Blog

How to Perform a Cyber Security Tabletop Exercise

Incident response planning is an important part of any organization’s cyber security program. Having a proper plan in place ensures smooth communications and quick decision-making in the event of a breach or attack.

To facilitate planning, the team at Thrive devises cyber security tabletop exercises to help organizations identify and prepare for various scenarios. The goal is to increase situational awareness and facilitate discussion of incident response.

This invaluable exercise clarifies an organization’s incident response plan, identifying what works and where improvements should be made.

Types of Cyber Security Incidents to Prepare For

An incident can occur at any time and involve many variables, so it is not always practical to write step-by-step instructions for every potential incident. A tabletop exercise instead provides clarity on how to handle each type of incident with an actionable strategy.

First, it is important to understand the types of attacks that can occur. The categories below follow the attack vectors defined in NIST SP 800-61 (the Computer Security Incident Handling Guide):

  • External/removable media: An attack executed from a flash drive, CD, or other removable device
  • Attrition: A brute force attack meant to compromise, degrade, or destroy systems, networks, or services (for example, password guessing against a login service, or a denial of service that exhausts resources)
  • Web: An attack executed from a website or web-based application (for example, cross-site scripting or a drive-by download)
  • Email: An attack executed via an email message or attachment (phishing)
  • Improper usage: An incident resulting from a violation of the organization’s acceptable usage policies
  • Loss or theft: A computing device or storage media used by the organization, like a smartphone or laptop, is lost or stolen

These categories can be used to define specific responses, since each type of incident calls for its own containment and recovery steps.

As the tabletop exercise commences, Thrive runs through various scenarios, discussing proper course of action at each inflection point.

Preparation
Before any technology or business practice discussion begins, a risk assessment is performed. The assessment can be formal or informal; its purpose is to document the network infrastructure and establish a baseline of typical network activity, so that deviations from that baseline can be recognized during the exercise and during a real incident.

Identification
The mock scenario seeks to detect the incident and determine its scope, while involving the appropriate parties. Information sources are analyzed, including antivirus logs, failed and successful server connection attempts (for example, authentication logs), and suspicious network traffic.
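To make the identification step concrete for the attrition category above, here is an added example (not part of the original post or of Thrive’s tooling) that runs simple brute-force detection logic over constructed sshd-style authentication log lines. The log lines, the year assumed for the timestamps, and the threshold of five failures per source within sixty seconds are all assumptions for the exercise; a real deployment would tune them to the baseline from the preparation step. The detector flags a source address once it crosses the threshold, records which accounts it targeted, and escalates if that same source later logs in successfully, which is the point at which a tabletop scenario should move from identification to mitigation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in OpenSSH's default syslog format (not real data).
# The attacker at 203.0.113.45 tries several accounts, then succeeds as root.
SAMPLE_LOG = """\
Mar 12 09:14:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 09:14:03 web01 sshd[2313]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar 12 09:14:05 web01 sshd[2315]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 12 09:14:06 web01 sshd[2317]: Failed password for root from 203.0.113.45 port 51049 ssh2
Mar 12 09:14:08 web01 sshd[2319]: Failed password for invalid user oracle from 203.0.113.45 port 51055 ssh2
Mar 12 09:14:10 web01 sshd[2321]: Accepted password for root from 203.0.113.45 port 51060 ssh2
Mar 12 09:20:44 web01 sshd[2402]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Mar 12 09:31:02 web01 sshd[2480]: Accepted publickey for alice from 198.51.100.7 port 40300 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(log_text, year=2024):
    """Return a list of (timestamp, result, user, source_ip) tuples.

    Syslog lines carry no year, so one is assumed (2024 here).
    Lines that are not sshd authentication results are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_attrition(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: finding}. A finding records when the burst started, how many
    failures were in the window, the distinct accounts targeted, and, if the
    same source later authenticated successfully, which account it got into.
    """
    recent_failures = defaultdict(list)  # ip -> [(ts, user), ...] within the window
    findings = {}
    for ts, result, user, ip in events:
        if result != "Failed":
            continue
        window = recent_failures[ip]
        window.append((ts, user))
        # Drop failures that fell out of the window (events are in time order).
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.pop(0)
        if len(window) >= threshold and ip not in findings:
            findings[ip] = {
                "first_seen": window[0][0],
                "failures": len(window),
                "users": sorted({u for _, u in window}),
            }
    # Escalation check: a successful login from a flagged source after the burst
    # began means the brute force likely worked and containment is now urgent.
    for ts, result, user, ip in events:
        if result == "Accepted" and ip in findings and ts >= findings[ip]["first_seen"]:
            findings[ip]["compromised_account"] = user
    return findings


if __name__ == "__main__":
    for ip, finding in find_attrition(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The single failure from 198.51.100.7 followed by a key-based login is ordinary user behaviour and is not flagged; the burst from 203.0.113.45 is flagged on its fifth failure and then escalated because the same source is accepted as root two seconds later. That escalation is the kind of inflection point the facilitator should pause on: who is notified, and what is the first containment action.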

Mitigation
The primary goal of mitigation is to lessen the impact of a security incident. It is generally assumed that incidents will occur from time to time, so containing the incident and limiting its effects are key. This portion of the exercise includes the steps for isolating an infected host or network segment from the internet and from the rest of the network, and for throttling or blocking distributed denial of service (DDoS) traffic. Containment should also preserve evidence where possible (for example, by isolating a machine rather than immediately wiping it), since the later analysis stage depends on it.

Remediation
The remediation stage makes impacted services reachable again. It involves discussing best practices for applying security patches, updating antivirus signature databases, and restoring data from backups that are known to predate the compromise, since restoring from an infected backup reintroduces the problem. If data was exposed or cannot be recovered, a report must be provided to executive management, and the applicable legal and customer-facing teams must be made aware of the issue.

Recovery/Root Cause Analysis
Recovering from an incident is key to future success. The analysis exercise identifies what went right and what went wrong, and produces a timeline of the important events. We discuss the results of the incident and the lessons learned, and explain the steps to take in order to respond more effectively to a real attack.

The Benefits of Completing a Tabletop Exercise

A tabletop exercise raises security awareness within an organization, highlighting what could occur during a real cyberattack. It is meant to highlight deficiencies and weaknesses, so proper steps can be taken to prepare an efficient organizational response in advance.

The exercise determines whether an organization can coordinate communications, business operations, and external parties, with every scenario designed to focus on the likeliest threats.

Thrive provides enterprises with the tools to facilitate a tabletop scenario, but we also have the capability to run the exercise from beginning to end. To get better insights into the readiness of your organization’s cyber security incident response plan, contact our experts today.