COMMENTARY: Boxing great Muhammad Ali once said that champions don’t become champions in the ring – they become champions in their training.

Ali was referring to his boxing experiences when he spoke those words, but the same guidance applies to security and IT teams.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

While there’s inevitably plenty of in-the-moment training that happens when it comes to keeping an organization secure, taking the time to prepare for the unexpected can pay dividends when attackers inevitably strike.

Tabletop exercises (TTXs) are powerful tools that can help identify critical gaps in both network security and incident response processes. In addition to helping security and IT practitioners gain more technical knowledge about threats that likely impact the business, facilitating TTXs often lets teams uncover new and often unexpected insights that reach far beyond the latest advanced persistent threat (APT) group techniques.

In my experience, TTXs often reveal several counterintuitive insights that go far beyond basic incident response practice, which helps organizations fundamentally change the way they think about cyber preparedness. By uncovering the human dynamics, communication breakdowns, and other factors that can make or break incident response activities, TTXs help the entire organization build a new and important response muscle. And in a world where threat actors are continually upping the ante, gaining fresh perspectives and adjusting the organization’s defense strategies accordingly can help teams beat adversaries at their own game.

Aamir Lakhani, global director of threat intelligence and artificial intelligence, Fortinet.

Each contribution has a goal of bringing a unique voice to important cybersecurity topics.
Content strives to be of the highest quality, objective and non-commercial.
Attributes of an effective tabletop exercise
Some regulatory and compliance requirements mandate that certain organizations conduct regular TTXs, but these are far more than “check the box” exercises. Running an effective TTX doesn’t need to be complicated—conducting streamlined, regular exercises benefits organizations of all sizes across all sectors in a variety of ways.

There’s no single right way to create and conduct a TTX, and it’s vital to assess the organization’s unique needs when architecting the exercise and deciding who’ll be involved. Think through the technical and non-technical aspects of the attacks that your business is most likely to experience. Start by examining past breaches, or take cues from real or potential threats that have impacted competitors and the broader industry. Focusing on the technical elements of incident response is crucial, but don’t overlook the non-technical aspects of a cyber response—consider legal and compliance issues, executives outside the IT team who will need to be engaged, and internal and external communications response.

Communicating about the incident is where we often find the organizational response the weakest, as it’s usually a process that isn’t given sufficient attention or planning. Internally, the organization may need to communicate details of an attack without oversharing, and the company may have external reporting requirements for customers, vendors, and regulators. It’s also important to have guidelines for when and how the company will engage with the media if they inquire about the incident.

Consider who the company will invite to participate and pay special attention to stakeholders outside the security and IT teams. It’s often this element of cross-team collaboration that needs the most practice—knowing who to contact, understanding what each person is responsible for, and creating guidelines for how everyone will work together effectively when an incident occurs.
During any TTX, the company’s security and IT practitioners inevitably learn about the specifics of a potential attack and how to mitigate that incident. While it’s always valuable to gain more technical knowledge, TTXs offer organizations the opportunity to identify critical—and sometimes unexpected—gaps. Based on my ongoing involvement in and observations from TTXs, here are four often surprising insights teams will glean that will ultimately strengthen the organization’s resilience:
- Discover helpful actions teams can take ahead of time: The UC Berkeley Center for Long-Term Cybersecurity, the Berkeley Risk and Security Lab, and other public and private sector organizations work together regularly on exercises. During a recent TTX, participants noted examples of helpful actions their teams can take beforehand, such as establishing clear protocols for incident reporting and escalation, incorporating AI-specific scenarios into regular TTXs, and enhancing collaboration between security practitioners and data scientists to improve decision-making and response efforts during incidents involving AI.
- Prioritize muscle memory over playbook performance: Teams often discover that, when under pressure, their carefully-crafted incident response playbooks contain significant gaps, with practitioners defaulting to ingrained habits instead of consulting the playbook. While a plan can certainly serve as a guide, the value of a TTX is to get the team to develop reflexes that work as expected, especially when tensions are running high.
- Pinpoint and correct communication breakdowns: Typical communication structures often break down when a crisis occurs. Senior leaders can become bottlenecks, and the analysts and engineers who are actively engaged in mitigating the incident sometimes struggle to communicate upward about the urgency of what’s happening “in the trenches.”
- Identify new opportunities for collaboration: TTXs aren’t only about finding weaknesses in incident response plans. During these exercises, teams can also uncover new ways of doing things that maybe weren’t obvious before because the people involved in the TTX hadn’t previously worked together.




