
Tabletop Exercises: Real Life Scenarios and Best Practices

Anupama Mukherjee • Sep 15, 2023

From insider threats to malware infections, and even the most sophisticated nation-state attacks, tabletop exercises allow you to identify strengths, weaknesses, and areas for improvement in your security posture. They help you fine-tune your incident response strategies, ensuring that when the unexpected occurs, your team is ready to act swiftly and effectively.


In this blog post, we're exploring some important example scenarios for these exercises. Special thanks to Debasis Mohanty, one of our Principal Security Consultants, for sharing his expertise and insights, which have been instrumental in creating this informative content.

What are Cybersecurity Tabletop Exercises?

Cybersecurity tabletop exercises are simulations of real-world attacks designed to test an organization's ability to respond to a cybersecurity incident. The exercise is a practice run for responding to cyber incidents, with hypothetical attacks launched against the organization. However, it is entirely scenario-based and does not involve an actual attack. It is a kind of role-playing exercise in which participants and key stakeholders from the organization carry out their responsibilities as they would in the event of a cyber incident.


It is a practice session for responding to a real attack, like a fire drill. Its main objective is to test if everything is in place and working as intended during a real attack. How effective is your response plan? Are there any gaps in your process chain? These are some of the questions that a tabletop exercise can help answer.


The security experts that lead the exercise observe the participants and stakeholders and give feedback on what they did well and what they could have done better. These recommendations are then used to make process improvements, enhance the response plan and ensure that the organization has a greater chance for survival and success in the event of a real attack.

Hybrid Tabletop Exercises

While a typical tabletop exercise doesn't involve a real attack, a hybrid tabletop exercise can encompass both role-playing and a realistic attack simulation. This approach mimics real-world scenarios within the tabletop exercise to assess the preparedness of the blue team. However, an engagement like this would require more time and resources than a typical tabletop exercise.


A tabletop exercise is not designed to evaluate the effectiveness of your security controls; that is a task best suited to an attack simulation or penetration test. What it tests is how well the key stakeholders in your organization are prepared to respond to an incident. Do they know what to do? Do they know who to call? Is there a communication chain in place? These are some of the things security experts look for when conducting a tabletop exercise.

Exercise Design and Implementation

Before designing a tabletop exercise, it is essential for the security team to have a clear understanding of the enterprise security architecture and the associated business processes.


Tabletop exercises typically begin with a detailed examination of the enterprise security architecture to identify critical assets and processes. In preparation for the exercise, security experts gather information on important aspects such as critical assets, existing security controls and policies, levels of access, and other relevant details. This high-level overview serves as the foundation for building and implementing the tabletop exercise, providing valuable context for the facilitators and participants.


Common Cybersecurity Tabletop Exercise Scenarios

Tabletop exercise scenarios can vary widely from organization to organization, based on factors such as critical digital assets (such as networks, applications, and sensitive data), business operations (such as data processing and transmission), and third-party transactions (including vendors and business partners). Through our experience, we have identified several scenarios that are frequently used due to the increasing frequency of these types of attacks and their impact on enterprise security. In this section, we will explore these examples.

Scenario 1: Insider Threats

Scenario: A DevOps engineer, responsible for managing software on your organization's cloud infrastructure and holding a position of trust, engages in malicious activity. This engineer, motivated by personal gain, decides to leak sensitive company information. Leveraging their extensive access privileges, they intentionally expose company credentials on the internet. As a result, an outsider discovers the exposed credentials and sends an email to the CISO, notifying them of this security breach. What is the most effective way to respond?


Discussion points:


  • Who within the organization needs to be immediately informed about the incident?
  • How should the organization identify the extent of data exposure and the specific information that has been compromised?
  • What steps should be taken to change company credentials and secure them?
  • Should access to critical servers be temporarily shut down or limited?
  • What procedures can be put in place to prevent insider threats like this in the future?
  • What steps can the organization take to bounce back from a security breach and reduce the risks associated with exposed data?
  • Are there policies and training programs in place to address insider threats and the handling of sensitive data?
  • What is the process for monitoring privileged users' activities and identifying suspicious behavior?

Scenario 2: Malware Infection

Scenario: An employee within your organization received an email with a seemingly innocent attachment from an unknown source. Curious, the employee opened the attachment, which contained a malicious payload. This malware spread through the employee's computer and subsequently infected several other machines within your organization's network. What will your response be?


