Sarah Van Maele & Ludovic Bellia
Do you know what to do in case of an emergency?
Everyone is familiar with fire drills to ensure that when a fire breaks out, people immediately know what actions to take and where to go. The necessity of practicing this regularly is a no-brainer. So why not do regular exercises to make sure everyone and everything stays safe in case of a cybersecurity emergency?
Incident Response Plan
It’s not a matter of “if” disaster will strike, but “when”. And when it inevitably happens, what will it look like? Will you even notice it before it’s too late?
Depending on your role within the company, picking up on the first signs of an attack or preventing it from succeeding might not be what keeps you up at night. But not all threats are created equal, and not all of them arrive over the network. What about the coworker who feels they have been slighted: could they become disgruntled enough to eventually pose an insider threat? That USB drive you received: are you sure there is nothing malicious on it?
Cybersecurity incidents are high-stress situations: an inaudible clock is ticking and time is of the essence. If the building catches fire and everyone is scrambling to figure out what to do in the chaos, the damage is devastating. That is why reacting to this type of physical incident must be a reflex, not the result of a thought process while flames are erupting all around you.

We have touched on incident response plans and how they relate to the other essential plans in a previous blog post, but, specifically, what components should this IRP have?
Requirements: Building a Robust Incident Response Plan
A well-documented and trained incident response plan should include the following components:
- Incident Identification: Procedures for detecting and reporting incidents.
- Roles and Responsibilities: Clearly defined roles for each team member involved in the response.
- Communication Plan: Guidelines for internal and external communication during an incident.
- Response Procedures: Step-by-step actions to contain, eradicate, and recover from an incident.
- Training and Awareness: Regular training sessions and awareness programs to keep the team prepared.
- Continuous Improvement: Regular reviews and updates to the IRP based on lessons learned from exercises and real incidents.
So you’re equipped with your IRP, but how do you ensure its efficacy? One effective method is the tabletop exercise.
Theory: Understanding Tabletop Exercises
Tabletop exercises are discussion-based sessions where team members walk through simulated emergency scenarios to evaluate their response strategies. Unlike full-scale drills, these exercises are conducted in a low-stress environment, allowing participants to focus on decision-making processes and communication.
The primary goals of tabletop exercises include:
- Identifying Gaps: Highlighting weaknesses in the current incident response plan.
- Enhancing Coordination: Improving communication and coordination among team members.
- Building Confidence: Ensuring that all participants take ownership and are familiar with their roles and responsibilities during an incident.
Practical: Conducting Effective Tabletop Exercises
To conduct a successful tabletop exercise, follow these steps:
- Define Objectives: Clearly outline what you aim to achieve with the exercise. This could be testing specific aspects of the IRP or improving overall team coordination.
- Develop Scenarios: Create realistic scenarios that reflect potential threats your organization might face. These scenarios should be detailed enough to challenge participants but not so complex that they become overwhelming.
- Assemble the Team: Include representatives from all relevant departments, such as IT, legal, communications, and management. This ensures a comprehensive evaluation of the IRP.
- Facilitate the Exercise: Guide the discussion, prompting participants to explain their actions and decisions. Encourage open communication and collaboration.
- Debrief and Review: After the exercise, conduct a debriefing session to discuss what went well and what needs improvement. Document the findings and update the IRP accordingly.
Gamification works
Thoroughly testing all components of your IRP is going to take a while; there is just no way around that. Some exercises can be completed in a few hours, others might take a couple of days depending on the specifics and the desired intensity. How do you keep your participants active and engaged the entire time while also ensuring the content of the IRP will stick? These exercises need to be repeated regularly in order to be effective, so you want to avoid your participants suddenly coming down with a mystery illness when the next exercise is planned. This is why we choose to make these simulations entertaining by adding some humor to the scenarios, making them feel more like a roleplaying game.
Some example prompts from our scenarios:
Attackers are bragging on Telegram about the newly compromised company – yours – and of course soon after an article pops up about it, all national newspapers are quickly following suit with their own version of the story and it’s on everyone’s “favorite” social media platform in no time.
Every single news organization shows up at your office, as well as a horde of influencers and YouTubers, the latter making memes at your expense, and now you’re trending on TikTok – things can’t possibly get any worse (they totally can).
Your engineer in charge of the backups makes a confession: he does not actually know how to do any of the tasks he was hired for. He has been asking ChatGPT for every script, every terminal command, heck, even what he should eat for dinner every day. Are your backups healthy? Have any copies been encrypted yet? As soon as he can figure out a way to get the WiFi working again, he’ll ask ChatGPT for you, because it has all your company data anyway.
After receiving a prompt, participants engage in an open discussion to figure out how they should deal with those issues. This way they build confidence, cement essential information such as who is supposed to address any questions from the press, and possibly expose gaps in your plan by thinking outside of the box.
A gap identified by a tabletop exercise at one of our customers had to do with communication: it became clear that while emergency plans were in place, nobody knew how to reach the CSIRT. Going back to the fire analogy: if the fire department is ready to go but nobody knows the number to call, your building burns down just the same.
Frequency
Doing an exercise only once a year is not going to cut it. Every single member of the crisis team needs to feel confident enough during a chaotic event to take ownership and make decisions rapidly. Because this is a no-blame exercise, it is easy to practice different solutions to a problem and investigate their impact, especially in large landscapes where no one can connect all the dots on their own. The threat landscape evolves quickly, people will simply forget what is in the IRP, and various other factors can require an update to your plan: adoption of new technologies, a rapidly expanding organization with many new hires, new compliance requirements, and so on. It is also a good idea to run an exercise as a refresher after an incident has taken place. Even if nothing happens, we recommend conducting a tabletop exercise quarterly.
Conclusion
Tabletop exercises are a vital component of incident response planning. They provide a safe environment to test and refine your IRP, so that your organization is prepared when a cyber incident does occur. By regularly conducting these exercises and maintaining a robust incident response plan, you can minimize the impact of incidents and protect your organization’s assets and reputation. And you might even have fun while doing so! It all starts with spotit!