Security is a fast-moving industry and keeping up with it as an executive in the space is a never-ending challenge....
Determining the prioritization of a large set of controls and security activities is difficult when we are constantly seeing new attacks crop up in the headlines. The difficulties compound when we must prioritize addressing risks that we don't yet know about, including figuring out how we enumerate those risks. Penetration testing can be a great tool to discover risks, but the shortcoming here lies in its scope. Technical and organizational debt that represents security risk can accumulate in many different areas, many of which are not the obvious targets for a penetration test, such as the flagship web application and corporate network infrastructure.
Tabletop exercises are a low cost way to identify risks and can be applied to virtually any scenario, including those constantly hitting the data breach headlines. The goal of the exercise is to get members from several different teams together and walk through the thought processes, discussions, actions and tools used when responding to the hypothetical incident. Inspiration for contextually relevant scenarios can come from a few different places:
- What is consistently keeping members of the security team or other high-ranking company officials up at night; or
- The attack scenarios that are utilized in the context of data breaches happening in your industry or similar company structures.
Once a scenario is selected, conducting tabletop exercises consists of only three steps:
- Write up the scenario in a series of steps that unfold over time and represent the four different phases of an incident: detection, containment, eradication and recovery.
- Schedule the exercise (anywhere from 1-2 hours) with 1-2 members of all teams that would likely be pulled into the incident response process. You can choose to prepare handouts of the incident response policy, the scenario itself or any other relevant supporting materials.
- Capture notes during the exercise and write up a report containing a summary of the discussion points and more importantly, all of the shortcomings identified.
While running the tabletop exercise, a moderator should introduce the event, outline the purpose for all participants and then walk through each step of the hypothetical incident. During each stage of the incident, the moderator should prompt each participant (or participating team) to discuss from their perspective what should be done during that stage, what their responsibilities would be, ask other participants questions, and outline what tools they would use and how. It is the job of the moderator to ask probing questions if or when answers start to become vague, to ensure that the capabilities and processes that are referenced actually exist and work as intended. In some contexts, follow-up testing of a specific control is a perfectly appropriate outcome. One major ground rule for both the moderator and other members of the security team to consider throughout this process is to avoid any kind of shaming of another team when a gap is identified.
Let's use an increasingly common attack vector and walk through some of the questions that might be asked by a tabletop exercise moderator in a hypothetical scenario. An attacker has successfully sent a phishing email containing what appears to be some form of ransomware into your organization. Here are some questions that would take the participants through the phases of this incident:
- Detection: Can we identify if any users other than the reporter received the same attack? Can we identify the strain of malware that was run on the user's system?
- Containment: Do we need to quarantine that user's system to a safe part of the network and how do we do that? Are there any shared file stores that could be affected, and if so, how can we ensure they aren't? How can we quickly determine that this is just ransomware and not some hybrid strain of malware? Do we need to disable the user's credentials; how can we do that quickly in response to this incident?
- Eradication: Do we need to re-image the user's system? How can we backup other sensitive data in a safe way that doesn't reintroduce the threat?
- Recovery: Did the malicious code that ran do anything that could have accessed the data and does that fall under any regulatory controls? Do we need to disclose this incident to any customers or regulatory entities? Do we have sufficient backups in place where we can restore the data that was affected or do we need to pay the ransom? Are those backups sufficiently protected?
Tenable's Marcus Ranum explains how simulating security incidents with tabletop exercises can save time and money during an incident response process.
The questions posed above are certainly not exhaustive but could be utilized by a tabletop exercise moderator to guide the discussion that happens in the room. The scenario also becomes interesting when applied at scale, such as many users being affected at the same time. A security executive who misses an answer or provides a very weak answer to any one of the questions posed represents a potential gap in security process, one which would not have been uncovered via traditional risk discovery techniques like penetration testing. Consider running tabletop exercises on a quarterly basis and rotating the scenarios in a way that gets different teams and individuals in the room together. One of the side benefits of these tabletop exercises is that they show non-security teams the thought process that goes into defending against and responding to these scenarios, spreading security knowledge further throughout the organization.
About the author:
Robert Wood is the chief information security officer of Nuna Health, a healthcare analytics and consulting firm headquartered in San Francisco. Prior to joining Nuna Health, Wood was a principal consultant at Cigital, a software security firm. He has extensive experience in penetration testing, threat modeling and incident response.
Find out what the CISOs role is in incident response
Read how human preparedness factors in to data breach responses
Find out how to develop an effective crisis communication strategy