Table Top Exercises (TTX) for Incident Response

Posted 9 years ago by Sean Mason

“Table Top Exercises” (TTX) has become part of my almost daily vocabulary given how hot the demand for them has become. From the companies and individuals I spoke with, there were a variety of reasons they were looking for a TTX, but it ultimately boiled down to the following three buckets:

1. The Information Security organization had no Incident Response (IR) capability at all and wanted to demonstrate to leadership the perils of what would happen.

2. The CISO wanted to ensure their Incident Response Team (IRT) had all their bases covered during an incident.

3. A savvy and mature IRT wanted to include outside organizations such as Legal, Human Resources, Public Relations, Office of the CIO, Office of the CEO, etc… so that everyone had gone through a drill at least once.

What I learned from these conversations, which should really come as no surprise, is that almost every organization is at a different level of maturity in regards to their IR capabilities. What may or may not come as a surprise though, is that, quite unfortunately, almost all of my conversations were in regards to the first bucket. Companies simply had not made any investments in this space and CISO’s were looking for a way to illustrate the gross miscalculation that their leadership was making.

I’ve always considered there to be a varying number of tests you can run to test your IR capability. In essence the term Table Top Exercise has taken on a meaning much like Advanced Persistent Threat- where it used to be pure- but is now tainted and seems to refer to everything (or is a good way to quickly understand how much someone knows). The below are how I tend to categorize testing, and generally how to address those buckets mentioned above:

Paper Test – The most basic of tests and can be very helpful when a team is just starting out or isn’t sure what they even need. The paper test works to ensure all documentation, templates, procedures, processes, etc… exist, make sense, and have been properly updated recently.

Table Top Exercise – Generally a TTX will involve a good amount of prep work in the form of interviews with key players ahead of a full day of testing. Understanding what they will be looking to learn and believe will happen is key (and used later). During the day of testing, a number and variety of participants will be involved and an incident scenario will be verbally walked through. While the list of participants would ideally include Public Relations (PR), Legal, Human Resources (HR), certain Executives, etc… they are generally scoped to just the information security team, missing a great opportunity to broaden awareness. Lessons learned are documented throughout and a brief follow up interview with participants will add to those findings.

Simulated Attack – Usually just scoped to the technical side of IR, this is a more invasive test that leverages a Red Team to identify vulnerabilities and utilizes them to simulate an attack against the company. This allows for a more comprehensive test of the Security Operations Center and Incident Response Team, to include full incident response activities (detection, collection, containment, forensic analysis, and communication) to ensure the full extent of the attack is discovered and responded to.

Simulated Incident – I’ve rarely seen these and are generally run by the more sophisticated teams. Similar to the Simulated Attack, but multiple functions are brought in to test their incident response readiness (e.g. PR, Legal, HR, certain Executives, etc.). This ensures the incident is properly detected and responded to in its entirety.

“The more you sweat in peace, the less you bleed in war.” – Sun Tzu

Highly effective companies proactively test and drill their Incident Response Teams to ensure the plans are current and effective in the current organizational and threat climate. However, considering most companies are still at the stage where a simple TTX will do, I began to dig for information on conducting them. I found a host of high-level information for the why, when and how to conduct tabletop exercises, but never found much meat on the details. That began to change when I found a great National Level Exercise that FEMA put together in 2012.

I thought the PowerPoint format was great, as well as the way it ran through the details, had facilitator notes, and asked good questions. I did however, have some concerns with it though. The exercise utilized videos (not always ideal and not flexible), I wasn’t a huge fan of the scenario, and it was not easily modified without a good bit of work. I wanted to modify, enhance it, and bring it forward to 2015.

Enter Brian Krebs.
Text, letter Description automatically generated
Source: @hacks4pancakes

As most readers will know, Brian has done some remarkable things for the Information Security community and one of his claims to fame is he tends to break huge incidents before even the company may know about them. What I did is leverage some of his blog posts as inspiration; I mashed them together, changed them around a bit, invented a fake company, and ultimately merged them with the FEMA exercise to create a TTX scenario that would take roughly a day to work through.

Free to Download: Table Top Exercise Materials

While I believe you could take the attached documentation and conduct your own TTX within your organization, I would recommend getting an impartial 3rd party facilitator to help run through the exercise for you (feel free to contact me if interested). Additionally, even if you are a fairly sophisticated team, it never surprises how often curve balls will come up- using the TTX when there is a change in leadership, threats, technology, and more will help identify gaps that were previously unknown.

I’d love to hear feedback on Twitter, so please reach-out @SeanAMason.