurity tabletop exercises, you can assess your security posture and find ways to optimize it.
- Communication Analysis: Tabletop exercises for cybersecurity can highlight communication issues among teams or departments that can hamper your ability to address cyberattacks.
- Compliance: Conducting and documenting tabletop exercises for security is an incident readiness requirement for security programs in many highly regulated industries.
Types of Security Tabletop Exercises
Rapid-Fire Scenarios
A rapid-fire scenario is "extremely high level meant to be understood and discussed easily and quickly," according to ISACA. It requires little to no preparation and lasts about 10 to 30 minutes.
Rapid-fire scenarios can include junior-, mid-, and senior-level team members from a wide range of backgrounds. These team members can review multiple security scenarios, and each can serve as an incident responder.
Technical-Only Scenarios
Technical-only scenarios typically last one to two hours. These scenarios promote in-depth technical discussions and require extensive planning. They allow team members to evaluate the technical aspects of a security incident.
A technical-only scenario usually involves a "seed" event. As the event unfolds, your organization can add more details to it. This can help team members prepare for complex cyberattacks.
Full-Stakeholder Scenarios
Full-stakeholder scenarios are expansions of technical-only scenarios. They focus on technical issues and non-technical problems and logistics.
A full-stakeholder scenario generally lasts two to four hours. It can include technical team members along with legal, marketing, and HR professionals.
Full-stakeholder scenarios are ideal for organizations that want to improve communication between their teams or departments. It can be beneficial to include both technical and non-technical personnel in a full-stakeholder tabletop exercise. This gives participants from many teams or department the opportunity to work together to address a security issue.
Some organizations ask teams or departments to enter at different times during the scenario. This allows these teams or departments to become involved in the same way they would if a real world security incident occurs.
Who Runs a Tabletop Security Exercise?
Third Party
Third-party tabletop security services facilitate and manage scenarios and prompt discussions. They require little to no effort to set up and run.
A third party can tailor its tabletop exercise to your organization or environment. It will learn about your organization and its security challenges. Then, it will develop a custom security tabletop exercise for your organization and its teams or departments.
Self Service
Your organization can craft its own security exercises. It can be costly and time intensive to develop and implement these exercises. However, you can customize your cybersecurity exercises to your organization and its environment.
With custom cybersecurity tabletop exercises, participants can learn about your organization's security challenges. For example, these challenges can involve systems that participants use daily. This helps make the challenges more "real" and drives engagement. It also ensures participants can work together to identify and address specific issues that can directly impact your organization, its employees, and its customers.
How Does Sophos Run Tabletop Security Exercises?
At Sophos, we craft custom tabletop cybersecurity exercises for specific teams or departments. In an exercise, we usually start with a minor security issue and encourage participants to share their approaches and ideas with one another. From here, we use "findings" to highlight the severity of the issue.
We offer cybersecurity scenario themes that organizations can use to develop and run their own tabletop exercises. Along with these, we offer the following tips to help you get started with security tabletop exercises:
Identify Your Target Audience
Determine your target audience, then develop your cybersecurity scenario. For instance, a complex security scenario is ideal if you are testing your cybersecurity team. Comparatively, if you are testing your IT or DevOps team, choose an issue that participants will understand and give the time, energy, and attention it deserves.
Choose the Right Participants
Include a single team or department or multiple teams or departments in your security scenario. A single-team scenario lets you see how specific participants will respond to a cyberattack. Meanwhile, including several teams or departments encourages many stakeholders to work together to address a security incident.
Figure Out When to Involve Participants
Consider when different teams or departments should be involved in your cybersecurity scenario. For example, if your organization's personally identifiable information (PII) is compromised, you may need to involve members of your legal team or department to ensure compliance with GDPR and other data security mandates.
Oftentimes, it is beneficial to include at least one person from every team or department within your organization in a security scenario. Doing so can foster cross-functional communication and collaboration among teams and departments across your organization.
Decide How Many Participants to Include
Make sure your scenario includes participants who can engage with one another and work together to achieve common goals. In our scenarios, we often include up to 25 participants from multiple levels of a team or department or several teams or departments. Consider the size of your organization and structure of your teams and departments as you decide how many participants to include in your tabletop security exercises.
