Why Demand for Tabletop Exercises Is Growing

Organizations that are regularly defending against cyberattacks can find it useful to occasionally take a step back and test their defense and response capabilities. One way to do this is through cybersecurity drills, which provide organizations with a snapshot of their ability to handle ransomware, phishing, and other attacks.

Cybersecurity drills come in many forms, including penetration testing, phishing simulations, and live-fire exercises, with some scenarios costing hundreds of thousands of dollars and running over several days or even weeks.

The least complex of these drills are tabletop exercises, which typically run for two to four hours and can cost less than $50,000 (sometimes much less), with much of the expense related to planning and facilitating the event.

Unlike some other drills, tabletop exercises often don't involve attacks on live IT systems. Instead, a facilitator lays out a cyberattack scenario and employees of the client organization discuss the steps they would take in response.

This common approach to tabletop exercises is old-school and low-tech, but proponents say a well-run scenario can expose holes in organizations' response and mitigation plans.

Tabletop Exercises Are in Demand

Demand for tabletop exercises has grown exponentially in the past two years, driven by compliance issues, board directives, and cyber insurance mandates, says Mark Lance, vice president of incident response at GuidePoint Security, a cybersecurity consulting firm.

In some cases, employees ask for tabletop exercises to help educate executives. "People want their senior leadership teams to understand the true impacts of a potential incident," Lance says.

Many cybersecurity organizations promote tabletop exercises as a way for organizations to test and improve their incident response and internal and external communication plans following a cyberattack. The nonprofit Center for Internet Security calls tabletops "a must," stressing that they help organizations better coordinate separate business units in response to an attack and identify the employees who will play critical roles during and after an attack.

There are no cut-and-paste ways to run a tabletop exercise, though the US Cybersecurity and Infrastructure Security Agency provides packages to help organizations get started. Some organizations run tabletops with internal teams, although the more common approach is to hire an outside cybersecurity vendor.

How Tabletop Exercises Work

In a typical tabletop, the facilitator leads a discussion by asking a series of questions. For example, a scenario can start with an employee calling into a help desk after seeing unusual activity on the company's network. Some questions in a tabletop for IT teams might be:

A tabletop for executives might include the following questions:

Tabletops can start with hundreds of different scenarios, including widespread problems like ransomware and phishing attacks. However, individual tabletops need to focus specifically on the organization or its industry to be successful, Lance says, adding that the success or failure of a tabletop depends largely on the provider's ability to plan the exercise and target it to the specific client.

"The more specific it is to their environment, the more inclined they are to stay engaged and interested, because there's a level of authenticity and validity to it," he says.

GuidePoint, for example, taps its own threat intelligence team to come up with real-world scenarios that are realistic to the client and are recent or emerging threats.

Another way to ensure success is by running separate tabletop exercises for an organization's senior leadership and technical teams. Lance says these two groups benefit from different scenarios. Executives often want to talk about companywide issues and high-level decisions that need to be made. In contrast, technical people want to get into the nitty-gritty of stopping and mitigating an attack.

"If you do a technical tabletop, your technical resources might not open up the same way if you have senior leadership sitting in with them," Lance says. "In the other direction, senior leadership may not want to seem nontechnical or stupid in front of their technical resources, so they might not open up as much. [With both groups involved], you have too loud of a voice in the room."

Learning Through Realistic Scenarios

In addition to failing to provide a realistic scenario, facilitators of tabletop exercises also can falter by failing to keep a group engaged or by being more of an observer than a leader, says Curtis Fechner, cyber practice leader and engineering fellow at cybersecurity consulting and integration provider Optiv. Participant engagement is the biggest factor in a tabletop's success, he adds.

"If I'm very passive," Fechner says, "if I'm not prompting questions or challenging their responses and just passively letting them talk, or if you get a group of people [complaining] among themselves about a problem, that kills the exercise, the momentum, and the energy."

However, if you've planned for a relevant scenario and kept the participants engaged, it's difficult for a tabletop exercise to fail, he says. A well-facilitated discussion will result in participants learning about their organization's incident response plans and identifying areas that could be improved.

Most cybersecurity exercises contain a learning curve for everyone involved, says Peter Manev, co-founder and chief strategy officer of Stamus Networks, a network detection and response provider. In December, Stamus Networks participated in a live-fire exercise called Crossed Swords, organized by the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE).

The best outcomes to tabletop exercises are when "the teams are clicking together, learning together, exchanging information and experiences, and, of course, making progress," Manev says. "In my view, if that happens, you've already accomplished something."

At the end of an exercise, Fechner likes to take a half hour to discuss the lessons learned throughout. He asks participants what they think they did well and where the pain points were.

"That, to me, is a successful tabletop right there — when you get those people to actually do that sort of self-analysis and come out with that introspection," he says. "When problems get called out, that, to me, defines a successful tabletop exercise."

As they assess their exercise, participants should be focused on continuous improvement of cybersecurity practices, Fechner adds. "The nice thing with a tabletop is it's a no-failure sort of event," he says. "Realistically, it's all about exposing these opportunities to grow and improve."