What do Role Playing and Risk Management have in common?

by Josh Sokol (Creator & CEO of SimpleRisk)

A couple of weeks ago I participated in a CISO Summit with a focus on the topics of Security Visibility and Incident Response.  At one point, towards the end of the summit, we fell on the topic of having a "Table Top Exercise (TTX)".  I have to admit that I'd heard of these before, but I'd never before participated in one myself.  But as these CISOs talked more and more about how it worked, who was involved, and the lessons learned, I was intrigued.

For them, these Table Top Exercises had become a routine part of testing their organization's readiness to handle various types of security incidents.  Not only that, but it was a way to identify gaps in their processes, documentation, and tools, and as we all know, these gaps frequently help to identify risk in the organization.  They mentioned asking for participation from various other teams (legal, public relations, IT, etc.) because many of these incidents require coordination across the organization.  We didn't get too deep into the "how" of running one of these Table Top Exercises at the summit, but I had heard enough to know that I wanted to try running one myself.

My experiment started with a simple Google search for "security incident table top exercise" which eventually brought me to an article by Sean Mason.  In the article, Sean described what a Table Top Exercise is, why it is useful, how they work, and mentioned that he put together a TTX based on a combination of some materials from FEMA, along with some blog posts from Brian Krebs.  I downloaded that file, which was a zip file containing a PowerPoint presentation and two Word document scripts.  The materials covered a realistic scenario which began with a Twitter post of "someone has been hacked" and then walked you through various stages of getting more and more information indicating that it is your company that was hacked, and then finally the repercussions from the community, partners, and employees.  It provided rough guidance on timeframes and discussion topics for each section.  This document would be the perfect starting point for my own TTX.

I decided that with this being my first time, I didn't want to risk looking foolish in front of legal, PR, etc., so I just invited my security team, my boss, and a couple of other security-interested people from IT.  The likeness to having a Dungeon Master walk a group playing Dungeons and Dragons through a quest was not lost on one of them, as he replied back to me with the following (names are changed to protect the innocent):

This feels like we are going to play Dungeons and Dragons, cyber security edition: 

  • John is the dungeon master and defender against the dark arts with a plus three sword of Damocles often held by those in positions of power
  • Paul is the neutral good Druid that can transform into a Tasmanian devil with a plus two saving throw.
  • George is the barbarian with a freakishly high constitution and hit points that allow him to keep on swinging when dealing with advanced persistent threats
  • Ringo is an apprentice rogue who is working on his close order combat attacks
  • Peter is a chaotic good warlock schooled in arcane spells and a plus two charisma
  • Jeff is the lawful good monk with a high wisdom attribute and a wicked disarming spell
  • And I guess I would have to be a chaotic neutral bard that your average Joe doesn’t realize has surprisingly strong spoofing skills with a plus two crossbow of wiki

I knew two things immediately from his response.  First, this was going to be fun.  Second, this guy has way too much free time on his hands.

Last Friday was the day we finally did it.  I had booked a total of four hours in the afternoon for us to run through the exercise, which turned out to be perfect.  I led the activity, which was just like my experiences with Dungeon Masters in D&D, and started by laying out some simple guidelines.  There were no wrong answers, everyone can and should participate, we're using this as an exercise to improve our security posture, etc.  We set a 25-minute timer for each section and, for the most part, the discussions were fantastic.  We learned so much that was previously just assumed, with respect to our IR processes.  We found a bunch of gaps, specifically where escalation and communication processes aren't defined.  Most importantly, I think we realized that while there are certainly areas for improvement, we actually do have a pretty decent handle on our incident response processes.  Everybody left the room feeling like it was time well spent and suggesting that we should start doing these regularly (once per quarter) to test out different scenarios.  They asked to try it once more before involving outside teams, so we can show them how awesome we are, but were excited with the progress that we had made.

When it comes to risk assessment, sometimes all of the scans, audits, and interviews in the world don't come close to providing the value learned through experience.  Fortunately, these Table Top Exercises allow you to experience the incidents, and assess the risks, without having to live through the real thing.  And, to be honest, it was a ton of fun to be role playing incident response, rather than actually responding to incidents, for at least a little while.  If your organization hasn't done one of these TTXs yet, I would highly recommend downloading Sean Mason's documents, inviting some team members into a conference room, and spending some time running through the scenario.  There's no doubt in my mind that you'll find it to be time well spent.