Despite executive decision making being a critical factor in crisis response, many can’t connect tabletop exercises to the reality of how their own organization would respond when the worst happens. The injects on which they are built often assume too much and know too little about the real technical, procedural and human factors of their cybersecurity operations. As a result, the exercise leans towards fiction on this critical aspect.
What do I mean by this?
In a tabletop, the narrative of the overarching scenario typically represents a real risk - a supply chain attack, cloud compromise, or ransomware attack, for example. Internal crisis management teams, law firms and management consultants make these interesting and impactful.
Yet, for cybersecurity incidents, how effectively a team responds is decided in the details. How long was the risk present? What did the attacker access in that time? What could the attacker have accessed in that time? How sure are you? Getting decisions such as these right in a real crisis means testing them.
This means realistic exercises. Tabletops and their constituent injects, therefore, would be significantly more impactful if they reflected what the Security Operations Center (SOC) team would do.
Unfortunately, timing and budget have historically made this hard. Why? In a real crisis, the critical decisions are made by the C-Suite and their crisis management teams. In an exercise, having stakeholders wait while cybersecurity defenders undertake technical actions in a range is unworkable. Threat hunting takes time. Response is multi-stage. Teams chase false flags. All the while, the senior team you assembled for the exercise is waiting, which may happen in an actual crisis, but isn’t realistic in the condensed timing of a tabletop exercise.
So, if your organization hasn’t seen an attack that maps to the desired scenario, how can you bring realism to it?
Team exercises in RangeForce’s cloud-based cyber range help. Your security operations team experiences real attack chains, tools, networks, time pressures, processes and more – all in the safety of the range. The range captures the actions taken, the decisions made, the speed of response, the priorities set and the processes run. Most importantly, this is done weeks in advance, enabling more effective tabletop planning. Injects become an illustration of what would happen to your organization in a crisis, not what might.
RangeForce’s exercises measure time to detect (TTD), time to respond (TTR), and time to attend and analyze (TTA), as well as granular detection, disruption and defense actions, mapped to MITRE D3FEND. These metrics could be directly fed into injects in a number of ways, for example:
This knowledge opens up more authentic crisis scenarios for executive teams based on more realistic injects. By simulating the business decisions resulting from the actual actions of their organization around escalation, payload impact, lateral movement and more, they build better decision-making abilities. With scenarios altered to take into account how their technical team prioritised and ran processes, tabletops are a true picture of incident response.
Ultimately, by using this data for greater context, the outlay of resources in tabletop exercises is maximized. More than this, you build a more accurate form of crisis readiness, one honed on facts, not fiction.