In this eye-opening episode of The Backup Wrap-up, we delve into the world of tabletop exercises and their crucial role in cybersecurity preparedness. Our guest expert, Mike Saylor from Black Swan Security, guides us through the ins and outs of planning and executing effective tabletop exercises. We explore why these simulations are essential for organizations of all sizes, and how they can dramatically improve incident response capabilities.
Listeners will gain valuable insights into selecting the right scenarios, involving key stakeholders, and creating a safe environment for learning. We also discuss common pitfalls to avoid and the importance of regular practice. Whether you're new to tabletop exercises or looking to enhance your existing program, this episode provides practical advice for strengthening your organization's cyber resilience. Don't miss this opportunity to level up your incident response game!
Speaker:
You found the backup wrap up your go-to podcast for all things
Speaker:
backup recovery and cyber recovery.
Speaker:
In this episode, we'll explore the critical role that tabletop exercises
Speaker:
play when preparing for cyber incidents.
Speaker:
Our guest, Mike Saylor, CEO of Black Swan Security, shares his expertise
Speaker:
on how to effectively plan, execute, and learn from these activities.
Speaker:
We discussed the key components of a successful tabletop exercise,
Speaker:
common pitfalls, and why regular practice is essential for building
Speaker:
organizational resilience.
Speaker:
He also has a few great stories from exercises that he's conducted.
Speaker:
I think you'll find this episode quite useful.
Speaker:
I.
Speaker:
And enjoyable.
Speaker:
By the way, if you don't know who I am, I'm W. Curtis Preston, AKA Mr.
Speaker:
Backup, and I've been passionate about backup and recovery for over 30 years.
Speaker:
Ever since.
Speaker:
I had to tell my boss that we had no backups of the production
Speaker:
database that we just lost.
Speaker:
I don't want that to happen to you, and that's why I do this.
Speaker:
On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.
Speaker:
This is the backup wrap up.
Speaker:
Welcome to the show.
Speaker:
If I could ask you to take just a quick second and press, subscribe
Speaker:
or follow so that you'll always get this content, that would be great.
Speaker:
I am W. Curtis.
Speaker:
What?
Speaker:
Oh, yes,
Speaker:
us a comment.
Speaker:
yes.
Speaker:
Leave us a comment.
Speaker:
We love comments.
Speaker:
Um, I'm W. Curtis Preston, AKA Mr.
Speaker:
Backup with me, my vicarious movie watcher Prasanna Malaiyandi.
Speaker:
How's it going?
Speaker:
Prasanna.
Speaker:
I am good Curtis.
Speaker:
I, yeah, I would say I am a vicarious movie watcher, but sometimes I do
Speaker:
watch movies, but they're just like the Bollywood and Hollywood movies, not
Speaker:
Would, would, would you agree that you watch fewer movies than me?
Speaker:
Um, I think that's a statement for the entire world that would be factually
Speaker:
I.
Speaker:
Well, just because I watched three movies yesterday, two at two at the, uh,
Speaker:
at the theaters and, uh, one at home.
Speaker:
Uh, yeah, that's totally fine.
Speaker:
That's normal.
Speaker:
And because I watched Deadpool twice this weekend.
Speaker:
See, I have never met someone who falls asleep at movies so much
Speaker:
Okay, we're not talking about that.
Speaker:
We're not talking about that.
Speaker:
The fact that I had to go back to see Deadpool twice for two reasons.
Speaker:
One that I really enjoyed it the first time and second to figure out what I
Speaker:
missed when I dozed off in the middle.
Speaker:
Dozed off and you didn't even realize you dozed off either.
Speaker:
yeah, I didn't even realize I dozed off till I was watching it the second time
Speaker:
and going, uh, I don't remember this part.
Speaker:
Uh, it makes a lot more sense now.
Speaker:
Well, we should probably get to our actual topic here.
Speaker:
Uh, we once again have the CEO of Black Swan Security.
Speaker:
Mike Saylor.
Speaker:
How's it going, Mike?
Speaker:
It's going well guys.
Speaker:
How are.
Speaker:
Mike, I wanted to talk, uh, you know, we're, you know, in our continuing series
Speaker:
here on, uh, basically preparing for, you know, defeating ransomware, uh.
Speaker:
You know, being able to respond to it effectively.
Speaker:
And one of the topics that comes up a lot, it came up in our last recording, is
Speaker:
this idea of a, uh, a tabletop exercise.
Speaker:
And we, we talk a lot about that a lot, and I know that.
Speaker:
Back when, at my previous employer, when we started showing people what an
Speaker:
actual tabletop exercise looks like, they got really excited because I don't
Speaker:
think that a lot of people do this.
Speaker:
Um, I mean, when, when, when your company's brought in, I'm assuming that
Speaker:
these, well, well, lemme ask you this.
Speaker:
What percentage of the time are you brought in because there's
Speaker:
already been a cybersecurity event.
Speaker:
It is more often than people call us to do a tabletop.
Speaker:
Say that again.
Speaker:
We respond to incidents for
Speaker:
Right,
Speaker:
on their worst day,
Speaker:
right.
Speaker:
in helping them through tabletop exercises for their worst
Speaker:
Okay.
Speaker:
Right.
Speaker:
So you're normally, you're called for the worst day.
Speaker:
You, you wish you were called.
Speaker:
For the practice day.
Speaker:
Um,
Speaker:
Yeah.
Speaker:
and I, I, I wonder just Prasanna, what do you think, like, like what
Speaker:
percentage of companies actually do a, a tabletop exercise like this?
Speaker:
So I.
