Cyber Tabletop Exercises
& Lessons Learned
David Dumas, CISSP, CISM
[email protected]
ISSA New England Chapter Board Member
ISSA Distinguished Fellow
February 18, 2014
Overview & Scope
 This presentation provides a security overview
Why run a cyber tabletop exercise
How to plan, design and write a cyber tabletop exercise
Sample materials are provided
Lessons learned are weaved in throughout the talk
The views expressed herein are my own and do not necessarily reflect
the views of my employer.
ISSA Presentation
Why Run Cyber Tabletops
 Cyber risk falls into a hybrid category
– We know it exits and we must prepare, but we don’t fully understand
it’s consequences to the business
 Drill like you fight
 It may be in your policies
 It’s good for marketing and for cyber insurance annual
 It is a good practice in some standards; may be in regulations
– NIST SP 800-53 for Federal agencies to conduct exercises or tests for their
systems’ contingency plans at least annually
ISSA Presentation
Help & Ideas to Consider
 NIST SP800-84
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
 Vendors that do tabletops
 The exercises can be games
– Cyber Flag exercises sharpen DoD cyber operations and defense
• Connecticut ISSA Chapter holding a national game soon
 My suggested process to learn how to do these exercises
– Participate in one, help write and run one, then run your own exercise
ISSA Presentation
Pre-Planning and Design for Your Exercise
 Initial guidelines based on my experience
Type of
of Injects
Months to
Length of Number of scenarios Plan the
Exercise Participants Needed Exercise
1 hour
2 hours
4 hours
50 - 200
ISSA Presentation
Design Your Cyber Tabletop Exercise
 From NIST SP800-84
– Determine the exercise topic based on the focus of
the plan/issues being exercised
– Determine the exercise scope based on the target
– Identify the objectives of the exercise
– Identify the individuals that should participate in the
exercise and invite them to the event
– Identify the writing staff for the exercise
– Coordinate the logistics for the exercise event
ISSA Presentation
Objectives for Your Cyber Tabletop Exercise
 The tabletop exercise should be designed to meet the
following objectives*:
Provide feedback
Clarify responsibilities
Identify roles
Enhance skills
Assess capabilities
Evaluate performance
Measure and deploy resources
Motivate employees
* Security Executive Council white paper on “The Value of Tabletop
ISSA Presentation
Pre-Planning and Design for Your Exercise
 Pick something that needs fixing or help in funding…not
things that are already working well
 Use credible scenarios - things that could really happen
 Understand the politics and that groups don’t like to be
singled out for findings and gaps
 Determine writer subject matter experts (SME)
– (3/group) Moderator, Scribe, Attendee coordinator
– Find the best of the best in your company
ISSA Presentation
Pre-Planning and Design for Your Exercise (2)
 Research the ghosts in the closet – examples
 Research good, credible ideas – continue to listen
inside and outside your company for ideas…Last
ISSA meeting helped with an initial infection idea
 Train-the-trainer approach works well – find the
best SMEs and get them onboard by asking their
manager and showing career growth for them
 Pick the groups to work with and focus on
(developers, IT , PR/media relations, legal, privacy,
security, customer infrastructure, etc.)
 Write up questions for each inject that gets to the
heart of the issues and brings out the ghosts in the
– Ask the tough questions and find single points of failure
ISSA Presentation
Sample Summary of Logistics List
 From NIST SP800-84
Select a date for exercise conduct
Reserve a conference room that will accommodate all participants
Determine the need for audio/visual equipment
Reserve audio/visual equipment, if applicable
Identify the writing team
Identify participants
Invite participants
Coordinate the development of the facilitator guide and participant guides
Arrange for the printing of name tents
Ensure conference room is available in sufficient time before the exercise
to perform setup
– Arrange for refreshments, if appropriate
– Copy all files as a backup onto a CD-ROM, USB flash drive, or other
removable media
ISSA Presentation
Exercise Logistics Planning
 My list
– Pick a date far in advance – people are busy
– Decide if this will be in person or remote or a hybrid
– Determine the number of phone bridges to use, international,
size, should be moderated, one for the writers as a back
channel too.
– Instant Messaging sessions needed for the writers as a back
channel – discuss issues, pace of the exercise, Q/A and save
the chat sessions to review later for feedback on the event
– Data files, videos, etc. can be used for details and forensics
– Email distribution lists are necessary for keeping track of the
attendees and one is needed for the control group to discuss
issues as an alternate back channel
– Determine the participant list
ISSA Presentation
Exercise Logistics Planning (2)
 Email invitees to hold the calendar date in advance,
ensure that the critical attendees can make that date
 Location logistics need to be done in advance
Number of rooms
Intranet connections
Power for laptops
Phone lines
Speaker phone in each room
Projector to display the injects/scenarios
Lunch/snacks, water, restrooms near by
Hotels nearby
Travel information
Management expense approvals to do this face-to-face
Unique internal email distribution lists and phone bridges
ISSA Presentation
Documents to Write
 Design and write the following documents per
NIST SP800-84
– Facilitator Guide
• The purpose for conducting the exercise
• The exercise’s scope and objectives
• The exercise’s scenario, which is a sequential, narrative account of a
hypothetical incident that provides the catalyst for the exercise and is
intended to introduce situations that will inspire responses and thus
allow demonstration of the exercise objectives
• A list of questions regarding the scenario that address the exercise
– Participant Guide
• The participant guide includes the same information as the facilitator
guide without the list of questions.
