Prior to the TTX, the facilitator develops the input to meet the pre-determined goal of the TTX, based on the client’s pre-test specifications about their environment. These steps depend on the client, the industry, regulations, and their current security posture.
The facilitator tailors the test input to a specific level of management, along with the appropriate technical personnel and anyone else who should be making the relevant decisions. Typically, a project kickoff call occurs between the client and the facilitator to gather information about the organization, including its IR plan and the participants needed.
A typical exercise flow will consist of three essential elements:
- Inputs
- Process
- Outputs
These items are consistent with the U.S. Department of Homeland Security’s Cyber Tabletop Exercise for the Healthcare Industry, which can be translated across industries. It recommends the following flow-through process:
Inputs
A tabletop exercise is based on an input → action → output paradigm. An input presents a simulated, realistic cybersecurity situation that prompts participant discussion about the actions to be taken. The following input types may be considered when planning or executing a TTX, depending on the types of incidents that might affect your organization:
- Scenarios – Situations custom-developed to support the exercise objectives and to provide generic, qualitative descriptions of situations relevant to the overall exercise goal(s). The opening situation may be used as the context or starting point for participants to identify major concerns and formulate their responses.
- Internal Reports – Contain pieces of information, possibly conflicting, that indicate a cybersecurity issue or breach, or vulnerabilities and deficiencies at the attendant control points.
- Media Reports – Articles or other media from well-known news organizations or security and investigation sites suggesting a cybersecurity or data exfiltration issue at the company.
- Network Data – Anomalies, performance issues, unauthorized access, or traffic/data intercepts either detected and alerted automatically, or evident in another context.
- Scripted Injects – An integral part of the inputs representing a new piece of information delivered at key times by the facilitator to expand the discussion. Just as an attacker may inject malicious code in an attempt to corrupt a system, a facilitator may inject different tactics or scenarios into a simulation to take the discussion in a different direction or unveil new simulated threats.
- Contingency Plans – A risk management document, or set of documents, that describes roles, processes, procedures, and considerations for recovering IT services and data in the event of a security breach, natural or other disaster, or system disruption.
Process
Once the scenario is presented, the facilitator monitors and directs the discussion among the TTX participants. For each inject, the discussion follows the steps in the process below, with individual participants adding the actions they would take and identifying any holes in the process. The TTX facilitator’s job is to keep the conversation focused and move the discussion through these steps:
- Assess the situation.
- Revalidate assumptions.
- Identify security and organizational implications.
- Develop a course of action.
- Review resources.
- Develop recommendations.
- Take action to implement changes.
It is acceptable – and possibly expected – for one or more participants to not have an answer, or to point out that a hole exists in the process where organizational development, more information, or process improvements are needed. This type of discussion is the point of the exercise; its content depends on the client’s industry, including regulatory aspects, as well as the organization’s current security posture or maturity.
Outputs
As part of the TTX, you will receive deliverables that document in detail the nature of the scenarios presented and the discussion that ensued:
- The exercise schedule and agenda created in collaboration with your project owner (typically the Information Security Director) during the kickoff call.
- The scenario(s) created based on the information gathered during the kickoff call and your existing Incident Response Plan, including the roles and participants required for the exercise.
- Handouts created for distribution to participants during the exercise, based on the scenarios.
- Notes created by the TTX observer during the discussions, paying particular attention to how the proceedings highlight communication gaps within participant areas or other departments with which they most frequently interact.
- A summary of the conducted exercise with participants’ feedback, positive observations, and potential areas for improvement as they relate to your organization’s readiness to handle Information Security incidents.
The TTX deliverables will enable you to:
- Document process or improvement recommendations directly related to security incidents.
- Update or improve internal reporting, potentially including automated alert adjustments, knowledge sharing, and incident documentation requirements.
- Define or clarify external reporting for incidents that affect your organization.