Tabletops are an essential tool to improve organizational awareness and streamline Incident Response efforts. Regular tabletop exercises help keep resources aligned for success as your security posture matures and your team develops. This blog post will highlight opportunities to improve incident response capabilities and common pitfalls to avoid.
Standard tabletops are driven by a facilitator talking participants through a simulated crisis response scenario. The facilitator steps through the scenario by prompting participants with new pieces of information, or “injects”, simulating an unfolding situation. These exercises often include representatives from various functions who roleplay how they would respond to these injects and interact with other teams. The level of detail in their responses can range from a simple verbal description of a high-level process, to consulting documentation such as a written incident response plan (IRP) or run book, to conducting live technical analysis. Walking through these exercises battle tests team members, builds familiarity with processes and tooling, and identifies opportunities to improve security operations and maturity moving forward.
We recommend running tabletops quarterly – or annually at a minimum. This will provide time to implement improvements identified during the tabletop, while also providing more opportunities to diversify your audience and build a stronger cyber security resilience culture.
If your organization is just starting out, start with a limited exercise driven by security leadership (directors, managers) and SOC employees (analysts, engineers, etc.). Consult with other teams - for example the network team, legal team, communications team – as the scenario develops. This will focus the team on operational incident response fundamentals. Leave the senior executives out of this tabletop and limit the team to no more than ten people to keep it focused. The deepest you should get from a technical perspective would be talking about what is logging; there would be no hands-on keyboard.
As you mature your capabilities, you can then run scenarios with a company-wide approach as well as get into the weeds and incorporate real attacks. In a company-wide approach you would have an executive session and a security leadership session followed up by a war room session (purple team preferred). This approach requires a higher level of effort and coordination, so we don’t recommend starting here. When implementing the practical piece, you would engage a red team to perform an attack exercise in your environment, with the blue team following their response playbook in real time: this is a full dress rehearsal.
· Do we have established communication plans (e.g., Legal, Business, IT, etc.)?
· Do we have proper visibility to information that team members need to execute the underlying processes (Logging, Tooling, Access)?
· Do we have the proper response actions and procedures in place (on the fly and documented processes)?
· Is there fail over between team members?
· Indirect knowledge transfer - attacks, defense, tooling, internal processes.
· Ideas to boost resilience - defense options, backups, etc.
· Additional exercises to battle test teams - threat hunts, purple team exercises, red team scenarios.
· New detections to build - SIEM, EDR, IDS/IPS, etc.
· Process improvements - run books, RACI Models.
· Communication plan improvements
The above gives you an idea of how to think through a tabletop, however, it is important to avoid focusing on one of these items for too long and during a particular tabletop. The best exercises push for creative thinking and dynamic solutions.
It is a common principle to practice anything you want to be good at. Yet, most cyber security teams rarely practice incident response.
Bonus! Improve business security culture:
When performing tabletops, you can push for a stronger culture around security awareness. As you bring in other teams, they quickly buy into the security-centric mindset. I have seen teams outside of the security function offer solutions and ideas that no one knew existed as well as identify takeaway tasks that will improve the businesses security posture immediately. Think about involving firewall, application, server, account, and even non-technical teams and avoid limiting it to only security operations.
1. The team leans on one person when it comes to the technical tactics in relation to response.
It is important to leverage the entire team and ensure the most senior engineer is not responding to each question. You can “mute” the engineer or inform the team he is “on vacation” during the tabletop. Once the tabletop is complete the senior engineer can provide additional insight. Tabletops are natural cross training opportunities when many attendees participate.
2. The team has anxiety that their responses will be held against them after the tabletop.
Often the team wants to impress leadership. Leaders need to set the stage when kicking the exercise off to encourage creative participation and that there will be no judgement held towards decisions that ultimately prove to be the wrong choices.
3. Do not fight the scenario.
It is easy to say “this would never happen to us” when a scenario comes up that you need to defend against. It is important to go into tabletops with an open mind, there will be pieces that will not apply at times however it should not deter to detract from the exercise.
4. The team becomes hyper focused on mapping response efforts to a process.
Tabletops unfortunately can turn into a process exercise, which should be discouraged. Keep in mind when the team needs to be flexible around the process and make decisions on the fly. There cannot be a check list for every cyber security scenario out there. Make a call and move forward.
How can MOXFIVE assist with your tabletops?
Let our teams make tabletops stress-free for your team and quickly identify ways you can improve in a real response scenario. Our experience in incident response enables us to draw up realistic scenarios that your team would not expect and keep them on their toes. We align the scenario to your environment and build a roadmap to resolve identified gaps.
Michael is a Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a Masters Degree in Cyber Security and is accredited through SANS for the GCFA, GCIA, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our Technical Advisors serve as an Incident Coordinator to clearly define the incident, the action plan to be executed, and manage the incident response efforts.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.Learn More