The Importance of IR Tabletop Exercises during times of Conflict and Crisis
Updated: Mar 30
With the present situation between Russia and Ukraine, cyberattacks have increased dramatically, with new malware hitting various business sectors every day. In times like these, it is critical for any business to make sure they have a plan in place for what to do and how they will respond if their systems come under attack and upgrade their plans if needed. The most effective way to accomplish this is through IR (Incident Response) Tabletop Exercises.
What exactly is an IR Tabletop Exercise?
IR (Incident Response) Tabletop is an exercise where those responsible for responding to an incident sit at a table (virtually or in-person) and practice what every member or group within an organization will do in case of a security incident. Typically these exercises follow an Incident Response Plan or IRP; however, in some cases, an IRP is developed from an IR Tabletop Exercise.
During the exercise, attendees have to think, make decisions and act as if the scenario were real. This places the attendees in a life-like situation and exposes gaps in a plan and the organization's response framework.
How is an IR Tabletop Exercise performed?
To create and perform an effective tabletop exercise, the organization's most frequent and hazardous threats must be clearly defined and understood. Next, hypothesize a real-world scenario of how an attack or breach could infiltrate your environment. Finally, create as many questions as necessary to adequately and accurately stimulate debate amongst the IR team members. Example questions can include (but are not limited to):
What is your organization's policy for an attack or breach?
What is the first move your organization needs to take when an attack or breach occurs?
Who are the responsible parties for each issue uncovered by the breach, and why?
What roles will other entities within your organization or outside of your organization (i.e., legal, IT, finance, law enforcement…) play?
What resources are readily available if they are needed?
Why are IR Tabletop Exercises needed?
Organizations that take business continuity and mitigation of cyber-attacks seriously need to ensure they are prepared for all situations at any given time. Regular IR Tabletop Exercises are an effective way to ensure overall preparedness. Additionally, global regulatory bodies are becoming more stringent about compliance standards. They are making it mandatory for organizations, especially those dealing in specific national infrastructures and banking, to test IR Plans regularly through Tabletop exercises. Testing response plans regularly has several other advantages, regardless of regulatory requirements, including the following:
IR Tabletop Exercises should focus on business-impacting attack scenarios relevant to the business' geopolitical realities. When scenarios are played out, many within an organization may have never imagined a scenario or thought their way through it until they've been exposed to it during a tabletop exercise.
During these exercises, people are put under the same pressure as if a scenario were real and therefore forced to think how they would in a real crisis. There is no room for disagreements on what the next steps should be, as all of them would have been rehearsed and ironed out during the tabletop exercise.
Tabletop exercises make it clear to management whether any specific members of the IR staff should be re-trained in their responsibilities in case of an attack.
Tabletop exercises increase coordination and communication between departments as the exercise involves all key persons working their way through a crisis together.
Tabletop exercises are a cost-effective way of ramping up an organization's security without disrupting day to day business or the functionalities of IT systems.
A formal SWOT (Strength, Weakness, Opportunity, Threat) audit report is typically prepared at the end of an IR tabletop exercise. This audit clearly lists out the strengths and weaknesses of the processes, the organization's ability to respond, and more. The audit and other output can then become a solid blueprint on which the business can build its capabilities through the rest of the year and beyond.
While on the surface, IR Tabletop Exercises can seem like a tedious chore, in reality, they can be a fun and stimulating exercise that is as engaging as any game and puts the IR Response team in a preparedness mindset. Performing them more often keeps the response team in that mindset.
Why are IR Tabletop Exercises so important, especially now?
In recent years, Russia has been the known assailant behind many cyber attacks of all kinds, spanning across a breadth of industries. As the world watches the way Russia is currently waging war on Ukraine and sanctions are being inflicted by single countries and global alliances, the Russian economy is suffering. Their only recourse is to use their knowledge and ability to execute cyber-attacks to regain access to a number of things that have been closed off to them by these sanctions.