Cybersecurity Tabletop Exercise Examples

With most things in life, practice makes perfect. Practice gives you the opportunity to make mistakes in a controlled, safe environment, so you can learn from them and make adjustments when facing the real thing.

With your business’s cybersecurity, perfection in protection is the only option. You have to prepare for any scenario because you can’t operate at a 99% success rate and actually feel secure. You have to stop every attack every time, or you risk a devastating data breach.

One of the best ways to prepare yourself for attacks is through practice. Practicing various attack scenarios in a controlled manner will bolster your cybersecurity results when you are facing an actual attack.

Participating in cybersecurity tabletop exercises is a great first step. A tabletop exercise (or TTX) provides hands-on training for your cybersecurity team. The exercise describes an actual attack, and you can measure the team’s performance and the strength of your incident response plan through the process. You then can make adjustments, always striving for a perfect response. We’ll discuss some of the best examples of cybersecurity tabletop exercises.

Security of Sensitive Data in the Cloud

Image of cell phone with lock symbol on the screen

Many organizations make use of cloud storage and cloud hosting to run software and store data. However, do you know whether your business’s data stored with a third-party cloud hosting service is truly protected?

Scenario: Your organization is storing data in the cloud, but you suddenly realize some of that data potentially qualifies as sensitive data for your customers. How do you ensure that it has the protection that regulations require?

Start by reviewing your organization’s policies for data storage in the cloud. Do you have a policy for the type of data you can store in the cloud with a third-party vendor? Does your policy differentiate between sensitive and non-sensitive data with regard to cloud storage?

If your policy requires the storing of sensitive data locally, rather than in the cloud, your team must figure out how this policy violation happened. Determine which new steps and measures you may need to implement to keep such data from moving to the cloud inadvertently again.

If your policy allows the storing of sensitive data with a third-party cloud storage provider, do you have safeguards in place with that provider? What requirements do you have for the cloud provider to ensure it is protecting your sensitive data from a potential breach? How can your team measure the safety protocols for that provider to ensure the protection of your data?

Finally, you should review your team’s policies and practices regarding the handling of sensitive data. Why did you only recently discover that some sensitive data was in the cloud? Do you have a means of tracking such data on a regular basis? If not, what kinds of safeguards can your team create to ensure it always knows the location of any sensitive data?

Failure of Security Patches

Image of the side of a computer monitor with code written on screen

A poorly designed security patch or a security patch improperly installed could instead open a significant security hole in your network.

Scenario: A member of the security team deploys a patch but forgets to test the installation. You later discover an error with the patch’s performance, and you are unsure what type of damage occurred to the network in the interim.

Start by fixing the patch to ensure that it is doing the job it is supposed to do. Does the organization have a plan in place to handle these types of situations? Will anyone on the team be able to correct the patch, or does it require approval from an administrator? 

How many members of the security team are able to make a correction to the patch? If only a few team members have this capability, will one of them be available at the time that you need to correctly install the patch, especially if it occurs outside of normal business hours?

Do you have protocols in place that allow you to roll back the network to the point before the improper patch installation occurred? Can you measure the potential drawbacks and advantages of employing a particular rollback before it occurs?

After fixing the problem, it’s time to reflect on why the problem occurred. Does the organization have a set of disciplinary protocols in place for the member of the security team who caused the error? Is it possible that the team member who caused the issue did not understand the proper procedures? Is the organization’s training lacking in some manner? Is it possible the error was a purposeful attack?

Network Compromised With Malware or Viruses

Image of laptop screen with red popup that says "Malicious file" on it

Security teams install multiple layers of protection to try to keep malware and viruses off the network. However, a simple mistake could lead to a compromise of the network.

Scenario: An employee clicks on a link in an email message that opens a fake website and downloads malware. A security team member discovers the malware during a routine scan at a later time.

Start by determining the proper protocol that security team members should follow when discovering malware. Do you have a list of steps clearly spelled out that shows team members how to proceed?

Can the team member initiate a response to eradicate the malware and examine the network for any signs of a compromise, or does an administrator have to initiate the response? Do you have steps in place to isolate the malware, preventing it from doing network-wide damage during the eradication process?

What kinds of processes does the team have available to measure any damage the malware created? If it led to a data breach of sensitive customer data, what steps must the security team take to notify the correct people in the organization?

After limiting the damage and eliminating the malware, it is important for the team to review company-wide security protocols. Did the malware enter the network because the employee did not understand the rules or did not understand the risk? Does the entire organization need more security training? Is there any way to detect this type of malware infection faster?

The team should even consider whether the malware download occurred on purpose, as an insider attack, even if the employee feigned ignorance of the rules.

Ransomware Attack Scenario

Image of laptop with red screen and a skull and crossbones symbol in the center of screen

Malware that ends up undetected on your network could lead to a ransomware attack.

Scenario: Your security team does not catch a malware infection in time, leading to a ransomware attack. The attacker locks all your organization’s data with an encryption key, demanding money to receive the decryption key.

