Blog

Informative, up-to-date and exciting – the Oneconsult Cybersecurity Blog.

Tabletop Exercises: Putting Your Crisis Management to the Test
Fabian-Murer-Autor
Fabian Murer
|
09.08.2024
(updated on: 09.09.2024)

The prevalence of cyberattacks has increased markedly in recent years, becoming a common occurrence in the contemporary business environment. The vast majority of us utilize information technology tools, are connected to networks, and benefit greatly from this connectivity. Nevertheless, an increasing number of companies are coming to recognize that malicious actors are also exploiting this networking and the resulting dependence on digital resources to their advantage. Ransomware attacks for example have become part of the everyday problems faced by many organizations.

In light of these developments, the topic of IT security has also gained importance. Companies are working to protect themselves in a variety of ways, creating new concepts, developing plans, establishing various security tools such as firewalls and Endpoint Protection and Detection (EDR) solutions, and implementing numerous other measures. The objective is to detect and block attacks as early as possible in order to prevent a more far-reaching compromise of the IT landscape.

However, what happens when the protection systems fail and an attack is successful? How should the company respond (immediate assistance for cyber emergencies)? These and other questions are addressed and explored as part of a tabletop exercise in collaboration with the incident response teams.

Table of contents

What Is a Tabletop Exercise?

A tabletop exercise is a scenario-based training exercise, typically conducted in a controlled environment, designed to test and improve participants’ crisis management, emergency planning, and decision-making skills in a risk-free environment.

During a tabletop exercise, a fictional but realistic scenario is presented that simulates a crisis or emergency. The participants, typically managers and/or key members of an IT team, must then work together to respond to the simulated situation, make decisions and devise solutions. This is typically done through facilitated discussions and role-playing.

These exercises can cover a variety of topics, including natural disasters, failures of critical infrastructure, terrorist attacks, or other threat scenarios. In the area of cybersecurity, they can also simulate complex cyberattacks, such as a ransomware attack. These interactive, hands-on exercises allow participants to test their emergency plans, identify vulnerabilities, and improve teamwork and communication in the event of a cyberattack.

What Types of Tabletop Exercises Exist?

A tabletop exercise can be conducted in many different ways. The selection of an appropriate exercise is contingent upon the resources available, the objectives of the exercise, and the target group. An exercise designed for technical personnel will differ from a crisis management exercise for managers, both in the manner of its execution and in its objectives. The following sections will present a few examples.

Standard Tabletop Exercise

This is the basic form of a tabletop exercise. Participants are presented with a fictitious scenario, which is then followed by the introduction of various aspects of that scenario. The objective of the exercise is to facilitate discussion and analysis of the various aspects presented. To illustrate, a common element in a ransomware attack scenario is the restoration of systems from backups. Participants may be tasked with addressing the following:

  • The process of restoring compromised systems from a backup
  • The handling of a ransom demand
  • The determination of which systems are of the greatest importance to the company

This type of exercise is suitable for different groups, from the management level to the technical analysis team, as it can elucidate both general and conceptual aspects, as well as theoretical technical aspects.

Functional Tabletop Exercise

A more realistic type of tabletop exercise is the functional tabletop exercise. In advance of the exercise, a script comprising planned inputs, referred to as “injects,” is prepared for a specified scenario. These injects drive the narrative of the exercise or scenario forward by being presented to the participants at designated stages. Injects are specific messages that provide details about the events occurring during the exercise. An inject can be any information that advances the scenario, such as:

  • An email
  • A phone call
  • A tweet
  • An alarm from an endpoint protection system
  • The result of an analysis
  • The request for an interview

This type of tabletop exercise is especially beneficial for practicing incident management, crisis communication, and collaboration between the participants and between different departments.

Technical Tabletop Exercise

In contrast to previous forms of the exercise, the technical tabletop exercise is designed to simulate a range of activities within the network and/or the company. The objective is to work through the incident response plan in its entirety, encompassing all aspects, from initial detection and subsequent elimination to communication and escalation. To facilitate the practical application and assessment of these processes, only a selected few individuals are typically informed of the exercise. This approach ensures that the teams adhere to the defined processes in a conscious and deliberate manner.

A comprehensive script is also developed in this form of the exercise, delineating the precise timing and manner in which the injects are to be introduced. The injects themselves bear resemblance to the functional exercise, yet are executed in an active manner in this case, as illustrated by the following examples:

  • A simulated reporter actively writes an email to the communications department.
  • A simulated employee actively calls the service desk and describes a problem or observation.
  • Activities and commands are actively executed on selected systems with the intent that these activities generate alerts.

These active inputs should elicit reactions from employees. The goal of the exercise is to compare these reactions with the defined process in order to identify opportunities for improvement. This type of tabletop exercise can be used for several purposes: On the one hand, it is useful to train recognition and reaction on the technical side. On the other hand, such an exercise can also be used to improve escalation processes and communication between different departments.

