Executive Level Continuity of Operations Tabletop Exercise Scenarios
Tabletop exercise scenarios: 3 real-world examples
Plus, start your journey with 10 pro tips for running a successful tabletop exercise.
Editor's note: This article, originally published in 2006, has been updated to reflect recent trends.
A tabletop exercise is an informal, discussion-based session in which a team talks through their roles and responses during an emergency, walking through one or more example scenarios. It's a great way to get business continuity plans off the written page without the interruption of a full-scale drill: rather than actually simulating a disaster, a group within the company gathers for a few hours to talk through a simulated crisis.
The exercise is increasingly a staple of IT security preparedness programs. "I find that companies who have a healthy respect for their cyber risk are the ones doing tabletops," says Dan Burke, Senior VP and National Cyber Practice Leader at Woodruff Sawyer. "Designing an incident response plan is beneficial, but putting it to the test will give you the practical insights that only come from experience."
If you're new to the idea of tabletop exercises and want a solid overview of what goes into one, check out our in-depth explainer on the topic. But if you have a handle on the basics and are thinking about how you can most effectively implement a tabletop exercise at your own organization, then read on. We've collected some tips on best practices from a range of security pros, who have also helped us put together some example scenarios that should give you some ideas for your own exercises.
10 tips for running an effective tabletop exercise
- Make sure your tabletop exercise is your tabletop exercise.
- Explore a scenario beyond just the technical aspects.
- Get top-level management on board.
- The facilitator is key.
- You're testing people, not technology.
- Build your scenarios based on active threat intelligence.
- Participants need to get into character.
- Don't let the party get too big.
- Give your exercise the amount of time it deserves.
- Create a safe space for experimentation—and failure.
1. Make sure your tabletop exercise is your tabletop exercise. You shouldn't just work through some generic breach scenario, but rather something tailored to your organization's particular situation. "Conduct exercises based on events that are critical for your particular company," says Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies. "Ask the top managers what their business is really afraid of, and what scenarios could destroy it."
2. Explore a scenario beyond just the technical aspects. Tabletop exercises may be driven by the IT or security team, but participants should span the entire company. "Yes, there may have been a technical attack which requires a technical remediation," says Ben Smith, Field Chief Technology Officer at RSA NetWitness, "but your tabletop exercise should also include representatives from your legal, regulatory, marketing, customer support, and even human resources functions. Employees on the front lines with the public during a recovery will need scripted and approved talking points and potentially new tools to represent your brand most effectively during a crisis."
3. Get top-level management on board. No matter what you learn about your organization's readiness in a tabletop exercise, you won't be able to implement any improvements without leadership buy-in. "The most critical constituency in crisis management training and desktop scenarios is the C-suite, or those officers who will either make a final decision in a crisis or recommend them to the CEO," says Timothy Williams, Vice Chairman with global security firm Pinkerton.
C-level execs don't always participate themselves, but will often choose a representative to participate and report back on how the exercise went. Still, it can be worthwhile to try to get them to show up in person. "It's sometimes hard to pin down executives to participate for longer exercises," says Curtis Fechner, Engineering Fellow at Optiv, "but you can remind them that their participation will not be optional during a real incident."
4. The facilitator is key. "Having a facilitator whose delivery is top notch is make or break," says John Dickson, Vice President at Coalfire. "The best ones deliver tabletops in a conversational way and put participants at ease. They remind me more of a good talk show host more than a keynote speaker. Their ability to pivot is crucial: when a participant makes a point, an effective facilitator must be able to cite a relevant war story or example that reinforces that point."
5. You're testing people, not technology. Some participants in a tabletop exercise may complain that your scenario isn't dealing with the technology they use on a day-to-day basis—but that misses the point, says Sounil Yu, CISO at JupiterOne. "The primary benefit of a tabletop exercise is to ensure that people can reliably perform in unexpected situations," he explains. In fact, in many of the disaster scenarios that tabletop exercises aim to simulate, technology that staff has come to rely on may be unavailable, and overreliance on technology in response and recovery situations is exactly what team members need to learn to avoid.
6. Build your scenarios based on active threat intelligence. You may be tempted to just pull your tabletop exercise from the latest headlines, but you should dig deeper to create a truly realistic scenario. "For many notable threats like ransomware, there are a lot of firms sharing intelligence about how these attacks play out," says Optiv's Fechner. "Using media reports is okay, but you should focus on the actual threat intelligence reports produced by government agencies and private sector security companies."
7. Participants need to get into character. Tabletop exercises are cousins to tabletop role-playing games like Dungeons and Dragons. Just as in those games, each participant should throw themselves into the role they're playing in the fictional scenario under consideration—and just as in those games, those roles might be different from the player's everyday life. "You should assign everyone a role to play," says Jacob Ansari, CISO of Schellman & Company, an independent security and privacy compliance assessor. "Maybe everyone gets their normal job function—or, maybe you mix it up every now and again to gain some fresh perspective so you can uncover gaps in your plan."
8. Don't let the party get too big. Nate Drier, Managing Principal Consultant, and Rob Lelewski, Director of Proactive Services at Secureworks, suggest that you aim to keep the number of participants in your exercise to fewer than 20. Groups much bigger than that are "ripe with opportunity for disinterest and disengagement," they say.
