"Showtime, A-holes!" ~ Star-Lord, Guardians of the Galaxy 2
Honestly, I couldn't think of a better way to start this article than using one of my favorite Star-Lord quotes (F.Y.I. it's also the title of an original score for the movie Guardians of the Galaxy by Tyler Bates), and I also find it considerably fitting given the content discussed here.
So, what are we discussing? Well, “Mr. Blue Sky” (Electric Light Orchestra), we will be talking about tabletop exercises. What's a tabletop exercise?
“Come A Little Bit Closer” (Jay & The Americans), and we can dive deeper into this. A tabletop exercise is a security training event revolving around a security incident. The goal of the activity is to have a plan of action should a security incident occur. Mostly, the goal is to break “The Chain” (Fleetwood Mac) of panic that arises from not being prepared. Think fire drills.
Ok, let's play!
Before we can “Bring It on Home to Me” (Sam Cooke), we should discuss the rules of the game and what's needed to play. The first thing we need to talk about is the type of event you will be considering. Is it a ransomware event? Is it data theft? Is it a physical security breach?
If you are having problems trying to decide which event to choose, start with a ransomware event (this is something that most individuals would have least heard of) then from there, you can move into the category, "what is the worst thing that could happen?"
Once you have selected the type of event, choose the people who will be participating. Are they system administrators? Seasoned security professionals? Executives? HR? Legal? Marketing? The experience level of the individual dictates the terminology that would be used during the event (keep it so it applies to the group, so the exercise has value).
The experience of the group should dictate how deep the training should go. “Ain't No Mountain High Enough” (Marvin Gaye & Tammi Terrell) for a group of seasoned veterans.
Ok, before we go any further, what's with all the music references? So, the title of the article is the name of a song (and a quote from the movie too) from the Guardians of the Galaxy soundtrack, so I wanted to incorporate some of the other titles also. “O-o-h Child” (The Five Stairsteps), things are gonna get easier if you go along with it.
Now that we have the event and the audience/participants selected, it’s time to shine a “Flashlight” (Parliament) on what to do from there. First, find some event in the news to use as a reference during the training. This makes the event more relatable and shows a real-world consequence of what can happen.
Let's say you select a ransomware outbreak as the tabletop exercise, grab stories showing payouts, complete loss of data and the total economic impact to the companies/agency hit. This is especially important for the non-technical people in the group as it can help them understand the importance of the event.
From there you want to grab documentation on industry best practices. What does the rest of the industry say about responding to the type of event you have selected? This is to be used as a reference, not a "here's what we are going to do" sort of thing. Remember, tabletop exercises are only useful if there is a dialog.
Alright, I have my event, resources and audience selected. Now what?
Schedule a location in your office (meeting room, etc.) and block off enough time for each audience member to limit distractions.
Ok, that's all done, how do I kick this sort of thing off?
Before the meeting begins, you want to make sure you have all your documentation printed out, and every seat has something there for someone to take notes (pen and paper). Also, try to have a whiteboard in the room and sticky notes available (you will understand why soon).
Once everyone is in the meeting, I like to go around and introduce each person and their role within the company. It's incredibly important that you take note of what their role is within the company. You don't want to tell people what their role is; you want to utilize their role and their existing capabilities. Remember the goal is to plan in case of a security event; “Ego” (Tyler Bates) has no place in this sort of meeting.
Alright, I have documented everyone in the room, and their capabilities/roles have been recorded. Now what?
From here, what I like to do is provide everyone with the article of an attack from the news. I like to read the article but replace the company's name (the one in the news item) with the company name of the employees in the room (this makes it a little more personable). Once I complete reading the article, I like to tape it to the top right side of the whiteboard. Under that article on the whiteboard, I like to use a marker to label the article as "a potential outcome." This keeps the potential outcome in people's minds.
After that, I like to write in the center-left side of the whiteboard the name of the attack (assuming you are hosting a ransomware tabletop exercise, you would write "ransomware"). Then I draw a line between the attack to the article. This should indicate the timeline for doing nothing. Then I like to explain to the room "this is what happens when you are not prepared, and the purpose of the meeting is to ensure we have a plan, so it doesn't reach this point."
From there, it's a simple exercise; you want to build a timeline from the time of the attack (you have to assume the attack happens) to a level of normality.
Take it one step at a time; the attack happens, then IT is notified, then this member does X then this member does Y. Leverage the documentation you have on best practices (don't force them on people as you may discover a better way of handling something within your organization).
Use the sticky notes to represent the people in the room and where they fit in. If you have people who are not in IT, help them define their role in the response. As an example, if HR is present, work with them to understand the communications aspects (how do we notify employees, etc).
By the end of the exercise, you will have a fully documented plan (created visually then transferred into a document) that can be delivered to each person who attended.
The ultimate goal isn't to “Surrender” (Cheap Trick) to an attack, but to be prepared when one will occur.