A tabletop exercise—sometimes abbreviated TTX or TTE—is an informal, discussion-based session in which a team discusses their roles and responses during an emergency, walking through one or more example scenarios. The atmosphere is collegial and exploratory, and is not meant to put participants in the mindset they’d have during a disaster. Tabletop exercises are used to prepare for all sorts of crises, but cybersecurity and disaster recovery are common areas of focus.
But perhaps the best way to really understand what a tabletop exercise is all about is to compare it to the other types of exercises. It is less intense than a functional exercise, in which a command center might be staffed by participants playing out a scenario in real time, or a full-scale exercise, which can involve emergency personnel responding a simulated crisis in the field. A tabletop exercise, by contrast, is played out, as the name implies, around a table, with participants responding to the leader’s prompts and description of a scenario with suggestions drawn from their organization’s emergency plans.
One important thing to keep in mind, as the State of Massachusetts’s own emergency preparedness division points out, is that tabletop exercises are not meant to be a test or a competition. They should be approached as a collaborative learning situation and no-fault environment. After all, if the organization discovers a weakness in their defenses or problem with their processes in the course of the exercise, that can be thought of as a good thing—better to figure that out during an exercise than a real crisis, after all.
Tabletop exercises in cybersecurity
Tabletop exercises are not limited to the cybersecurity realm; any organization that has to confront potential crises and disasters can benefit from playing one out. For instance, the State of Oregon used tabletop exercises to game-plan potential responses to shifts in the coronavirus pandemic in 2020.
But in many ways tabletop exercises are particularly suitable—and important—for cybersecurity environments. They’re designed to expose weaknesses in organizational structures and to make sure that people actually follow protocols and best practices that seem like they’re in the realm of theory most of the time. After all, the best laid plans often fall apart when real-world human have to implement them. While there are plenty of ways to test the technical aspects of your cyberdefenses, a tabletop exercise tests the human and organizational factors that are just as important for cybersecurity.
Things to consider for a tabletop exercise
The first question to ask yourself is whether a tabletop exercise is appropriate for your organization. It’s only worth starting the process if you already have some form of response plan in place for the scenario you’ll be running through. Tabletop exercises are great for testing plans, but if everyone involved is just improvising, that can’t tell you much. You’ll also need institutional buy-in for the process: there’s no point in running through the exercise if management doesn’t agree to let you change plans and policies based on the results.
The PlexTrac blog proposes a series of basic questions you need to answer once you’ve decided to move forward. Hopefully our description so far has brought home the reasons why an organization would conduct one. Just as important a question, however, is who will participate. This goes beyond just needing to know the emails of people to invite; the types of team members participating will shape exactly what kind of exercise you’ll have. For instance, an exercise where the participants are all members of your cybersecurity team might focus on identifying and defeating an advanced persistent threat; an exercise where participants are drawn from across the company might look at the consequences of a cyberbreach and how technical, legal, and communications departments should react to it.
Another important question to consider is when: Should you conduct tabletop exercises annually, or more frequently, to drum up vigilance among your employees? Then there’s where: The obvious location, as you’d guess from the name, is sitting around the table in a conference room, but exercises could also be conducted via videoconference for distributed teams. Finally, there’s the absolutely crucial question of how. While there’s no one right way to conduct a tabletop exercise, there are some important tips that will help you make the most of your tabletop exercises.
Planning a tabletop exercise
Jack Eisenhauer at the Nexight Group outlines a process for planning a tabletop exercise that takes many of the above questions into consideration. He breaks down the process into three phases, each of which includes three key activities. These correspond to the time before, during, and after the exercise takes place, but you’ll need to plan in advance to make sure each step comes off properly in practice.
- Clarify the objectives and outcomes, determining what you hope to achieve and how you’ll use the results after the exercise is over.
- Choose your participant team, including key decision makers and perhaps even executives who can use their influence to put an after-report into action.
- Design a scenario and exercise plan that’s believable and will prompt discussion.
- Create an interactive, no-fault space, encouraging people ask questions and make mistakes.
- Ask probing questions of the participants, following a script but being prepared to improvise.
- Capture issues and lessons as you go using visual tools and a timeline—don’t rely on note-takers.