Speaker:
I am hoping, and I'm being gonna be, gonna be optimistic and say that
Speaker:
probably at least 70% of companies do a tabletop exercise in some part of their
Speaker:
organization, and it may not be a formal tabletop exercise doing everything end
Speaker:
to end, but they do some form of what could be considered a tabletop exercise.
Speaker:
But, okay.
Speaker:
So I should have specified a tabletop exercise for the
Speaker:
purposes of cybersecurity.
Speaker:
What do you think?
Speaker:
Yeah.
Speaker:
Yeah, I would probably say
Speaker:
Yeah, I think, I think you're being generous, but our listeners
Speaker:
are better than the average.
Speaker:
Our listeners are above average, and this is why they're listening to the show.
Speaker:
Uh, so, uh, let's just start from the beginning, Mike.
Speaker:
If somebody wanted to, they've, they've heard, they've heard that they should be
Speaker:
doing tabletop exercises for the purposes of being able to successfully respond to
Speaker:
a cybersecurity event, a ransomware event.
Speaker:
What's the first thing that they should be, uh, doing if they wanna do this?
Speaker:
What,
Speaker:
you get there,
Speaker:
yeah.
Speaker:
define what a tabletop exercise is?
Speaker:
Yeah.
Speaker:
Okay.
Speaker:
That sounds good.
Speaker:
Uh, so, so basically it's a, it's a prac, it's a practice run, right?
Speaker:
It's a practice run where you sit out there and you, you, you, well,
Speaker:
we're gonna define all the things that go into it, but basically you're
Speaker:
sitting around a table talking about.
Speaker:
This fake event that may happen to you at some point, and you basically
Speaker:
talk through, it's like, uh, you know what, um, to go back to movies.
Speaker:
It's like a table read, right?
Speaker:
Uh, you know, you're, you're film.
Speaker:
what a table read is
Speaker:
Oh, shut up.
Speaker:
Oh, come.
Speaker:
Okay.
Speaker:
All right.
Speaker:
A table read is where they get the script for the first time and they
Speaker:
all sit around a table and they just go through and read all the lines.
Speaker:
They don't, they don't act out anything.
Speaker:
They don't actually do the thing.
Speaker:
So it's like a table read, but for, um, yeah, I watch too much movies.
Speaker:
Um, so how, how, how's that for a, a definition, Mike?
Speaker:
It's pretty good.
Speaker:
And I think a good comparison would be, you know, uh, more of a simulation,
Speaker:
like a, a crisis or disaster simulation where there's, you got actors out in
Speaker:
the field and they've got the, the fake, you know, trauma, blood and makeup on,
Speaker:
and people are actually like physically interacting, going out and getting
Speaker:
victims and bringing back, triaging, wrapping 'em up, you know, assessing
Speaker:
them and, and that kind of thing.
Speaker:
That's more of a, a true simulation.
Speaker:
Right.
Speaker:
a tabletop to your, to your comparison to a, a a, a script review.
Speaker:
It's, it's, you're, you're reading from a, a manual, from a script, uh, in
Speaker:
the same room, uh, kind of stationary.
Speaker:
Right,
Speaker:
to apply some, some level of imagination, as you go through the script.
Speaker:
Um,
Speaker:
right.
Speaker:
but yeah, it's table tabletop because you, you, you're all at the
Speaker:
same table or, or virtually at the
Speaker:
hence the name.
Speaker:
Hence the name.
Speaker:
Uh, so good by the way.
Speaker:
Good job Prasanna.
Speaker:
I, I always,
Speaker:
That's why you keep me around.
Speaker:
I always forget to define stuff, so, all right.
Speaker:
So what, so back to my question before I was so rudely interrupted.
Speaker:
Um, what, so if, if we're thinking about doing this, what's the first
Speaker:
thing that we should be doing?
Speaker:
Well, in addition to understanding the, the difference between a tabletop
Speaker:
and a simulation, understanding the, the kind of categorically what are the
Speaker:
different parts of a tabletop, uh, and there's, there's really kind of five.
Speaker:
There's the, the.
Speaker:
Preparation, the planning, the execution, the review, and then the remediation.
Speaker:
and so the preparation part, you, you wanna make sure that
Speaker:
you've kind of got your ducks in a row before you go to the pond.
Speaker:
Uh, and so just jumping into a tabletop, let's do one tomorrow.
Speaker:
You wanna make the, it's not as, it's not gonna be as valuable as if you've done the
Speaker:
analysis of, are we ready for a tabletop?
Speaker:
And when you talk about cyber, cyber, cyber, tabletop exercises are related
Speaker:
to cyber incidents like ransomware or denial of service attacks, or the theft
Speaker:
of intellectual property or, uh, you know, employee misconduct type of thing.
Speaker:
All right, so what, what do we have in place?
Speaker:
As far as procedures and incident response plan, do we, do we know who the
Speaker:
key smart people effective people are?
Speaker:
Do we know management's expectations for communication and escalation?
Speaker:
Do we have management's blessing to have the authority to respond to this incident?
Speaker:
And who's gonna be in charge?
Speaker:
And so there's this, the litany of, are we even prepared to do a tabletop?
Speaker:
So that's the.
Speaker:
Yeah.
Speaker:
and for the prepared one too, Mike, I guess one of the things
Speaker:
is like doing a tabletop exercise.
Speaker:
You want it to be valuable, but it could potentially also be.
Speaker:
Expensive, quote, unquote, expensive, right?
Speaker:
Just because the number of people you're pulling in, who you're
Speaker:
pulling from their normal daily jobs, right, to do this exercise.
Speaker:
So you don't want it to just be like a waste of time for everyone.
Speaker:
Agreed.
Speaker:
Yeah, I, I, I, well, let me ask you this.
Speaker:
Let me, let me.
