Security pros generally agree that the best way to prevent a data breach is to implement strong security controls and preparedness against potential vulnerabilities. However, there’s a notable shift occurring where some traditional cybersecurity tabletop exercises are morphing into full-scale incident response simulations.
Traditionally, tabletop exercises put security teams to the test by simulating various scenarios. These simulations can range from dealing with a DDoS attack to addressing an insider threat, yet they all follow a similar incident response (IR) framework. For instance, the Center for Internet Security offers a guide featuring six sample scenarios along with corresponding questions to ask during the exercises.
However, tabletop exercises often fall short of achieving the objectives because they are organized by people inexperienced in the task, warned Andre Slonopas, the cybersecurity department chair at American Public University System, a for-profit university. “There's a proper way of initiating the process, but nobody knows what it is,” he said.
Prioritizing Business Impact
C.J. Dietzman, senior vice president of Alliant Cyber at Alliant Insurance Services, pointed to another common weakness in cybersecurity tabletop exercises: Participants approach the tests from a technological perspective rather than by focusing on business priorities.
“Technology will be a component but not the key component,” Dietzman said. He likened it to a business continuity and disaster recovery planning exercise. “You must consider the nuanced aspects of the business, including functions and mission-critical business processes. Then you work backward because those are the things that are going to have the greatest [business] impact.”
For example, focusing on the key third parties that the organization will likely have to rely on during a cyber incident can result in some ‘aha’ moments, Dietzman said. He advised testers to include:
- The company’s cyber insurance broker or carrier contacts.
- A list of the insurance company’s preferred panel service providers, public relations contacts, and other contractors who will be providing essential services.
“A general check-the-box, minimalist approach has never been sufficient,” added Michael Barcomb, director of Executive Cyber Exercises at SANS Institute. “The types of blind spots that I encourage my clients to contemplate, in the context of a cyber incident response, have very little to do with technology.”
Here are some key questions to consider:
- Have you addressed all the regulatory and compliance matters relevant to communications, including both internal and external communications?
- Who is responsible for managing these communications?
- What messages are both prudent and appropriate in this situation?
- What communications should be reviewed by counsel before dissemination?
- Depending on the scale of the event, should you talk to media outlets?
- Who ensures that line managers, executives, and supervisors throughout the organization convey the appropriate messaging?
- What message should be communicated to clients and customers?
- Are there additional topics beyond these that require consideration?
“If you don't thoroughly plan and then validate your readiness from a communications and compliance standpoint, you can put the organization in a really bad spot,” Barcomb said.
Immersive Simulations vs. Canned Exercises
Dietzman recommended running full-scale simulations where nearly all staff members, except for key personnel like the CEO, general counsel, and CISO, are led to believe that the incident is an actual breach. This could entail scenarios such as receiving a 4 a.m. phone call on a Sunday reporting the detection of an incident, followed by the full implementation of the IR plan. In some cases, organizations might ask FBI or Secret Service agents to participate by roleplaying as if the breach were real.
“[Sunday at 4 a.m. is] when the real call is going to come,” Dietzman said. “It's not going to come during the business hours to fit comfortably into your schedule.”
Barcomb, a retired U.S. Army colonel and intelligence officer and former IBM cloud executive, agreed. He has run tabletop exercises in both military and corporate environments, using immersive techniques to simulate high-pressure, high-risk scenarios. These exercises put corporate executives at the center of what could be a potentially catastrophic breach.
Experiencing scenarios like receiving that early-morning phone call and having Secret Service or FBI agents onsite, roleplaying as if the breach were genuine, provides security teams and executives with a sense of realism, Barcomb said.
Richard Stiennon, chief research analyst at IT-Harvest and author of There Will Be Cyberwar, added that practicing IR playbooks often reveal areas that need improvement.
Companies must have current contingencies in place for potential disruptions, such as a storm knocking out phone lines or key personnel being unavailable, Stiennon said. Having an IR plan that lacks task assignments for current employees can pose a liability.
He suggested that enterprises approach cybersecurity tabletop exercises with the same dedication as Apple co-founder Steve Jobs approached giving a speech — rehearse it again and again. Regular practice for major events, be it a speech or a data breach, helps develop muscle memory to make timely decisions. Hesitation during an incident response, such as indecision on the next step, can cost valuable time while data is compromised or exfiltrated.
Ensuring that an incident response team is fully prepared for the inevitable occurrence of a cyberattack often determines the outcome – successfully defending against the attack and minimizing exposure, or falling victim to it, Stiennon said.
Making the Business Case
It’s vital to engage the organization’s CEO and other top executives in cybersecurity tabletop exercises. To ensure this, CISOs must find ways to get buy-in from the board of directors. If a CISO fails to get the CEO to show up at the exercise, they have likely failed to convey the severity of potential breaches.
“You should have been selling the fear, uncertainty, and doubt all these years,” Stiennon said. “You can do it educationally. You can make them aware of the things that you see on your network every day.”
He recommended taking a page from the Lockheed Martin cybersecurity handbook: Provide the executive team with weekly updates on the progress of attack teams targeting the corporate network. By showcasing evidence of potential attacks and the daily measures being taken to protect the company, you increase the likelihood of gaining their support.
Stiennon also suggested varying the types of simulations and the timing of tabletop exercises. While it may be beneficial for the CISO to run a comprehensive attack simulation annually, it’s also wise to run simulations of more common, mundane attacks.
Additionally, it is important to remember that sometimes a company may not be the primary target of an attack but rather part of another company’s supply chain. Stiennon cited the example of the 2011 RSA breach, where attackers sought the security tokens of RSA’s clients, not necessarily RSA’s tokens. In this case, RSA became collateral damage.
