- Donald E. Hester
Demystifying Cyber Tabletop Exercises
If you've been hearing a lot about cyber tabletop exercises lately, it could be due to the growing emphasis placed on them by your cyber insurance carrier, whose questionnaires may ask whether you conduct them annually. If you've never conducted a tabletop exercise before, it's understandable that it may seem daunting and that it may be unclear what it entails and how to proceed. In a series of forthcoming blog posts, I aim to demystify tabletop exercises and guide you through their various aspects. By providing insight into what a tabletop exercise is and offering step-by-step instructions on how to conduct one, I hope to alleviate any apprehension you may have. You might find that it's not as challenging as it appears once you've experienced one or received guidance on creating your own. Stay tuned for these blog posts, as they will provide valuable information and support to help you successfully navigate the world of tabletop exercises.
The objective of this tabletop exercise is to simulate a cyber incident scenario and provide the agency with an opportunity to assess their organization's preparedness, response capabilities, and decision-making processes. By participating in this exercise, the agency will gain a better understanding of the potential impact of a cyber incident and the necessary steps to mitigate and recover from such an event.
Planning The Exercise
To foster a productive and open environment, it is crucial to emphasize that this tabletop exercise is conducted in an open, no-fault, low-stress manner. The exercise is designed as a learning experience, where there will be no retaliation, finger-pointing, or blame assigned to any individual or department. The primary goal is to enhance the agency's cyber resilience. The insights gained from this exercise will be utilized to develop actionable plans aimed at strengthening the organization's cybersecurity posture. Tabletop exercises play a vital role in preparing for cyber incidents, as they allow officials to practice their response capabilities and decision-making processes in a controlled setting. As the saying goes, it is better to sweat in training than to bleed in battle.
When conducting tabletop exercises, it is crucial to customize the scenarios to make them relevant to your organization. By collaborating with industry experts and leveraging the expertise of your internal team, you can develop scenarios that reflect the specific threats and challenges your agency may face. It is important to focus on how you would respond if these scenarios were to happen, rather than worrying about the probability of their occurrence. The primary goal of these exercises is to help the agency prepare, and preparing for extreme scenarios is always preferable. By training for the worst-case scenarios, your response capabilities will be enhanced, and you will be better equipped to handle any situation that falls short of the worst. Remember, the objective is to build resilience and readiness, irrespective of the probability, in order to effectively mitigate cyber threats.
When selecting a scenario for a tabletop exercise, it is crucial to resist the temptation to choose a scenario in which you feel confident or comfortable with your response. Instead, opt for scenarios or sets of scenarios that you anticipate struggling with. It is natural to want to showcase your competence in front of superiors, but it is essential to prioritize the exercise's purpose of identifying areas for improvement and enhancing preparedness. By intentionally challenging yourself and your team, you can uncover weaknesses, gaps, and blind spots that may exist in your current capabilities. This proactive approach ensures that you address potential vulnerabilities before a real-life incident occurs. Failing to identify and address these weaknesses during the exercise could have significant consequences when facing an actual event. Trust in your staff and your organization's response may be diminished, and it could even result in career setbacks. Therefore, it is vital to prioritize growth and learning by selecting scenarios that push your boundaries and encourage continuous improvement.
For a tabletop exercise to be successful, it is essential to establish clear objectives and ensure that all participants understand the purpose of the exercise and the expected outcomes. By clearly communicating the objectives, participants can align their efforts and focus on the specific goals of the exercise. This understanding helps create a shared sense of purpose and ensures that everyone is working towards the same objectives. Clear objectives also provide a framework for evaluating the exercise's success and measuring the achievement of desired outcomes. By setting and communicating these objectives, the tabletop exercise can effectively facilitate learning, collaboration, and improvement in the organization's cybersecurity preparedness and response capabilities.
Here are some sample objectives:
1. Strengthening Cybersecurity Awareness: The exercise aims to enhance the agency's cybersecurity awareness, ensuring that all stakeholders understand the importance of protecting the community's systems and services. By promoting a culture of cybersecurity awareness, employees and officials can play an active role in safeguarding critical assets and data.
2. Examining Information-Sharing Processes: The exercise will assess the agency's internal and external information-sharing processes. It will focus on improving communication and collaboration with relevant stakeholders, including other government agencies, law enforcement, and cybersecurity experts. By enhancing information-sharing protocols, the agency can effectively respond to and mitigate cyber threats.
3. Discussing Preparedness for Cybersecurity Incidents: This objective aims to evaluate the agency's level of preparedness to respond to, mitigate, and recover from cybersecurity incidents. Participants will assess existing incident response plans, identify areas for improvement, and discuss strategies to minimize the impact of potential cyber incidents. The exercise will facilitate the refinement of incident response procedures and ensure the availability of necessary resources.
