Incident response tabletop exercises: Guide and template
Have an incident response plan but aren't running incident response tabletop exercises? These simulations are key to knowing if your plan will work during an actual security event.
The best way to validate the effectiveness of an incident response plan is to try it with a live audience. After all, if a plan doesn't work when needed, it has no value.
This is where incident response tabletop exercises come in. Let's examine these exercises and how to create and plan them.
What is an incident response tabletop exercise?
An incident response tabletop exercise is an activity that involves testing the processes outlined in an incident response plan. Attack simulations are run to ensure incident response team members know their roles and responsibilities -- as well as the tools and processes to use -- in response to a given attack scenario.
Incident response tabletop exercises can be discussion-based or operational:
- Discussion-based tabletop exercises involve the incident response team talking through the events of a specific security incident.
- Operational exercises involve hands-on and discussion-based activities.
Exercises offer the following benefits:
- Validate the effectiveness of an incident response plan.
- Identify and solidify plan procedures that work and correct any procedures that do not work.
- Pinpoint and correct steps that are out of sequence or steps that need to be added or deleted to create a more efficient and effective plan.
- Determine resources that could be needed in the event of an incident -- for example, staffing, equipment, communications, transportation or alternate locations.
The following standards have been developed for exercising and incident response:
- ISO 22320:2018 -- Security and resilience -- Emergency management -- Guidelines for incident management.
- ISO 22361:2022 -- Security and resilience -- Crisis management -- Guidelines.
- ISO/IEC 27035-1:2023 -- Information technology -- Information security incident management.
- NIST Special Publication (SP) 800-61 Rev. 3 -- Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile.
NIST offers a guide on testing, training and exercise programs for IT plans. The U.S. Department of Homeland Security and the Federal Emergency Management Agency similarly provide security exercise and evaluation guidance.
Incident response tabletop exercise template
Successful tabletop exercises involve planning, processes and participation, followed by post-exercise review. Whether discussion-based or operational, incident response teams must ensure exercises encompass realistic scenarios that are tailored to their organization's threat landscape.
Our downloadable incident response tabletop exercise template is a good starting point. It can be customized to any organization's unique incident response exercises and adjusted as necessary.
ClickThis template includes the following core components:
- Scope.
- Purpose.
- Objectives.
- Attack vector.
- Incident scenario.
- Discussion questions.
- Notes.
- Post-exercise remediations and review.
Incident response exercise scenarios
Incident response exercises document situations that could threaten an organization's operations or survival. Incident response plans and the accompanying steps for initial response are essential to business continuity (BC), disaster recovery and cybersecurity planning processes. They provide a way to identify problems and their accompanying solutions to recover and restore normal operations after a disruptive event.
Incident response exercise scenarios can cover many different events, from biological attacks to pandemics to natural disasters. In terms of cybersecurity-specific incidents, common tabletop exercise attack vectors include the following:
- DDoS attacks.
- Phishing attacks.
- Viruses.
- Ransomware.
- Credential theft.
- Malicious insiders.
- Brute-force attacks.
- Device or system misconfigurations.
- Unpatched vulnerabilities.
The following are some cybersecurity incident scenarios typically covered during incident response tabletop exercises:
- Data breaches.
- Unauthorized access.
- Device compromise.
- Network compromise.
- Service compromise.
How to create and plan an incident response tabletop exercise
Incident response teams should create exercises for the scenarios and attack vectors specific to their organizations. Expand the premise of the incident into a series of steps to make it more realistic. For example, a data breach tabletop exercise should include the initial attack vector, such as a phishing scam or credential theft, and its consequences.
Base the exercise on the scenario occurring, what could happen during said incident and the responses to address it. Detail each situation and its objectives, team members involved, equipment used and any additional materials needed.
Before the exercise, take these steps:
- Assign an exercise moderator who presents the ground rules for the exercise and serves as the timekeeper to keep exercises on track and on schedule.
- Assign someone to take notes.
- Plan where the exercise will take place. Discussion-based exercises can be held in a conference room if on-premises or conducted remotely. In an ideal exercise, team members work side by side to encourage interaction and discussion about how to deal with an incident as it unfolds.
Teams should prepare for the following during an exercise:
- Run through the events of the incident and possible responses.
- Situations that develop outside the exercise flow should be addressed or noted for later discussion.
- Exercise facilitators might introduce specific situations -- called injects -- that can change or alter the sequence of events. Injects challenge exercise participants and encourage them to modify or adapt their incident response approaches during what could be rapidly changing circumstances.
Post-exercise, discuss the events while they are fresh in participants' minds:
- Capture details about what worked.
- Document what did not work.
- Note any updates to make to the incident response plan.
- Schedule a follow-up exercise if necessary.
Tabletop exercise example
The following table outlines a ransomware tabletop exercise, including the scenario events and responses, as well as a column for exercise observations. Note that exercise leaders would have access to both columns, while participants would only see the scenario column.
| Scenario event | Response | Observations |
| Firewalls or intrusion prevention systems alert security team about an issue. | Security team examines alarms, makes initial assessment of attack vector and contacts the incident response team. | |
| Employees report they are unable to access files and systems, saying a code is needed to access them. | Security team examines code patterns captured by perimeter security systems. | |
| Security team is alerted of a suspected ransomware attack. | Security team initiates incident response plan and alerts incident response team members of the plan launch. Incident response team alerts senior leadership of the attack and advises employees to log off systems and back up files. |
|
| Security team examines systems, determines access to them has been blocked. | Incident response plan activities isolate the malware for examination and quarantining. | |
| Employees are still unable to access files and systems. | Incident response team asks senior leadership and others to identify negative impact within their departments -- for example, inability to handle customer inquiries and place orders. | |
| Senior leadership and others inform incident response team that the attack is causing operational problems. | Incident response team continues to assess the situation and examines malware captured by the antimalware system. | |
| Senior leaders determine whether the company needs to shut down until the attack is remediated. | Incident response team determines the company's BC plans might need to be launched. | |
| Senior management delays launching BC plan, informs incident response team. | Employees are advised they can remain in their offices or leave, told to await further updates. Incident response team determines the nature of the attack, attempts a fix. |
|
| Employees still unable to access files and systems. | Incident response team finds the encryption used in the attack is too difficult to decrypt, advises senior leaders. | |
| Senior leaders instruct IT to recover the damaged files and systems from backup copies. | IT and incident response teams begin system recovery, clean affected systems and reload backed-up assets. | |
| Employees report they can access systems and files. | Incident response team notifies senior leadership. A message is sent to employees that systems have been recovered. Post-incident activity launches. |
Incident response tabletop exercise schedule
Just as incident response plans should be reviewed and updated annually -- at a minimum -- so should incident response tabletop exercises. Keep the incident response plan and tabletop exercises up to date and as current as possible. Add scenarios as needed to account for new and emerging threats, and to review steps and procedures with new and existing team members.
Review and revise plans and exercises, if needed, any time changes are made to the company's business, infrastructure or compliance needs.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
