Get to Know Cybersecurity Tabletop Exercises

Learning Objectives

After completing this unit, you’ll be able to:

• Define a tabletop exercise.
  
• List the steps in creating a tabletop exercise.
  

What Is a Tabletop Exercise?

Jane, a program coordinator at a nonprofit focused on environmental conservation, was checking her emails on a typical Tuesday morning when something caught her eye: an invite titled Mandatory: Cybersecurity Tabletop Exercise - Today at 2 PM. She knew a bit about tabletop exercises - they're like practice drills - but she'd never actually been in one. Given the increasing frequency of cybersecurity breaches impacting nonprofits, she realized the significance of this exercise.

At 2 PM, Jane walked into the conference room, feeling a mix of excitement and nerves. She saw her colleagues from different teams already there, all wondering what was coming next. The cybersecurity team’s lead stepped up and started the exercise: “We've been hit by a cyber attack that's put our donor information at risk. Jane, you just got this news from our IT team. What do you do first?” This was the beginning of Jane's first tabletop exercise, a vital test of their collective readiness and response strategy.

A tabletop exercise is a form of nontechnical testing often used in emergency preparedness, business continuity planning and cybersecurity. These exercises can be conducted in a safe and controlled environment or a more complex setting that mirrors a real-life emergency. In such exercises, participants from various parts of an organization engage in conversations about real or hypothetical emergency or crisis scenarios (for example, hostage situation, data breach, natural disaster).

The focus is on the actions of individuals, either actual or simulated, and their adherence to policies, protocols and procedures in responding to the situation. The primary objective is to uncover deficiencies and identify gaps in plans, policies and procedures and improve communication and coordination among team members.

Tabletop exercises are conducted by a variety of organizations for a variety of reasons. For example, healthcare organizations use these exercises to learn from and prepare for large scale medical emergencies and educational institutions use them to learn from and prepare for critical on-campus incidents.

Cybersecurity Tabletop Exercises

Every organization with digital information systems (especially those handling sensitive data and who rely heavily on the internet for their mission-critical operations), should also conduct tabletop exercises focused on cybersecurity. For a cybersecurity tabletop exercise, the discussion is structured around scenarios such as data breaches, ransomware attacks, insider threats, violation of cybersecurity regulations, and supply chain attacks. The primary objective is to test and improve existing cybersecurity policy and incident response plans.

While cybersecurity tabletop exercises are not universally required by law or regulation, there are certain circumstances where they are typically used. For example, the US Federal Information Security Management Act (FISMA) requires federal agencies to prepare and regularly test disaster recovery or contingency plans for their information systems. Tabletop exercises are a commonly adopted practice to comply with this requirement.

Contrasting Cybersecurity Tabletop Exercises with Other Cybersecurity Testing Methods

Cybersecurity testing encompasses a variety of methods, each designed to assess different aspects of an organization’s security posture. Key methods include technical assessments like penetration testing, red and blue team exercises, vulnerability assessments, and phishing simulations.

Let’s explore how tabletop exercises, with their focus on communication and policy implementation, contrast with other cybersecurity testing methods.

Tabletop exercises are vital for testing and improving an organization’s cyber incident response strategy and team coordination, however, they are not a substitute for other cybersecurity testing methods that focus on technical vulnerabilities and defenses.

All testing methods are necessary, each addressing different aspects of an organization’s overall cybersecurity posture.

Creating a Tabletop Exercise

The creation and design of tabletop exercises are typically handled by professionals with specific expertise and roles. These include:

1. Cybersecurity Teams: Specialists in cybersecurity who understand the technical and strategic aspects of potential threats.
   
2. System Owners: The individual or group responsible for the operation and security of a particular information system.
   
3. Risk Management Personnel: Those who assess and manage risk, including the identification of potential cyberthreats.
   
4. IT Department: IT professionals, particularly those with a focus on security, play a crucial role in developing scenarios that are realistic and relevant to the organization's technology infrastructure.
   
5. Human Resources (HR): HR may collaborate in designing exercises that involve personnel policies and procedures.
   
6. Emergency Response or Crisis Management Teams: These teams can contribute by ensuring the exercises align with broader emergency response plans.
   

Creating a tabletop exercise for cybersecurity can be streamlined into a series of steps. Here's a simple list to guide the process:

1. Gather Cybersecurity Artifacts: Collect all relevant cybersecurity documents, including plans, procedures, policies, and processes. These documents are fundamental to the tabletop exercise, serving as the basis for evaluating participants’ understanding and practical application of them.
   
2. Define Objectives: Determine the goals of the exercise. What specific aspects of your cybersecurity readiness do you want to test?
   
3. Select a Scenario: Choose a realistic cybersecurity incident scenario relevant to your environment and objectives.
   
4. Identify Participants: Decide who should be involved in the exercise. This may include IT staff, management, and other key personnel.
   
5. Develop the Exercise Plan: Outline how the scenario will unfold, including key events and decision points.
   
6. Prepare Materials and Resources: Create any necessary materials, such as briefing documents, role descriptions, and background information.
   
7. Conduct a Briefing Session: Before the exercise, brief participants on the scenario, objectives, and their roles.
   
8. Run the Exercise: Facilitate the exercise according to the plan, ensuring that participants engage with the scenario and make decisions as they would in a real incident.
   
9. Debrief: After the exercise, gather all participants to discuss what happened, what was learned, and what could be improved.
   
10. Document the Outcomes: Immediately record the key takeaways, decisions made, and any identified gaps or weaknesses in your current cybersecurity posture.
    
11. Reporting: Prepare a comprehensive report outlining an analysis of the findings, including recommendations for improving policies, procedures, and response strategies.
    

This step-by-step approach ensures a structured and effective tabletop exercise, providing valuable insights into your organization's cybersecurity preparedness. In the next unit we explore how these steps come together to produce valuable and useful information in strengthening an organization’s cybersecurity posture.

Resources

• Trailhead: Get Started with Cybersecurity Risk Management
  
• Trailhead: Responsibilities of a Penetration Tester
  
• Trailhead: Threat Modeling for Threat Hunters
  
• External Site: Center for Internet Security (CIS): Tabletop Exercises (TTX)
  
• External Site: CISA: CISA Tabletop Exercise Packages
  
• External Site: NIST: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
  
• External Site: Nexight Insight: 9 Steps to Design a Powerful Tabletop Exercise
  
• PDF: World Economic Forum: Unlocking Cyber Resilience in Industrial Environments: Five Principles
  
• PDF: GFCE: Introduction to Tabletop Exercises (TTX)