Everything you need to know about cyber crisis tabletop exercises


Nowadays, cybersecurity has become a major concern in all industries due to the increasing dependence of organizations on technologies. Research by Immersive Lab reported that in 2019 there were more than 20,000 new vulnerabilities. Not only that, TechRepublic reported that global businesses saw a 148% increase in ransomware attacks after COVID-19 hit the world. So, for most organizations, the question is not who will be the target of a cyber attack. Instead, the question is, “When will this happen and how to deal with it?” “

Organizations need an incident response plan to combat future incidents so that they can protect their reputation and finances from malicious activity. But how can they know that the plan they have is effective enough to mitigate future cyber incidents? Using a Cyber ​​Crisis Tabletop Exercise (CCTE), organizations can test or rehearse the emergency preparedness plan before a crisis occurs.

What is a tabletop exercise in the event of a cyber crisis?

A cyber crisis tabletop exercise, also known as a cyber incident response test, helps organizations identify different risk scenarios and prepare them for cyber threats. This is to assess whether your organization’s incident response plan is working effectively in the event of a cyber attack. To this end, he considers several simulated scenarios that could have a profound impact on your business if they happened in reality.

Internal and external stakeholders, C-level executives and / or an internal security team in your organization can participate in a CCTE. The entire exercise is guided by a trained facilitator or senior staff who analyzes an organization’s crisis management capabilities and ensures that response and recovery plans are well coordinated and communicated. They also keep participants focused on the exercise goal.

Benefits of the cyber crisis table experience

Cyber ​​crisis exercises help companies achieve the following goals:

  • Develop a better understanding of violations in a cost effective manner without any disruption to business systems and processes
  • Maintain company reputation and customer confidence through effective communication and better management
  • Coordinate communication within teams and departments, thereby improving the effectiveness of response plans
  • Help management staff and other participants understand their roles and responsibilities in the event of a cyber attack
  • Identify flaws or flaws in the response plan and assess the capacity and preparedness of teams in the face of an incident

Types of cyber crisis scenarios to practice with a tabletop exercise

There are certain cyber crisis scenarios that organizations may face in the future that could affect their business continuity. To mitigate these threats, organizations must be aware and well prepared to respond to the scenarios and threats mentioned below.

Scenarios 1: Malware attack

A malware attack is where criminals enter your system through malware so that they can destroy your system or gain access to sensitive information. It could involve an employee of your company accidentally inserting a malware infected SD card into the company system.

In this scenario:

  • Process tested: Detection capacity / User awareness
  • Threat actor: accidental insider
  • Affected asset: network integrity

Scenario 2: Unauthorized access

This is one of the most common examples of a data breach where attackers intend to gain access to your organization’s data or network without the required permissions.

In this scenario:

  • Process tested: incident response
  • Threat actor: hacktivist
  • Affected asset: Network / System

Scenario 3: Ransomware attack

This is one of the difficult situations for organizations to deal with. According to Verizon 2021 Data Breach Report, the range of losses in 95% of ransomware cases was between $ 70 million and $ 1.2 million; the median amount lost was $ 11,150. This threat took third place in offenses, doubling its frequency compared to last year.

In this scenario:

  • Process tested: incident response
  • Threat actor: external threat
  • Affected asset: financial data

Scenario 4: Compromise in the cloud

Almost all businesses today store their data in the cloud. Attackers know this, which is why they increasingly target these environments to expose sensitive information.

In this scenario:

  • Process tested: incident response
  • Threat actor: external threat
  • Affected asset: Cloud

Areas of intervention to cover for a successful tabletop exercise workshop

To ensure the success and effectiveness of the exercise and the desired outcome for business continuity, the following areas of intervention should be covered:

1. Scenarios and threats

To be successful in a tabletop exercise, the facilitation team intends to create scenarios and threats to focus on questions such as “Who is the threat actor?” “, ” What is his intention ? And “How will the team handle and react to the attack?” “Focusing on threats and scenarios helps businesses understand the risks they might face after a cyber attack and confirm that the cyber incident response plan is effective enough to eliminate those risks.

2. Threatening actors

Threat actors can be a group / individual with malicious intent or a key factor in malicious activity that seeks to undermine the IT security of an organization. It is essential to involve threat actors in the simulation exercise of organizations and to assess their impact on a business.

3. Critical assets

Another critical element to a successful cyber crisis tabletop exercise is to simulate a compromise involving critical business assets. Therefore, it is essential that participating teams address the impact of an attack on their critical assets and reassess the plan to protect or mitigate the effects of cyber crises on those resources.

How to perform a cyber-crisis tabletop exercise?

As we explained earlier in the blog, CCTE participants test their response capabilities. They can use the following steps to design and conduct a cyber crisis simulation exercise:

Step 1: Identify the objective

The selection of objectives should be determined based on the basic capabilities specific to the needs of an organization during a cyber attack.

Step 2: Composition of teams and stakeholders

After identifying the goal, organizations should identify the exercise leadership team, stakeholders, planning team, and facilitation team to successfully plan, design, and conduct the exercise.


Step 3: Select the type of scenario

Once your organization has finalized the team and its objective for the exercise, the leadership team should identify the type of scenario for the incident or cyberattack and create one in order to put the plan into practice. ‘exercise.

Step 4: Create a meeting calendar

The exercise leadership team should create meeting schedules for other participants to discuss exercise design topics and review response plans.

Step 5: Design the exercise and provide a schedule

The design of the exercise is different for each organization. It depends on the type of scenario that the exercise hosts. To do this, develop a scenario with surprising elements and formulate a series of probing questions to stimulate discussion among team members. In addition, a timeline is provided for the exercise to take place.

Step 6: Conduct the exercise

After that, the exercise is performed, where many ideas and solutions are provided and evaluated.

Step 7: Prepare the improvement plan

After performing and evaluating the exercise, a detailed after action report is prepared with potential improvements.

A TTCE is a flexible approach, and the steps for performing the exercise can be customized depending on the purpose of the exercise. The rule of thumb for every tabletop experience is the same, however: once an exercise is considered complete, the conclusions and lessons learned are documented in the after action report / improvement plan. And the plan is changed accordingly.

Best Practices for Making Cyber ​​Crisis Tabletop Exercise a Success

There are certain best practices that every organization should follow in order for a tabletop exercise to be successful and effective. Here are a few to remember:

  1. Take the time to prepare incident response plans for the exercise
  2. Involve several members of the whole organization to form teams
  3. Make sure all participants know the basic rules of the exercise
  4. Leverage the resources of external organizations, government and your industry
  5. Keep the scope of the exercise wider while structuring the tabletop exercise
  6. Invite subject matter experts to the planning team to make the scenario realistic


A tabletop exercise is a crucial approach in cybersecurity. However, this exercise is not limited to cybersecurity. Any organization facing a disaster or crisis can benefit from this exercise. CCTE is designed to uncover organizational weaknesses and ensure organizations are implementing best practices and protocols for cybersecurity.

However, it is worth spending the time for the exercise if you have a response plan ready for the scenario you are going to go through and if the top management is willing to let you modify the plan and policies depending on the outcome of the situation. exercise.

Not only that, but make sure that the tabletop exercise conducted by your team is appropriate for your organization.

About the Author: Hardik Shah is a technical consultant at Simform, a company that provides vscustom software development services. He leads large-scale mobility programs that cover platforms, solutions, governance, standardization and best practices.

Editor’s Note: The views expressed in this guest author’s article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.

Source link

Leave A Reply

Your email address will not be published.