Discussion points:


  • How can the organization identify the type and source of the malware?
  • What immediate actions should be taken to isolate and contain the infected machines?
  • How should the organization communicate the situation to key stakeholders and employees?
  • What measures should be taken to prevent accidental introduction of malware into the systems in the future?
  • Is there a process for patching or updating systems to address malware vulnerabilities?
  • What steps can be taken to educate employees about the risks of opening suspicious attachments and maintaining cybersecurity hygiene?

Scenario 3: Nation-State Attack

Scenario: Your organization is a pharmacy company. Imagine a hacking group from Russia is planning an attack on your company. They have managed to compromise one of your critical servers through a combination of social engineering and exploiting vulnerabilities in your infrastructure. You notice suspicious activity on your network but are unsure which server has been compromised. You want to determine which server has been compromised and what level of access the attacker has to your systems. How will you respond?


Discussion points:


  • Who should lead the response efforts in the event of a suspected nation-state attack?
  • What security controls should be in place to detect and respond to such attacks?
  • What is the process for conducting a root cause analysis to understand the attack's origin and entry point?
  • How can the organization determine the scope of the breach and assess the attacker's level of access?
  • What measures should be taken to prevent similar attacks in the future?
  • Is there a process for monitoring outgoing traffic and firewall logs to detect unusual behavior?
  • Should an external party be brought in for an independent assessment of the situation?
  • How can the organization improve its security posture against nation-state threats?

Scenario 4: Accidental Compromise

Scenario: Your organization recently purchased a new software package from a third-party vendor to enhance its customer service. The vendor had suffered a security breach in their supply chain, and the software package you received was compromised without your team's knowledge. When the software was installed on your organization's servers and staff members' systems, it introduced vulnerabilities that allowed attackers to gain unauthorized access to sensitive data. How would you respond?


Discussion points:


  • What processes and criteria are in place for vetting third-party vendors and their software?
  • How can the organization identify and assess the vulnerabilities introduced by the compromised software?
  • Are there lists of approved and whitelisted software applications?
  • What data has been exposed, and is there evidence of data exfiltration?
  • How can the organization improve its supply chain security to prevent such incidents?
  • What measures should be taken to remediate the vulnerabilities and secure sensitive data?
  • Should the organization consider legal action or penalties against the vendor for the security breach?


Scenario 5: Social Engineering Attack

Scenario: An employee in your organization received an urgent email purportedly from a high-ranking executive, requesting them to share their Office 365 login credentials due to a supposed IT emergency. Believing the message was legitimate, the employee provided their credentials. The attacker gained access to the employee's Office 365 account and began sending phishing emails from their account to other employees, further compromising sensitive data. What would you do to respond?


Discussion points:


  • What actions should be taken immediately upon discovering the social engineering attack?
  • How can the organization identify the extent of compromised accounts and the data accessed by the attacker?
  • Is there a process for notifying affected employees and educating them about social engineering risks?
  • What steps should be taken to recover control of compromised accounts and mitigate further damage?
  • Should the organization conduct an internal investigation to understand the scope and impact of the attack?
  • How can the organization improve internal security awareness and training to prevent future social engineering attacks?
  • Are there policies in place to verify the authenticity of urgent requests for sensitive information?
  • Should additional layers of authentication and authorization be implemented to prevent unauthorized access to critical systems?

Reference for scenario templates: Center for Internet Security (CIS)

General Rules of Thumb for Incident Response

  • Assume everything is compromised.
  • Make sure to inform all the key stakeholders, as well as all your customers, suppliers, and anyone else that has an interest in your business, that you have been breached.

Is a Tabletop Exercise for You?

If your enterprise has a lot of data and systems that are critical to the success of your business, and you have a lot at stake if you get breached, then you should absolutely do a tabletop exercise. The consequences of a data breach can be catastrophic, including reputational damage, fines, and lost customers. And if your business is in a regulated sector, such as healthcare, finance, or government, then it is even more important to be prepared for a breach. You can't take chances.

Conclusion

In a world where cyber threats are ever-evolving, preparedness is key to safeguarding your organization's digital assets and reputation. Through the scenarios we've explored, we've seen how tabletop exercises can be powerful tools for testing your team's response to a wide range of security incidents.


Ready to take the next step? Contact our seasoned security experts to schedule a meeting and design tailored exercises that safeguard your digital future.