Speaker:
Let me argue with you and tell me why I'm wrong and that's okay.
Speaker:
Um, what if the purpose of this tabletop exercise is to show just
Speaker:
how badly we are prepared, uh, or poorly, just how poorly we are prepared
Speaker:
for, for a cybersecurity event.
Speaker:
Um, there could be some value in that.
Speaker:
It might be highly demoralizing and I agree that, that, you
Speaker:
know, Prasanna, it would be, um.
Speaker:
Expense.
Speaker:
There is a cost associated with it.
Speaker:
Uh, what, what do you think of that, Mike?
Speaker:
I've only seen that as, as a successful tactic one time in like 14 years.
Speaker:
Uh, and the reason for that is, you know, if, if you're the, the technology.
Speaker:
or the security executive, and your job is to protect the company and make sure
Speaker:
things can continue operation in the face or as a result of an incident or disaster.
Speaker:
let's say you've been asking for budget and resources for years and you're
Speaker:
not getting it for whatever reason.
Speaker:
So hey, let's do a tabletop to show the magnitude of deficiency
Speaker:
that we are currently in
Speaker:
Right.
Speaker:
management can.
Speaker:
Can see that we, we need the help.
Speaker:
what that does then is it documents your deficiency.
Speaker:
Mm-Hmm.
Speaker:
now
Speaker:
to
Speaker:
discoverable, it's, it's also discoverable if you have an event and you get sued.
Speaker:
Um, but also politically, don't know of many, uh, many technology or security
Speaker:
executives that wanna put themselves in that position of documented failure.
Speaker:
and management is gonna see that as, oh, you're just trying to get leverage.
Speaker:
So it, politically it's a bad move.
Speaker:
I've only seen it, successful one time.
Speaker:
Um, and that was a pretty unique situation where the, the management
Speaker:
team was, was pretty collaborative and, uh, it wasn't for leverage.
Speaker:
It wasn't because they weren't getting the resources.
Speaker:
It was true learning experience for, for everybody.
Speaker:
And it was quite a while ago.
Speaker:
So that went really well.
Speaker:
E everybody went into it.
Speaker:
the same page with the same expectation of, of learning
Speaker:
and identifying weaknesses.
Speaker:
But today, in, in most of the environments that I experience, uh, or, or work
Speaker:
with, they, that wouldn't go over well.
Speaker:
Yeah, that's,
Speaker:
IT shop security guys,
Speaker:
that's,
Speaker:
they want, they want to, they wanna practice before they go to the game.
Speaker:
yeah, that, that's a really good point about the fact that you know that
Speaker:
it's discoverable and also that, um.
Speaker:
Politically, it, it is a, it is a difficulty, right?
Speaker:
It's one thing like, like I've done in, in, uh, you know, in my backup and
Speaker:
recovery days, I've documented, um, you know, I've basically demonstrated,
Speaker:
hey, we are unable to meet.
Speaker:
I.
Speaker:
The recovery time objective that you have specified.
Speaker:
Uh, and, and so that's kind of where, what I was thinking, but it's probably
Speaker:
a little bit different than here.
Speaker:
Um, and because in there what you're demonstrating is the deficiency
Speaker:
of the system that you had, you know, that, that you have not the
Speaker:
deficiency of the team itself.
Speaker:
Um.
Speaker:
in place.
Speaker:
Yeah, so it's okay.
Speaker:
So you're saying the first thing we do is we, so, so it sounds like we
Speaker:
need an incident response plan before we do, um, a tabletop exercise.
Speaker:
But you probably also need to figure out like what you're planning, like what
Speaker:
scenario you're planning to run, right?
Speaker:
So then you can make sure that you have those other steps, right?
Speaker:
Correct.
Speaker:
And, and there's hundreds of scenarios.
Speaker:
So one of the part of, part of that analysis, which scenarios do we
Speaker:
want to do, we want to base our, do we want to include on an instant
Speaker:
response plan, and then eventually te train on, in our tabletop, you need
Speaker:
to do an analysis of your business.
Speaker:
What, what's the most likely.
Speaker:
Threats and, and, and it could be any threat.
Speaker:
But then what, what impact would that have?
Speaker:
So you want the most likely, or the likely, but most impactful, uh,
Speaker:
threats then flesh out your playbook to then train on in your tabletop.
Speaker:
Is there a list of common scenarios somewhere?
Speaker:
I know it's gonna be unique for every company, but you like it's
Speaker:
one of those things where maybe you're not even thinking about
Speaker:
some of these scenarios, so I.
Speaker:
How
Speaker:
Be sure.
Speaker:
approach that?
Speaker:
Is that pulling in people like you who are experts at this and
Speaker:
can help them figure out what are
Speaker:
there's a.
Speaker:
scenarios?
Speaker:
Yeah.
Speaker:
a lot of different, uh, exercises and activities that can happen, uh, that lend
Speaker:
itself to, to good input to that exercise.
Speaker:
And one of those is a business impact analysis.
Speaker:
Go find out all the critical stuff in your business that helps your
Speaker:
business run and make money from that.
Speaker:
Then you, you, you often get those, um, those meantime to recovery type.
Speaker:
Metrics, like how long can this process be offline before we start
Speaker:
losing a lot of money, type of things.
Speaker:
So there's, that's great input.
Speaker:
Well then if, if you've got this list of critical things that, if
Speaker:
unavailable, impact your financials or your operations or your reputation
Speaker:
or whatever it is, then from that you can then start to think, well, what
Speaker:
threats would impact that process?
Speaker:
And what are the common, what's, what, what are all the common themes
Speaker:
like, uh, internet access or email access, or our phone system or this
Speaker:
critical, you know, our, our ERP or financial system or, and then, and
Speaker:
then just keep working backwards.
