With recent geopolitical events, the adage “forewarned is forearmed” has never been more relevant. As we launch our new venture, Sleuth Kit Labs, I intend to argue more vigorously the importance of being prepared for the inevitable cyber threats hitting every industry.
In this post, I’m going to talk about the value of being prepared for a cyber attack with extra focus on table top exercises. These will ensure you and your team are ready to quickly contain and investigate an attack. Our unique advantage is that we bring both extensive response experience and research knowledge about how attackers operate and the artifacts they leave behind.
An Attack Will Happen
As a community, we know the threat is real, and no sector seems immune. Many have said, “it’s not a question of if a cyber attack will happen, but when”. I find such statements to be a bit melodramatic; however, it is a good mentality to take when considering your own internal cyber security apparatus.
Picture this: You’re leading a thriving business when suddenly, at the break of dawn, you’re jolted from your normal day-to-day activities by someone running urgently into your office with a face masked in dread. Your company is under a cyber attack.
This scenario isn’t far-fetched. It’s a reality many leaders face, and their response in those initial moments can make or break the situation. We see this happen All. The. Time.
What is Incident Preparedness?
Incident Preparedness is the combination of protection mechanisms, prevention strategies, and practicing response enablement to minimize the impact of a cyber attack.
When unprepared for a crisis, the natural human response is flight or fight, this is not helpful with difficult decisions that need to be made quickly. High-consequence decisions, like unplanned system shutdowns, calling people in from vacation, or considering ransom payments, can exacerbate the situation. Sometimes, companies might downplay the incident or attempt to cover it up, leading to unforeseen consequences. Communication breakdowns further compound these issues, delaying critical decision-making and eroding public trust.
Having observed these types of organizational amygdala responses numerous times in my career, the need for preparedness cannot be overstated. I think of response preparedness in terms of a municipal fire department — our job as leaders, managers, and business owners is to enable the response.
When your house or office building catches on fire, everyone knows to get out of the building and run to safety. A person’s amygdala takes over; the brain is normally conditioned to have a flight response in this situation, and people exit the building. For those of us who have seen fully involved structure fires in real life, the scene can be chaotic.
Many of these organizations are already following fire-prevention best practices such as having a sprinkler system, using fire retardant materials in construction, having firewalls (yes, physical firewalls are a real thing), fire doors and containing open flames to areas like kitchens, smoking areas, and science labs.
However, fires still happen. As a mitigation, effective organizations (especially schools) test their fire detection systems, the fire suppression systems, and routinely conduct fire drills. This helps the internal security personnel ensure their systems are functioning properly and helps staff and students practice their evacuation routes.
The best fire drills include members of the fire department who are professionally trained and have the experience to examine a facility’s fire safety systems. As an added benefit, these first responders become familiar with the facility and the staff, which can remove the frantic edge from a crisis. Ultimately, fire drills make it easier for staff and students to reach safety and they make it easier for responders to contain the incident. This is the heart of incident preparedness.
Cyber Tabletop Exercises are Digital Fire Drills
Similarly, it is important to conduct fire drills with your cyber security apparatus just the same as it is important to test your fire safety equipment. This rings true when you consider the fact that there is a thinking adversary on the other side of a ransomware attack or data breach. We should ask ourselves, how important would it be to conduct a fire drill if we knew that there was an arsonist actively targeting organizations in our community? What kind of drills would we conduct? What kind of precautions would we take?
Cyber security events are often “ephemeral,” which are fleeting moments that last a short time — no one is able to hold “the cybers” in their hands. This means that it is more difficult to envision what a fire drill equivalent should look like for our digital systems. The term in the industry is “Table Top Exercise” or “TTX” in short. (With so many veterans and former emergency services personnel in the cyber security workforce, we have a lot of military-style acronyms. )
A Tabletop Exercise (TTX) is a simulated scenario that tests an organization’s resilience against cyber threats. The best TTXs are facilitated by third-party experts with deep knowledge in security leadership who have extensive experience in containing threats. The TTX organizer needs to understand the methods by which threats spread in a network, so as to make the exercise realistic. These exercises should be tailored to your organization’s specific needs, revealing gaps in your incident response plan and raising awareness among key stakeholders.