– After Action Report
• Built from the findings and gaps and survey results
ISSA Presentation
Exercise Planning
 My list
– Run the exercise by your manager to make sure it
hits the mark and is not too severe. You will not be
aware of all the politics so you need a sounding
– Post exercise survey – make it short and ask for
any final comments and suggestions along with
any findings or gaps (40% return rate is good)
– Prepare an executive presentation on the top
findings and gaps
– Document next steps and work towards their
closure with the responsible business where the
findings and gaps reside.
ISSA Presentation
Things To Do and Remember
 Drill yearly on something
– People and roles change a lot – continue to build contacts
– The latest threats need to be analyzed for business impact –
example: malware
– If you don’t have a lot of time, do small tabletops
 Dress rehearsal is necessary for the writers,
scribes and attendee coordinators
– Turn on IM, email, bridges and test one inject all the way
through so that everyone knows what they will be doing
 Politics can determine if people will speak up or
stay quiet
– Some groups are coached to not expose bad news so that
the group does not look bad
– The key to unlocking this is a good writing team that knows
where the ghosts are and spins this into the injects and
questions to answer
ISSA Presentation
Things To Do and Remember (2)
 Keep the exercise content secret to be effective
but let everyone know that there will be an exercise
during the specific date/time
 Make data files for full/regular exercise to dig into
the details more and engage the technical staff
 Stay current on hacking trends and exploits and
weave these into the exercise
– Botnets, DDoS, APT, destructive malware, Phishing,
application vulnerabilities, encryption exploits, social
engineering, Web servers, data breaches in the news, etc.
 Also mention that this is an exercise verbally and
on each email sent out
 Have fun so they will play again
ISSA Presentation
Other Options to Consider
 Weave in competitions to capture high-value assets in
your company as an option
 Recall low-tech items like the card in the wallet and car
glove box for key numbers, emails and bridges
 Use moderated bridges so unannounced attendees are
kicked off and tracked
 If you are in person, use the close proximity to your
– Stop in as the Press and ask questions
– Determine that email and phones are out and force them to walk to
the other conference rooms to work together
ISSA Presentation
Ideas To Run Tabletops On
Privacy Breach in the US and Internationally
Large malware infection
APT with loss of intellectual property
Denial of Service outage
Natural weather related disaster
Man-made disaster
Use of backup and alternate work sites
Loss of power for an extended time-frame
Loss of critical internal infrastructure
Workplace violence
BYOD data privacy incident
Loss of cloud services
Supply chain disruptions and inability to meet customer demand
Blended exercise with physical and man-made incidents
ISSA Presentation
Tabletop Roles to Assign for Each Group
 Exercise Coordinator – the leader of the exercise, they help
where necessary and communicate on the timing of the next
injects and resolve any issues that come up, they can act as
the Press for questions too
 Moderator – part of the writing team, they read the injects, and
run the Q/A
 Scribe/Proctor – part of the writing team, they take notes and
help as new participants are brought to the remote bridges
 Attendee Coordinator –part of the writing team, the record the
new attendee’s name and email so they can receive the future
exercise injects.
 Spokesperson – a volunteer from the participants to present
on the findings and gaps from their group
Note: You need 3 staff from the writing team for each group that you
have in the exercise.
ISSA Presentation
Dress Rehearsal Checklist
 Go through the tools
– Facilitator Guide and scripts
– Data files
– Spreadsheet of attendees
 Go through the process for the exercise
– Open bridges early
– The leader sets up IM chat for the writers
– Someone needs to test the email distribution lists (pre-populate the internal
exercise lists)
– Join the call 10 minutes early on the main bridge
– The leader does the introduction
– Start the exercise with everyone on the full bridge
– The main distribution list can be used to send the final questions to everyone
– Closing by the leader
– Thank everyone
ISSA Presentation
Dress Rehearsal Checklist (2)
 Opening remarks:
Roll call
This is only an exercise! A cyber drill.
Discuss how the bridges will be used.
You may invite in others as needed to the exercise.
Participants are free to make decisions as they see fit.
As the scenario is played out, participants will be prompted with
questions to help guide where the events go.