9. Give your exercise the amount of time it deserves. This may seem obvious, but a tabletop exercise isn't something you can just knock out over a quick lunch. "Trying to rush through in an hour leaves little time to discuss anything in detail," says Optiv's Fechner. "Factor in various distractions and you'd only be looking at about 20 minutes of actual discussion. I prefer a three- to four-hour exercise for most audiences."
10. Create a safe space for experimentation—and failure. While tabletop exercises are crucial for improving overall security in the long run, the players shouldn't feel pressure to "win" the scenario. "It is important that participants understand that the exercise is in the interest of improvement," say Secureworks's Drier and Lelewski. "It is expected that there are gaps. Tabletops provide a blameless forum where the team can collectively discuss holistic strengths and weaknesses."
As Schellman's Ansari acknowledges, this can be challenging because employees are often "performing" in front of their bosses. "The coordinator needs to establish some clear ground rules that give people the freedom to act in this situation," he says. "It is, after all, a fictitious scenario and one designed to uncover weaknesses in the plans themselves, training, coordination, or other essential aspects."
Three sample tabletop exercise scenarios
- A phishing attack exposes a zero-day vulnerability
- A supply-chain attack is detected
- Reckoning with an escalating ransomware attack
- A disgruntled employee starts a data center fire
- An explosion at a nearby chemical plant releases deadly toxins
- A pandemic flu hits
As we noted above, a tabletop scenario should hew as closely to your company's specific darkest fears as possible. That said, we solicited some potential scenarios from our experts to give you a sense of how these might play out. Note how they escalate. As Brett Wentworth, Senior Director, Global Security at Lumen Technologies, puts it, the job of a tabletop moderator consists of "walking the participants through a scenario, letting them react in an open fashion, reporting back on their actions—and then having 'injects' to add more curveballs."
Scenario #1: A phishing attack exposes a zero-day vulnerability
Wentworth outlined our first scenario, which starts with a phishing attack and ramps up from there.
Segment 1: An employee clicks on a link in an email asking them to take a mandatory security awareness training and inputs their credentials in the site the link leads to. Looking back at the email, they see some odd formatting, a spelling error, and a banner indicating the email originated outside the organization. Their computer begins to run more slowly, and the employee follows established processes and contacts the incident response (IR) team. The players taking on the IR role will outline the steps they'd take in response.
Segment 2: A connection is seen from an IP address in Eastern Europe to the site linked to in the phishing email. This host was also apparently scanning internally for a protocol associated with a commonly used software package (we'll give it the fake name Acme123) and has interacted with servers running it.
Segment 3: Traffic fitting the pattern of malware callbacks is seen communicating from an Acme123 server with another IP, this one in Asia. Suddenly, industry news breaks about an Acme123 zero-day vulnerability.
Segment 4: One server shows it had signs of a new malware exploiting the zero day, but it's not clear whether data was exfiltrated. The teams at this point must commit to forensics, notify employees, contact law enforcement and impacted customers, and update execs.
Scenario #2: A supply-chain attack is detected
This scenario, from Secureworks's Drier and Lelewski, outlines an attack reminiscent of the recent high-profile SolarWinds hack.
Segment 1: The sales department of a target organization has acquired a new software leads-tracking tool. It is installed on-premises in a virtual machine provided by the vendor. The acquisition skipped the vendor due-diligence process, and was approved by sales leadership. In the weeks following its deployment, there's an uptick in users submitting trouble tickets because of locked accounts due to password failures. In addition, some alerts are generated on encoded PowerShell activity on several workstations.
Segment 2: A security analyst on the team notes that several gigabytes of encrypted data were sent to a VPS hosted in Russia. Additional alerts are popping up, noting tools such as Mimikatz and Secretsdump. A file named exfil.zip is found with a recent timestamp, sitting on the same share that the business-critical R&D team uses.
Segment 3: A news story breaks, detailing that the leads-tracking tool was compromised by foreign state actors, and contains a backdoor that uses a domain-generation algorithm to establish command and control over outbound port 443. The story details that the threat actors are after intel from your specific industry vertical, and are not affiliated with ransomware deployments.
Scenario #3: Reckoning with an escalating ransomware attack
This example scenario comes from JupiterOne's Yu. He outlines a ransomware attack that starts out bad and gets worse.
Segment 1: The company is hit by a standard ransomware event affecting the majority of enterprise systems, with a demand of 1 percent of the company's annual revenue to be paid within 48 hours. (The scenario should require a decision on this demand within the timeframe allotted for this segment.)
Segment 2: Regardless of the decision made in Segment 1, the ransomware attacker escalates with the public release of sensitive stolen content and a threat to release more unless the company pays up (or pays again, as the case may be).
Segment 3: It is discovered that the hacker has leveraged information from the content they stole to attack the company's customers, resulting in material breaches for those organizations.
Segment 4: A relevant government agency starts an investigation because, as it turns out, the ransomware attacker is under United States Office of Foreign Assets Control sanctions. This entangles the company, already in the midst of a business crisis, deep into an international drama where events spin further out of the company's control.
Scenario #4: A disgruntled employee starts a data center fire
This scenario is based on a suggestion by Rad Jones, academic specialist at Michigan State University's School of Criminal Justice and former director of security and fire protection for Ford Motor.
Source: https://www.csoonline.com/article/2120836/tabletop-exercise-scenarios.html