Cybersecurity drills come in many forms, including penetration testing, phishing simulations, and live-fire exercises, with some scenarios costing hundreds of thousands of dollars and running over several days or even weeks.
The least complex of these drills are tabletop exercises, which typically run for two to four hours and can cost less than $50,000, with much of the expense related to planning and facilitating the event.
Unlike some other drills, tabletop exercises often don't involve attacks on live IT systems.
This discussion-based approach to tabletop exercises is old-school and low-tech, but proponents say a well-run scenario can show organizations whether they have holes in their response and mitigation plans.
Tabletop Exercises Are in Demand

Demand for tabletop exercises has grown exponentially in the past two years, driven by compliance issues, board directives, and cyber insurance mandates, says Mark Lance, vice president of incident response at GuidePoint Security, a cybersecurity consulting firm.
In some cases, employees ask for tabletop exercises to help educate executives.
Many cybersecurity organizations promote tabletop exercises as a way for organizations to test and improve their incident response plans and their internal and external communication plans following a cyberattack.
There are no cut-and-paste ways to run a tabletop exercise, though the US Cybersecurity and Infrastructure Security Agency provides packages to help organizations get started.
Some organizations run tabletops with internal teams, although the more common approach is to hire an outside cybersecurity vendor.
How Tabletop Exercises Work

In a typical tabletop, the facilitator leads a discussion by asking a series of questions.
Tabletops can start with hundreds of different scenarios, including widespread problems like ransomware and phishing attacks.
Individual tabletops need to focus specifically on the organization or its industry to be successful, Lance says, adding that the success or failure of a tabletop depends largely on the provider's ability to plan the exercise and target it to the specific client.
Another way to ensure success is by running separate tabletop exercises for an organization's senior leadership and technical teams.
Learning Through Realistic Scenarios

In addition to failing to provide a realistic scenario, facilitators of tabletop exercises also can falter by failing to keep a group engaged or by being more of an observer than a leader, says Curtis Fechner, cyber practice leader and engineering fellow at cybersecurity consulting and integration provider Optiv, stressing that participant engagement is the biggest factor in a tabletop's success.
If you've planned for a relevant scenario and kept the participants engaged, it's difficult to have a tabletop exercise fail, he says.
A well-facilitated discussion will result in participants learning about their organization's incident response plans and identifying areas that could be improved.
Most cybersecurity exercises contain a learning curve for everyone involved, says Peter Manev, co-founder and chief strategy officer of Stamus Networks, a network detection and response provider.
In December, Stamus Networks participated in a live-fire exercise called Crossed Swords, organized by the NATO Cooperative Cyber Defence Center of Excellence.
At the end of an exercise, Fechner likes to take a half hour to discuss the lessons learned throughout.
As they assess their exercise, participants should be focused on continuous improvement of cybersecurity practices, Fechner adds.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 08 Feb 2024 17:55:05 +0000