There are no right or wrong answers or decisions. While we
encourage participants to think through decisions to best remediate
problems, this exercise allows for “off the wall” responses or
directions to discover how it will impact the Enterprise.
Emails will be sent to you to read and we will discuss the questions
for each inject on your team.
We will wrap up the exercise and leave time at the end for closing
questions and comments so stay around for the entire time.
Any questions before we begin?
The leader sends out the first inject to the email distribution list
ISSA Presentation
Dress Rehearsal Checklist (3)
 Closing remarks:
– The leader will provide a survey at a later date and you can add in
more information at that time if we don’t have time for all of your
feedback now…or if you think of something later on
– Review the objectives for the exercise
– Wrap-up questions and lessons learned documented by all on the
• We are trying to summarize the key things learned from this experience
highlighting what worked and any gaps or things missing.
• We plan to roll all this up for a future security executive meeting so please be
frank and open about the experience and the findings.
– The leader reads the questions and we all listen and take notes
– Wrap-up and thank everyone for their participation and the
– The leader will send out a survey to the participants to collect their
feedback on the exercise.
ISSA Presentation
Sample Layout for Your Conference Rooms
ISSA Presentation
Sample Amenities For Your Conference Rooms
7:00 AM
7:00 AM
7:00 AM
7:00 AM
7:00 AM
7:00 AM
Analog Line, Speakerphone
Analog Line, Speakerphone, TV, VCR, Overhead Projector, Whiteboard
Analog Line, Speakerphone, Whiteboard
Analog Line, Speakerphone, TV, VCR, Overhead Projector, Whiteboard
Analog Line, Speakerphone, Overhead Projector, VGA, Whiteboard
Analog Line, Speakerphone, Whiteboard
ISSA Presentation
Sample Attendee List
Participant Name
David Dumas
Email Address
[email protected]
Office Phone
Cell Phone
ISSA Presentation
Org. Leadership Biz Unit
John Doe
Network Security
Sample Participant Overview and Introduction
 Divide participants among the tables representing each of the
 Moderator will introduce themselves
 Go around tables and have participants introduce themselves
 Select an in-person Spokesperson for the summary/conclusions
at the end of the day
 Participants will read the company and situation background.
 Moderators will discuss how the events of the scenario will
unfold and how questions will be presented to help guide the
 The leader will send out a series of “events” via email at predetermined intervals for the participants to respond to. The
emails will contain questions for the participants to answer within
a specific amount of time.
ISSA Presentation
Sample Inject/Scenario
This is only an exercise - Inject 8 (7 minutes to read and discuss)
Date: December 24, 4 PM
The US Government is calling to see what is going on and how they can
help. Major customers are calling for information and the help desks are
DHS, FBI, NSA and CIA are all calling your company contacts to ask what
is going on and how can they help.
What can we share with DHS, FBI, NSA, and CIA?
Can we talk with all Gov’t branches, or should communication be
Should we have a spokesperson for government communications?
This is only an exercise
ISSA Presentation
Sample Build of the Injects/Scenarios
13 Event
2:30 PM
Media Spin
Moderator Notes
13 Event
(Sent to all)
Date is now: March 16, 2014
(Ask all)
Date is now: March 16, 2014
The security staffs have been
working 24X7 for 4 weeks with
little rest and no relief in sight.
Where can you find
alternative help?
How will you deal with
limited resources to get
this incident under
Is this OK to outsource
for more staff?
Who in the company can
be cross-trained quickly to
help with the incidents?
ISSA Presentation
Sample Final Q&A at the End of the Exercise
– What did you learn from this exercise that worked well?
– What did you learn from this exercise that was broken?
– Is there a need to update an incident response plan from this
– Did you have all the tools, procedures, contacts, etc. necessary
to battle these incidents at the office and at home?
– Did you assign an incident commander and find all the
necessary personnel?
– What tools and hardware/software are you missing?
– What are you lacking for secure communications?
– What security staff training is missing?
– What type of training is needed for regular employees?
– Any suggestions for your existing processes and procedures?
– Do you have single points of failures?
ISSA Presentation
Sample Post Exercise Survey
1. Was it acceptable to be remote on bridges for the exercise
2. Was the exercise too short (Y/N)?
3. Did the participants figure out the correct people to call to
the bridge to handle the incidents (Y/N)?
4. Do you feel that the exercise met the objectives:
– Test the impact of a data breach/APT/Malware on your infrastructure (Y/N)?
– To engage the appropriate teams to ensure that the existing processes,
procedures and communications mechanisms for defending your internal
networks and assets are sufficient (Y/N)?
– To ensure strong and successful internal coordination (Y/N)?
5. Do you have any suggestions for improving the exercise
that you participated in (Please list)?
6. What do you feel were the major findings and gaps
uncovered from the exercise (Please list)?
ISSA Presentation
ISSA Presentation

similar documents