Simulated Cyber-attacks: How Tabletop Exercises Enhance Security Preparedness
Mark Cunningham-Dickie of Quorum Cyber rolls for initiative in a discussion on how tabletop exercises can enhance your cybersecurity strategy. This article originally appeared in Insight Jam, an enterprise IT community enabling the human conversation on AI.
The criminal world of the cyber hacker has evolved with sinister sophistication. Today’s cyber-criminals work in a multi-tiered business structure, and data breaches cost an average of $4.45 million in 2023. In 2020, the U.S. suffered 46 percent of the global breaches, more than double that of any other country. IT departments must explain to those controlling budgets that these ever-more sophisticated attacks carry operational and business risks. With hackers employing access brokers who search for targets, developers who constantly evolve the tech, and individuals who purchase the stolen data, the need to invest in equally sophisticated cybersecurity is imperative.
There is no stopping the efforts of these threat actors. Attack surfaces will be expanded, and additional operating system architectures like macOS and Linux will be targeted. Ransomware perpetrators will likely use triple and quadruple extortion strategies that put significant pressure on those attacked, improving their success rates. A recent alliance of forty countries culminating in an agreement not to pay ransoms to cyber-criminals will probably result in even more aggressive extortion tactics. To mitigate the risk of ransomware, the best defense against bad actors remains vigilance, preparedness, and planning.
Tabletop Incident Response Exercises
Tabletop Incident Response exercises are among the best ways to increase vigilance, preparedness, and planning. These exercises put senior-level managers through a simulated cyber incident to define corporate roles and responsibilities in the event of an attack. Tabletop Incident Response exercises ensure that plans, playbooks, and teams are tested top-to-bottom. Having senior-level management participate in the exercises helps the C-suite understand IT concerns, allowing them to be on the same page and better prepared in the event of a hack. Input from legal, finance, other departments, and external domain experts will round out the exercises and unite all in the defensive effort. These exercises can be enlightening for the C-suite individuals who often do not realize the extent of the impact that a ransomware attack can have, which includes:
- IT systems offline.
- Duration to restore IT services (which could be weeks or more).
- Defending lawsuits from clients.
- Loss of clients.
- Financial penalties from industry regulators.
- Recruiting new personnel in the event of lawyers or other employees leaving due to any or all of the above.
Tabletop Exercises Work
Cybersecurity drills give organizations a good look at their ability to react to ransomware, phishing, and other attacks. Tabletop exercises are the least complex drills to run. They typically run for two to four hours and cost less than $50,000. In addition, they often involve simulated attacks, where a facilitator takes the organization through a cyber-attack scenario, and its employees discuss the steps they would take in the event of an actual attack.
Tabletop exercises are a great way to prepare against the numerous ways that exploitation may occur. They provide valuable lessons to all stakeholders and teach organizations how to address and respond to security breaches appropriately.
Consider the following operational factors when running tabletop exercises:
- Make the cyber-attack scenarios relatable, realistic, and beneficial: Use the latest threat intelligence and choose which types of attack(s) your organization will address, such as large-scale ransomware attacks, supply-chain compromises, or Advanced Persistent Threats (APTs).
- Gather the data you need: Understand your technology setup, participants’ roles within the organization, response plans and playbooks, objectives, and motivations for conducting a cyber-attack incident. In particular, focus on potential weaknesses to identify areas you’ll need to improve.
- Invite the proper people: The more senior, the better. However, not everyone can be available at the same time. This unavailability is a real-world scenario and, therefore, permissible. Even if people come and go, that allows for a good look at how the situation is communicated to people joining or re-joining the sessions. It also helps identify individuals who are points of failure or success.
- Determine the length of the exercises: A typical tabletop exercise will require a half day, though that can be shorter or longer based on objectives. There will be those in attendance who are familiar with tabletop exercises and those who are less familiar. Those who are familiar will know how to respond to questions and inputs; those who are not will need a slower, more careful explanation that provides context, so that they won’t see the exercise as questioning their knowledge, quality of work, and experience.
- Have the necessary resources: It’s crucial to have an experienced facilitator. This person will know how to navigate complex areas, get through sticking points, and handle overly controlling individuals. A good facilitator will skillfully move the exercise along, ensure that the information is accurate, and make sure that everyone gets to contribute. A laptop and a projector are indispensable for in-person events, but the event can also be successful when held remotely.
Conclusion
Cyber-attackers are getting better at what they do, and what they do can cause significant damage to an organization. Therefore, it is imperative to hold exercises with all stakeholders from the C-suite to IT and all departments affected by this exploitation. Tabletop exercises allow organizations to test and improve their response so that internal and external communication plans may be developed. The nonprofit Center for Internet Security calls tabletops “a must.” The center explains that the exercises coordinate separate business units and identify the employees who will play critical roles during and after an attack.
There is no one way to conduct a tabletop exercise. The Cybersecurity and Infrastructure Security Agency does provide packages to help organizations start their exercises. Some organizations run tabletop exercises with internal teams, although hiring outside expert advice regarding cybersecurity is more common.
A successful tabletop exercise happens when all stakeholders gather to analyze the problems that must be addressed to shore up cybersecurity. The analysis should focus on the continuous improvement of cybersecurity practices. There is no template for a good tabletop exercise, but all good exercises should be seen as a way to find areas to grow and improve.
The most successful tabletop exercises occur when team members understand and coherently respond to each other — when they are learning together, sharing expertise, and flowing toward progress.