Speaker:
Yeah.
Speaker:
Uh, and then
Speaker:
truly just more, most likely, statistically, most likely
Speaker:
threats that are out there.
Speaker:
Ransomware is huge, uh, in any environment where you've got end users that.
Speaker:
Interact directly with your production environment.
Speaker:
Uh, but ransomware has a couple of different flavors and one is delivered
Speaker:
via phishing emails and downloads, and the other one is delivered through.
Speaker:
Unauthorized access as a result of vulnerabilities or some other
Speaker:
weakness in your environment.
Speaker:
So again, what's the most likely scenario there?
Speaker:
Is it hacking into our network or are users clicking on
Speaker:
something they shouldn't?
Speaker:
And what controls do we have in place and what would the impact be?
Speaker:
And so I'm kind of going down that, that rabbit hole now, but.
Speaker:
Sitting back and, and thinking, for example, if, if we are a
Speaker:
company that develops new stuff.
Speaker:
So our intellectual property is very important to us.
Speaker:
The threat would be insider threat, stealing our intellectual property
Speaker:
when they go to a competitor or, uh, you know, nation state hacking us
Speaker:
to get our intellectual property.
Speaker:
Or we're transferring data, whether it's backup tapes or to a cloud, or to a, uh,
Speaker:
you know, we design the stuff, but we ship it off to a, a place to manufacture it.
Speaker:
And the process for doing that.
Speaker:
So that could be all be related to intellectual property theft.
Speaker:
Well, what's the impact?
Speaker:
Well, I'm sure there's financial impact.
Speaker:
There's market, market share impact.
Speaker:
There's legal impact, uh, reputation.
Speaker:
Um, and so is that more important than ransomware?
Speaker:
Shutting down our environment for two weeks or a
Speaker:
Yeah, that, that, that's a really good point.
Speaker:
You know, you, earlier you talked about, you know, what's highly likely
Speaker:
and what's impactful and that, um, you know, you, you need to do a balance.
Speaker:
Of course, there's nothing wrong with doing multiple tabletop exercises, right?
Speaker:
Um, do the, do the less likely but more impactful, the more likely, but less
Speaker:
impactful, um, what might be more likely.
Speaker:
more than one
Speaker:
Good.
Speaker:
exercise.
Speaker:
You know it, it sounds like this all day, all week thing.
Speaker:
Right,
Speaker:
Most tabletop exercises last maybe an hour or two.
Speaker:
And so if, if you've, if you've got the, the ability to allocate
Speaker:
resources to an entire day, you might be able to get two or three, uh,
Speaker:
right.
Speaker:
So we figure out, we figured out the.
Speaker:
You know how prepared we are and whether or not we're prepared to do this, we
Speaker:
have decided the scenario or scenarios that we're, uh, going to do what's next.
Speaker:
So now we need to determine, um, the format.
Speaker:
Is it, is it just the core team?
Speaker:
Uh, so.
Speaker:
The incident response lead, the subject matter experts, the stakeholders involved,
Speaker:
that, that would provide input and decision making, that kind of thing.
Speaker:
then there's the third parties, like external legal counsel and your
Speaker:
insurance company and law enforcement.
Speaker:
and then there's the observers, uh, other, other people in management or your board,
Speaker:
uh, or other employees that, uh, maybe.
Speaker:
be good to observe, uh, the intricacies of incident response and what's involved.
Speaker:
There's, there's a feedback on that's usually pretty good.
Speaker:
Like I had no idea it was that complicated.
Speaker:
and so that there, there might be value there, but most, most organizations that
Speaker:
are doing their first tabletop wanna kind of keep it tight in case they mess up.
Speaker:
They don't want everybody to know where they're.
Speaker:
Whether their deficiencies are, but that next stage after you've determined
Speaker:
the scenario is to, uh, identify or define who's gonna participate,
Speaker:
gonna run and moderate this.
Speaker:
Exercise, usually that's a third party.
Speaker:
Uh, have an objective, uh, you know, someone that's not been in the weeds every
Speaker:
day and doesn't know all the intricacies so they can, they can ask some good
Speaker:
questions and throw some good curve balls.
Speaker:
Uh, you know, just when your team knows what the all the plays are,
Speaker:
uh, the, the moderator can, can, uh, throw a monkey wrench in there and see
Speaker:
how, how, how, how the team reacts.
Speaker:
this start,
Speaker:
sure you have.
Speaker:
this starts to sound like D&D a little bit.
Speaker:
And I thought that's where you were gonna go earlier.
Speaker:
Uh, when you were gonna explain how a tabletop went.
Speaker:
It, it is very much like a, a role-based, uh, table game, uh, table based game.
Speaker:
And then, uh, make sure you've got a good scribe, somebody that can take good notes.
Speaker:
And one of the things that you wanna make sure you highlight
Speaker:
are what we call the aha moments.
Speaker:
Like, oh yes, you know, you can tell when there's an aha moment.
Speaker:
Those aha moments can be good.
Speaker:
Like, Hey, that's a great idea, or, I'm glad we did it that way.
Speaker:
And they could also be the, I didn't think of that.
Speaker:
and so we need to capture all the good and the bad and, and the, the curious.
Speaker:
Um, so you, you've gotta put that kind of planning into, um, into game day
Speaker:
So deciding, deciding who's deciding who's gonna be there
Speaker:
and who's gonna do what role.
Speaker:
Right.
Speaker:
And then, and then some, some ground rules.
Speaker:
Uh, so I always start with some ground rules and I make sure everybody that's
Speaker:
participating and agrees with those.
