CIR Testing and Exercising
Designing a Cyber Security Table Top Exercise
Tabletop exercises provide the organisation with a low-stress environment for members from different teams to communicate and evaluate their response procedures. The team members are trained on how to think and react to manage inevitable cyber security incidents efficiently.
1. Before the Exercise
In-depth preparation (Rainey, 2017) will most likely result in successful tabletop exercises. Before developing the cyber scenarios, the team designing the test has to meet some prerequisites.
The tabletop exercise's targeted audience is busy performing daily operations, some of which are of higher priority and take precedence over the exercise. Hence, the number of scenarios, the timing and the location of the exercise should be determined early so that the participants can set aside time to participate. Once these three factors are finalised, minimise the probability of changing them, as any changes might result in conflicting schedules.
The attendance of participants for the exercise is crucial because it ensures that all members are aware and trained on the appropriate response procedures to undertake during a cyber security attack.
Additionally, the team has to determine who should be taking part, depending on the scenario. From here, different objectives are established for which the participants of the exercise will aim.
The success or failure of the exercise is determined by how many objectives are met. If the exercise is a success, the participants can return to their respective departments and train their staff on the procedures.
If it is a failure, adjustments must be made to improve the CIR plan. Once the improvements have been made, a follow-up exercise is conducted to evaluate the improved procedures. This cycle continues until all objectives of the exercise are met.
1.1 Design
The scenarios developed have to be realistic to simulate the actual environment of a cyber security attack. Although it is less stressful than an actual cyber security incident, valuable lessons can still be gained from the exercise as the scenarios developed are aligned with the cyber security incident management processes and kill chain.
The participants of the exercise have set aside a period away from their daily operations to take part in the exercise. It is also a rare opportunity for key players from different organisation departments to gather in one location.
Therefore, maximise the learning opportunities during the exercise by providing them multiple scenarios to work as a team and go through the mitigation and response procedures.
The scenarios given to the participants during the exercise should prompt interaction among them; through coordination and alignment of processes, the ability to manage cyber security incidents can improve.
Since the participants have gathered, the time spent in the exercise has to be optimal. The scenarios should highlight the severity of cyber security attacks on the organisation to instil the mindset in the participants that effective management of cyber security incidents is their responsibility, encouraging them to communicate and share opinions.
2. During the Exercise
Although the scenarios require the participants to think, they should not overthink. Some participants tend to find faults (Rainey, 2017) within the scenarios as their thought processes are slightly different. Complicating the scenarios does not help anybody as it throws the entire exercise into mayhem, making communication between parties much more difficult. It is the facilitator’s responsibility to prevent this situation from occurring. Under normal circumstances, when the participants reach a dead end, the facilitator should guide them by asking questions, not giving the answers directly, so the participants can adjust their thought process and response procedures appropriately to resolve the scenario.
3. After the Exercise
Based on the exercise results, the organisation can decide if they can proceed with testing another component of the CIR plan or if some adjustments must be made to the documentation and a follow-up exercise needs to be conducted.
One of the objectives of conducting a tabletop exercise is to improve the organisation’s ability to manage any cyber security incident. Hence, during peace times, in a stress-free environment, the participants can use this opportunity to discuss and review the failures (Rainey, 2017) that were identified during the exercise.
Actions that can be implemented to improve the plan document are identified and followed up on.
After multiple tabletop exercises, the participants become accustomed to the simulated cyber security incident environment and the level of teamwork between the respective parties increases. The focus should then shift to executing specific processes and procedures to handle targeted simulations.
4. Example
The goal of the tabletop exercise (State Office of Cyber Security, 2016) is to increase security situational awareness and to facilitate discussion of incident response in as simple a manner as possible, targeting a time range of 15 minutes. The exercises provide an opportunity for management to present realistic scenarios to a workgroup to develop response procedures.
4.1 How to best use the tabletop exercise?
- Modify the tabletop scenario as needed to conform to the organisation’s environment;
- Engage management;
- Present scenario to the workgroup;
- Discuss the process to address the scenario; and
- Document the response and findings for future reference.
4.2 Exercise Scenario
An employee just received a somewhat panicked call from one of the system administrators detailing that the organisation has been hit by ransomware. This ransomware seems to have infected and then encrypted all the data, including backups, of two of the servers. According to the ransom the organisation received, it must pay it in a week, or the encryption key will be deleted and the data lost forever.
The work week is bustling, and people are asking why the servers are down. How should the organisation respond?
4.3 Items to Discuss
- How to determine which business units and processes rely on the servers?
- Is there information regarding the business units’ Recovery Point Objective?
- Is there information regarding the business units’ Recovery Time Objective?
- What options are available if those two objectives can’t be reached?
- Who to report the incident to?
- How to communicate with the business units?
- What’s the message to provide to business units? How about the executives?
- What would be the messaging for the public if the impact was on a critical public-facing business process?
- Should the Continuity Of Operations Plan (COOP), IT Disaster Recovery (DR) or Business Continuity (BC) Plan be activated?
- How to make sure to prevent future infections?
- How to determine the infection vector?
- What forms of backups are available?
- Are off-site hardcopies of the organisation’s data available?
- How quickly to gain access to them?
- What’s the most recent version available?
- How to prioritise which server to recover from first?
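As an added worked example that is not part of the original text: a small triage helper for the RPO/RTO and recovery-priority questions above, run over constructed data matching the scenario (two servers hit, on-site backups encrypted, one off-site copy). Server names, business units and their objectives are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# A backup copy; intact=False means it was encrypted together with the server.
Backup = namedtuple("Backup", "server taken_at intact restore_hours")
# A business unit, its server dependencies and its recovery objectives (hours).
BusinessUnit = namedtuple("BusinessUnit", "name servers rpo_hours rto_hours critical")

def assess(units, backups, incident_at):
    """Per unit: can RPO/RTO still be met, and which servers have no intact copy."""
    verdicts = {}
    for u in units:
        loss, restore, missing = 0.0, 0.0, []
        for s in u.servers:
            copies = [b for b in backups if b.server == s and b.intact]
            if not copies:
                missing.append(s)
                continue
            newest = max(copies, key=lambda b: b.taken_at)
            loss = max(loss, (incident_at - newest.taken_at) / timedelta(hours=1))
            restore += newest.restore_hours  # servers are restored one after another
        verdicts[u.name] = {"rpo_met": not missing and loss <= u.rpo_hours,
                            "rto_met": not missing and restore <= u.rto_hours,
                            "no_backup": missing, "data_loss_hours": loss}
    return verdicts

def recovery_order(units, servers):
    """Rank servers: most critical dependents first, then tightest RTO, then most dependents."""
    def key(s):
        deps = [u for u in units if s in u.servers]
        return (-sum(u.critical for u in deps),
                min((u.rto_hours for u in deps), default=float("inf")), -len(deps))
    return sorted(servers, key=key)

# Constructed data (assumed names): the on-site copies were encrypted with the servers,
# only an off-site tape of the ERP server from 36 hours earlier survives.
INCIDENT = datetime(2024, 3, 4, 9, 0)
BACKUPS = [Backup("srv-erp", INCIDENT - timedelta(hours=2), False, 1),
           Backup("srv-files", INCIDENT - timedelta(hours=2), False, 1),
           Backup("srv-erp", INCIDENT - timedelta(hours=36), True, 8)]
UNITS = [BusinessUnit("Finance", ("srv-erp",), 24, 12, True),
         BusinessUnit("HR", ("srv-files", "srv-erp"), 72, 48, False)]

def run_scenario():
    """Verdicts per business unit plus the suggested server recovery order."""
    return assess(UNITS, BACKUPS, INCIDENT), recovery_order(UNITS, ["srv-files", "srv-erp"])
```

The output shows Finance missing its RPO despite meeting its RTO, and HR with no usable copy of the file server at all, which is exactly the "what options are available if those objectives can't be reached" discussion the exercise is meant to provoke.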
4.4 Items to Report
- Did communications flow as expected? If not, why?
- Were processes and procedures followed?
- Were there any surprises?
- How well did the exercise work for the organisation?
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 30 Appendix 20: Designing a Cyber Security Table Top Exercise
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.