4. Exploring Resource Request Processes: The exercise will explore processes for requesting state/federal incident response resources once county/state resources are exhausted. Participants will discuss protocols for escalating incidents, engaging external support, and coordinating resource allocation during extended or severe cyber incidents. By addressing resource availability and coordination challenges, the agency can strengthen its response capabilities and improve incident management.
Execution of the Exercise
During the tabletop exercise, a designated leader will play a crucial role in guiding the participants through the scenario. The leader's responsibility is to describe the events leading up to a simulated cyber incident and prompt the participants to consider their response at each stage. As the scenario unfolds, the leader will pause at specific intervals to present discussion questions. These questions are designed to foster meaningful discussions among the participants, encouraging them to explore important decision points and delve into crucial cybersecurity considerations. Through these discussions, participants can analyze the potential consequences of their actions, identify gaps in their knowledge or procedures, and collectively develop effective strategies for incident response. The leader's guidance and thought-provoking questions will ensure that the exercise stimulates productive conversations and enables valuable learning experiences for all involved.
Sample Discussion Questions
What cyber threat intelligence does the agency receive?
What actions would you take when you receive an alert?
How does the agency oversee vulnerability/change management?
What computer use policies does the agency have?
How is network access managed with your third-party vendors?
How do your OT and IT teams interact?
How does your cyber incident response plan define escalation criteria, notifications, activations, and/or courses of action?
What are you communicating to your customers regarding the incident?
What information do you report to regulatory agencies and law enforcement?
What external resources might you need and how do you acquire them? Who do you contact?
What do you tell the press?
When do you talk to the press?
What are the pros and cons of paying the ransom?
Who decides whether you pay?
When conducting a tabletop exercise, it is advisable to resist the temptation to have your staff lead the exercise. While your staff may possess valuable insights and knowledge, it can be challenging for them to fully participate and engage if they are also responsible for leading the exercise. Additionally, by bringing in someone from outside your organization to lead the exercise, you benefit from a fresh perspective. An external facilitator may identify gaps or vulnerabilities that your staff might overlook due to their familiarity with internal processes and assumptions. Furthermore, executives sometimes exhibit a bias towards external experts, regardless of the competence of the internal staff. Consequently, the recommendations and insights provided by an outside expert may carry more weight and influence in decision-making processes. By involving an external facilitator, you can leverage their expertise and impartial viewpoint to enhance the exercise's effectiveness and improve your organization's overall preparedness.
At the conclusion of the tabletop exercise, it is customary to hold a "hotwash" session, which provides a valuable opportunity for an open and candid discussion among the participants. During the hotwash, the focus is on reflecting on the exercise and encouraging participants to share their perspectives on what went right, what went wrong, and how improvements can be made for the future. This open dialogue allows for the identification of strengths and successes in the response, as well as areas where challenges were encountered or improvements are needed. By fostering a non-judgmental environment, participants can freely express their thoughts, share lessons learned, and exchange valuable insights. The hotwash session plays a vital role in capturing feedback, gathering different perspectives, and generating actionable recommendations for enhancing the organization's cyber resilience and response capabilities in the future.
After the Exercise
Upon the completion of the tabletop exercise, it is essential to create an after-action report that provides a comprehensive summary of the exercise, its findings, and actionable recommendations. The report should begin with an executive summary that provides a high-level overview of the exercise objectives, scenario, and key observations. Following the executive summary, the report should detail the findings identified during the exercise, including strengths and areas for improvement. Each finding should be accompanied by specific recommendations on how to address the identified gaps or enhance existing processes, policies, and procedures. These recommendations should be practical, feasible, and tailored to the organization's specific needs and resources. Furthermore, the after-action report can include suggested resources, such as training programs, tools, or external expertise, to support the implementation of the recommendations. By creating a comprehensive after-action report, the organization can capture the exercise's outcomes, provide a roadmap for improvement, and guide future cybersecurity initiatives.
This is the first post in a series on conducting cyber tabletop exercises, laying the foundation for exploring this important topic further. In future posts, we will delve into the numerous benefits of tabletop exercises, discussing how they enhance preparedness and response capabilities. We will also provide guidance on determining who to invite to these exercises, ensuring key stakeholders are involved for a comprehensive perspective. Additionally, we will explore various sources and platforms to obtain valuable resources and tools to support the tabletop exercise process. Finally, we will share insights and lessons learned from organizations that have successfully conducted cyber tabletop exercises, offering real-world examples and best practices. Be sure to check back soon for more on this critical topic, as we continue to delve deeper into the world of tabletop exercises for cyber resilience.