Cyberattacks, ransomware and corporate data exfiltration by nefarious actors are frequent headlines affecting major companies from around the world. Are organizations truly prepared for a cyberattack? Simply having a cybersecurity incident response (IR) plan is no longer enough to protect organizations. The IR plan and the IR team’s actions remain theoretical until they are thoroughly tested and further refined. Industry experts strongly recommend running a tabletop cybersecurity exercise multiple times per year. Practice makes perfect, and the result is a more resilient response when it matters most — a real cyberattack.
The goal of a tabletop cybersecurity exercise is to evaluate your organizational IR plan and IR team’s reaction to a cyberattack through a verbal exercise — offering practice for your IT team against an attack without the risk of causing any actual interruption to business. It allows for the discovery of any gaps in the IR plan. Tabletop exercises are best when the cyberattack scenario is realistic, based on the business, its assets, tooling and vulnerabilities, and the assets a malicious actor might target. It’s essential to have a plan based on a thorough understanding of the business, its risks and the attacks that’ll affect it.
During a tabletop exercise, the most likely real-world attack scenarios get practiced, and appropriate response procedures are documented, which will enable IR teams to act quickly in real events. Being under cyberattack is a very stressful situation with an unknown financial impact on the business and its reputation, and it’s essential to restore functions promptly and minimize the damage. An untested plan and team are a risk. Are teams intimately familiar with all the IR steps? Are there any unknown gaps, or costly mistakes that an untested team without sufficient training and experience could make?
The exercise reduces overall organizational risk from a cybersecurity attack. Security leaders can assure the board and key stakeholders of the organization’s readiness and preparedness by periodically vetting the IR plan and team’s effectiveness. Tabletop exercises demonstrate the necessary cooperation and communication with key people across departments within the organization; it’s not just an IT-only exercise. It helps demonstrate a team’s effectiveness and ability to make timely and critical decisions based on a vetted IR plan.
The most important takeaway from your cybersecurity tabletop exercise is a retrospective report and analysis, including how your IR plan held up and the team’s performance. The goal is to continually improve the IR plan and the effectiveness of the IR team in preparation for the next exercise.
Benefits of an outside-in view
The exercise must be crafted based on real-world attacks likely to affect the business. Having an outside-in view from trusted cybersecurity experts and partners will help develop a scenario that challenges information security teams based on real-world methods used by cybercriminals. Ideally, they should include insights and research from industry leaders in cybersecurity based on real-world IR to actual attacks that they’ve helped their customers overcome.
From the outside of the exercise, an industry expert will have an honest and objective view. These partners assess the current state and provide design recommendations for the future state of the organization’s IR plan. They will point out necessary improvements to advance IR. They also provide a technical roadmap on potential automation methods with third-party platforms to simplify organizational response to attacks. A trusted expert can likewise prepare implementation documentation, such as workflow, layout, role access matrix and notifications to assist the IR team. Beyond recommendations, governance, risk and security experts can create customized buildouts and implement new platforms within the infrastructure.
With vast cybersecurity knowledge, industry experts create and conduct user training in new countermeasures, which will bring your IR team to the next level. Are there tools and methods you aren’t currently using but might benefit from for more effective detection and response? Security leaders should look to a third-party service to help enhance cybersecurity defenses, readiness and resilience based on their organization’s goals.
Further build organizational resilience and readiness
An industry expert offers further security challenges to increase organizational readiness and resilience against cyberattacks and increase organizational cybersecurity maturity.
Security leaders, in particular, should implement a next-generation red teaming service. This technology creates a simulation of real attack payloads against an organization to test its ability to detect and respond to real cybersecurity incidents, delivering regular SIEM rule updates as an ongoing service that security leaders consume into their enterprise defensive strategy. The technology should include intelligence experts’ research adopting the methods of cybercriminals to optimize an organization’s defense strategy. The service should also draw upon extensive research and knowledge carried out by its intelligence experts, following trends, system weaknesses and worldwide cyber events. Moreover, methodologies in the service should come from actual observations and findings from real incident response events that its people have engaged in.