Sometimes the best way to train is through hands-on simulation. In security, one particularly useful simulation strategy is a roundtable or tabletop exercise. If you’re not familiar with the tabletop concept, think of it as essentially a structured war game in which participants work through a defined, scripted scenario that mirrors what they might encounter in real life.

This could be an incident response situation, a malware breakout, a rogue insider threat or any other scenario that demands carefully planned, thoroughly rehearsed processes, procedures and strategies. You might choose to run a lighter-weight cybersecurity simulation by simply walking through response activities, or you can opt for a more hands-on test where participants spend time physically playing out their role.

How Can Security Leaders Facilitate Meaningful Discussion With Top Management?

I’ve found tabletop exercises to be particularly effective for ransomware preparation because they tend to trigger discussions with executives about whether to pay the demanded fee to unlock enterprise data. Most security professionals — myself included — believe that paying a ransom increases the likelihood that you’ll be targeted again in the future. Furthermore, there is no guarantee that an attacker would actually follow through and return the stolen files, and you’ll lose credibility if the incident comes to light later.

Business leaders often have conflicting opinions on this matter. From their perspective, a ransom is merely pocket change compared to a catastrophic business disruption. A tabletop simulation gives security leaders an opportunity to offer their viewpoint when executives aren’t dialed up to eleven.

3 Steps to Build an Immersive Cybersecurity Simulation

Despite the utility of tabletop exercises, designing and deploying one can be daunting. This requires implementing performance elements, which not everyone is comfortable doing. It’s also a more creative pursuit than many security professionals are used to and, frankly, it’s somewhat afield of the work they normally do.

Fortunately, there are steps security leaders can take to develop an effective cybersecurity simulation. The key is to start with a simple exercise to get familiar with the process, then introduce more complex elements as you get comfortable and start to see success.

Step 1: Figure Out What You’re Testing

The first and most important step is to determine what you want to test. This seems obvious, but there’s actually more to it than you might think. In the ransomware scenario described above, for example, the answer to “What are you testing?” isn’t just ransomware response. What are the specific details of the incident? What systems are impacted? Who discovered the ransomware, and how? What are the attackers’ goals? Are there unrelated things happening in the organization that might impede incident response?

These are all important points that you should decide on ahead of time. In an ideal world, each answer would map back to a goal you’ve set or question you hope to answer. Let’s say, for example, that you’d like to test whether a specific team knows how to alert technology groups to potential incidents; in that case, you might establish this team as the one that initially discovers the incident in your simulation.

The more specificity and clarity you have related to these details, the easier the rest of the development process will be. Lacking specificity in your planning at the outset means you’ll either run out of steam or have to go back and rework the exercise midway through. In fact, this planning is so important that I often write it out in a high level of detail in an incident response playbook.

You’ll also want to brainstorm unexpected or unanticipated surprises (injects) and write them into your playbook. Perhaps your organization is audited in the middle of a chaotic incident, for example, or maybe there’s turnover in staff. The playbook should also address what to do if the CEO goes on CNN to discuss the breach publicly. Whatever scenario you ultimately decide to inject into your training, it’s important to raise the stakes a little bit, introduce some potential anxiety and increase immersion.

Step 2: Determine Who Does What When

Once you know the full play by play of the event, the next step is to break it out into pieces — both by time (phases) and role (points of view). In terms of phases, keep in mind that not everything happens at once in a real event, and it shouldn’t in your exercise, either. Depending on how much time you have allotted for the exercise, decide on a cadence for the event. For a partial-day event, start with four or five timed phases (e.g., 20 minutes each) that tie to key milestones. When you know how many there are, decide what portions of the “plot” occur within each phase and where you will place injects for maximum impact. If it’s helpful, document the stages of the exercise and the key portions of the narrative that occur within each in the playbook.

This next part is a bit trickier. Essentially, you’ll want to chop up each phase into smaller subnarratives that play out from a particular participant’s point of view. For example, maybe the second phase has an attacker moving laterally through the network. IT might know this right away, but HR won’t know unless it is communicated to them. Think about your participants as you develop these subnarratives. Ask yourself what they would know in a given situation, what’s important to them and what motivates them.

Put thought into how you’ll share information with participants and what you will share during each phase. In a real security event, many questions go unanswered and only some of what occurs relates to the situation. You can replicate this by providing information to participants that is only sometimes directly relevant. You can include information that is “flavor” (i.e., not germane to what you’re testing) and red herrings (information that seems germane but isn’t), along with data that is actually critical.

Once you know what information will be available to each participant during each phase, the last key step is to put together a system to communicate it to them. You want any sharing of information between individuals or teams to occur during the exercise, so use a mechanism that ensures they receive only the information targeted to them. The simplest approach is to start with sealed envelopes.
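One way to keep the playbook from Step 2 honest is to model it as data and lint it before printing the envelopes. The following is an added example, not the article's own material; the roles, phases, items and injects are constructed sample data for a ransomware scenario. The facilitator keeps the "critical / flavor / red herring" labels, while each role's envelope carries only the text it is meant to see.

```python
from dataclasses import dataclass, field

# Roles and playbook below are constructed sample data, not the article's.
ROLES = {"IT", "HR", "Exec"}

@dataclass
class Item:
    text: str
    kind: str                              # "critical", "flavor" or "red_herring"
    to: set = field(default_factory=set)   # roles whose envelope carries this item

@dataclass
class Phase:
    name: str
    minutes: int
    items: list
    injects: list = field(default_factory=list)  # (text, roles) surprises

PLAYBOOK = [
    Phase("Discovery", 20, [
        Item("Helpdesk ticket: three laptops show a ransom note", "critical", {"IT"}),
        Item("Quarterly all-hands is scheduled for tomorrow", "flavor", {"HR", "Exec"}),
    ]),
    Phase("Lateral movement", 20, [
        Item("EDR shows SMB logons from laptop-01 to the file server", "critical", {"IT"}),
        Item("An employee resigned this morning", "red_herring", {"HR"}),
    ], injects=[("External auditor arrives on site unannounced", {"Exec"})]),
    Phase("Ransom demand", 20, [
        Item("Note demands payment; attackers give 48 hours", "critical", {"Exec", "IT"}),
    ]),
]

def envelope(playbook, role):
    """Participant view: what one role opens in each phase. Kind labels stay with the facilitator."""
    out = {}
    for p in playbook:
        lines = [i.text for i in p.items if role in i.to]
        lines += [t for t, roles in p.injects if role in roles]
        out[p.name] = lines
    return out

def lint(playbook, roles):
    """Facilitator checks: every critical item reaches someone and no role sits idle in a phase."""
    problems = []
    for p in playbook:
        for i in p.items:
            if i.kind == "critical" and not i.to:
                problems.append(f"{p.name}: critical item has no recipient: {i.text}")
        reached = {r for i in p.items for r in i.to} | {r for _, rs in p.injects for r in rs}
        problems += [f"{p.name}: {r} receives nothing this phase" for r in sorted(roles - reached)]
    return problems
```

Running `lint(PLAYBOOK, ROLES)` on the sample flags that HR has nothing to open in the final phase, which is exactly the kind of gap that is easier to fix at the desk than mid-exercise.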

Step 3: Present Your Exercise

If you’ve followed the first two steps, you’ll have a master playbook that contains a high level of detail about the test you envision and a set of information you can communicate to each participant for each test phase. Congratulations! You’ve done the hard part. The fun part — actually conducting the event — comes next.

There are two things to keep in mind when presenting your exercise, particularly if you’ve never done it before. The first goes back to external guidance: If you’ve never seen a simulation like this in person, consider attending one to get a feel for how to run the exercise. The second point to remember is that it always helps to practice. Enlist people you know and trust to pilot your simulation and solicit honest and objective feedback. You may need to tweak the exercise based on what you discover during the pilot. You don’t want to be ironing out the kinks (or potentially falling on your face) in front of your peers, so pilot it as many times as you need to feel comfortable.

Lastly, when it comes to setting up a cybersecurity simulation, frills matter. Anything you can add to increase the immersiveness of the exercise or its utility is helpful. For example, you might choose to use a tool like Kahoot! or another gamified feedback mechanism to engage with participants in parallel with the exercise. Spending hours or days working through a detailed exercise can induce fatigue, and you want participants to stay engaged, so anything you can do to make it more fun and immersive is well worth it.

Incident Response Can Be Fun

When a data breach inevitably strikes, you’ll need your entire organization, from rank-and-file employees to top leadership, to be on the same page. A cybersecurity simulation is one of the best ways to develop a strong security culture throughout the enterprise because it challenges each department to communicate effectively and think critically to solve complex problems. With the right setting, challenging parameters and fine-tuned details, you can significantly boost your organization’s security and resilience posture — and have a little fun while you’re at it.