A well-conducted Tabletop Exercise (TTX) for cybersecurity involves several key components and stages, including pre-TTX assessment, the exercise itself, and post-TTX assessment. Depending on the size of the organization, key stakeholders from different teams, as shown below.
Who Might be Involved:
CISO/Security Leadership & team: Overseeing the cybersecurity response and containment.
IT Management and Staff: Implementing technical containment and recovery strategies.
HR Representatives: Managing employee communication and potential data privacy concerns.
Public Relations Team: Handling external communication and media.
Legal Counsel: Advising on legal obligations and considerations, especially regarding data breach regulations.
Executive Leadership: Making critical business decisions and resource allocations.
When designing a TTX, you should consider what aspects of your response process you want to train. Most real-life incidents will take days, if not weeks, to resolve. While an exercise will certainly not run for that length of time, the more people and teams involved, the more time you will need to allocate for it. Often, you will achieve a better return on investment by planning a few smaller exercises that take an afternoon each rather than one large one that might last a couple of days.
For example, it would be worthwhile to design a couple of technical exercises that focus on immediate response and containment of a threat, and another that focuses on the longer-term investigation and recovery. These outcomes can then be used to design an executive-level exercise focusing on the business decisions that must be made in response to the incident. For instance, how will stakeholder notification be handled, will ransom payment be considered, and what legal obligations does the company have?
Example of a Tabletop Exercise Scenario:
If you want a high-level overview of how a Tabletop Exercise (TTX) might unfold, imagine the scenario we started this article with. Someone important has just run into your office, and they appear anxious, nervous, and uncertain. The stress is already rising in the room before they even say a word. After a few minutes of conversing in rapid speech and elevated pitches, you discover that your organization faces a sophisticated ransomware attack. After setting the stage, the exercise begins with an alert from your IT department that several critical systems are locked down and a ransom note has been received. The TTX would simulate the unfolding of this event, challenging participants to respond effectively.
This scenario could be divided into a couple of exercises, starting with the technical side to address key questions around the extent of the attack, how it can be contained, and how to return to business as usual. Then, the business side would focus on managing the business impacts.
High Level Process of a Tabletop Exercise:
Evaluate the current incident response plan (IRP) and made sure that it provides useful guidance in handling the proposed scenario.
Identify key participants from various departments (IT, HR, PR, legal, executive leadership).
Set clear objectives for the exercise (e.g., what is the primary focus, at what point will the exercise be complete) ).
Conducting the TTX: We have found that it is most helpful to have a TTX facilitator and scribe. The facilitator is responsible for presenting the scenario to the group, and ‘telling the story’ while the scribe is working valiantly to keep track of all thoughts, ideas and follow up action items that are raised.
Introduce the scenario to the participants, finishing with questions around what their next steps would be.
Work through the responses to determine what is the most appropriate, making sure to document any gaps in existing systems or plans that need to be addressed.
Once the initial introduction of the scenario has been presented and discussed, supply the team with more information and follow up questions (these are often called injects) Make sure that everyone in the room has a chance to contribute.
Continue with injections until the scenario is complete.
Conduct a review of what follow up action items were identified during the exercise.
Debrief with all participants to discuss the exercise outcomes.
Analyze the effectiveness of the IRP and incident response systems.
Identify areas of strength and weaknesses in the organization’s response.
Implement improvements to IRP and other systems as needed.
Over time, society has learned to practice and prepare for incidents that, while uncommon, regularly happen. Fire drills ensure that the occupants of a building can escape and fire professionals can respond efficiently and effectively.
Cyber incident tabletop exercises are the digital equivalent of fire drills. They offer an approachable method to review and improve an organization’s readiness, ensuring a faster and more effective response to cyber incidents. We advocate for organizations to embrace these types of exercises regardless of whether they conduct them independently or engage with experienced professionals.
If you are interested in working with Sleuth Kit Labs on your tabletop exercise, please get in touch using the form on our services page.
Stay safe out there folks; we’re here if you need us.
Lee Sult, Sleuth Kit Labs.