
Quick Wins: Tabletop Exercises and Incident Response

At Ember Lake, our New Year’s resolution is to make cybersecurity easier to approach and easier to put to work for each of our clients. As cliché as it sounds, we’ve taken some time to come up with a series we’re calling “Cyber Quick Wins”: monthly blog posts to help raise cybersecurity awareness levels as well as provide nuggets of information to take back to your own organizations.

This month’s topic is Tabletop Exercises (“TTX”), Digital Forensics and Incident Response, and the relationship between them. Cyber readiness is often spoken about, but, unfortunately, it tends to be a “policy piece” instead of a “practice piece”. One of the most efficient ways to bolster readiness is using Tabletop Exercises. These exercises are not merely theoretical drills – they are essential tools for combating cyber threats and understanding the organization’s response capabilities. They become even more prudent if you’re a CIMA-regulated entity: the Statement of Guidance for Cyber specifically requires that they be performed annually (CIMA SOG:C April 2023, 9.1(h)). More information about the SOG:C can be found here and here.

What are Tabletop Exercises?

Tabletop Exercises are interactive sessions where team members walk through hypothetical emergency situations. These scenarios, often simulating potential real-world events such as cyber-attacks or natural disasters, provide a platform for teams to discuss, analyze, and refine their response strategies. The beauty of TTXs lies in their format: a low-cost, high-impact approach that allows for thorough evaluation of plans without the complexities of a real-time simulation.

The importance of TTXs within an overarching security strategy can’t be stressed enough. They serve multiple purposes, such as:

  1. Preparing teams for potential cyber-attacks by highlighting roles and responsibilities.
  2. Highlighting the critical controls that protect data flows and assets.
  3. Identifying and remedying gaps in existing response plans.

By simulating theoretical scenarios in a controlled environment, organizations are not only testing their preparedness but also uncovering potential vulnerabilities in their infrastructure and areas for improvement. This proactive approach is invaluable for training members of any Incident Response Team on the organization’s response and communication requirements. TTXs are also pivotal in underlining the importance of coordination and teamwork. The collaborative nature of these exercises ensures departments understand and appreciate their roles, leading to a more cohesive and effective response when a real incident strikes.

What Makes an Effective Tabletop Exercise?

The success or failure of a TTX hinges on planning and execution. Two important factors are present in every successful exercise:

  1. Set clear, achievable objectives so all participants are aligned with the exercise’s goals.
  2. Identify the right mix of participants and ensure they are included (where appropriate) within the Incident Response Team.

Developing realistic scenarios tailored to the organization’s specific risks and environment is crucial in making the exercise relevant and engaging.

The actual execution of the exercise should be interactive and immersive, leveraging realistic scenarios tailored to the organization (bonus points for creating scenarios that encourage and generate active participation). Each exercise should kick off with a detailed debriefing where discussions and actions are analyzed to identify strengths, weaknesses, and areas for improvement. As with any Incident Response Policy, a “Lessons Learned” session should be held afterwards to capture feedback, serving as a roadmap for enhancing future responses and exercises.

So Where Do Incident Response Teams Come In?

While TTXs are one important step in preparing for incidents, the presence of a dedicated Incident Response Team is equally crucial. Specializing in managing various types of incidents, these teams have expertise and regular involvement in live incidents and typically have the skills and capacity to perform digital forensics. This forensic analysis attempts to identify the Tactics, Techniques, and Procedures (“TTPs”) used by an adversary within a cyber incident in order to understand its scope and scale. Without understanding the full breadth of an incident, the organization can’t effectively respond to it. Including the IR team in TTXs ensures they provide insight into the technical capabilities of the organization’s controls and into the IR team’s own capabilities – two pieces of critical information to have prior to an incident.

In this scenario, the services offered by dedicated DFIR teams become invaluable. These teams not only provide expertise in conducting effective TTXs but also offer specialized incident response services. For example, Ember Lake has experience leading Incident Response for several on-island entities and partners with leading DFIR teams to provide further support during an incident.

All organizations benefit from expert guidance in both preparing for and responding to incidents. Having a dedicated partnership before an incident offers a dual advantage: enhancing internal teams’ capabilities through TTXs while having access to specialized incident response services that add an extra layer of security.

Closing Thoughts

Integrating TTXs into an organization’s security strategy is an extremely cost-effective measure that can have wide-reaching benefits. Not only do these exercises prepare teams for potential incidents, but they also play a crucial role in identifying vulnerabilities and opportunities for improvement, and in strengthening coordination. Coupled with the expertise of a dedicated DFIR team or specialized cybersecurity firm (like Ember Lake), organizations can significantly enhance their readiness and resilience against a myriad of threats, ensuring a robust defense in the face of ever-evolving cybersecurity challenges.

To learn more about how Ember Lake can assist with Incident Response or other cybersecurity professional services, send us an email at info@emberlake.ky.