How to Run an Effective Tabletop Exercise

When a cyber security incident happens, time is of the essence. This is why organizations need to design a plan of action in advance. Simply building a plan isn’t enough, however; every member of your team needs to know what steps to take first.

This is why tabletop exercises are an essential part of every incident response plan. These exercises are meant to help incident response teams in both security and other business units receive training on how to properly handle cyber security incidents.

Conducting tabletop exercises helps provide a team establish a rehearsed, go-to response should a threat occur. It gives all stakeholders in a security response the ability to practice what to do in a security breach. This can mean the difference between a timely response and muddled confusion should a threat occur.

The following steps will help ensure that your tabletop exercises are a successful representation of what should take place to protect your organization in the event of a security incident.

Read: Learn more about the do’s and don’ts of responding to an incident.

Choose a Realistic Threat

A successful tabletop exercise should resemble the real world as much as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic attacker behavior.

Examples of real-world cyber security threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords.

The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it’s important that it mimics a threat that’s likely for your specific environment. 

Run Through the Exercise

Once the imaginary threat has been put into motion, each member of the group should perform — in real time — the actions they would take were that threat actually playing out. These will be based on the organization’s security plan that should be already in place.

These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third-parties. They also include making decisions about whether or not to shut down systems, as well as collecting information and utilizing forensic software to identify the type of threat at play before working to remediate it.

Learn and Document

In addition to giving the entire team an opportunity to practice their response in real-time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, identifying new vulnerabilities, and finding weak points in the processes don’t indicate failure; rather, these are precisely what a tabletop exercise are designed to weed out.

After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will not only help the next exercise run more smoothly; they’ll ensure a more effective response when an actual threat strikes.