As a Secureworks® incident responder and a volunteer firefighter, the author has a unique perspective on incident response. This blog series highlights overlaps between cybersecurity tabletop exercises and firefighter training to prepare for emergency situations.
At 2:00 PM on a Saturday, a first responder encounters a vehicle rolled onto its roof with a passenger inside. While this situation seems urgent and tragic, it is actually part of a vehicle extrication course. First responders such as firefighters and medical personnel train to safely move and transport patients during a simulated vehicle accident. In the fire service, training is often as realistic as possible. Training officers who design the exercises acquire old vehicles to simulate wrecks, conduct live burns in a fire tower built specifically for this purpose, and use a fog machine to fill a room with “smoke” and disorient firefighters. Similarly, scenario-based cybersecurity tabletop exercises should simulate realistic incidents.
Within an organization, the training officer tailors the contents of the tabletop exercise to the organization’s specific needs. It is important for the training officer to know the audience and have a deep understanding of the business and IT functions. When selecting a topic, the training officer may consider the following questions:
- What keeps us up at night?
- What questions have the board of directors been asking, and what concerns do they have?
- What is the most prominent threat to organizations?
- Where is the organization’s security weakest?
- Are there known security gaps in the environment that we can highlight?
The most effective tabletop exercises involve the applications and staff the organization actually has. Including generalizations, or applications the organization does not use, could cause participants to question the scenario, resulting in an ineffective training session. The training officer should use their resources and insights to make the scenario as realistic and effective as possible:
- Include doctored screenshots.
- Record calls, compose email messages, and build chat sessions from the “threat actor.”
- Call the service desk and the organization’s primary external number to determine how they respond.
Fire training exercises often include an unexpected or surprising twist that tests the participants or heightens the incident’s importance. Similarly, an organization’s training officer should develop five or six details or challenges (often called injects) that are relevant to the scenario and introduced at an appropriate time. The appropriate time is often after participants finish discussing how to handle the previous inject.
After creating the content, the training officer conducts the exercise.