October 31, 2018 By Ed Moyle 5 min read

Sometimes the best way to train is through hands-on simulation. In security, one particularly useful simulation strategy is a roundtable or tabletop exercise. If you’re not familiar with the tabletop concept, think of it as essentially a structured war game in which participants work through a defined, scripted scenario that mirrors what they might encounter in real life.

This could be an incident response situation, a malware breakout, a rogue insider threat or any other scenario that demands carefully planned, thoroughly rehearsed processes, procedures and strategies. You might choose to run a lighter-weight cybersecurity simulation by simply walking through response activities, or you can opt for a more hands-on test where participants spend time physically playing out their role.

How Can Security Leaders Facilitate Meaningful Discussion With Top Management?

I’ve found tabletop exercises to be particularly effective for ransomware preparation because they tend to trigger discussions with executives about whether to pay the demanded fee to unlock enterprise data. Most security professionals — myself included — believe that paying a ransom increases the likelihood that you’ll be targeted again in the future. Furthermore, there is no guarantee that an attacker would actually follow through and return the stolen files, and you’ll lose credibility if the incident comes to light later.

Business leaders often have conflicting opinions on this matter. From their perspective, a ransom is merely pocket change compared to a catastrophic business disruption. A tabletop simulation gives security leaders an opportunity to offer their viewpoint when executives aren’t dialed up to eleven.

3 Steps to Build an Immersive Cybersecurity Simulation

Despite the utility of tabletop exercises, designing and deploying one can be daunting. This requires implementing performance elements, which not everyone is comfortable doing. It’s also a more creative pursuit than many security professionals are used to and, frankly, it’s somewhat afield of the work they normally do.

Fortunately, there are steps security leaders can take to develop an effective cybersecurity simulation. The key is to start with a simple exercise to get familiar with the process, then introduce more complex elements as you get comfortable and start to see success.

Step 1: Figure Out What You’re Testing

The first and most important step is to determine what you want to test. This seems obvious, but there’s actually more to it than you might think. In the ransomware scenario described above, for example, the answer to “What you are testing?” isn’t just ransomware response. What are the specific details of the incident? What systems are impacted? Who discovered the ransomware, and how? What are the attackers’ goals? Are there unrelated things happening in the organization that might impede incident response?

These are all important points that you should decide on ahead of time. In an ideal world, each answer would map back to a goal you’ve set or question you hope to answer. Let’s say, for example, that you’d like to test whether a specific team knows how to alert technology groups to potential incidents; in that case, you might establish this team as the one that initially discovers the incident in your simulation.

The more specificity and clarity you have related to these details, the easier the rest of the development process will be. Lacking specificity in your planning at the outset means you’ll either run out of steam or have to go back and rework the exercise midway through. In fact, this planning is so important that I often write it out in a high level of detail in an incident response playbook.

You’ll also want to brainstorm unexpected or unanticipated surprises (injects) and write them into your playbook. Perhaps your organization is audited in the middle of a chaotic incident, for example, or maybe there’s turnover in staff. The playbook should also address what to do if the CEO goes on CNN to discuss the breach publicly. Whatever scenario you ultimately decide to inject into your training, it’s important to raise the stakes a little bit, introduce some potential anxiety and increase immersion.

Step 2: Determine Who Does What When

Once you know the full play by play of the event, the next step is to break it out into pieces — both by time (phases) and role (points of view). In terms of phases, keep in mind that not everything happens at once in a real event, and it shouldn’t in your exercise, either. Depending on how much time you have allotted for the exercise, decide on a cadence for the event. For a partial-day event, start with four or five timed phases (e.g., 20 minutes each) that tie to key milestones. When you know how many there are, decide what portions of the “plot” occur within each phase and where you will place injects for maximum impact. If it’s helpful, document the stages of the exercise and the key portions of the narrative that occur within each in the playbook.

This next part is a bit trickier. Essentially, you’ll want to chop up each phase into smaller subnarratives that play out from a particular participant’s point of view. For example, maybe the second phase has an attacker moving laterally through the network. IT might know this right away, but HR won’t know unless it is communicated to them. Think about your participants as you develop these subnarratives. Ask yourself what they would know in a given situation, what’s important to them and what motivates them.

Put thought into how you’ll share information with participants and what you will share during each phase. In a real security event, many questions go unanswered and only some of what occurs relates to the situation. You can replicate this by providing information to participants that is only sometimes directly relevant. You can include information that is “flavor” (i.e., not germane to what you’re testing) and red herrings (information that seems germane but isn’t), along with data that is actually critical.

Once you know what information will be available to each participant during each phase, the last key step is to put together a system to communicate it to them. You want any sharing of information between individuals or teams to occur during the exercise, so use a mechanism that ensure they receive only the information targeted to them. The simplest approach is to start with sealed envelopes.

Step 3: Present Your Exercise

If you’ve followed the first two steps, you’ll have a master playbook that contains a high level of detail about the test you envision and a set of information you can communicate to each participant for each test phase. Congratulations! You’ve done the hard part. The fun part — actually conducting the event — comes next.

There are two things to keep in mind when presenting your exercise, particularly if you’ve never done it before. The first goes back to external guidance: If you’ve never seen a simulation like this in person, consider attending one to get a feel for how to run the exercise. The second point to remember is that it always helps to practice. Enlist people you know and trust to pilot your simulation and solicit honest and objective feedback. You may need to tweak the exercise based on what you discover during the pilot. You don’t want to be ironing out the kinks (or potentially falling on your face) in front of your peers, so pilot it as many times as you need to feel comfortable.

Lastly, when it comes to setting up a cybersecurity simulation, frills matter. Anything you can add to increase the immersiveness of the exercise or its utility is helpful. For example, you might choose to use a tool like Kahoot! or another gamified feedback mechanism to engage with participants in parallel with the exercise. Spending hours or days working through a detailed exercise can induce fatigue, and you want participants to stay engaged, so anything you can do to make it more fun and immersive is well worth it.

Incident Response Can Be Fun

When a data breach inevitably strikes, you’ll need your entire organization, from rank-and-file employees to top leadership, to be on the same page. A cybersecurity simulation is one of the best ways to develop a strong security culture throughout the enterprise because it challenges each department to communicate effectively and think critically to solve complex problems. With the right setting, challenging parameters and fine-tuned details, you can significantly boost your organization’s security and resilience posture — and have a little fun while you’re at it.

Listen to the podcast to learn more

More from Incident Response

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today