Speaker:
And, uh, one of those ground rules needs to be that this tabletop is a safe place.
Speaker:
We're here to, to talk and collaborate and, and, and, uh, go through this
Speaker:
exercise for the benefit of the company.
Speaker:
You know, there's no stupid questions.
Speaker:
No one's gonna be fired because you didn't know, or, or you, you challenge, uh.
Speaker:
Um, a decision or, or a comment, uh, it's meant to be
Speaker:
productive and, uh, constructive,
Speaker:
No blame
Speaker:
correct.
Speaker:
Yeah,
Speaker:
you actually
Speaker:
go ahead.
Speaker:
to execute or, so you've set, so you've found the people, you know
Speaker:
the scenario, you set the rules.
Speaker:
I'm guessing you just sort of play the game.
Speaker:
Right.
Speaker:
And so you, you start the tabletop with, uh, uh, and sometimes it's,
Speaker:
it's good to provide some statistics or maybe some background information
Speaker:
to support the, the magnitude or the gravity, uh, of the exercise.
Speaker:
So.
Speaker:
Maybe recent statistics on cyber or whatever that particular threat is.
Speaker:
Um, if you're gonna invite law enforcement, a lot of times they'll
Speaker:
bring those numbers and do a short presentation, uh, which has
Speaker:
always been good and interesting.
Speaker:
Uh, you lay out the ground rules, uh, you describe at a high level
Speaker:
what the scenario is gonna be.
Speaker:
Um, and then you start with step number one.
Speaker:
Uh, so and so observed this, or this event happened and it was
Speaker:
reported to whoever who then.
Speaker:
Uh, reviewed it, uh, categorized it, classified it as an incident
Speaker:
of whatever priority, and kicks off the, the incident response.
Speaker:
And then you hand it over to whoever that person is and say, so what do you do next?
Speaker:
I call Jim and this is what I do.
Speaker:
And then you go to Jim.
Speaker:
All right, Jim, you got the call.
Speaker:
What do you do next?
Speaker:
And you just, it, it's truly role playing.
Speaker:
Um, turn by turn and.
Speaker:
the list right of their playbook, if you will.
Speaker:
and there is a little bit of discussion.
Speaker:
All right, so why did you do that, Jim?
Speaker:
Or what do you think about that?
Speaker:
Or how do you think that could have gone differently?
Speaker:
Um, and so there is a little bit of interaction.
Speaker:
Uh.
Speaker:
In process, but for the most part, right?
Speaker:
Yeah.
Speaker:
Everybody's gonna talk about what their role and responsibility
Speaker:
and activities are, and, and we're gonna capture all that.
Speaker:
And if it, if it's lined up with the playbook that we
Speaker:
came to the game with, great.
Speaker:
But in many cases, I would say at least half.
Speaker:
got some action items that come out of this to make things better.
Speaker:
You know, one of the thing,
Speaker:
oh,
Speaker:
one of the things that I've seen from, um, common cyber events has been that it,
Speaker:
it doesn't start, the cyber event doesn't start with, you get this big message on
Speaker:
your screen, you've been attacked, right?
Speaker:
It starts with, you know, the.
Speaker:
West wing air conditioner unit is not working the way it's supposed to.
Speaker:
Right?
Speaker:
It's like you have this random, random thing.
Speaker:
It's like, oh, that's odd.
Speaker:
Why is that happening?
Speaker:
Uh, when, why it's happening is that you have an underlying security event, right?
Speaker:
That's happening.
Speaker:
Um, I, I wonder what, when you, when you do these, when you do a tabletop.
Speaker:
Is that the kind of thing you give them, or do you give them a little bit more
Speaker:
blatant, you know, um, you know, you, you've, you, you know it's happened.
Speaker:
So one of the, one of the good things about a moderator that's been through
Speaker:
a lot, uh, is that to your point, you know, this, this weird thing
Speaker:
happened and we want to address, we want to triage this, we wanna stop the
Speaker:
bleeding, stop the, stop the incident.
Speaker:
But at the same time, there's gotta be some people.
Speaker:
Tasked with determining root cause, worst patient, zero.
Speaker:
Uh, what were the things, the, the symptomatic things or the observable
Speaker:
things that could have been escalated prior to this bad thing really happening?
Speaker:
so to that point, and I think your analogy's a good one.
Speaker:
Is that we're not just addressing truly techno uh, technology based, uh, events
Speaker:
and metrics and observable things.
Speaker:
We also want to go back to the people, the eyes and the ears
Speaker:
see something, say something.
Speaker:
So do we have a good security awareness program?
Speaker:
did Bob or Sally see that air conditioning thing misbehaving some time ago?
Speaker:
Weeks, days, months.
Speaker:
is there a way to, is, is there even a mechanism for them to report that?
Speaker:
Because if they just make a comment to a coworker or a supervisor, well then
Speaker:
there's gotta be a way to communicate that to people that need to know.
Speaker:
So is, is there even a mechanism for that?
Speaker:
But to your point, right?
Speaker:
So we, we want to.
Speaker:
We want to expand the value, uh, of the tabletop as far as we can
Speaker:
without diluting the, the focus.
Speaker:
Um, but those observable, teachable, um, expandable moments, uh,
Speaker:
are, are definitely brought up.
Speaker:
Um, and so that's a good, I'm glad you brought that up.
Speaker:
'cause that's a absolutely, it's, it's the moderator's job.
Speaker:
Uh, to know how far outside the true storyline we can go, how
Speaker:
far off the path can we go and still add value to the exercise?
Speaker:
And so it looks like the moderator has a critical role to play in
Speaker:
the actual execution of the,
Speaker:
Mm-Hmm.
