How to conduct incident response tabletop exercises
Have an incident response plan but aren't running incident response tabletop exercises? These simulations are key to knowing if your plan will work during an actual security event.
The best way to validate the effectiveness of an incident response plan is to try it with a live audience. After all, if a plan doesn't work when needed, it has no value.
What is an incident response tabletop exercise?
An incident response tabletop exercise is an activity that involves testing the processes outlined in an incident response plan. Attack simulations are run to ensure incident response team members know their roles and responsibilities -- and whether they are sufficient -- in response to a given attack scenario.
Incident response tabletop exercises can be discussion-based or operational. Discussion-based tabletop exercises involve the incident response team talking through the events of a specific security incident. Operational exercises involve hands-on and discussion-based activities.
What are the benefits of an incident response tabletop exercise?
As mentioned, incident response tabletop exercises help validate the effectiveness of an incident response plan. They can identify and solidify plan procedures that work, as well as correct any procedures that do not work.
Exercises also help identify and correct steps that are out of sequence or steps that need to be added or deleted to create a more efficient and effective plan. They also help identify resources that could be needed in the event of an incident -- for example, staffing, equipment, communications, transportation or alternate locations.
Within business continuity (BC), technology disaster recovery (DR), cybersecurity incident response and other resilience-focused disciplines, tabletop exercising is an essential activity.
Several standards have been developed for exercising and incident response. To ensure an incident response program is compliant with the standards, exercising and a documented report of exercising are necessary. Evidence of incident response plan exercising might also be required for auditing purposes.
Standards for incident response planning include the following:
- ISO 22320:2018 -- Security and resilience -- Emergency management -- Guidelines for incident management
- ISO 22361:2022 -- Security and resilience -- Crisis management -- Guidelines
- ISO 27035:2011 -- Information technology -- Security techniques -- Information security incident management
- NIST Special Publication (SP) 800-61 Rev. 2 -- Computer Security Incident Handling Guide
NIST also offers a guide on testing, training and exercise programs for IT plans. The U.S. Department of Homeland Security and the Federal Emergency Management Agency similarly provide security exercise and evaluation guidance.
Incident response exercise scenarios
Incident response scenarios document hypothetical situations that could threaten the operations or survival of an organization. Incident response plans and the accompanying steps for initial response are essential to BC/DR and cybersecurity planning processes. They provide a way to identify problems and their accompanying solutions to recover and restore normal operations after a disruptive event.
Incident response exercise scenarios can encompass many different events, from biological attacks to pandemics to natural disasters. In terms of cybersecurity-specific incidents, common tabletop exercise attack vectors include the following:
- DDoS attacks
- phishing attacks
- viruses
- ransomware
- credential theft
- malicious insiders
- brute-force attacks
- device or system misconfigurations
- unpatched vulnerabilities
The following are some cybersecurity incident scenarios typically covered during incident response tabletop exercises:
- data breaches
- unauthorized access
- device compromise
- network compromise
- service compromise
How to create and plan an incident response tabletop exercise
Each incident response scenario can be developed into an exercise by expanding the premise of the incident into a series of steps to make the exercise realistic. For example, a data breach tabletop exercise will include the initial attack vector, such as a phishing scam or credential theft, and its consequences.
Discussion-based exercises can be held in a conference room if on premises or conducted remotely -- a popular choice given the increase in remote work in recent years. In an ideal exercise, team members work side by side to encourage interaction and discussion about how to deal with an incident as it unfolds.
An exercise moderator should present the ground rules for the exercise and, if possible, serve as the timekeeper to keep exercises on track and on schedule. Situations that develop outside the exercise flow should be addressed or noted for later discussion. Someone also should be assigned to take notes on the exercise.
Once completed, participants should discuss the exercise while it is fresh in their minds. This is the best time to capture details on what worked, what didn't, and any revisions that need to be made to the incident response plan. If a follow-up exercise is needed, schedule it during this review time.
To design a tabletop exercise, base it on the scenario occurring, what could happen during said incident and the responses to address it. Detail each situation, including its objectives, team members involved, and any equipment or additional materials needed.
Incident response tabletop exercise template
This downloadable incident response tabletop exercise template can be customized to your organization's unique incident response tabletop exercises.
During each scenario, exercise facilitators might introduce specific situations -- called injects -- that can change or alter the sequence of events. Injects challenge exercise participants and encourage them to modify or adapt their incident response approaches during what could be rapidly changing circumstances.
The following table outlines a ransomware tabletop exercise, including the scenario events and responses, as well as a column for exercise observations. Note that exercise leaders would have access to both columns, while participants would only see the scenario column.
| Scenario event | Response | Observations |
| Firewalls or intrusion prevention systems alert security team about an issue. | Security team examines alarms, makes initial assessment of attack vector and contacts the incident response team. | |
| Employees report they are unable to access files and systems, saying a code is needed to access them. | Security team examines code patterns captured by perimeter security systems. | |
| Security team is alerted of a suspected ransomware attack. | Security team initiates incident response plan and alerts incident response team members of the plan launch. Incident response team alerts senior leadership of the attack and advises employees to log off systems and back up files. |
|
| Security team examines systems, determines access to them has been blocked. | Incident response plan activities isolate the malware for examination and quarantining. | |
| Employees are still unable to access files and systems. | Incident response team asks senior leadership and others to identify negative impact within their departments -- for example, inability to handle customer inquiries and place orders. | |
| Senior leadership and others inform incident response team that the attack is causing operational problems. | Incident response team continues to assess the situation and examines malware captured by the antimalware system. | |
| Senior leaders determine whether the company needs to shut down until the attack is remediated. | Incident response team determines the company's BC plans may need to be launched. | |
| Senior management delays launching BC plan, informs incident response team. | Employees are advised they can remain in their offices or leave, told to await further updates. Incident response team determines the nature of the attack, attempts a fix. |
|
| Employees still unable to access files and systems. | Incident response team finds the encryption used in the attack is too difficult to decrypt, advises senior leaders. | |
| Senior leaders instruct IT to recover the damaged files and systems from backup copies. | IT and incident response teams begin system recovery, clean affected systems and reload backed-up assets. | |
| Employees report they can access systems and files. | Incident response team notifies senior leadership. A message is sent to employees that systems have been recovered. Post-incident activity launches. |
How to conduct an incident response tabletop exercise
An incident response tabletop exercise should follow the steps and procedures laid out in an incident response plan. The NIST Computer Security Incident Handling Guide, for example, outlines the following four steps:
- preparation
- detection and analysis
- containment, eradication and recovery
- post-incident activity
Incident response tabletop exercise schedule
Just as incident response plans should be reviewed and updated annually -- at a minimum -- so should incident response tabletop exercises. Keep the incident response plan and tabletop exercises up to date and as current as possible. Add scenarios as needed to account for new and emerging threats, and to review steps and procedures with new and existing team members.
Plans and exercises should also be reviewed and revised, if needed, any time changes are made to the company's business, infrastructure or compliance needs.
