Tips to Improve Your Incident Response Tabletop Exercise

Incident response tabletop exercises are a great way to mature your overall security posture. As with most mock exercises, the more thought and effort you put into the execution, the more you will ultimately get out of it. Today, we explore tips to help improve your next incident response tabletop exercise.

1. Treat it Like the Real Deal

This seems obvious, but if you go into an incident response tabletop exercise treating it just as a way to check the box and meet a compliance requirement, you are not getting much out of it. The more realistic you can make the exercise, the more you can learn, grow, train your staff, and ultimately, gain. Include any teams you would include in an actual response scenario (“when possible”), including your executive team, the IT/Security team, and public relations team.

Also in this vein, try and keep everyone engaged and professional. It can be easy for something like this to take on an informal or comedic tone, but that can degrade the value everyone gets out of it. If you run the exercises with realistic incidents and expect real responses/actions, hopefully everyone will take things seriously. Additionally, if everyone is focused and engaged, it can be easier to identify weak spots in your incident response plan and incorporate changes or updates.

2. Call in an Expert

Any format of tabletop exercise is better than doing nothing. However, by calling in an expert to assist, you can get a different, unbiased vantage point that can assist in running the process. By having a third-party “emcee” things, it often helps teams stay more focused, professional, and realistic. An outside consultant can provide helpful tips and tricks, brings an objective viewpoint to proposed processes, and help detect any blind spots in your current plan or actions. Here at Triaxiom, we can customize a table top exercise from setting up a series of real-life scenarios to administering the exercise itself to simply advising/coaching during an exercise carried out internally. We bring an offensive security point of view and a hacker mentality that can give a red team flavor and add some realism to an exercise.

3. Practice Makes Perfect

As with most things, practice makes perfect! Keep practicing and your response plan/actions will improve over time. Try focusing on individual phases of an incident or on particular teams within the organization first, then combining everything in an end-to-end exercise. If you want to take it a step further, explore a red team engagement where no one knows the attack is coming and truly gauge your team’s response time with a pseudo-real world scenario. This is a great way to understand how all of your training has come together.

The security landscape is constantly changing. By going through tabletop exercises and simulations with your team, you keep them prepared at all times. The more prepared you are for a potential security incident, the more effective and efficient your response will be, which can be critical when responding to a real incident. Mistakes can cost the organization dearly, in expended resources, reputation damage, and downtime. Interested in learning how we can help? Reach out today and we would be happy to assist!