Speaker:
of the tabletop exercise.
Speaker:
And I know you mentioned sometimes a lot of this comes with experience.
Speaker:
How do you even find the right moderator?
Speaker:
Right.
Speaker:
Because like you mentioned, you probably don't want someone who's
Speaker:
internal who knows the details of the systems and the inner workings.
Speaker:
You want someone who's experienced in cyber instance incidences or
Speaker:
whatever else you're focused on.
Speaker:
But how do you, as a company, like I'm going out and seeking
Speaker:
out a moderator, how do I know?
Speaker:
Like what are the questions I would ask to be able to determine, is that a good
Speaker:
moderator for my tabletop exercise or not?
Speaker:
Usually there's, there's profiles for, for tabletop moderators.
Speaker:
They also call 'em breach coaches.
Speaker:
Uh, and they, they run from the, kind of the gamut, from true cyber focused.
Speaker:
You know, former CISOs and, and people that have been in the trenches, uh,
Speaker:
that actually had to wear those shoes.
Speaker:
Uh, and then some other breach coaches are on more of the
Speaker:
advisory or even legal side.
Speaker:
Like one of my, one of my favorite breach coach collaborators is
Speaker:
an attorney and he's been a cyber attorney his whole career.
Speaker:
He has never spent a day in IT.
Speaker:
Uh, but he's been involved in hundreds of breaches, so he's seen.
Speaker:
The battleground, and he has been through the game; he's seen what,
Speaker:
what's worked and what's not.
Speaker:
And then based on all that experience, also giving some good advice on how
Speaker:
to, how to make them more resilient to, to future, uh, incidents.
Speaker:
So my advice would be, uh, and you can search, usually it's called,
Speaker:
you know, tabletop exercises.
Speaker:
You know, the, the, the service providers out there usually list it.
Speaker:
Like that.
Speaker:
and then for those that are providing the service from that company, you've
Speaker:
got a, a profile, usually like a resume that you can, you can review.
Speaker:
And it seems like the, the.
Speaker:
Actual experience with actual events would be a really big, because
Speaker:
like you said, they can draw on all of these different things that
Speaker:
have happened to them, um, both in terms of how the event got started.
Speaker:
And things that happen throughout the event, right?
Speaker:
It's like, okay, well now you just lost power or whatever,
Speaker:
whatever types of things that happened throughout a cyber event.
Speaker:
Um, you've got to have a lot of experience to be able to
Speaker:
draw on those kinds of things.
Speaker:
And, and I'll, I'll, I'll make an example that, that you
Speaker:
can probably truly relate to.
Speaker:
'cause that backup tape drive works the same every day and it works good.
Speaker:
And you know, you know the hiccups.
Speaker:
I guarantee you that does not work the same on the day.
Speaker:
You have an incident.
Speaker:
You've gotta restore something.
Speaker:
It's just, that's a Murphy's Law
Speaker:
Yeah.
Speaker:
someone.
Speaker:
Moderating your, your tabletop, that's familiar with how Murphy's Law works?
Speaker:
Yeah.
Speaker:
I.
Speaker:
I often, uh, say that the success rate of backups is inversely proportional to the
Speaker:
degree to which you need that data, right?
Speaker:
Absolutely.
Speaker:
Yeah.
Speaker:
Absolutely.
Speaker:
Yeah.
Speaker:
Um, all right, so we've, we've, so we've done our event, right?
Speaker:
Um, and we, you know, you had, you had a good scribe captured those aha moments.
Speaker:
Um, now what, and no one cried.
Speaker:
Maybe somebody cried.
Speaker:
Um.
Speaker:
I've,
Speaker:
But
Speaker:
happen.
Speaker:
I'm sure, I'm sure this is so hard.
Speaker:
Um, I could just see that.
Speaker:
Um,
Speaker:
Well one of the things, one of the things too, and before we get off the,
Speaker:
uh, off of the execution part, uh, I wanna stress the importance of, um.
Speaker:
Accountability.
Speaker:
So even though it's a safe place, what we don't want to happen is walking
Speaker:
through a scenario and somebody go, well, let's just assume we do.
Speaker:
We do have that, and let's move on.
Speaker:
Let's just assume, don't we need to move, we need to work through this because we
Speaker:
need to know how it's gonna flesh out.
Speaker:
So I wanna stress that, that when you're playing this game, don't just
Speaker:
No, it's not.
Speaker:
right?
Speaker:
Uh, because.
Speaker:
And I've got a, a case study where we assumed, or I say we, it was the,
Speaker:
the response leader, let's assume we have that and let's move on.
Speaker:
And kind of, um, uh, not directly, but I tried to passively come back to
Speaker:
it multiple times during the tabletop and each time it was met with, let's
Speaker:
assume we have that and move on.
Speaker:
Not, not six weeks after the exercise.
Speaker:
They actually got hit with that, that particular incident in real life.
Speaker:
And that assumption, uh, really came back to bite him because they
Speaker:
assumed this in the tabletop, it was not captured as a remediation item.
Speaker:
Um, and that was one of the downfalls of their, of their incident response.
Speaker:
That,
Speaker:
was false.
Speaker:
Right.
Speaker:
that reminds me,
Speaker:
that is true.
Speaker:
Yeah, I like that.
Speaker:
And I, I can see that, I can see wanting to do that.
Speaker:
It's like, okay, we don't have that person here.
Speaker:
Let's just assume that we have the thing right.
Speaker:
Nope, he's not here.
Speaker:
What do we do if he's not here?
Speaker:
right.
Speaker:
He's
Speaker:
Yeah.
Speaker:
He gets hit by a bus.
Speaker:
Yep.
Speaker:
Yeah.
