27 Aug 2024

Tabletop Exercises

Written by AUSCERT Principal Analyst, Mark Carey-Smith

Tabletop exercises are referred to by different terms, including “drills”, “simulations”, just “exercises” or “discussion exercises”, though these terms don’t always mean the same thing.

NIST’s definition in SP 800-84 is: “Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.”

In our context, the emergency situation usually involves a cyber incident. Tabletop exercises, or TTXs, can be oriented towards cyber incident response, business continuity, crisis management or elements of all three, depending on what the organisation running the TTX wants to achieve. Participants can be from any role: operational, cyber security, communications, executives or a combination.

Why perform tabletop exercises?

  • Having accurate and easy-to-understand incident response plans and playbooks is obviously important, but we just don’t know how effective they are until they are tested through use. It’s far safer to do that testing via a simulated incident in a TTX rather than a real one.
  • Running TTXs can help provide an understanding of how people will respond to an incident. Even when we know it’s a simulation, it still gets some of the same juices flowing, which should also help people respond with lower levels of stress during an actual incident.
  • TTXs can engage stakeholders, particularly executive ones, in a way that risk heat maps and logically structured arguments simply don’t, because if they are done well, TTXs can engage stakeholders emotionally. Emotional engagement can be a strong lever for change.
  • By planning and executing TTXs in a progressive and supportive way that values opportunities for improvement, a culture of learning can be created that does not penalise mistakes but instead sees them as teachable moments.
  • Some organisations have contractual obligations, for example from clients, to perform regular TTXs. Some insurance policies may require, or apply pressure via pricing mechanisms, for their clients to perform TTXs.
  • Regulatory requirements, such as for some of the specific entities that fall under the SOCI Act, require exercises to be performed, while others have implied obligations.
  • The Australian Prudential Regulation Authority has requirements in CPS234 for regulated entities to: “…annually review and test its information security response plans to ensure they remain effective and fit-for-purpose”. In the associated CPG234, tabletop exercises are a recommended way to test incident preparedness.
  • Audit findings may recommend the use of tabletops to improve or validate incident response practices. Such audits might be organisation-specific or sector-wide.
  • To help non-technical stakeholders, like managers or execs, understand the difficulties and complexities of incident response better, such as the considerable amount of time that an incident can take to resolve, including recovery.

Some useful information for designing and running TTXs:

  • CISA’s tabletop exercise resources. Use the Google search “CISA CTEP filetype:docx” to find editable versions of some of their documents.
  • ANSSI has some good resources for what they call ‘cyber crisis management’ exercises.
  • The ACSC has re-badged the original Exercise in a Box platform created by the UK’s NCSC and adapted the language and context for Australian audiences. It can be an easier and more structured way to deliver TTXs for first time facilitators.

AUSCERT now delivers TTXs as part of our GRC services. We can design and deliver custom-created TTXs for organisations to suit their specific objectives. We can also assist organisations to deliver their own TTXs through assistance with planning, execution and evaluation. Please contact us for more information.