A tabletop exercise is an engaging and realistic simulation of a cyber crisis situation. It tests the human and managerial factors of a response to a potential cyber-attack, rather than the technical defences. It can be used to test incident response plans and cyber exercise playbooks, expose weaknesses and lead to improvement.
A tabletop exercise builds cyber resilience. It develops and reinforces the competencies of those who would be responsible in the event of a cyber-attack in a realistic but non-threatening environment.
Typically, an exercise involves a realistic scenario and a plausible timeline over which the attack and its repercussions take place. Sometimes they are run solely with the management team in one room, other times they can involve multiple teams and even key clients or partners.
The more relevant and targeted the scenarios, based on the critical assets, risks and nature of the organisation, the more beneficial the exercise is for the organisation.
The exercise should finish with a short “hot debrief” on the day and then be evaluated and a report issued to all attendees with an evaluation and recommendations for improvements.
A tabletop exercise is a low-risk way to make practical improvements in the way your organisation would handle a cyber-attack. Cyber exercises are a key part of building cyber resilience and recommended by The NCSC, FCA, ICO, INCIBE and other bodies worldwide.
- Improve the skills of your Crisis Management Team (CMT). Exercises improve problem solving abilities and make members more aware of their individual roles and responsibilities, improving critical thinking in a “realistic” crisis.
- Test existing incident response plans. Improve response plans and playbooks. You may decide you need specific playbooks for the most likely attacks, for instance ransomware. It also allows you to test your command structure and escalation.
- Improve internal and external communications. Exercises can help you create and validate communication templates and test how and when messages are communicated to stakeholders.
- Improve response times. Companies that run exercises respond faster and more effectively – give your Crisis Management Team the confidence to make quick and good decisions.
- Build awareness of cyber risk. Exercising allows you to raise awareness of cyber threats both for your CMT and for the organisation as a whole.
- Get management buy-in. The increased awareness of cyber issues generated by an exercise can create impetus for improving incident response plans and preparation, onboarding third parties who may help in a response, and training staff to respond to a cyber-attack.
It is important to have a team of individuals – a Crisis Management Team – who will take charge in the event of a cyber-attack, and who have worked together in preparation for such an event. Depending on the size of your organisation, your CMT will likely include representatives from legal, HR, operations, communications and cyber security. You may want to include suppliers, key clients or partners in your exercises.
Many organisations operate a 3-tier command structure. This is often called a “GSB” structure, with Gold, Silver and Bronze level response teams.
In addition to the participants, it is useful to have a loggist to record what actions were taken and when, as well as an exercise lead or facilitator who directs the exercise, organises the hot debrief at the end of the exercise and writes a report of recommendations.
Ensure you have deputies for each role on the crisis management team. It is also worth running the same exercise with your deputies so they have received the same level of training, so that should a crisis occur while some members are away, or have recently left the organisation, your CMT can continue to function at its optimal level. Remember your deputies will need an opportunity to practise too!
Set clear tabletop exercise objectives. It is important to set clear objectives for your exercise; this may be to test your organisation’s response to a ransomware attack, improve internal communication in an incident, or test a newly written ransomware playbook. Setting clear objectives is explained in more detail below.
Get everyone on board. It is vital to ensure that senior management understands the benefits of running the exercise and can assist in getting people involved in developing the scenario and in ensuring that everyone necessary will attend and contribute to the exercise. Find a date that all key players can make, and get senior management members on board with the exercise so that everyone makes the event.
Make it concise and engaging. Realism and relevance are critical to a successful exercise. The story should give your team the opportunity to respond to a situation that they could face in their roles tomorrow. If tabletop exercises are new to the organisation, start with a relatively short and simple exercise to create a positive and useful experience for attendees. Keeping it short also makes it easier for attendees to find space in their busy calendars. You can generate a lot of useful recommendations from a short exercise. Hopefully once they have completed an exercise and seen how it can benefit them and their departments in the event of a cyber-attack you can consider longer, more complex, tabletop exercises.
Get input from relevant departments to add realism. Involve your SOC, HR and Comms in creating a realistic scenario and in providing updates throughout the process.
Make it a positive experience for attendees. While there is nothing “fun” about having your company fall victim to a cyber-attack, a successful exercise is a great way for a management team to work together and build their skills in a crisis situation. A team which has not yet worked together like this may be naturally cautious, but can quickly come to appreciate the benefits and enjoy the experience. The key to an exercise being successful in our view is leaving the team feeling more confident and competent in their roles.
Learn and improve. You will learn a lot from running an exercise and generate lots of ideas for improvements. Some of these will be easy to implement, others will take longer. Write up the outcomes from the exercise and get the recommendations actioned. The recommendations should be reviewed in the planning for the subsequent exercise to see if there are any aspects that need retesting.
Setting clear objectives is vital, and should be done early on in the process. Clear objectives allow you to properly assess the success of the exercise and plan the next steps in your cyber resilience journey.
