It’s late, half the leadership team are out of the office, and the worst happens – your security team spots unusual activity on the network, and before you know it, your entire point-of-sale infrastructure is offline.
You’re a major retailer, and you’re under cyber attack – what would you do?
That’s the set-up for a tabletop cyber security exercise that Cyber Daily took part in recently, alongside several other technology journalists and hosted by cloud security firm Rubrik. We all took the roles of C-suite executives during an ongoing cyber security incident, dealing with the initial breach, the ongoing fallout from the attack, and eventual negotiations with the threat actor responsible.
As an old-school roleplayer myself, it’s easy to think of a tabletop exercise as something not dissimilar to a game of Dungeons & Dragons – and more than a few D&D jokes were made on the day – but the reality, while in the same ballpark, is quite different.
The event – which was cut down for convenience and time, but was still representative of the real thing – was a mix of scripted scenes outlining each step the fictitious organisation was taking during the incident, and discussions after each scene working out where things went wrong and what could have been better.
The idea is not to put executives on the spot, but rather to illustrate best practice, common crisis responses and mistakes, and to get people thinking about their own role and what they would do when the inevitable does happen.
There are no real surprises in the script, but according to Niraj Naidu, head of sales engineering A/NZ at Rubrik, who ran the event for us, many who do attend walk away surprised by how easy failure is.
“Attendees are surprised in almost every session. Rarely is this about the failure itself, but rather the discovery of significant gaps in process, technology tooling, people, and communication,” Naidu told Cyber Daily.
“Most leadership teams enter these exercises with a theoretical understanding of their recovery plans, yet they are often taken aback when they realise that their recovery time objectives do not align with the actual speed of their data and business service restoration capabilities.”
Naidu said attendees were often surprised by how something as simple as having their “emergency playbook” stored on a server already encrypted by a threat actor could have a serious impact, or how having key personnel unavailable could contribute to negative outcomes.
“These exercises transform abstract corporate risks into very tangible – and often humbling – operational realities the business hadn’t fully considered,” Naidu said.
The event we took part in was abridged, running over a single lunchtime and with no additional inputs introduced to place extra pressure on the participants. However, Naidu told us the real thing often lasts far longer, and features what are called “injects”, where the scenario shifts, such as a “simulated leak on social media or a mock call from a regulator”.
The idea is to see how a team reacts to an escalating situation.
“It also allows for a much tighter integration between the boardroom and the security operations centre; rather than just discussing a recovery, a full-scale exercise provides the space to validate the technical path to restoration,” Naidu said.
“For organisations that need to prove their readiness to auditors or insurers, these more comprehensive sessions can be tailored to involve legal, PR, and forensic partners to ensure every facet of the incident response plan is thoroughly battle-tested.”
Anyone can ‘play’
Advanced tabletops, such as the one Naidu described above, are considered an essential cyber security readiness tool by many, but they may seem out of reach for small and medium businesses or organisations. However, Naidu stressed that this was far from the case.
“Cyber resilience should not be viewed as a luxury reserved for the enterprise. There are several ways for smaller organisations to build this muscle memory without needing a massive budget,” Naidu said.
“SMBs can make excellent use of free public resources, such as the ASD’s ‘Exercise in a Box’ toolkit, which provides structured scenarios specifically designed for smaller teams to work through at their own pace.”
Micro-drills – where a team spends something like 20 minutes each month working through what-if scenarios – are another approachable form of tabletop exercise.
“By focusing their limited resources on protecting and recovering their ‘crown jewels,’ smaller firms can achieve a significant leap in resilience through simple, consistent, and focused role play,” Naidu said.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.