Manage the Time for Your Exercise
Give participants a sufficient amount of time to complete your tabletop exercise. At Sophos, we try to avoid lengthy tabletop exercise sessions. This is due to the fact that it can be difficult for participants to coordinate their schedules and join a session that lasts more than a few hours.
Prepare Your Materials
Use a PowerPoint presentation or other materials to present your scenario. The Sophos team commonly uses PowerPoint presentations for tabletop exercises, with each slide showing a progression of events and questions for participants to consider. We usually limit the size of most of our PowerPoint presentations for these exercises to 20 slides.
Build Your Tabletop Story
Develop a theoretical story and tailor the information that you include in it accordingly. Recent news stories can get participants' attention. For large stories, you can put breadcrumbs in systems and logs for participants to find and follow.
Match Your Tabletop Exercise to Your Participants
Create a tabletop cybersecurity exercise based on the security maturity of your participants. For instance, a detailed story can be beneficial for participants who possess a wealth of cybersecurity skills and expertise. In other situations, a generic high-level scenario may work best.
If you develop a detailed narrative, make sure it is realistic. For example, if you want to target a specific part of your organization or network, get insights from someone into this area. Then, you can develop a scenario that resonates with your target audience.
Get Feedback from Participants
Ask participants if they have any ideas that you can incorporate into your exercise. Most participants can share insights into security pain points that they encounter on a daily basis. You can use these pain points to develop a scenario that helps participants find ways to address such issues moving forward.
Map Out Your Scenario
Craft a flow diagram of how your simulated attack could play out. This helps you find gaps in your story.
Along with this, you can request feedback from members of teams and departments who understand the issues addressed in your story. These team and department members can help you resolve any issues and ensure that your scenario is realistic.
Create Discussion Questions
Write down any questions that come up during the development of your story. These questions can prompt discussions among scenario participants.
Review Your Story
Evaluate your scenario multiple times before you present it to participants. It can be difficult to determine how long it will take participants to complete your story. When in doubt about the amount of time required, err on the side of caution. If you find your presentation runs close to or beyond the time available to participants, revise it as needed.
Set the Tone for Your Exercise
When participants arrive for your exercise, encourage everyone to participate. The exercise gives each participant an opportunity to share their voice and help your organization improve its security posture. If participants communicate and collaborate with each other, everyone can get the most value out of the exercise.
Moderate the Exercise
If you moderate the exercise, resist the urge to participate. In this role, you can provide participants with the scenario and help them move through it. You can also give participants time to discuss various story topics and share discussion questions and prompts.
Track Any Issues
Make sure that someone is taking notes about any issues that come up during the exercise. You can get insights into issues that otherwise hamper the effectiveness of your story.
Watch the Clock
Set a timer for your exercise and stick to it. Keep participants on track, and remind them to continue to work on the story as it progresses.
Review Your Results
Following your tabletop exercise, consider the results and how they can be integrated into your organization's daily operations. For example, if you completed the test based on compliance mandates, you can create a PDF that contains the information that auditors need.
You can also give participants the opportunity to review your findings and run the same exercise at a later date. This can confirm if fixes or changes have helped you address any issues that were discovered during your initial exercise.
Tabletop Security Exercise Example
The following is a tabletop story that we previously wrote and ran within Sophos.
Tabletop Cybersecurity Resources
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers resources to help organizations conduct their own tabletop exercises. You can access more than 100 CISA Tabletop Exercises (CTEPs) designed to address a variety of threat scenarios, including:
- Cybersecurity: Consist of ransomware, insider threats, phishing, industrial control system (ICS) compromise, and other cybersecurity-based scenarios.
- Physical Security: Include active shooting, vehicle-ramming, improvised explosive devices (IED), unmanned aircraft system (UAS), and other physical security-based scenarios.
- Cyber-Physical Convergence: Focus on physical from threat vectors and cyber impacts from physical threat vectors.
Along with these, CISA offers pre-built templates that you can use to develop your own tabletop exercises.
Author: Luke Groves | Senior Manager | Red Team, Cybersecurity
Date: September 2023