There are a wide range of things that can be tested in an exercise and any test can have multiple objectives to it. If you have an incident response plan or cyber exercise playbook then one objective would be to test that plan.
Ask yourself: what am I looking to achieve by running this exercise?
Common exercise objectives include:
- Practice team co-ordination during a cyber attack
- Test your use of incident playbooks
- Practice using internal and external communications templates
- Raise awareness of cyber issues and how they could impact your business
- Test your response to a ransomware attack
It is tempting to launch straight into designing the scenario, as that is the exciting bit, but this is an error. The reason we are running an exercise is to test a set of objectives and hopefully identify areas for improvement. Let the objectives drive the scenario, not the other way around.
“Create the scenario to fit the objectives, and the injects to bring the scenario to life.”
Once you have decided on the objectives of your exercise, the next step is to begin to build the scenario or storyline. The scenario is the high-level script which presents participants with the opportunity to test the objectives already chosen, in a lifelike and believable way.
Many attacks involve the exfiltration of PII, but your company might be more concerned about intellectual property loss or unauthorised transfers. Building cyber resilience means knowing what likely disruptions could occur and running exercises to test those specific scenarios.
The scenario is broken down into separate injects – updates which are given to the participants which advance the story and introduce new elements to respond to.
Injects. In a tabletop exercise each update given to the CMT on the evolving scenario is called an inject. Each inject is designed to advance the storyline and give the CMT new information to analyse and respond to. The injects should lead to decisions that relate directly to the objectives of the exercise.
When creating the scenario and its injects, bring in relevant information from different departments. This makes the exercise more realistic and closer to what the attendees would experience in the event of a cyber-attack.
Realism: model the scenario on relevant real-life incidents. For example, if your exercise is based around a supply chain attack, include components and tactics from recent cases and ask questions like:
- Where do we get what we need to do the business functions we do?
- How do we get those goods or services?
- What could go wrong or disrupt this?
It is vital that your injects are technically realistic and reflect your organisation. For example, if your customer-facing platform is taken offline, discuss with your tech team what this would look like and which specific services would be down, and use REAL names, systems and departments. The scenario must be credible and reflect your company’s structure.
Third parties: consider how you are going to work with third parties such as forensic companies or insurers.
Decision points: injects should lead to relevant decision points where attendees can respond to injects with a clear action. This could include requesting more information, issuing a statement, bringing in a third party or shutting down a network or service.
Incident response plans: If your organisation has a cyber incident response plan, ransomware playbook or other document, use those to create relevant injects – make sure you are giving participants the opportunity to test the plans they have.
Communication plans: How you communicate with clients, stakeholders and the public is vital in an incident and well worth testing as part of an exercise. What are you responding to? Do you have a template? What are staff thinking, or saying? Words are important. A crisis isn’t the time to try to invent great comms statements on the spot. Some pre-planning is essential for the statement to land well and be timely and transparent.
Cryptocurrency: If a ransom is being demanded by attackers, then you will need to consider in what circumstances you would pay and how you would pay.
Timeline: Include the day, date and time at which this is taking place. Cyber-attacks don’t come at a time that is convenient to you. Ask “when would be the worst time for this to occur?” and set the attack to happen then. Maybe that’s a Friday afternoon just before a national holiday? Maybe that’s just before markets close? This depends on your industry and organisation.
“Injects advance the storyline and give the CMT new information to respond to”
The Limitations of “Off the shelf” exercises
Using ready-built tabletop exercises from a government agency or third-party supplier can provide a useful first step in testing your defences to a cyber-attack. However, whilst convenient, their generic nature has a number of key disadvantages:
- Unlikely to fit your company or sector profile so will need considerable adaptation.
- Doesn’t take into account your organisation’s structure and defences or critical assets.
- Often very simplistic and “vanilla” and lacking engagement so you need to customise them.
- Lacks a clear process for assessment and internal improvement.
While it can seem like a quick win to bring in one of these documents, if it doesn’t work as expected and is regarded as a waste of time by attendees, it may be harder to get buy-in for further exercising down the line. They are definitely a good first step, and if you currently have no plans or playbooks developed at all they are ideal for starting that process.
So, you have done all the hard work on building your objectives, creating a relevant and believable environment and got all your team together for the exercise. Now let’s look at how to run the exercise on the day.
Explain the exercise. Tell participants why the exercise is being completed; have a short pre-exercise presentation to refresh the purpose of the exercise and recap the benefits.
Encourage positive engagement. Our belief is that although we are testing a crisis scenario, tabletop exercises should be an engaging and positive learning experience for all the attendees. Explain that this is not a test and there are no wrong answers, and that the “likely response” participants give to a particular inject or update is very likely what would actually happen in a high-stress incident like a real cyber-attack. Remember you want to be able to continually improve your defences to a potential cyber-attack, so make the exercise engaging and a positive experience for all attendees.
