Running your first cybersecurity tabletop exercise (TTX)

Photo credit: Stranger Things

Ever wonder how big organisations measure their cybersecurity readiness? Apart from conducting regular audits, risk assessments, and running security scans, cybersecurity tabletop exercise (TTX) has also been gaining popularity in Singapore. Some notable examples in recent years are the Exercise Cyber Star and Exercise Cyber Maritime.

In this article, we will be sharing with you a couple of pointers to help kickstart your first cybersecurity tabletop exercise.

What is a cybersecurity tabletop exercise (TTX)?

No, it’s not Monopoly.

For those who don’t know, a cybersecurity TTX consists of a group of simulated scenarios that tests an organisation’s or individual project team ability to respond to a cyberattack. These exercises are typically conducted in a classroom-style setting, with participants playing out various roles in the scenario.

The exercise progresses through a series of stages, with new information and challenges presented at each stage. The goal is to test the organisation’s ability to respond to the attack, identify vulnerabilities, and develop effective mitigation strategies.

Here are the steps you should follow to run a successful cybersecurity tabletop exercise:

Step 1: Identify your participants

The first step is to identify a project team or a team of individuals who will participate in the exercise. Depending on the nature of your organisation, this team should include representatives from the various roles — e.g. software developers, project manager, communications team, Chief Information Security Officers (CISO), Security Incident Response Managers and Officers (SIRMs/SIROs), CIO/CTO, and management.

Tips: Try hosting in a small team first (e.g. during sprint planning day). If someone is unavailable during the exercise, the scenario could be updated to have said person uncontactable during the incident.

You will also need to appoint a separate standalone team that consists of a facilitator and observers. A facilitator’s main role is to lead the exercise for the participants so s/he should preferably have a cybersecurity background and is familiar with the organisation’s guidelines and policies.

Step 2: Design scenarios

The next step is to create fictional scenarios that serve as the basis for the exercise. The scenario should be realistic and relevant to the organisation’s operations and cybersecurity concerns. Scenarios should be broken down into different stages and presented to participants one after another. Similar to how during an actual attack, new information is gathered and presented as time goes on. Examples of scenarios might include a data breach, a ransomware attack, or a DDOS attack.

Step 3: Define the objectives

The objectives of the exercise should be clearly defined to all the participants, such as what you want to achieve from this TTX. It can be to test the effectiveness of your incident response plan, identify weaknesses in your security controls, or to assess the readiness of your team to respond to a cybersecurity incident. It is important that these objectives are communicated clearly to all the stakeholders to ensure a smooth exercise.

Step 4: Set the rules

The rules of the exercise should be clearly defined, including the scope of the exercise, the duration, and the roles and responsibilities of each participant. Make sure everyone understands the rules and expectations.

The last thing we want to see is the exercise turned into a finger-pointing and ‘shaming’ session. This will only sow discord within the team, which is not the desired outcome of the exercise.

Step 5: Conduct the exercise

From our experience, TTX is most productive when all participants are gathered in the same room. This is especially true when you’re running a complex scenario that involves multiple teams or across organisations. It is also recommended to allow other colleagues who aren’t part of the exercise to observe the session.

Start by presenting the scenarios to the participants and allow time for them to digest the information and come back with an actionable plan. Based on the response of the team, the facilitator may choose to inject more information or move on to the next stage.

Step 6: Evaluate the results/follow-up

Throughout the exercise, designated observers should be taking notes and documenting how the team reacts to the scenario. Were the team familiar with the incident response playbook? How did the team communicate and coordinate their effort during the exercise?

At the end of TTX, observers will consolidate their findings, debrief the participating team, and discuss the lessons learned. This should include identifying any improvements that need to be made to the organisation’s incident response plan and cybersecurity strategy, as well as identifying any training or education needs for the individuals involved in the response, or the organisation as a whole.

In summary, a cybersecurity TTX is an effective way to test your incident response plan and improve your cybersecurity posture. With careful planning and preparation, you can run a successful exercise that will help you identify weaknesses and improve your organisation’s cybersecurity readiness.

Share your cybersecurity tabletop exercises experiences with us in the comments section below. Till then, stay safe and keep learning!

🧙🏼‍♀ Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.