October 31, 2018 By Ed Moyle 5 min read

Sometimes the best way to train is through hands-on simulation. In security, one particularly useful simulation strategy is a roundtable or tabletop exercise. If you’re not familiar with the tabletop concept, think of it as essentially a structured war game in which participants work through a defined, scripted scenario that mirrors what they might encounter in real life.

This could be an incident response situation, a malware breakout, a rogue insider threat or any other scenario that demands carefully planned, thoroughly rehearsed processes, procedures and strategies. You might choose to run a lighter-weight cybersecurity simulation by simply walking through response activities, or you can opt for a more hands-on test where participants spend time physically playing out their role.

How Can Security Leaders Facilitate Meaningful Discussion With Top Management?

I’ve found tabletop exercises to be particularly effective for ransomware preparation because they tend to trigger discussions with executives about whether to pay the demanded fee to unlock enterprise data. Most security professionals — myself included — believe that paying a ransom increases the likelihood that you’ll be targeted again in the future. Furthermore, there is no guarantee that an attacker would actually follow through and return the stolen files, and you’ll lose credibility if the incident comes to light later.

Business leaders often have conflicting opinions on this matter. From their perspective, a ransom is merely pocket change compared to a catastrophic business disruption. A tabletop simulation gives security leaders an opportunity to offer their viewpoint when executives aren’t dialed up to eleven.

3 Steps to Build an Immersive Cybersecurity Simulation

Despite the utility of tabletop exercises, designing and deploying one can be daunting. This requires implementing performance elements, which not everyone is comfortable doing. It’s also a more creative pursuit than many security professionals are used to and, frankly, it’s somewhat afield of the work they normally do.

Fortunately, there are steps security leaders can take to develop an effective cybersecurity simulation. The key is to start with a simple exercise to get familiar with the process, then introduce more complex elements as you get comfortable and start to see success.

Step 1: Figure Out What You’re Testing

The first and most important step is to determine what you want to test. This seems obvious, but there’s actually more to it than you might think. In the ransomware scenario described above, for example, the answer to “What you are testing?” isn’t just ransomware response. What are the specific details of the incident? What systems are impacted? Who discovered the ransomware, and how? What are the attackers’ goals? Are there unrelated things happening in the organization that might impede incident response?

These are all important points that you should decide on ahead of time. In an ideal world, each answer would map back to a goal you’ve set or question you hope to answer. Let’s say, for example, that you’d like to test whether a specific team knows how to alert technology groups to potential incidents; in that case, you might establish this team as the one that initially discovers the incident in your simulation.

The more specificity and clarity you have related to these details, the easier the rest of the development process will be. Lacking specificity in your planning at the outset means you’ll either run out of steam or have to go back and rework the exercise midway through. In fact, this planning is so important that I often write it out in a high level of detail in an incident response playbook.

You’ll also want to brainstorm unexpected or unanticipated surprises (injects) and write them into your playbook. Perhaps your organization is audited in the middle of a chaotic incident, for example, or maybe there’s turnover in staff. The playbook should also address what to do if the CEO goes on CNN to discuss the breach publicly. Whatever scenario you ultimately decide to inject into your training, it’s important to raise the stakes a little bit, introduce some potential anxiety and increase immersion.

Step 2: Determine Who Does What When

Once you know the full play by play of the event, the next step is to break it out into pieces — both by time (phases) and role (points of view). In terms of phases, keep in mind that not everything happens at once in a real event, and it shouldn’t in your exercise, either. Depending on how much time you have allotted for the exercise, decide on a cadence for the event. For a partial-day event, start with four or five timed phases (e.g., 20 minutes each) that tie to key milestones. When you know how many there are, decide what portions of the “plot” occur within each phase and where you will place injects for maximum impact. If it’s helpful, document the stages of the exercise and the key portions of the narrative that occur within each in the playbook.

This next part is a bit trickier. Essentially, you’ll want to chop up each phase into smaller subnarratives that play out from a particular participant’s point of view. For example, maybe the second phase has an attacker moving laterally through the network. IT might know this right away, but HR won’t know unless it is communicated to them. Think about your participants as you develop these subnarratives. Ask yourself what they would know in a given situation, what’s important to them and what motivates them.

Put thought into how you’ll share information with participants and what you will share during each phase. In a real security event, many questions go unanswered and only some of what occurs relates to the situation. You can replicate this by providing information to participants that is only sometimes directly relevant. You can include information that is “flavor” (i.e., not germane to what you’re testing) and red herrings (information that seems germane but isn’t), along with data that is actually critical.

Once you know what information will be available to each participant during each phase, the last key step is to put together a system to communicate it to them. You want any sharing of information between individuals or teams to occur during the exercise, so use a mechanism that ensure they receive only the information targeted to them. The simplest approach is to start with sealed envelopes.

Step 3: Present Your Exercise

If you’ve followed the first two steps, you’ll have a master playbook that contains a high level of detail about the test you envision and a set of information you can communicate to each participant for each test phase. Congratulations! You’ve done the hard part. The fun part — actually conducting the event — comes next.

There are two things to keep in mind when presenting your exercise, particularly if you’ve never done it before. The first goes back to external guidance: If you’ve never seen a simulation like this in person, consider attending one to get a feel for how to run the exercise. The second point to remember is that it always helps to practice. Enlist people you know and trust to pilot your simulation and solicit honest and objective feedback. You may need to tweak the exercise based on what you discover during the pilot. You don’t want to be ironing out the kinks (or potentially falling on your face) in front of your peers, so pilot it as many times as you need to feel comfortable.

Lastly, when it comes to setting up a cybersecurity simulation, frills matter. Anything you can add to increase the immersiveness of the exercise or its utility is helpful. For example, you might choose to use a tool like Kahoot! or another gamified feedback mechanism to engage with participants in parallel with the exercise. Spending hours or days working through a detailed exercise can induce fatigue, and you want participants to stay engaged, so anything you can do to make it more fun and immersive is well worth it.

Incident Response Can Be Fun

When a data breach inevitably strikes, you’ll need your entire organization, from rank-and-file employees to top leadership, to be on the same page. A cybersecurity simulation is one of the best ways to develop a strong security culture throughout the enterprise because it challenges each department to communicate effectively and think critically to solve complex problems. With the right setting, challenging parameters and fine-tuned details, you can significantly boost your organization’s security and resilience posture — and have a little fun while you’re at it.

Listen to the podcast to learn more

More from Incident Response

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today