Speaker:
and I've done that too.
Speaker:
All right.
Speaker:
You're the incident response team leader.
Speaker:
Let's go through this.
Speaker:
And halfway into the incident response, I go, all right, you fell sick.
Speaker:
'cause that pizza you ate for lunch took you out.
Speaker:
And so who's, who's, who's, who's the assistant coach.
Speaker:
And we actually ran into a problem there.
Speaker:
'cause three people thought they were the assistant coach.
Speaker:
And so there's a
Speaker:
Uh.
Speaker:
of, you know, right.
Speaker:
Who's gonna take charge.
Speaker:
But then, sorry.
Speaker:
So after, after we finish the execution and we've got.
Speaker:
and good notes.
Speaker:
We, we wanna review, we want to debrief.
Speaker:
We wanna make sure that what we heard, what we collected, uh, what we documented,
Speaker:
uh, was, uh, concise and, and accurate.
Speaker:
And then naturally, as, as, you know, maybe, maybe I'm saying something, I'm
Speaker:
responding to something or I'm walking through my activity, my playbook and
Speaker:
my part's done, I hand it off to you and now I'm listening to your response.
Speaker:
Naturally, as, as people with responsibility in incident response,
Speaker:
I'm gonna think about what you're saying and, well, what
Speaker:
could I have done different?
Speaker:
Or, or maybe I've got thoughts about what you're saying.
Speaker:
So the, the debrief gives an opportunity for the participants to add more comment
Speaker:
or thought or, you know, something came to mind or, you know, um, let me
Speaker:
add to that or let me correct that.
Speaker:
And so the debrief is important.
Speaker:
Before everybody leaves, we want to capture all that before the end,
Speaker:
before people go back to their day job.
Speaker:
All right, well then the scribe and the moderator to over the, the coming days
Speaker:
to make sure that there aren't any un un untied strings or unle questions.
Speaker:
And we're gonna, you know, there's an opportunity to, to ping the,
Speaker:
the participants one more time, uh, because maybe they also made
Speaker:
reference to something and, all right.
Speaker:
Well.
Speaker:
Lemme know when you get back to your desk, you know, type of thing.
Speaker:
So we, we've, we've got a period of time to wrap this up, and then
Speaker:
we want to document this in a summary with detailed action items.
Speaker:
All right?
Speaker:
This is what came out of the, the tabletop.
Speaker:
Uh, we, we, we need to update this.
Speaker:
Uh, we need to find a resource when, when Bob doesn't show up, we need
Speaker:
to talk to our insurance company about having a, a good contact.
Speaker:
We need management's approval for, uh, when to involve law
Speaker:
enforcement, whatever it is.
Speaker:
We've
Speaker:
Yeah.
Speaker:
this action plan we need, we need that stuff to be addressed.
Speaker:
It came out of this incident response as things that we need
Speaker:
to do to be more effective.
Speaker:
It has to get done, and that is as important as conducting the exercise
Speaker:
because you now know where your weaknesses are where, where, where you need to
Speaker:
improve in order to be effective.
Speaker:
Without that stuff, you're going to fail the response to whatever that incident is
Speaker:
and more than likely back to Murphy's Law.
Speaker:
That particular incident that you just trained on that you didn't fix is
Speaker:
gonna happen sooner than it would've.
Speaker:
Yeah.
Speaker:
Uh, well, you know what, this brings brought up a thought for me.
Speaker:
You know, we talk a lot about doing disaster recovery testing, and,
Speaker:
um, so my question is, what is, is there a, is there a, is there a pass
Speaker:
or fail for a tabletop exercise?
Speaker:
You know, what's considered a success is something, is, you know, I, I would think.
Speaker:
I don't know.
Speaker:
I'll, I'll stop talking.
Speaker:
What would be considered a success and what be, what
Speaker:
would be considered a failure?
Speaker:
There is, and, and what, what success is would depend on what the incident is.
Speaker:
So if like it was incident, if it was intellectual property theft, success
Speaker:
would be determining how it happened.
Speaker:
Having enough evidence to prosecute whoever did it
Speaker:
right, that would be success.
Speaker:
In, uh, ransomware, success would be a hundred percent or majority
Speaker:
recoverability without having to pay a ransom while also figuring out
Speaker:
how the ransomware infection happened.
Speaker:
That would be ideal success.
Speaker:
But there's, there's levels of success as well.
Speaker:
Uh, simply getting the, the company back up and running with minimal financial
Speaker:
impact, uh, would be considered success.
Speaker:
Uh, and so defining success is one of those criteria that you
Speaker:
definitely want to, uh, lay out at the beginning of an incident.
Speaker:
Uh, based on what's going on, here's what we're gonna focus on.
Speaker:
Mm-Hmm.
Speaker:
our target is, and that's collaboration with management.
Speaker:
That's not just it, you know, setting the, setting the bar and, and,
Speaker:
and shooting for that objective.
Speaker:
It needs to be collaborative.
Speaker:
and then absolutely there's failures.
Speaker:
I.
Speaker:
is not being prepared, not understanding the business, not, not having good,
Speaker:
not having identified the right resources that you need to be effective
Speaker:
in response, not getting along.
Speaker:
I've seen that several times in an incident response tabletop, people
Speaker:
just, I'm not working with you anymore.
Speaker:
I, I quit.
Speaker:
I haven't had it, and I quit.
Speaker:
But there's definitely people that, that have had some, some contentious
Speaker:
or, you know, some animosity and you put 'em in a room in a.
Speaker:
And you're, you're, you're pointing fingers, all right, you're next.
Speaker:
And they're like, yeah, I'm not playing anymore.
Speaker:
And, and I've seen that.
