Are you ready for an incident? Are you confident that your team knows the procedures, and that the procedures are actually useful? An incident response tabletop exercise is an excellent way to answer these questions. Below, I've outlined some steps to help ensure success for your scenario-based threat simulations.
First, identify your audience. This will help inform which type of exercise you'll want to run. Will it be an executive exercise or technical in nature? It does not make sense to invite your entire C-Suite to a technical exercise, just like it would not go over well to have your technical incident responders drive an exercise that focuses on executive oversight and compliance. This does not mean that there cannot be overlap (some exercises can combine both executive and technical aspects), but the exercise must be managed closely to ensure it's a good use of time for everyone. You can also involve counsel at this point. Legal counsel provides invaluable guidance and advice for navigating an increasingly complex regulatory environment.
Now that your scope and audience have been set, it is time to define your scenario. This is where many exercises go off the rails. You must set a realistic scenario that truly exercises your organization. Remember, this is a time when you will be pulling together many people who have cleared off their schedules for a few hours. Make it worth their time. Use the maturity of your organization's incident response (IR) capabilities and the threats to your business to help guide the selection of a scenario for the exercise. For instance, a defense contractor will not have much need to practice a case of adware infection on a handful of machines, and a restaurant will not greatly benefit from preparing for a nation-state threat. You have to find the sweet spot to ensure a successful exercise. It should not be out your team's reach, yet it also shouldn't be a softball. And if you intend to conduct multiple exercises over time (which we highly recommend), you will want to keep the audience engaged and ensure they do not dread the effort.
With the audience set and the scenario defined, you can move into scripting the exercise itself. While it is good to set an outline for the time you have everyone together, leave enough flexibility to improvise when needed. This phase of your planning should not involve every potential exercise participant. Limit this to a handful of trusted agents. This is not a case in which more is better. Having all participants help write the test only ensures that the results will be artificially inflated and the assessment will be inaccurate. Unwavering candor is necessary to help the organization truly know where it stands in its preparedness. You would much rather discover deficiencies during practice than during a live event.
Now that you have fully prepared, the steps that remain are executing the exercise and reporting the results. You should not be afraid to call out areas for improvement in your program. Narrow your assessment down to specific facets of incident response; we like to look at clients' incident response plans, their adherence to those plans, coordination among IR teams, communications (internal and external), and technical analysis. As mentioned before, it is helpful to go over the results with your legal counsel and seek advice for how to proceed with improvements.
At the end of the day, you may not be able to address every finding. As with any aspect of security, your decisions on what to address and how to go about it should be risk-based. We wish you luck in assessing your program, and our experts are happy to help when needed.
You can learn more about the role tabletop exercises play in incident response by watching this Whiteboard Wednesday, and be sure to keep an eye out for more posts around the role legal counsel plays in IR. If you are interested in partnering with Rapid7 to help you develop a robust incident response plan at your organization, check out our incident response services.