An incident response plan is a critical part of any cybersecurity portfolio, but plans need to be tested and practiced to be executed successfully.
Cybersecurity incidents are dynamic situations, and finding out that your plan is incomplete or inflexible as an incident unfolds is not ideal.
What Are Tabletop Exercises?
Tabletop exercises are an opportunity to put an incident response plan through its paces and identify what works and what doesn’t. They also allow IT teams to recognize the business partners that must be brought into the response and the roles they need to play. Tabletop exercises can build and strengthen organizational relationships that are critical when a crisis comes.
Tabletop exercises help to improve an organization’s incident response, but they’re most effective when used as part of an overall preparedness framework. The Department of Homeland Security’s Preparedness Cycle provides an excellent model for continuous quality improvement as applied to incident response. Exercises done in the context of a cycle of planning, training and evaluation will lead to better outcomes.
How Do Tabletop Exercises Help IT Teams?
Your IT department may already participate in tabletop exercises led by other campus organizations. University police and local law enforcement conduct tabletop exercises to practice responding to a variety of disaster scenarios, and there is often an IT component to the response. If your IT organization is not a part of these drills, it should be.
In addition to solidifying the IT aspects of a disaster response, tabletop exercises teach key concepts that are directly applicable to IT and cybersecurity incidents. If you’re not familiar with your institution’s all-hazards incident response plan or continuity of operations plan, this can be a great starting point to build your relationships with your campus incident response community.
While not specific to IT, the Incident Command System used by the Federal Emergency Management Agency and others provides an excellent blueprint for scaling responses to expanding incidents. ICS defines an overall response structure that incorporates operations, planning, logistics, communications, finance and interagency liaisons. Many of the concepts provided by ICS are directly applicable to cybersecurity incident response.
More specific to IT, the Department of Homeland Security’s National Cyber Incident Response Plan provides excellent insight into the command structure and core capabilities required to respond to a cybersecurity incident. Organizations working to establish or improve their cybersecurity incident response can review the core capabilities outlined in this plan to determine where they should focus their efforts.
Click the banner below to learn how to strengthen your team's security strategy.
How to Start Tabletop Exercises with Your Team: Some Examples
A successful tabletop exercise starts with a clear objective. If this is your organization’s first time running a cybersecurity response exercise, the objective may simply be to pull together the teams and stakeholders and raise awareness about their roles. An organization that practices regularly might have more targeted objectives or might stretch itself with more complex scenarios.
Once the objective is clear, the next step is to identify a scenario that will help meet the objective. Malware, ransomware and data breaches are common scenarios that will test the IT response and pull in communications, legal, finance and executive leadership. Scenario planning will also help define the threat actors and their objectives, as well as the critical assets and the impact of the threat.
The Cybersecurity and Infrastructure Security Agency provides several tabletop exercise packages that are an excellent starting point for universities. These templates help clarify objectives, identify participants and outline roles and responsibilities for participants and observers. In addition to providing a planning framework, they also provide discussion questions that the team can consider as the incident unfolds.
LEARN MORE: How incident response addresses evolving security threats.
After you’ve established a scenario, the next step is to define the timeline and communicate it to participants. Plan for some time to introduce the exercise and make sure that participants understand the scenario. Remember to reserve some time for introspection and feedback as the exercise unfolds.
As the exercise unfolds, it’s important to stay focused on the established objectives. While it may be the team’s goal to successfully manage the scenario, the real learning comes from seeing what doesn’t work. Be sure to allow time and space to unpack these failures and allow the team to learn from them. This is a good time to remember that “practice makes permanent.” It’s practice plus feedback that leads to perfection.
After the exercise is complete, conduct a “hotwash” session to debrief and identify strengths and weaknesses of the response. Collect this information and compile a list of lessons learned that can inform and improve future planning. Your debrief will likely identify changes needed, and may result in fixes to the incident response plan or even projects to address systemic deficiencies.
Bookmark this page for more security stories during Cybersecurity Awareness Month.