A Cybersecurity Tabletop Exercise simulates a hypothetical cybersecurity incident, used for planning purposes.
It is an opportunity to practice and learn, helping to ensure that processes, roles and responsibilities are clearly defined and understood.
Cybersecurity threats are more prevalent than ever before, impacting all industries. Adversaries are no longer “stereotypical hackers”; they are highly organised teams, operating as a business.
Therefore, if you are accountable for information security at your business, it makes sense to ensure your teams are thoroughly prepared. For example, you do not want the first time you execute your incident response plan to be during a high-pressure, real-world event.
This is the value of the Cybersecurity Tabletop Exercise, raising awareness, learning, identifying gaps, making mistakes and building confidence in a “safe” environment.
A Cybersecurity Tabletop Exercise can cover technical, business and/or executive processes. As a Chief Information Security Officer (CISO), I recommend regular technical and business exercises, combined with occasional executive engagement, which would likely include CxO-level roles and (if appropriate) the Board of Directors.
When constructing a Cybersecurity Tabletop Exercise scenario, I recommend referencing MITRE ATT&CK, which is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
This knowledge base provides a comprehensive matrix for enterprise businesses, perfect for the development of threat models.
Outlined below is an example scenario, covering the confirmed loss of sensitive (non-public) data, including an extortion attempt. It includes four injects, which are milestones in the story that purposely escalate the scenario. At each inject, the team should simulate the defined processes, documenting all decisions and actions, including the rationale.
It can be useful to have a third-party observer, someone with knowledge of cybersecurity incident management, who can assess the effectiveness and provide feedback.
It is important to remember that the scenario itself is designed to represent a worst-case scenario, therefore it should be accepted (not challenged). This is not always easy for technical thought leaders, who have a natural tendency to challenge the plausibility of the scenario itself. Remember, the value of the exercise is to ensure that the processes, roles and responsibilities are clearly defined and understood.
NOTE: Every business is different, therefore the scenario should be tailored based on your specific business context, emphasising any areas that you may wish to practice.
Inject 1: Third-Party Notification
Your business is notified of probable attack activity by a trusted third-party managed service provider. A user account credential has been found compromised - one belonging to a contractor associated with your business systems.
- The third-party managed service provider investigation findings suggest the user compromise occurred 77 days ago.
- High-confidence findings identify social engineering as the intrusion vector - resulting in malware installation on a workstation (endpoint) managed by the third-party managed service provider.
- Out-of-date virus signature files delayed detection, allowing an adversary to conduct further reconnaissance and exploit activity from the endpoint.
Inject 2: Investigation
Your business identifies the compromised user has accessed your business systems within the window of compromise.
- Initial analysis highlights the user accessed your business systems daily.
- No unusual account activity was identified via your business detection and response tooling (e.g., no foreign time zones, geographies, impossible travel, etc.).
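Inject 2 turns on what the detection tooling did and did not surface for the contractor account. As an added example (not from the original post), here is an impossible-travel check of the kind such tooling runs over an account's sign-in history across the 77-day window; the sign-in events, city coordinates and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample sign-ins for the hypothetical contractor account:
# (UTC timestamp, source city label, latitude, longitude).
SAMPLE_LOGINS = [
    ("2024-01-02T08:05:00", "London", 51.5074, -0.1278),
    ("2024-01-03T08:10:00", "London", 51.5074, -0.1278),
    ("2024-01-03T09:40:00", "Singapore", 1.3521, 103.8198),  # 95 min after a London sign-in
    ("2024-01-04T08:02:00", "London", 51.5074, -0.1278),
]
WINDOW_DAYS = 77        # dwell time stated in the scenario
MAX_SPEED_KMH = 900.0   # assumed ceiling; roughly airliner speed, anything faster is implausible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(logins, window_end, window_days=WINDOW_DAYS, max_kmh=MAX_SPEED_KMH):
    """Return (from_city, to_city, implied_kmh) for each consecutive pair of sign-ins
    inside the window whose implied travel speed exceeds max_kmh."""
    start = window_end - timedelta(days=window_days)
    events = sorted(
        (datetime.fromisoformat(ts), city, lat, lon)
        for ts, city, lat, lon in logins
        if start <= datetime.fromisoformat(ts) <= window_end
    )
    findings = []
    for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
        dist = haversine_km(la1, lo1, la2, lo2)
        hours = (t2 - t1).total_seconds() / 3600.0
        # Two locations at the same instant is the degenerate case: treat as infinite speed.
        speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
        if speed > max_kmh:
            findings.append((c1, c2, round(speed)))
    return findings


def run_sample():
    """Evaluate the constructed sample against a window ending 2024-01-10."""
    return impossible_travel(SAMPLE_LOGINS, datetime.fromisoformat("2024-01-10T00:00:00"))


if __name__ == "__main__":
    for c1, c2, kmh in run_sample():
        print(f"impossible travel: {c1} -> {c2} implies ~{kmh} km/h")
```

The London to Singapore hop is flagged (about 10,850 km in 95 minutes), while the return the next day is not, which is why a clean result from this check alone should not be read as proof the account was unused by the adversary.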
Inject 3: Findings
Your business operations identify the suspect user account accessed the following production systems/data assets within the window of compromise:
NOTE: Select example systems with appropriate non-public sensitive data (e.g., employee data, customer data, financial data, etc.)
- No specific evidence of data exfiltration (copied/transferred). However, with a large compromise window (77 days) data could have been screen-captured and/or transcribed.
- Your business operations confirm (beyond reasonable doubt) that the compromise has been contained.
Inject 4: Data Leak and Extortion Attempt
Your business receives an anonymous phone call from an adversary claiming responsibility for the compromise, with evidence being published publicly on the dark web. The adversary demands that xxx Bitcoin (select a value that has a material impact on your business) be transferred to a crypto wallet within 72 hours, or the full dataset will be published publicly.
- The business operations confirm the published evidence is representative of the non-public sensitive data.
- The lost dataset cannot be remotely or retrospectively recovered and/or obfuscated (masked).
At this stage, the scenario concludes with a focus on key decisions. This specific example works well, as it includes a long dwell time (77 days) and ambiguity regarding how much data has been exposed as part of the compromise. This uncertainty forces a risk-based decision to be made.
I recommend the following areas are discussed:
- How does the business measure the reputation impact and downstream ramifications of the compromise (e.g., customer confidence, sales, stock price, etc.)?
- Does the business engage an external cybersecurity/ransomware/extortion firm?
- Does the business pay the ransom? If so, how?
- Does the business engage law enforcement?
- Does the business directly communicate with employees/customers?
- Does the business trigger a formal cybersecurity breach disclosure (e.g., SEC, etc.)?
- Does the business trigger a privacy breach disclosure? If so, in which countries?
- How does the business monitor the situation post decisions (e.g., customers, shareholders, credit score, etc.)?
- What is the broader communication and crisis management strategy?
- What further engagement (if any) should occur with the third-party managed service provider (the origin of the compromise)?
To help determine whether a Cybersecurity Tabletop Exercise could be useful for your business, ask yourself how prepared your business would be to answer these questions.
If there is uncertainty regarding the process or decision authority, I would recommend proceeding.