Jason Brown, Information Technology Security Manager, The Shyft Group [Nasdaq: SHYF]
Preparing for your next incident
With ransomware attacks on the rise, incident response has become an important area of cybersecurity. Frameworks such as the NIST Cybersecurity Framework and ISO 27001 have dedicated sections on how a company should prepare for a cyber incident. Regulatory bodies are also requiring documentation such as policies and procedures, along with proof that you are following that documentation. From containment and eradication to getting the business back to a known good running state, preparing for an incident is just as important as ensuring company resiliency.
It takes 10,000 hours to master a skill, which is a considerable amount of time. Think of all that needs to be accomplished in each day. From email to presentations to responding to incidents, who has time to develop new skills? Having documentation is just one step, however; how do you also train your teams to respond to an incident appropriately?
Tabletop Exercises
Running tabletop exercises is one sure way of training your team on incident response. Tabletop exercises do not have to cost any money and can be question and answer based. Take an incident that may have happened to your company, or an issue that you may have read about, and develop 4 – 6 scenario questions. Each scenario can then have 2 or more sub-questions to be asked based on that scenario.
Live Action Tabletop Exercises
Live action exercises require more technical thinking. Live action scenarios can include the use of desktops, servers, networking equipment, or anything in the environment that could be used to train employees on how to troubleshoot, contain, and eradicate an adversary from your network. For example, you could have a scenario where a server is infected, or a switch configuration was changed. How would you go about training your staff on how to troubleshoot or identify the source of the change? Q&A based tabletop exercises can only provide so much detail and information; sometimes you just need to get your hands on a keyboard to truly know what to do.
The Silent Observer
A silent observer is one who sits quietly, listening to the questions and answers posed during the exercise. The silent observer is a subject matter expert in the company who could answer every question correctly. This is a senior-level individual, which allows junior to mid-level engineers the opportunity to answer the questions.
The silent observer is the one who will bring feedback on how they felt the tabletop exercise went and provide comments on how to improve the scenario questions. The observer shall also sit in on the lessons learned or after-action review to correct and answer the scenario questions based on their experience of not only the technology, but also the internal policies and procedures that should be used during the incident.
Wrapping It All Up
Once the exercise is over and you have gathered the results, it is time to hold an after-action review. This review shall cover what went right during the tabletop exercise and what did not go so well. These reviews should cover everything from how the exercise started, to the right and wrong answers provided, to calling out fundamentals that did not occur, such as opening a work order or notifying an incident commander at the appropriate time.
The after-action review is meant to make everyone on the team better. This is a safe learning experience for all staff members to prepare them for the real thing. It can also be a ‘Vegas’ moment where what was discussed during the after-action review shall never be spoken again outside of that meeting.
Remember, it takes 10,000 hours to become an expert at something. To make learning fun and exciting, gamify it a bit by using tabletop exercises. Ensure that the team members are engaged during the exercise and are learning from the scenario questions being discussed. Start off with Q&A based questions and then migrate to more technical, live action exercises where team members are putting hands on keyboards.