Tips for Getting the Most out of a Remote Cybersecurity Tabletop Exercise
Ransomware attacks are making daily headlines across almost all industries, with the United States recording 145.2 million ransomware hits in Q3 alone. Just last week, the FBI, CIA, and HHS released a warning to healthcare providers of the threat of an imminent attack, and to remind the providers to take reasonable precautions to protect their networks from these threats. These experts stressed the importance of having documented business continuity plans in order to minimize service interruptions in the event of an attack.
Along with a list of network best practices (found here), the alert also highlighted user awareness as a key component of organizational security. Specifically, the alert noted the importance of providing ongoing training on information security principles and ensuring employees know who to contact if they have been a victim of a cyberattack or notice suspicious activity.
Are you confident your staff knows what to do in the event of a ransomware attack?
One of the best ways to confirm your team is prepared is by testing your current Incident Response Plan in a facilitated “tabletop exercise." As defined by NIST – a tabletop exercise is: a discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario. This activity can identify gaps in your current incident response plans (both central and department-level plans), focus on areas that need improvement, and establish a baseline for campus response procedures. The exercise can also help increase risk awareness for executives, gets people talking about compromises and incident response, and builds relationships between all involved parties.
Prior to March 2020, the best way to run a tabletop exercise was gathering all stakeholders in a room for a day and working together to walk through some potential scenarios. However, due COVID-19 restrictions, you are most likely unable to get everyone into a room but don’t let that deter you - planning a remote tabletop exercise can still be a great way to test your response capabilities. In fact, it may now be even more important to verify that you are able to respond effectively with staff members spread across remote locations and unable to quickly pull together in a conference room.
Below are some recommended strategies for planning a successful remote tabletop exercise:
Identify your Goals/Objectives
What are you hoping to achieve with this exercise? Are you wanting to identify vulnerabilities or gaps in your current incident response plan, as well as in any related documentation and communications? Do you want to raise awareness with team member about current risk levels, vulnerabilities, and likely impacts of potential attacks? Are you hoping to assess coordination efforts among campus stakeholders and external partners? Do you need help identifying or prioritizing critical environments or associated IT resources? Identifying your primary goals prior to planning the exercise can help structure the format, determine the necessary participants, and select relevant scenarios to run through.
Engage your Stakeholders
Too often staff believe a security incident is something solely handled by their IT department. However, a breach impacts the entire organization, so it is important to look at the broader impact of an incident on operations all across campus. For more details on who should be involved, please refer to our previous article discussing the suggested key players.
Once a date has been selected, communicate the agenda, goals and objectives, as well as any necessary logistics, to the participants through an executive briefing. This will allow them to come prepared for the day and ready to engage. Share the current Incident Response Plan with everyone so they can familiarize themselves with the various steps involved. Emphasize that this is a learning experience and designed to strengthen the overall response to a security incident. By setting this tone, the group will feel empowered to ask questions and share feedback.
Given the remote environment, using a web conferencing application with video capabilities will help increase participation and engagement. We understand the need to multi-task, check email, etc., but, for this discussion, you need everyone paying attention and participating throughout. (Note: Test your web conferencing platform prior to the event to make sure everything is functioning as you expect and encourage participants to login early in case they need help accessing the site.)
Tailor the Scenario(s)
In order to maximize participation and value, it makes sense for you to focus on higher priority risks or events that are more likely to occur and tailor the exercise to your organization. Having realistic scenarios that would have a high impact on your environment will increase buy-in from the participants and help them realize the importance of your overall ability to respond and recover quickly.
Clearly define each specific scenario. For example, what is the date/time of the incident – is it reported over a weekend or after hours? Specifically, what systems or equipment are affected and what type of information is at risk? You can spend some time talking about the “what if’s?” during the exercise, but you will want to stick as close to the initial scenario as possible to respect participants’ time commitments, and so that you don’t overlook something by getting lost in too many variations.
What format best fits your experience level? Have you performed a test of your incident response plan before or is this the first time you will be going through this exercise? Determine how the facilitator will lead the exercise. Do you want a straight run-through with no start/stops to truly evaluate how successful the team is during a “live” situation? Or do you want more of a dynamic conversation with immediate feedback and prompts from the facilitator?
Based on your level of experience, you may also want to plan for difference stages of testing and have an introductory tabletop with just your central IT or security team first. During this initial phase, you can help walk the team through their response efforts, ask questions, and then clean up and revise the incident response plan, etc. Once that first phase has been completed and any lessons learned implemented, you can schedule a follow-on phase 2 exercise and involve more of the executive leadership team and other departments (e.g. Communications, Legal, Public Safety, etc.).
You will also want to assign someone the task of taking notes and preparing a post-exercise summary of all activities and steps taken. Documenting the lessons learned and remediating any identified gaps will help you improve your overall response efforts.
With COVID-19 and the extra challenges of so many working remotely, ensuring that your teams still have the ability to communicate effectively and respond to all possible security incidents is even more critical. Planning a remote tabletop exercise can help ensure your communications/call chains are effective, determine if and how security teams can access and assess employee systems as needed, document procedures for reporting possible compromises to the Help Desk, and triaging those incident reports, etc.
A remote, discussion-based tabletop exercise can be an excellent way to test your plan and verify that all appropriate staff members understand their individual roles and responsibilities. The exercise will not require extensive resources (you don’t even have to provide cookies during a remote exercise!) and will allow you to test probable scenarios without any real risk to your organization. It is much easier to identify potential snags during a test, compared to realizing you don’t know who to call or what to do next during an actual incident.
Some additional guidance from CampusGuard’s Director of Information Security Services, Ed Ko:
[Ko]: Tabletop exercises are one of the most cost-effective ways to determine if your response plans are capable of containing incidents. Regular execution of your response plan helps to build rapport between the various participants, allowing for better and more clear communications if you ever need to execute your response plan during an actual incident. These exercises help to build understanding between the various participants, to understand the time needed for analysis, external reporting responsibilities, the timeline of disclosing information to affected parties, and so many more nuanced details.
I’d be remiss if I didn’t point out the importance of making sure your response plans are able to be activated. Many times, response plans start with the assumption that the alarm has already sounded and that you are actively aware that an incident is on-going. Ensure that complimentary procedures that involve reporting and triage exist that are able to initiate the response plan kick-off. Continue to build rapport with your end users to have them act as your first line of detection. Far too often, the execution of the response plan is delayed by hours, if not days, because of the lack of end user response or the lack of appropriate triage of the submitted responses. More rapid detection and response to incidents will lessen the impact and take less effort to contain.