When To Do a Tabletop Exercise

“Prepare for the unexpected” is the mantra of anyone who works in disaster readiness. The people who live and breathe information security have been preaching “preparing for the unexpected” for years.

Commonly overheard reasons that prevent teams from preparing for a ransomware attack include:

  1. Ransomware preparedness takes significant time, and we are all very busy;
  2. Practicing the IR plan takes money, and there’s not a lot to go around;
  3. There’s a pandemic, and things are all catawampus right now; and finally,
  4. How does one prepare for the unexpected or unknowable?

The criminals know organizations are dealing with those problems, and they are taking advantage of them. Ransomware attacks are up, there’s more phishing, and business email compromise events are trending in the wrong direction.


Is Now the Right Time for a Tabletop Exercise?

This may be the most inconvenient time to do a tabletop exercise (TTE) in which you pretend you’ve been hit by ransomware, which is exactly why it is the right time to do one. Even before the pandemic, IBM reported that 77% of business leaders admitted they didn’t have a cybersecurity incident response plan. Organizations with a practiced plan save hours upon hours of time and millions of dollars.

The pandemic has changed the way we work. That means it has also changed the way you respond to a cyber-crisis. If you have an incident response plan and it was created pre-pandemic, it almost assuredly needs an update. For example, your IR plan might assume people are in the office, that workers are in the office 9am-5pm, or that everyone can safely get in a room together. All those details must change. Now, an IR plan must account for remote work and even a scenario in which someone is working from a distant location.


How To Organize a Tabletop Exercise

The best tabletop exercises have multiple people involved. A real incident, like a ransomware attack, earthquake, or workplace shooting, will involve more than one department. Every organization is different, so think about the people involved. Then, think about who you would call if you couldn’t get them. Sometimes, in a disaster, the primary person isn’t reachable. Ideally, the roles involved are named in a written plan, but that’s one of the things that a tabletop exercise can tease out as well.

Here’s How a Good Tabletop Exercise Works:

  1. A facilitator has a dastardly plan and timeline of events in mind and unveils the first part to the group.
  2. The group decides on initial action.
  3. The facilitator asks questions and helps them evaluate their proposed actions.
  4. Then, the group gets another “injection.” For example, the facilitator says, “It’s 2 hours later, and you get a call from an employee who says they were the one who opened a malicious email, and they have a ransom note on their laptop.”
  5. The group discusses what actions to take, and so on and so forth.

At the end of the exercise, the group will have a better idea of how to build their incident response plan.


Budgeting for a Good Tabletop Exercise

But they’re not cheap! A good tabletop exercise can run tens of thousands of dollars. That’s why you should talk to your InfoSec providers for support first; see if you can fold TTEs into a contract for other cybersecurity services. Also, you want your tabletop exercise to take your current security stack into consideration. For example, if you are using a Managed Detection and Response provider, you might be able to spot something before it gets bad. Or, if they do full packet capture, they might be able to give you immediate insight into what has happened, and guidance on what action to take.

If your InfoSec vendor won’t work with you on tabletop exercises, you may just have the wrong vendor.