Work with the scenario. For example, if it involves a ransomware infection, it isn’t helpful for someone to say “that wouldn’t happen – the firewall would stop it”. Instead, participants should be encouraged to work with the scenario and work through what would happen “if” that were to occur. Getting senior team buy-in is a great way to ensure team members engage with the scenario.
Log discussion and action. Take notes on what is discussed and decided upon during the exercise. If you are running a virtual event this could be as simple as recording it for later analysis; if you are running a face-to-face event, ensure there is someone taking notes as a loggist throughout the event. Having an extensive log of the activity will be vital for creating the post-exercise report later.
Read our article on the importance of having a loggist here
Log when things happen. Success in managing a cyber-attack is often about when a decision takes place, as much as whether it takes place. For example, your decision to inform your call centre that an attack has taken place is a good decision. Less so if it takes place 36 hours after it is all over social media; by then rumours will be rife throughout the organisation and the call centre will be fielding angry calls with no information.
Enjoy the exercise! Exercises are useful and fun. It might seem daunting at first, but 100% of the exercises we have run have been a fun, positive experience for attendees. It’s not a test, it’s a learning environment and heavily focused on team building.
Post Exercise Hot Debrief. After you have finished the last inject, the exercise facilitator should lead a brief discussion and get attendees’ feedback on the exercise. This is an excellent opportunity to get ideas on ways to improve processes and actions that emerged during the exercise but may not have been clearly expressed in the heat of the moment. This feedback should be logged and added to the report along with any actions that come out of the process.
Finally, as the last part of the exercise you may wish to ask the attendees to complete exercise evaluation forms to get feedback on how the exercise was run. This can be useful in evidencing objectives relating to risk awareness and confidence.
With the exercise complete and all notes and feedback collected, it is time to evaluate the exercise and write up the recommendations.
The exercise facilitator should set about writing up the exercise evaluation as soon as possible after the exercise has been completed, while it is still fresh in the mind.
So, how do you go about evaluating a tabletop exercise?
The evaluation covers three key areas: an assessment of how the team performed against the objectives set at the outset; observations and recommendations that emerged during the exercise relating to its content; and finally the points raised and logged in the hot debrief.
The report, along with a summary of the exercise materials, should be distributed to the team members as soon as possible after it is created, with the opportunity given for feedback.
Depending on the contents of the report you may wish to give a redacted version to senior staff who were unable to attend and to the B-Team if one exists. An exercise report can be a highly sensitive document and should be treated appropriately.
Hopefully your exercise will have been a useful and engaging activity, generating a good level of debate and lots of good ideas about how to improve your organisation’s response to a cyber-attack. In order to improve your cyber resilience, it is vital that actions from the report are properly assigned and monitored through appropriate means! Make sure the improvements are implemented and feed back into the exercise and improvement cycle.
We recommend that tabletop exercises are completed at least once a year. This gives ample time for the report to be considered and the recommendations implemented. Regulators from different sectors also recommend running annual exercises. Ensure that your exercise report is referenced in the subsequent exercise to test how successful the changes have been.
- Save resources and deliver quickly. Designing, delivering and evaluating an exercise takes time, energy and focus. While designing your own exercise can be a valuable and rewarding experience, it may not be the best use of limited resources especially if you have a limited time to deliver it.
- Get all-important guidance. It can be hard to set robust objectives and explore the latest threats when you have other jobs to do. Getting that all-important guidance from an expert in this area makes it much easier.
- Satisfy regulators. Many industries now require regular external validation of cyber resilience processes.
- External validation. Many exercises lead to recommendations which CISOs have already identified. Getting these findings validated by an external third party can often assist in getting the desired improvements considered more thoroughly.
- Get an independent report. An external unbiased report from a third party will give you realistic, actionable improvements you can make to improve your resilience.
- Experts in exercising. Choose an organisation where cyber exercising is part of their core business, not just an “add on” to their main services.
- Cyber focus. Choose an organisation that understands the cyber threats and understands your sector.
- Big isn’t always best. A frequent complaint that we hear from new clients is that some high-profile consultancies are offering generic exercises, poor delivery and cut-and-paste reports that do little to build cyber resilience. Smaller firms can provide a more bespoke service.
- Personalised service. For an exercise to be realistic and engaging it needs to reflect your business, your assets, your teams. A generic cyber exercise is just a bad story about a cyber-attack that happened to someone else. Pick a company that works in partnership with you to build something unique and tailored.
- Delivered by experts. Delivery is (almost) as important as design. Make sure the consultancy doesn’t send someone you’ve never met to deliver the exercise. You are paying to have the exercise delivered by an expert not an intern.
How Red Goat Can Help With Tabletop Exercising.
With extensive experience of running exercises across a wide range of industries, including financial services, law firms, cloud computing and SaaS providers, and NGOs, Red Goat has the expertise and knowledge to help you get the most out of your cyber tabletop exercise.
We can provide support for development, train staff to take part in cyber exercises and produce an independent report with recommendations.
Book a free consultation to see how Red Goat can improve your cyber resilience.