INSIGHTS Tabletop exercises
Every single person at a certain point in their life has to deal with some sort of an incident. Be it a flat car tire, wounded arm, earthquake or a computer virus — you have to do something about it in order to make sure that the situation does not get worse. In some cases you can deal with the problem on your own, in some others, you needed external help from someone who is qualified and capable of helping you. But how do you know whether you need someone’s help or you can resolve a problem on your own? Normally, you ask yourself several questions:
[TL;DR] This article discusses how to prepare for incidents and get better at dealing with them. Specifically, we will go a bit deeper into the cybersecurity domain and explore methods of making your organization more prepared for a cyber attack. You can also find a template for a tabletop exercise I designed in the end of the article. Enjoy :)
- Have I dealt with this issue before?
- Was I successful in it?
- Am I able to resolve the current situation on time with the resources I have?
Let’s consider an example. Imagine you fall off your bike, I guess many of you had it happen to you in the past. What do you do first? You evaluate the damage: are you hurt, how badly are you hurt, can you get home, is the bike damaged, etc. In simple cases, you might just get a bruise and dirty clothes, get on your bike and go on with your day. In a bad case, your bike might be broken. So what are your options here? You can either fix it yourself or go to a bike shop. If you’re an average bike rider, you probably don’t have tools and experience fixing bikes, so you just go to someone who: dealt with this in the past, was successful in it and can resolve your issue in a reasonable time, so you can get your transport back.
You as a person can also get better at dealing with incidents. What’s the secret? Practice, practice and practice again. The difficult problem here is — how do you practice incident response if the incidents are not happening?
This is where such a thing as a tabletop exercise comes in. So what is a tabletop exercise? For the definition we will switch to the corporate world, where it can be easily applied, since many companies are very unprepared for incidents.
A tabletop exercise is a meeting of key stakeholders and staff who walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low stress situation. 
A tabletop exercise, in other words, is a tool that allows the participants to go through a theoretical incident scenario and try to describe in detail the steps required to respond to it. And you can apply it to any situation, like falling off your bike.
There are several things required for the successful tabletop exercise:
- A moderator. The moderator will walk everyone through the scenario and add more information to the case as it progresses. The moderator will also answer the “what if” questions the participants might have, set the pace and steer the exercise in the right direction. During the exercise, the moderator should not only ask what should the participants do, but also how exactly they will do it. It’s easy to say that a flat tire must be replaced, but it’s a lot harder to say how to do it.
- Current runbooks or procedure manuals. Every participant should familiarise themselves with all existing incident response and disaster recovery plans before the exercise. You can also print them and hand them out to all participants during the exercise.
- A good case. The case should not be too similar to incidents that happened in the past, so that you can test your team’s ability to critically think and adapt to unknown situations. At the same time the case should not be too frustrating or unrealistic.
- Goals. Try to set the expected outcome of the exercise and what do you want to achieve with it. You should take this opportunity to figure out what gaps do you have and where to invest resources to be more prepared for a real case.
- Debrief. After the exercise, take the time to answer questions such as: (a) what went well? (b) what could have gone better? (c) how can we speed up some steps? (d) how should we adapt our incident response plans?
Your first tabletop exercise
It’s not that easy to design a case, but there are many resources online to get inspiration from:
- Phishing attack scenario by About You GmbH. I myself designed a tabletop exercise for the company I am working for. You can feel free to use it or just take it as a template.
- 6 tabletop exercises from CIS.
- Cyber Capabilities Tabletop Exercise. This is a very well prepared tabletop exercise in the cybersecurity domain.
- Community emergency Response Teams (CERT) Drills. This is mostly about disasters such as an earthquake, fire, flood, etc.
Here are some recommendations from my side that can make your first tabletop exercise more fruitful:
- Depending on the case and the number of participants, book the appropriate time for the exercise. I wouldn’t recommend to book less than one hour.
- Ask the participants exactly how they are going to complete certain steps: what tools will they use, are those tools ready to be used (like a VM for malware analysis) and even which command line arguments they will type into the terminal, because Googling and reading documentation takes valuable time.
- Keep things real and set the pace of the meeting. Often during the exercise you will find the participants being quite abstract or imagining things. When presenting the case to them, start with high level input and then wait for the team to ask you the right questions.
Tabletop exercise is a really great tool to discover your gaps in emergency preparedness. If you ask yourself and your team the right questions, you will have many valuable to-do items after each tabletop exercise, such as trainings your team might need to take, things to include into your IR plans, etc. It is really important to know exactly what to do in a stressful situation, because when “shit’s on fire”, even the best of us will find themselves a bit lost.
I would like to finish this article with a great quote I heard in a podcast that I can’t remember anymore:
As a child you are taught how to use a spoon. At first you hold it wrong and drop stuff. But as soon as you’ve mastered it, you’ll be able to eat with a spoon anywhere in the world, any time of day or night or after not using the spoon for years. Try to build security of your company as a spoon, because we don’t need an annual refreshing course how to eat with a spoon.
 — Defensive Security Handbook, 2017, Lee Brotherston and Amanda Berlin, published by O’Reilly Media Inc.