Incident response

How to conduct a tabletop exercise

Sharpening incident response teamwork at the tabletop can bring lasting rewards in breach mitigation and preparation.


As you discovered in the first installment of this five-part series, tabletop exercises can be an important practical tool for reviewing and updating incident response plans. You should schedule them to correspond with yearly Incident Response (IR) plan reviews.

When you use existing incident response measures as you play out tabletop data breaches, you uncover holes in IR that can amplify disaster when real data compromise hits the proverbial fan. Unexpected results in tabletop scenarios can foster positive change in IR planning to prepare the enterprise.

Sit back, relax, and read as CSO Magazine takes the wheel in this practical, resource-rich ride across the corporate tabletop.

Getting exercises to the table, posthaste

When it’s time to exercise those IR muscles, there’s no need to develop your tabletop trapeze/apparatus from scratch. Established organizations offer ample resources to choose from, including design guidance and sample exercises.

The Information Systems Security Association offers a PowerPoint presentation with extensive detail on planning, running, and getting the most benefit from tabletop exercises. The presentation also links to other useful resources. A whitepaper from the SANS Institute details the creation of realistic, role-based exercises that are embedded in IR plan reviews. The state of Michigan offers ready-made tabletop exercise examples.

To keep exercises current, refer to the data breach reports included in the previous feature about reviewing IR plans and weave new breach threats and scenarios into your tabletop interactions.

7 simple steps to ensure a successful tabletop experience

Here are seven simple steps that go a long way toward furnishing an efficient, fruitful tabletop exercise, courtesy of BakerHostetler Counsel M. Scott Koller:

Step One: Secure C-Level Buy-In. Full buy-in from C-levels and upper-management will enable you to secure dedicated resources and personnel for the tabletop project.

Step Two: Reserve Hours For Exercises For More Empowerment. By reserving several hours for the exercises in a single room or facility with all the Incident Response Team members present, you can address the breach scenario concerns of all team members while meeting their needs for updated exercise results.

Step Three: Poll Your Stakeholders. “Consider polling your IT, legal, and compliance teams asking what kinds of incidents keep them up at night,” says Koller. Use that list to focus the tabletop exercises on the scariest breach events.

Step Four: Correlate That List With Recent Breaches. To focus that list further, look for intersections between what your stakeholders tell you and the recent breaches you find recorded and described at breach reporting sites such as the BakerHostetler Breach Report and similar resources described in the previous story on IR plan reviews.

Step Five: Take A Walk Through Peril. By proceeding through the mock incident, stopping at each new factual development to regroup, reassess, and discuss the organization’s response, the business can prepare for even the more fine-grained elements of the breach.

Step Six: The End Is Not The End. At the end of each exercise, compare what happened in the mockup to what the IR plan says should happen. “If during the tabletop exercise, the IRT doesn’t know what to do next or is struggling with how to handle a factual development, that is a sign of a potential gap in the IRP. Another sign of a potential gap is if only one person knows what to do next and those steps are not outlined in the IRP,” says Koller.

Step Seven: Repeat Until Complete. Repeat with a new exercise until the existing plan is addressed and improved as needed. “Customize the exercises to fit the organization and to include the types of incidents that the organization is likely to face. On average, I recommend at least three different exercises with a varying degree of size and severity,” says Koller.

Rewards of tabletop exercises

Tabletop exercises come with several rewards, which can accumulate year on year. Obviously, improving the IR plan is a requirement and not just a byproduct of these exercises. In addition, teams should acquire an increasingly intimate knowledge of the types of breaches that threaten the enterprise through their participation. Teams should expect to perform better at resolving incidents with every exercise; these improvements should transfer to their real-world experiences.

Tabletop exercises can also help before and during an incident by firming up weaknesses that could otherwise extend breach event damage. “I have seen organizations conduct a tabletop exercise only to find out that they were not keeping the log data they would need to rule out potential unauthorized access. Luckily, this issue came up during the tabletop exercise, allowing the organization to modify their retention program to keep the log data for an extended period,” says Koller.

Bicycle instructions, all assembly required

If you’ve ever tried to assemble a new bicycle or other product using a kit and written instructions, you know that whether you end up with a sporty, two-wheeled riding experience or simply a useless piece of abstract art/junk depends greatly on the quality of the instructions.

So it is with incident response. The only difference is that, thanks to tabletop exercises, you get to test the instructions before you actually dive into building that bicycle, or enacting that live response, as the case may be.

Follow on to the next part of the series.

Copyright © 2016 IDG Communications, Inc.
