I design and facilitate many incident response tabletop exercises (TTX) at work. When I saw this book announced by No Starch Press, I had to jump on the pre-sale. This was an easy read. I read and marked it up during a single flight. It is a resource that anyone charged with running a TTX should be familiar with.
You can get a feel for the logical structure and flow of the book by looking at the summary contents listing. This, along with the detailed contents listing that follows (five pages long), makes it very easy to navigate, and you can easily return to it as reference material. One of the benefits of buying from No Starch is the ability to get both the physical and digital copy together.
Notable Takeaways
When looking to establish what a tabletop exercise is:
This book uses the definition created by the United States’ Homeland Security Exercise and Evaluation Program (HSEEP), which defines an exercise as “an event or activity, delivered through discussion or action, to develop, assess, or validate plans, policies, procedures, and capabilities that jurisdictions/organizations can use to achieve planned outcomes.”
The need for a TTX to break outside the confines of the IT department is made clear:
Gone are the days in which a cybersecurity event is a one-person operation. Today, incident response requires input from various stakeholders from both technical and strategic backgrounds.
You can also build a program that makes the TTX process a value-add instead of a backwards-looking, check-the-box obligation:
for the forward-thinking organization, a tabletop exercise can explore the effect of a proposed process change before it is implemented.
The tabletop exercise should not, however, become a “check the box” affair item to fulfill a contractual obligation or a regulatory requirement. Attendees should all understand that the tabletop exercise is an opportunity to learn, grow, and prepare for a cybersecurity emergency.
Your exercise doesn’t have to target the most significant business impact, but you should focus on a scenario that is relevant enough to capture the attendees’ attention.
When looking at the results of the Ponemon Institute and IBM Security, Cost of a Data Breach Report 2023:
The 2023 report found that having an incident response plan and testing it regularly is the second most impactful cost mitigator of 28 studied factors.
With that being said, we all still have a LONG way to go:
Organizations that test their incident response plan have a mean time to identify of 196 days and a mean time to contain of 62 days, which is faster than organizations that just have an incident response team.
A good reminder to keep the scenario interesting, but also to make sure you keep things grounded in the real world:
when a tabletop exercise scenario is based on what has actually happened versus what could happen, there’s often a greater level of collaboration among participants.
Participants may have to suspend a certain degree of disbelief, and a scenario may push the boundaries of what is plausible, but it should not be utterly absurd.
Try looking at real events for inspiration, including documented cyberattacks, organizational failures to properly respond to an incident, known malware, and insider attacks.
During the tabletop exercise, the facilitator may be put in the position of having to defend the scenario’s viability. In these cases, they might find it useful to have statistics or brief case studies on hand to present to the audience.
When it comes time to build out your program, or perhaps revamp an existing program, make sure you have the proper organizational support in place:
The sponsor’s exact role and identity will vary depending on the type of exercise you’re pursuing, the maturity of the organization, and the participants in the exercise, but sponsors are generally two or more rungs higher on an organizational chart than the highest-ranking participant.
The executive sponsor should understand the processes being tested but doesn’t necessarily need an in-depth mastery of the topic.
And of course, make sure you are setting up the TTX to succeed by tailoring it to the audience:
Senior-level exercises generally focus on strategic concerns of the business, organizational authorities, and decision-makers. Operational-level exercises address the technical, hands-on aspects of the response.
Each session should be treated as its own self-contained tabletop exercise, with separate attendees and specific areas of focus.
Remember, you are the facilitator, not the main character:
Although each tabletop is different, you should limit yourself to the following tasks:
Providing clarification, when needed, about the scenario and injects
Controlling the discussion so that the group can explore topics in their entirety while ensuring they don’t waste time going down rabbit holes that don’t align with the exercise’s objectives
Identifying comments and concerns that warrant additional discussion
Injecting your own professional expertise by asking targeted questions to explore potential deficiencies
Recording themes and potential deficiencies to document after the tabletop exercise
Keeping track of timing and working through the scenario at the appropriate pace
A facilitator is akin to a referee at a sporting event; you should aim to speak no more than 30 percent
A common facilitation technique is to enter the event with several questions ready to ask participants.
The exercise is important, but make sure you don’t forget to do the real work:
The most important work occurs after the conclusion of the exercise, in the evaluation phase.