The Case for Tabletop Exercises in Incident Response Planning

Tom Papahronis

Strategic Advisor - eGroup Enabling Technologies

Tabletop exercises remain a mainstay of disaster recovery and incident management preparation, and with good reason: they provide an accessible and low-cost way to demonstrate the organization’s readiness (or lack thereof) for an adverse event without expensive penetration testing or Red Team attack simulations.

Today we will focus on the reasons a tabletop exercise should be performed on an annual basis and some of the common lessons learned that we have seen across a wide variety of clients we have worked with. (For more detail on the structure of a tabletop exercise, my colleague Chris Stegh has some great advice on that here.)

In response to both best practice guidance and, more recently, cyber insurance requirements, many organizations we work with have some kind of incident response plan, and some also have detailed playbooks for specific kinds of incidents. However, these documents are often out of date, and the IT staff is frequently unfamiliar with them. In a real cybersecurity incident, time is of the essence, so your organization needs to be in a constant state of incident response readiness rather than rediscovering the plan when an incident is already underway.

Validate Your Plan

Use the tabletop exercise as a refresher for everyone who has a role defined in the Incident Response Plan. Often, we find that people outside the Technology organization are unclear about, or entirely unaware of, the role they are expected to play. Incident response is an organization-wide responsibility. Beyond the Technology team, these groups are commonly included:

  • Executive Leadership: Ensure alignment of incident response efforts with organizational goals and priorities, supplying strategic guidance and decision-making support.
  • Legal and Compliance: Assess legal and regulatory implications of incident response actions and communication strategies.
  • Communications and Public Relations: Develop messaging and communication plans to address external stakeholders and the media.
  • Human Resources: Coordinate employee communications, support, and potential HR-related issues stemming from the incident.

Validate Your Processes

Be sure to test the specific incident playbooks you have developed in addition to the overall plan. Both common incidents (such as a lost device) and rare but critical events (such as ransomware attacks or data exfiltration attempts) should be exercised.

  • Include in the tabletop exercise the incident scenarios you are most concerned about or most vulnerable to.
  • Identify the specific interdependencies, documentation requirements, and third-party involvement your playbooks call for, and refresh staff on them.
  • Find and resolve the gaps. Over the previous year there are often changes in team structure, new people, and new functions or roles that the exercise scenarios need to account for.
  • Improve the playbooks to reduce reliance on specific individuals as much as you can. Name secondary subject matter experts for each role to build resiliency.

Validate Your Tools and Services

Much like your processes, the technical tools at your disposal may have changed significantly in the year since your last test. New features (especially on SaaS platforms) can improve both response capability and visibility into incidents, but only if the response team knows they exist.

  • Make sure the response team is aware of the security, recovery, and documentation tools to use and how to use them. Bridge any gaps found with training or playbook updates.
  • Involve your existing third-party security or response vendors as applicable so the internal team understands their capabilities. If you have an external security operations partner, use the exercise to engage them so the internal team can see both the output they deliver and the limits of what they provide.
  • Include in the exercise any services or tools your cyber insurance carrier requires. Carriers typically have specific instructions covering approved third-party recovery vendors, legal counsel, and documentation, and following the wrong process during a real incident can jeopardize coverage.

Common Lessons Learned

While the specific results of each exercise vary considerably, common themes emerge from most of them. Some of the most frequent are:

  1. The broader organization is not engaged in incident response and sees it as an “IT problem.”
    1. Executive management is not aware of the extent of the risks the organization is exposed to.
    2. The level of protection the IT team provides is not as complete as assumed.
  2. Over-reliance on endpoint protection software to automatically prevent malicious activity.
  3. Identity activity (logins, privilege changes, new accounts) is not adequately monitored.
  4. A lack of proactive threat hunting in the environment.
  5. Underestimating how long a comprehensive response would take, typically driven by a lack of planning and preparation.
  6. Ineffective response to a SaaS vendor breach. (This is more often a function of vendor management practices than of security practices.)
  7. Manual processes and homegrown, best-effort monitoring are not responsive enough to today’s threats.

This list could go on, but the point is that a tabletop exercise should expose and challenge the assumptions internal teams have made, measured against current industry practices and protections.

No plan or playbook is foolproof, and weaknesses often remain undiscovered until the plan is tested. Tabletop exercises shine a spotlight on weaknesses in the incident response plan, whether gaps in communication protocols, outdated procedures, or inadequate resource allocation. By uncovering these weaknesses proactively, you can address them before a real incident exposes them, strengthening your overall security posture.

Revamp Your Incident Response Plan Today

Contact our team today to get started on a tabletop exercise or begin refreshing your Incident Response Plan!