Getting Started with Table Top Exercises for Incident Response

Author Elaine Harrison-Neukirch

In the past year, many organizations have moved to a remote workforce. Team sizes and resources are decreased due to employees having Covid or being quarantined. Over the same time period, Ransomware attacks have increased to a daily occurance. These are a few reasons that Table Top Exercises (TTE) should be a staple in Incident Response planning. They provide “practice” for the incident response team and stakeholders who have roles and responsibilities in the event of a real-life incident.

What is a Table Top Exercise?

A Table Top Exercise is an informal session, led by a facilitator. Attendees include key stakeholders and the incident response team. The goal of a TTE is to enable teams to “practice” incident response. A specific scenario (ex: a security event such as ransomware or a hacked system) is presented and discussed. The group determines the roles and responsibilities required for the specified scenario. They also decide what actions should be taken.

Why are Table Top Exercises important?

These sessions enable stakeholders to better understand the roles and responsibilities they will be assigned in the event that the scenario becomes reality. Often, discussions uncover gaps in the incident response plans. These can be corrected before a real life event occurs. Playing out the scenarios assures the team is comfortable with their assignments and will lend to less hesitation in responding to an actual event.

Who should be involved?

Anyone who has been assigned a role and responsibilities for an actual incident response event should be included. There may be a need for multiple TTE sessions. When my company ran through a TTE for a ransomware scenario, the initial session was for only IT teams. The next session included C-Level executives and directors, as well as others involved in the operational side.

How to get started

New to table tops? Not a problem. There are many resources available. These are a few of my favorites:

• National Institute of Standards and Technology - NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

• Center For Internet Security - Six Tabletop Exercises to Help Prepare Your Cybersecurity Team

• Black Hills Infosec - Backdoors and Breaches Incident response Card game

A quick Google search will unearth many other resources you can use when planning your first TTE. Reach out to group members of any security groups that you belong to, as well as your LinkedIn network. You most likely have a connection who has done one or many of these and would be happy to help.

Components of a Table Top Exercise

1. The Scenario - Pick a scenario that your organization sees as a viable threat. Ransomware is a hot topic, especially in the healthcare and education sectors.

2. The Facilitator - Who will lead the TTE? Select someone who is familiar with both the IT and Operations sides of the organization. This person may be helpful in determining which stakeholders should attend the initial session as well as additional TTE sessions.

3. The Stakeholders - Which individuals or teams need to be involved in the TTE? This may be determined by your organization’s incident response plan.

4. The Incident Response Plan - This should be available to all participants and can be used as a guideline. The incident response plan will be needed when determining gaps as the TTE progresses.

5. Notes and Action Items - Assign a participant to take notes during the TTE and create action items for followup.

6. Post TTE Survey - Send a survey after the TTE has completed. Use the survey as a tool to gather information on improving the TTE sessions and making them more valuable.

Organizing a Table Top Exercise for the first time can be daunting. Review the plan with your manager and get it approved before moving forward. A Table Top exercise is not a one time session. TTEs should be held throughout the year, using different scenarios.

Due to the pandemic, virtual TTEs are advised. There are benefits to virtual sessions. As with most longer virtual meetings, the challenge is keeping everyone focused. Plan for breaks, giving participants time to stretch or grab a coffee! Start with a smaller group until you and your facilitator are comfortable with holding virtual sessions.

Lessons Learned

1. IT is not the only department that should be involved in TTEs. Operational owners and leaders for all areas of the organozation should be involved as they are all impacted when an incident occurs.

2. Detailed notes need to be taken and action items created.

3. There should be someone assigned to follow up on action items and assure they are completed.

4. Sending out a post TTE survey to participants is a great way to gather feedback on how furture TTEs can be more effective.

About the author: Elaine Harrison-Neukirch is a Network security Engineer and aspires to educate many people about Cyber Security and Cyber Hygiene.