[1] T. Grance, T. Nolan, K. Burke, R. Dudley, G. White, and T. Good, "Guide to test, training, and exercise programs for IT plans and capabilities", 2006.
[2] D. B. Fox, C. D. McCollum, E. I. Arnoth, and D. J. Mak, "Cyber wargaming: Framework for enhancing cyber wargaming with realistic business context", MITRE Corp., McLean, VA, Homeland Security Systems Engineering and Development Institute, 2018.
[3] S. Crimando, "The 10 Step model for designing tabletop exercises", Everbridge, 2017.
A tabletop simulation exercise is a collaborative activity that lets participants experiment with how to react to a cybersecurity incident, in both its technical and executive aspects. A fictitious incident situation is presented, and the participants respond within the proposed limits. Several working groups with different roles and responsibilities meet to propose responses and actions, which allows the pre-established plans and processes to be validated. A facilitator typically presents a scenario made up of a series of events and coordinates the discussions that arise from them [1]. The original idea is an adaptation of the so-called "war games" that for centuries have served military leaders as a resource to practice planning and strategic thinking, improve their preparedness for hypothetical conflict scenarios, and enhance their situational awareness. Documented records of these practices date back to ancient India and the Roman Empire.
Scenarios based on real-life situations linked to the technologies actually deployed can provide a realistic estimate of the impact of technical events on an organization's operations. Scenarios integrate theoretical and practical elements that connect cybersecurity with business effects, giving a realistic view of the outcome of an event. Deriving results from the variability of controls, management decision making, the infrastructure present, third-party dependencies, and disruptions caused by multiple parties in a sector or industry allows a wide range of gaps in operational resilience to be identified. Establishing a systematic, repeatable, and measurable model for incident response simulation exercises also provides insight into the potential benefits of acquiring new technologies and managing their lifecycle [2].
Simulations have been used in a variety of settings, even predating modern technologies, for purposes ranging from entertainment to learning and preparation for real situations, without putting people or resources at risk. Tabletop simulation exercises for practicing cybersecurity incident response are increasingly gaining ground among the preparation and training practices of specialized teams.
To conduct an exercise of this kind, a commonly accepted approach is a 10-step planning process adapted to cybersecurity practice from civil emergency response, a field that far exceeds technological incident response in maturity and history [3]:
Of all the tasks to be performed, the ones that require the most specific cybersecurity knowledge are the analysis of existing documentation and the creation of the scenario according to the agreed conditions. While the objectives of these exercises can be diverse, the main ones are typically among the following:
It must be decided at the design stage whether the exercise will be oriented toward stressing the operational functions of incident response (usually the technology and cybersecurity areas) or the decision-making circuits (corresponding to managers and directors). Beyond this, there are different types of participants depending on their role. The protagonists are the players, the people with the most active role, who debate while performing their functions and discuss or initiate actions in response to the scenario. Then there are the observers, who do not participate actively but can watch what is happening and may eventually support the players. Next are the connectors, who act as liaison between players and organizers, are familiar with the scenario, witness the discussions, and document the results for the report. Finally there are the coordinators, who lead and facilitate the exercise, oversee the flow of events, monitor the interaction, and maintain communication with the connectors.
In terms of dynamics, participants represent their different areas (business, technology, cybersecurity, legal, communications, etc.) and are presented with an incident scenario affecting the organization, which results in multiple events unfolding over time. The participants act according to the information received (evaluate, prioritize, act) and may have moments of plenary interaction or interaction between groups for sharing information and joint decision making.
In addition, certain variables that condition the design of the process must be defined, such as the type of base incident, which is the pillar on which the complete scenario is built and can be selected a priori or proposed based on an analysis of the organization. These can range from ransomware or compromise of cloud servers to system failures, zero-day vulnerabilities, malware infection, denial of service, and information leakage, to mention just a few.
Another variable that conditions the design is the industry to which the organization belongs, since regulated industries have different standardization needs and are subject to different laws, so related adjustments or constraints may be required. Examples of relevant industries with specific requirements are the financial, energy, pharmaceutical, food, and transportation sectors.
As for the after-action report, an executive presentation is usually given as a briefing on lessons learned, including a summary of the activities performed, together with a results report that details how the exercise unfolded, analyzes the activities, and makes recommendations, including proposed action items to improve the management of security incidents. In some cases, it is also possible to subsequently create or update the incident response strategy manual (playbook) for integral action in real cases, as well as to create or update the related processes and procedures.
In the next installment we will focus on the two main modalities that characterize exercises of this type: the traditional one, based on direct live interaction (or a hybrid mode that adds remote participants), and the platform-based modality, which adds another level of interaction and extends the possibilities of the exercises.