TTX: Cyber TableTop eXercise
A cyber tabletop exercise is an excellent way to test an organization's incident response readiness. Tabletop exercises are good for talking through the who, what, when, where, and how of a situation.
Industry professionals tend to argue how frequent to perform it and the going consensus is annually. But i agree with REDLEGG's article requesting it to be done more frequently if not quarterly. Other than maintaining good cyber hygiene and adhering to a system development lifecycle process, tabletop exercises also comply with NIST SP800:84.
TTX should go through these processes:
- Introduction and defining the GOAL of the exericise
- Assess the situation (Predefined scenarios)
- Re-validate assumptions
- Identify security and organizational implications
- Develop a course of action
- Develop recommendations
Guestlist should include these teams:
- Executive management
- Information Security
- Information Technology
- Audit
- Physical security
- Risk management
- Legal
- Finance
- Vendors
- Public Relations
The TTX Facilitator leads the:
- Incident response tabletop exercise
- Hot wash session
- Lessons learned session
Hot wash session happens immediately after the tabletop exercise so that we can collect initial feedback and have the opportunity to ask for clarification if need be.
Sample cybersecurity tabletop exercises:
References:
- https://www.cisecurity.org/white-papers/six-tabletop-exercises-prepare-cybersecurity-team/
- https://www.redlegg.com/advisory-services/tabletop-exercise-pretty-much-everything-you-need-to-know
- https://blog.rapid7.com/2017/07/05/running-an-effective-tabletop-exercise/
- https://www.dhs.gov/cisa/national-cyber-exercise-and-planning-program
- https://www.umassp.edu/procurement/bids/umass-system-wide-cyber-security-tabletop-exercise