Typical Steps of a Tabletop Exercise

A tabletop exercise usually consists of several phases designed to take participants through a scripted scenario to test and improve their ability to respond to a crisis or emergency situation. Typically, a tabletop exercise includes the following phases:

  1. Preparation and Planning: The organization in which the exercise is to be conducted works with the exercise facilitators to determine the objectives, scope, and scenarios of the exercise. Depending on the objectives and the defined scenario, participants are selected from different departments and functions to reflect a realistic response to the incident.
  2. Scenario Development: The exercise facilitators develop one or more realistic scenarios that simulate potential security incidents or cyberattacks. The scenarios are developed as detailed scripts with various inputs. Scenarios can include various threat vectors such as phishing, ransomware, data leakage, or Distributed Denial-of-Service (DDoS) attacks.
  3. Conducting the Exercise: The tabletop exercise (standard and functional) begins with an introduction to the scenario in the form of a report, presentation, or simulated email or notification. Participants are informed of the attack and discuss how they would respond.
    • Discussion and decision making: Participants discuss the scenario and decide how to respond to the attack. This includes measures to contain the incident, the communication with internal and external stakeholders, and the coordination of the response.
    • Role playing: In tabletop exercises, participants take on their real-life roles and demonstrate their reactions in the role play. This encourages collaboration and communication within the team.
    • Critical reflection: After the exercise, a detailed debriefing is held to allow participants to share experiences and challenges, discuss possible improvements, and draw lessons learned.
  4. Reporting and Action Plan: After the exercise, a report is generated that documents the exercise, identifies incident response weaknesses, and proposes solutions. Based on this, an action plan can be developed to better prepare the incident response team and the entire organization for future security incidents.
  5. Repetition and Optimization: Tabletop exercises should be conducted regularly to refresh training, help train new team members, and continually improve the incident response strategy.

Objectives and Benefits of Tabletop Exercises

The objectives of a cybersecurity tabletop exercise can vary, depending on the specific needs and challenges of the company or organization. In general, objectives include:

  1. Practicing Incident Response: The tabletop exercise is designed to prepare the incident response team and other relevant stakeholders for potential security incidents and improve their ability to respond appropriately.
  2. Identifying Opportunities for Improvement: By simulating realistic attack scenarios, potential security gaps, vulnerabilities, and opportunities for improvement in the organization’s security systems and processes can be identified.
  3. Strengthening Communication and Teamwork: The exercise promotes collaboration and communication between members of the incident response team and other relevant departments to ensure effective coordination in the event of an emergency.
  4. Testing and Optimizing Incident Response Plans: Existing incident response plans and procedures can be reviewed for effectiveness and efficiency, and improved where necessary.
  5. Practicing Crisis Management: The tabletop exercise allows the team to practice the process and escalation mechanisms for a security incident, ensuring that the right decisions are made in the event of an incident.
  6. Training New Team Members: For new members of the incident response team, the exercise provides a hands-on introduction to the organization’s procedures and processes.
  7. Raising Awareness Among Stakeholders: The exercise can raise awareness of cybersecurity and the importance of effective incident response throughout the organization.
  8. Improving the Incident Response Strategy: Lessons learned from the exercise can be used to improve and refine the organization’s incident response strategy and crisis management.
  9. Building Confidence: Regular tabletop exercises can help team members feel more confident and better prepared for actual security incidents, thereby also increasing confidence in the organization’s overall security practices.
  10. Meeting Compliance Requirements: In some cases, participation in tabletop exercises may be a requirement for certain compliance standards or certifications.

The primary benefit of a tabletop exercise is that it provides a realistic simulation of a crisis situation without the associated real-world dangers. This allows participants to practice their responses and strategies in a safe environment and gain valuable experience that can be critical in an emergency. In addition, the debriefing and analysis of the exercise can provide useful feedback to improve emergency planning and response.

Summary and Outlook

“Practice makes perfect” is particularly applicable to the field of cybersecurity, especially in the context of responding to cyberattacks. Organizations invest a significant amount of time and resources in cybersecurity measures with the objective of preventing cyberattacks from occurring in the first place. However, it is crucial to prioritize regular training for potential worst-case scenarios as well. This encompasses an understanding of the appropriate courses of action in the event that protection systems are no longer effective, the necessary steps to take, and the individuals who need to be informed. These questions and aspects can be addressed, defined, and, most importantly, practiced in advance of a cyberattack. Oneconsult provides assistance in this area as well, by creating an incident response plan that defines the steps to be taken in the event of an emergency. This plan can then be practiced and internalized in the form of specific types of tabletop exercises. Based on real cyberattacks, supervised by our Oneconsult International Computer Security Incident Response Team (OCINT-CSIRT), you have the opportunity to test your processes and train your team in real-life scenarios

Categories

All Categories
Active Directory / Entra ID
Attack Simulation / Red Teaming
Cybersecurity
Cybersecurity Awareness
Digital Forensics
Incident Response
IoT/OT-Security
News & Advisories
Penetration Testing

Vulnerability Management

This might also be of interest to you:

Want to conduct a tabletop exercise?
Contact us
Fabian-Murer-Autor

Autor

Fabian Murer leads the Incident Response and Digital Forensics team at Oneconsult AG. He frequently conducts tabletop exercises with the objective of optimally preparing customers for a potential emergency.

LinkedIn

Never want to miss anything again?

Subscribe to our news feed on LinkedIn and register to receive our newsletter.

Sign up for our Newsletter
Privacy Statement

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

  • What and who is affected?
  • Who discovered and reported the incident?
  • How and when was the incident noticed?
  • What did you observe?
  • What are you concerned about in connection with the incident?
  • What actions have already been taken?

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts