Formulating a blueprint on what to do when your organization experiences some sort of security breach is important. Testing that plan to make sure all responsible parties know what to do is also imperative. That’s where an incident response tabletop exercise can help.
A tabletop exercise ensures that the people who are part of the security incident response team understand what they need to do when there is an event, breach, or incident in their environment, thus creating the muscle memory to react appropriately. The foundation of this exercise is an incident response plan that outlines how your company deals with certain issues including details regarding who they call, who they report to, and what kind of evidence they gather.
Why a tabletop exercise is necessary
A tabletop exercise helps you train your staff by seeing how they would respond to a theoretical event or incident. The purpose is to improve your ability to protect the confidentiality, integrity, and availability of your organization’s information systems and enhance the incident response handling procedure.
It’s important to understand who in the company is playing each role, and how they are going to interact with an incident or breach. Be sure that the staff is aware of what constitutes an event, which is when an entity tries to do something malicious but isn’t successful, versus an incident, where an entity is successful at taking a malicious action.
Tabletop exercise overview
There’s a lot that goes into a tabletop exercise. It’s really up to you to determine how in depth you want to go. Typically these theoretical exercises are conducted at least annually, with a semi-annually cadence being ideal. This is a training exercise to determine what security measures and processes are lacking in your organization.
Usually the folks involved are the people who are part of your security team, including your internal help desk, internal security staff, as well as the C-suite and HR. The most important part of the tabletop exercise happens at the conclusion, where we outline lessons learned, including where you discovered you need to improve your processes or plans.
Getting started
We run your team through a multitude of different scenarios quickly to pinpoint the best places to test for weak security in your environment. Scenario examples could include:
- Stolen documents – In this scenario, we’ll open by saying, “An employee left sensitive data on their desk and then they went to get coffee. When they returned that paperwork was missing. They went to management to report it. No one in the facility came forward as a witness or a culprit.” The discussion would then proceed about whether this constituted an event or an incident and how your company would handle it.
- Data exfiltration – What happens if your databases are compromised resulting in unknown data exfiltration? We’ll talk about what happens if someone is exfiltrating encrypted data. How do you handle that? How do you figure it out?
- Ransomware attack – This set-up is a very prominent option. What happens if one of your employees decides to go rogue and disappears with their workstation or laptop containing sensitive information? What steps do you take and how do you contain the threat?
- Anonymous threat – How do you account for any of a myriad of issues that could arise from various people entering your building under the guise of working on your equipment or performing another service? Do you have some type of visitor and vendor procedures for escorting them and monitoring them while they work and ensuring that what they’re bringing inside is not malicious?
Another key point of this is to figure out if your company understands your responsibility for keeping evidence. For instance, if you have a ransomware attack, the instinct might be to completely purge the infected machine and then report the incident. Instead, if you have an infected machine, pull out the hard drive, put a new one in, re-image it, and then keep that infected hard drive as evidence and mark it with your chain of custody form.
A lot of people don’t know that you have to keep evidence, usually for at least 90 days. That way if the Department of Defense, FBI, or your cybersecurity insurance reach out to you informing you that they want to run their own internal investigation, you are all set.
Evidence collection is one of the issues that a tabletop exercise helps you address. Ensuring that when an incident does occur, you have something physical that you can reference and other entities can use as well.
Tabletop exercise results
At the conclusion of a tabletop exercise, we’re able to figure out where in your planning, processes, and procedures, you might be lacking security guidance. Once we go through your scenarios, we sit down and discuss the different setups and detailed actions that you can incorporate into your incident response plan. Perhaps it’s adding additional team members into the incident response team and making sure everyone knows their role and how to deal with issues. Note that there’s no pass or fail of a tabletop exercise. We find holes in an environment and work to fix issues before any breach occurs.
It’s also important to note that annual testing of your incident response plan is a requirement for CMMC and NIST 800-171. A tabletop exercise qualifies as this test. In order to get the points allotted to these associated controls, your company needs to complete this exercise and present an after actions report stating that you went through this training and outlining outcomes and people involved. Simply stated, if you aren’t running a tabletop exercise today, your company is not meeting compliance.
If you would like assistance in crafting your incident response plan or in testing it with a tabletop exercise, contact the experts at CyberSheath. We’re here to help.