- Prepare an after-action report that includes documentation of the exercise along with areas of potential improvement.
- Create a specific near-term plan based on the results of the exercise.
- Provide tools and guides to boost learning, finding resources that feed the needs revealed by the exercise’s outcome.
Tabletop exercise objectives
Let’s focus for a moment on one element here: the objectives of the exercise. To put it bluntly, what are you hoping to get out of running a tabletop exercise for your organization? It’s important to distinguish these objectives from the goals for the participants within the exercise itself. For instance, participants in a tabletop exercise might have the goal of figuring out how to restore your organization’s databases as quickly as possible in the wake of a disaster. But the overall objective of conducting the exercise is to stress-test the organization’s disaster recovery plan and see if teams know how to best work together in the face of unexpected problems.
The National Association of Regulatory Utility Commissioners, a group that knows a little bit about the necessity of being prepared for a crisis, suggests the objectives be SMART, by which they mean:
- Specific—addressing concrete questions and specifying action items
- Measurable—establishing metrics for success up front
- Achievable by the participants in the time allotted
- Relevant to the mission of the organization
- Time-bound within a reasonable timeframe established in advance
Leading a tabletop exercise
There are plenty of consultants who will be happy to lead a tabletop exercise at your organization; however, due to these exercises’ informal nature, more often than not they’re led by internal staff, and you almost certainly have someone who would do a fine job of leading a tabletop exercise using a guide and some solid examples.
The State of New York has a great facilitator guide for tabletop exercises. While much of this document focuses on a specific tabletop exercise the state runs to prepare for a catastrophic hurricane, the first few pages provide valuable tips on leading a tabletop exercise that are applicable to any topic area. It begins by laying out the big-picture responsibilities of the facilitator:
- Introducing the narrative
- Encouraging problem solving
- Controlling the pace and flow of the exercise
- Stimulating discussion and drawing answers and solutions from the group (rather than supplying them)
The guide also provides tips on involving all participants and controlling and sustaining the action. One of the big keys is to watch for signs of frustration and conflict. Remember, the exercise is intended to be collaborative, not confrontational. In particular, junior staffers need to be given space to comment in front of management, so try to include everyone on an equal footing.
Tabletop exercise examples and scenarios
We’ve been talking largely in generalities here so far. What scenarios might play out in a real-world example? The Center for Internet Security offers six scenarios that can put your cybersecurity team through the paces:
- The quick fix: A network admin deploys a patch without testing it and then heads out on vacation, leaving users unable to log in.
- A malware infection: A user inserts an SD card infected with malware into their company laptop.
- The unplanned attack: A hacktivist group targets your organization—what will they find when they launch their attack?
- The cloud compromise: Your organization has been storing sensitive data with a cloud storage service that’s been hacked, potentially exposing customer information.
- Financial break-in: An audit reveals your payroll system is issuing checks to people who aren’t employed there.
- The flood zone: While dealing with rising waters at your company headquarters, you’re struck by ransomware
The document linked above has some great details on how these scenarios would play out in a tabletop exercise and what questions you’d pose to your participants.
The document also outlines much of what you’d need to actually run these exercises in your organization. Several of them fit into these two categories, which are perhaps the most common types of cybersecurity tabletop exercises:
Incident response tabletop exercise. Much as we would like to plan and control everything in advance, cybersecurity is a largely reactive process. RSI has good documentation on performing an incident response tabletop exercise, which involves making sure participants know what your organization’s policies are for specific types of breaches and who’s responsible for what actions in response to them.
Tabletop exercise scenarios for business continuity. Tabletop exercises are also beloved by those tasked with preparing for natural or human-made disasters, and business continuity falls into the overlap between that role and cybersecurity. NContracts has a good guide on running an effective tabletop business continuity planning exercise, which includes understanding your dependencies on specific vendors and potentially looping them into any damage control scenarios.
Tabletop exercise templates
Do you want to start planning your own tabletop exercise? There are some templates available to you to help get you started. SearchDisasterRecovery has a good one that prompts you to lay out the motivations for running the exercise (so you can sell it internally), the narrative for participants, and the communication methods participants will engage in. And The Continuity Advisor has a helpful template that you can use to create after-action reports once the exercise is done.
More on tabletop exercises:
Original article source was posted here