A tabletop exercise (TTX) in cybersecurity is a strategic drill designed to assess and enhance an organization’s readiness for cyber incidents. Security team members engage in discussions about various potential situations to test their response strategies in a simulated environment.
| “Not every incident response plan that looks good on paper holds up in execution. At the end of the day, it comes down to people and process and both must be tested. That’s why your organization must perform tabletop exercises to ensure yours can withstand a real incident.” – Tab Bradshaw, Chief Operating Officer, Redpoint Cybersecurity |
The goal of a tabletop exercise is to provide a low-risk platform to evaluate policies, response plans, and procedures without impacting any real operations. Tabletop exercise scenarios help identify any possible gaps in an organization’s cyber defense strategy before a real incident occurs.
This blog will provide insights on how to effectively conduct these exercises. We’ll discuss who should be involved in them, what you should do, and where to look if you need further guidance implementing them.
Who Should Be Involved in a Tabletop Exercise?
The roles and responsibilities during a TTX are defined by CISA as follows.
Players
These individuals are actively involved in the exercise. They engage in conversations or take action in response to the simulated cybersecurity incidents.
Observers
While they do not participate directly in the exercise, observers can contribute to the development of the players’ responses. They do this by asking pertinent questions or offering their expertise.
Facilitators
Their role is to provide updates about the situation and guide discussions. Facilitators also offer additional information and answer any questions that arise.
Note-Takers
Note-takers primarily focus on documenting the discussions of the players and observers. They pay special attention to how these discussions align with existing plans, policies, and procedures.
| Gain More Incident Response Planning Insights |
The people who should be involved in a tabletop exercise include (but may not be limited to) the following. Any of these individuals may be able to take on any of the roles highlighted above in a way that best suits your scenario and their expertise.
- IT and Cybersecurity Teams: They bring the technical expertise needed to handle cyber threats.
- Executive Management: They provide strategic decision-making and understand business implications.
- Department Heads: They offer operational insights from various parts of the organization.
- Outsourced Cybersecurity Experts: They provide external threat intelligence and specialized knowledge.
For organizations that rely solely on in-house resources, getting an outside perspective from cybersecurity consultants regarding your exercise is still a smart idea.
It’s wise to create a scenario that challenges existing protocols and encourages innovative thinking. This approach will better prepare you for emerging real-world threats and make it easier to pinpoint areas of improvement.
How to Conduct a Tabletop Exercise
These steps, while general, are vital in preparing for possible cyber attacks. Tailoring these exercises to your organization’s unique needs, considering industry, regulations, emulated scenarios, and security posture, is essential for effective outcomes.
1. Initial Assessment
The process begins with a thorough analysis of your threat profile, operational environment, and areas of concern. It involves discussions with key individuals to gain a deep understanding of the organization’s characteristics. This analysis ensures that the exercise is relevant to your specific context.
2. Scenario Development
Based on the initial analysis, tailored scenarios are developed. These scenarios reflect the unique challenges and goals relevant to your organization. The scenario should balance practicality and challenge to thoroughly test your entire incident response plan.
3. Structured Response
Players engage in a series of steps to ensure a comprehensive response to the developed scenario. Depending on the nature of your exercise, your players may or may not have time to coordinate a response in advance.
Their steps include:
- Assessing the situation
- Revalidating assumptions
- Identifying implications
- Strategizing the response
4. Identifying & Addressing Response Process Gaps
After the response team deploys their solution, open discussions to identify any gaps or areas for improvement are encouraged. This is a key learning opportunity to see what works well and what doesn’t in a safe, yet realistic setting.
5. Documentation & Review
Your note-takers document the exercise’s nature, discussions, lessons learned, and feedback from players and observers. Review this documentation to identify positive observations and areas for improvement in your organization’s risk management.
6. Implementing Insights
Use the insights gained from the exercise to enhance security protocols, internal reporting, and incident response plans. This step is crucial for continuous improvement and cybersecurity readiness.
Tabletop Exercise Examples
The best place to look for well-planned out blueprints are the CISA tabletop exercises. CISA Tabletop Exercise Packages (CTEPs) are packages that offer comprehensive toolkits to help organizations conduct their own cybersecurity drills.
CISA offers TTX for all kinds of emergency scenarios, not limited to cybersecurity. They also include CTEPs for physical security situations such as natural disasters, active shooters, and unmanned aircraft systems (UASs).
For the scope of this article, here is an overview of the cybersecurity situations relevant to organizations that have CTEP blueprints provided by CISA. This overview and the toolkits offered will give you a solid foundation for your TTX.
| CTEP | Overview |
| Ransomware CTEP Situation | Tailored to help organizations identify vulnerabilities in their current strategies and develop more effective responses specific to ransomware incidents. |
| Ransomware Third Party Vendor CTEP Situation | Guides organizations through exercises that simulate a ransomware attack initiated via a targeting a third-party vendor that led to broader network issues and ransomware installation. |
| Distributed Denial of Service (DDoS) CTEP Situation | Provides a structured exercise framework, including scenario modules that simulate a DDoS attack, and facilitating discussions on detection, response, mitigation, and recovery. |
| K-12 Schools CTEP Situation | Guidance on identifying and responding to various cyber threats with an emphasis on the practical application of response tactics in the specific operational environment of a K-12 school. |
| Cyber Insider Threat CTEP Situation | Includes exercises that simulate incidents initiated by insiders, such as disgruntled employees exploiting vulnerabilities or unintentional data compromisations. |
| Industrial Controls CTEP Situation | Offers scenario-based exercises that simulate cyber incidents impacting industrial environments, such as ransomware that affects operational equipment. |
| Healthcare and Public Sector CTEP Situation | Emphasizes the criticality of safeguarding Protected Health Information (PHI) and the unique vulnerabilities of healthcare networks. Also includes exercises that simulate incidents that affect network-connected medical devices. |
| Vendor Phishing CTEP Situation | Specifically addresses the challenge of phishing attacks through third-party vendors. Exercises focus on the identification and mitigation of phishing threats originating from trusted third-parties. |
| Water/Wastewater Systems CTEP Situation | Similar to the industrial scenario, but with more focus on water and wastewater systems. Highlights the importance of securing industrial control systems (ICS) and operational technology (OT) against cyber threats. |
| Maritime Ports CTEP Situation | Included scenarios address unique maritime issues such as disruptions in vessel traffic systems and port infrastructure vulnerabilities. |
| Commercial Facilities CTEP Situation | Specifically addresses cybersecurity challenges in commercial facilities, focusing on events like special gatherings and retail operations. Presents scenarios that simulate cyber incidents such as phishing and ransomware attacks during significant events in commercial facilities. |
| Chemical Sector CTEP Situation | Includes unique processes for dealing with unmanned aerial system (UAS) threats, and insider threats that specifically target industrial control system (ICS)/Supervisory Control and Data Acquisition (SCADA) system attacks. |
Get Professional Assistance Preparing For Real-Life Scenarios
Online tabletop exercise templates are an excellent starting point for your organization’s TTX planning. However, you mustn’t solely rely on an online template alone. You still need the guidance of cyber experts and key players to ensure that your TTX provides optimal results.
For top-grade threat intelligence, you can turn to Redpoint Cybersecurity. 92% of our team have advanced cybersecurity degrees and 30 members of the team have an average of 22 years of US federal government cybersecurity experience. We’ve seen a lot of different situations in high-stakes environments, so we’re well-equipped to guide you through a practical TTX.
Contact us today to get started.