Organizations that regularly defend against cyberattacks may find it useful to occasionally take a step back and test their defense and response capabilities. One way to do this is through cybersecurity drills, which give organizations a snapshot of their ability to handle ransomware, phishing and other attacks.
Cybersecurity exercises come in many forms, including penetration tests, phishing simulations, and live-fire exercises, with some scenarios costing hundreds of thousands of dollars and lasting several days or even weeks.
The least complex of these exercises is the tabletop exercise, which typically lasts two to four hours and can cost less than $50,000 (sometimes much less), with much of the expense going into planning and facilitating the event.
Unlike other exercises, tabletop exercises usually do not involve attacks on live IT systems. Instead, a facilitator outlines a cyberattack scenario, and employees of the client organization talk through the steps they would take in response.
This common approach to tabletop exercises is old-fashioned and low-tech, but proponents say a well-run scenario can show organizations whether their response and mitigation plans have holes in them.
Tabletop exercises in demand
Demand for tabletop exercises has grown exponentially over the past two years, driven by compliance requirements, board directives and cyber insurance mandates, says Mark Lance, vice president of incident response at GuidePoint Security, an IT security consultancy.
In some cases, employees ask for tabletop exercises as a way to educate management. “People want their leadership teams to understand the true impact of a potential incident,” Lance says.
Many cybersecurity organizations promote tabletop exercises as a way to test and improve incident response plans and the internal and external communication plans that follow a cyberattack. The non-profit Center for Internet Security calls tabletop exercises “a must,” noting that they help organizations better coordinate individual business units in response to an attack and identify the employees who will play critical roles during and after an attack.
There is no “copy and paste” method for running a tabletop exercise, although the US Cybersecurity and Infrastructure Security Agency provides exercise packages to help organizations get started. Some organizations run tabletops with internal teams, although the most common approach is to hire an external cybersecurity vendor.
How tabletop exercises work
In a typical tabletop exercise, the facilitator leads a discussion by asking a series of questions. For example, a scenario might start with an employee calling the help desk after noticing unusual activity on the company network. Questions posed to IT teams during a tabletop might include:
- What are your next steps?
- How are you conducting the investigation?
- How are you relating that activity to other activity in your environment?
- How is it tracked in an incident ticket?
- When does the activity reach a given level of severity?
- When will you involve your incident management team?
An executive tabletop might include the following questions:
- An incident has been reported – when do we involve an external consultant?
- When do we invoke our cyber insurance policy?
- When should internal and external notifications go out?
- Who prepares the notifications?
Tabletops can start from hundreds of different scenarios, including widespread problems such as ransomware and phishing attacks. To succeed, however, an individual tabletop plan must focus specifically on the organization or its industry, Lance says, adding that the success or failure of a tabletop depends largely on the vendor’s ability to plan the exercise and tailor it to the specific customer.
“The more specific it is to their environment, the more inclined they are to stay engaged and interested, because there’s a level of authenticity and validity to it,” he says.
GuidePoint, for example, uses its threat intelligence team to develop scenarios that are realistic for the customer and reflect recent or emerging threats.
Another way to ensure success is to run separate exercises for an organization’s senior leadership and its technical teams. Lance says the two groups benefit from different scenarios.
Executives usually want to talk about company-wide issues and the high-level decisions that need to be made. Engineers, on the other hand, want to get into the nitty-gritty of stopping and mitigating an attack.
“If you build a technical tabletop, your technical resources may not open up the same way if you have senior leadership sitting with them,” Lance says. “On the other hand, senior executives may not want to appear non-technical or stupid in front of their technical resources, so they may not open up as much. Or [with both groups involved] you have too loud a voice in the room.”
Learning through realistic scenarios
Besides failing to provide a realistic scenario, tabletop facilitators can also falter by failing to keep the group engaged, or by acting more as an observer than a leader, says Curtis Fechner, cyber practice leader and engineering researcher at cybersecurity consulting and integration provider Optiv, who stresses that participant engagement is the single most important factor in a tabletop’s success.
“If I’m very passive,” says Fechner, “if I don’t ask questions or challenge their answers and just let them talk passively, or if you get a group of people together [complaining] with each other about a problem, that kills the exercise, the momentum and the energy.”
However, if you have planned a relevant scenario and kept participants engaged, it is hard for a tabletop exercise to fail, he says. A well-facilitated discussion lets participants learn about their organization’s incident response plans and identify areas that could be improved.
Most cybersecurity exercises involve a learning curve for everyone involved, says Peter Manev, co-founder and chief strategy officer of Stamus Networks, a network detection and response provider. In December, Stamus Networks took part in a live-fire exercise called Crossed Swords, organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).
The best results from tabletop exercises come when “teams collaborate, learn together, exchange information and experiences and, of course, make progress,” says Manev. “In my opinion, if that happens, you’ve already accomplished something.”
At the end of an exercise, Fechner likes to spend a half hour discussing the lessons learned during the session. He asks participants what they think they did well and where the weaknesses were.
“That to me is a successful tabletop right there — when you can get those people to actually do that kind of self-analysis and come out with that introspection,” he says. “When problems are highlighted, that, to me, defines a successful exercise.”
As they evaluate their exercise, participants should focus on continuously improving cybersecurity practices, Fechner adds. “The great thing about a tabletop is that it’s a no-fail type of event. Realistically, it’s about exposing these opportunities to grow and improve.”