Start by initiating your organization’s incident response plan to determine the steps your team should take. Do you have a disaster recovery plan in place that can help you move forward with allowing the company to operate in some capacity without access to its data? How quickly can your team respond to an emergency situation like this?

If your disaster recovery plan allows for restoring your organization’s data from backup after taking several other steps, who can make the call to go to backup data? Can any member of the team start the restoration process from the backup location, or does this step require approval and deployment from an administrator? How quickly can you set up a backup network and give the employees some sort of ability to work?

How will your team examine the network and determine the full extent of the attack? Do you have steps in place that allow you to determine whether the attacker is bluffing and whether your team can restore the data on its own?

Management eventually will ask your security team for a recommendation on whether it should pay the ransom. What steps do you have in place for making this determination as accurately as possible? 

After a resolution of the ransomware attack, your team will need to evaluate the network and its response. It is important to find the source of the attack and institute protocols that prevent anything similar from happening in the future. Repeat ransomware attack attempts occur frequently. Do you have protocols in place to fully evaluate your network to prevent such attacks in the future?

Forced Evacuation of Your Building

Image of stoplight street sign floating in the middle of flood water

Your organization may end up with a situation that interrupts work and the network performance that has nothing to do with a cyberattack. Weather and other issues can lead to a loss to access to your network building and hardware. Having to work remotely and without your normal ability to communicate could open the network to a greater possibility of cyberattacks, though.

Scenario: A severe weather event hits your area, causing severe flooding and potential loss of services. Local authorities need you to evacuate your building. How do you keep the team productive and working safely while away from your physical network?

Start by consulting your organization’s incident response plan or your disaster recovery plan. Do you have a plan for keeping employees on the network and available to work from home or a remote location? 

Do your security team members know what changes they need to implement to ensure that employees can access the network and files they need remotely and safely? Are your security team members ready to begin working remotely at a moment’s notice in an emergency situation?

Who makes the decision when to switch to remote network protocols? What kinds of drawbacks will customers notice as you work from a remote location? What steps can the security team take to ensure customers receive the smoothest possible experience, despite the disruptions on your end?

Following the scenario exercise, you may find that you do not have the proper protocols in place for a scenario involving a physical interruption to the actual office location. This is understandable, as security teams focus most of their attention on hacking and inadvertent loss of data. A physical loss of the office seems almost impossible, so it may not receive the attention it deserves in your planning processes.

If protocols are not available, you will want to develop a comprehensive plan. Again, because this is not a common scenario for cybersecurity teams to handle, it is extremely important to closely examine the response you had during the exercise. You may need to make significant adjustments versus what you initially thought was adequate to handle this scenario.

It is important to focus on the security measures you are able to deploy for your remote workers as well. You do not want to hastily set up a remote network, only to open your organization up to malware intrusions or hacker attacks. 

Any exercise involving this scenario must equally balance the need to physically set up the ability for employees to work remotely, while also maintaining your security protocols.

Evaluate the Cybersecurity Tabletop Exercise Results

Whether you believe your security team passed or failed a particular exercise is only a small part of the benefit. Cybersecurity tabletop exercises give you a chance to perform a review of the scenario and to find ways to improve the response for your team.

Rarely will a team’s response to an exercise be completely perfect. (That’s why we’re practicing, after all.) It is important to take the time to do a full review of the results, including soliciting feedback from your team members. Your team must feel free to be completely honest in this feedback to achieve the best results. Administrators must be willing to hear criticisms and to be open-minded about suggestions for improvements.

Some of the areas to consider when soliciting feedback include:

  • Leadership hierarchy: Did team members know who was in charge and to whom they should report as the exercise moved forward? Were the right people making the final decisions?
  • Incident response plan: Did the team follow the incident response plan precisely? Was the team forced to deviate from the plan because it did not cover everything they needed to do? Was the plan clear and easy to understand?
  • Communication: Did team members understand how to reach out to other departments properly? Did they notify other departments of the potential breach in a timely manner, including administrators? Did they overshare information or request help from the wrong departments, which wasted time or which led to unwanted rumors? 
  • Effectiveness of training: If some team members struggled, did it occur because of inadequate training? What changes to training practices could benefit those team members? 
  • Tools: Does your team have the hardware and software tools available to respond to incidents? Would purchasing a new tool improve the timeliness of the response, which could be the difference between stopping a breach in time? Are team members using the tools they have to the maximum effect, or could they use more training?
  • Self-reflection: Don’t forget to ask the team members for their honest assessment of how they performed individually. You can evaluate certain responses accurately, but only each team member can truly assess how comfortable they felt with their own preparedness and performance. 

Finally, you should solicit feedback on whether your team felt the cybersecurity tabletop exercise was realistic enough. If the team believes that the exercise is something that could actually happen, they are almost certain to give a better effort. 

If you are struggling to come up with realistic exercises on your own, multiple companies provide pre-written exercises that you can purchase and run with your team. Some companies provide simpler exercise scenarios for free and charge a fee for complex exercises. Through a bit of research, you can find cybersecurity tabletop exercises that fit your team’s needs and budget, while also being realistic about the types of situations your team may face.

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
CIO of 6sense

Incredible companies use Nira