Speaker:
Wow.
Speaker:
Yeah, that would be a.
Speaker:
that brings, brings, uh, uh, a risk that needs to be addressed.
Speaker:
Maybe that person shouldn't have that responsibility.
Speaker:
And I think at least doing this exercise, right, so you've gone
Speaker:
through this entire process.
Speaker:
You figured out the remediation steps or the gaps that you have today.
Speaker:
think that's such a huge step forward for a company because now you can figure
Speaker:
out, okay, how do I address those?
Speaker:
What are the skillsets I need to bring in?
Speaker:
What are things I need to modify my processes in order to make
Speaker:
sure that I am able to recover from some of these incidents?
Speaker:
And it is really huge too in, in, in very well established environments
Speaker:
that have never been tested.
Speaker:
They're, they're so complacent with how everything's always worked.
Speaker:
Everything's fine.
Speaker:
Everything's worked well forever.
Speaker:
I.
Speaker:
I've been here for 20 years.
Speaker:
Well, that's great.
Speaker:
It's worked well from your perspective without any outside influence.
Speaker:
Let's add some of that.
Speaker:
Hmm.
Speaker:
Yeah.
Speaker:
perspective outside influence and see how things go.
Speaker:
Yeah, I, I, um, you know, talking about, you know, the way people interact, it,
Speaker:
it, it would seem, and while, while it is a safe space, you know, you're,
Speaker:
you're observing and you, you get to see how different people do under pressure.
Speaker:
Um, you know, I'm, I'm thinking back to, I used to work for this company
Speaker:
that used to u that used to ask.
Speaker:
Really bizarre interview questions.
Speaker:
Not as bizarre as the, like how to put an elephant in a refrigerator.
Speaker:
I dunno if you're familiar with that series of questions.
Speaker:
They were more like, you're writing a shell script and instead of pound bang,
Speaker:
bin sh at the top, you put pound bang, bin echo, what would happen, right?
Speaker:
And it, and it was for, it had two purposes.
Speaker:
One was.
Speaker:
If you could successfully answer the question, um.
Speaker:
Then it showed that you had a really good knowledge of internals,
Speaker:
but if you couldn't answer the question, it was just as important
Speaker:
to see how you responded to that.
Speaker:
Right.
Speaker:
And if basically, and we had interviewers just walk out
Speaker:
like, this is a stupid question.
Speaker:
This is, no one would do that.
Speaker:
No one would put bin echo at the top of the script.
Speaker:
Shell script, this is stupid.
Speaker:
And they would just literally walk out.
Speaker:
Okay, you failed the interview.
Speaker:
Right.
Speaker:
And so I would, I would think that that's, that, you know, you talked about dynamics,
Speaker:
you talked about pe, people getting, uh, you know, animosity to each other.
Speaker:
And, and I'm sure that at some point there, even though we're not supposed
Speaker:
to, I'm sure there's been some yelling and a few tabletop exercises.
Speaker:
Would that be a fair assumption?
Speaker:
There has and, and, well, not yelling, but definitely raising the voice.
Speaker:
Yeah.
Speaker:
Yeah.
Speaker:
Um, yeah.
Speaker:
And, and.
Speaker:
So I think the only, the only truly failed tabletop exercise, in my opinion, would
Speaker:
be one that, that just, you just never do.
Speaker:
Right?
Speaker:
Um, and I think that that's what multiple people, I, I think that's what a majority
Speaker:
of people are doing or not doing, is that they're just not doing these for fear.
Speaker:
Of those things for fear of being exposed, for fear of whatever.
Speaker:
But the only thing I can say to them is, well, you know, um, it, you know,
Speaker:
it, it, it remind, have you seen, um, Glengarry Glen Ross, the movie?
Speaker:
Um, okay.
Speaker:
It, it.
Speaker:
If you watch nothing else, just watch the opening scene with, uh, Alec Baldwin.
Speaker:
And, uh, there's a li he's, he's, he's yelling and screaming at
Speaker:
these, um, at these salesmen.
Speaker:
And he basically, he said, one of the lines he says is, you, you, you
Speaker:
can't handle what I'm, what I'm, what I'm saying to you right now,
Speaker:
if you can't handle this, how are you gonna handle the abuse that you
Speaker:
get when you go out on a sales call?
Speaker:
Like if you can't handle a tabletop.
Speaker:
Imagine an actual cybersecurity event where you didn't do a tabletop and
Speaker:
you're, you're not prepared at all.
Speaker:
Um, which I think is the majority of situations.
Speaker:
Right.
Speaker:
Um.
Speaker:
And, but I think there's a misconception there in that tabletop is this
Speaker:
point in time thing, uh, that they don't, that they're afraid of.
Speaker:
'cause they're afraid that they're gonna fail.
Speaker:
But really the intent of doing a tabletop requires that you do
Speaker:
some planning ahead of game day.
Speaker:
So that.
Speaker:
Right.
Speaker:
better prepared to play the game and that that preparation is where
Speaker:
someone like me would really walk you through you need to be successful in a
Speaker:
tabletop and make sure that that's in place before we we go play the game.
Speaker:
Yeah.
Speaker:
Yeah.
Speaker:
And I think if you define the success of the tabletop is a successful
Speaker:
tabletop helps uncover, um, weaknesses that we can then go address.
Speaker:
Right.
Speaker:
That would be a successful tabletop.
Speaker:
Yeah.
Speaker:
It
Speaker:
And if, and
Speaker:
expected.
Speaker:
yeah.
Speaker:
tabletop I've ever done has had opportunity for improvement.
Speaker:
Yeah, it's just like when, uh, Prasanna, you know that I say this a lot that we,
Speaker:
when we used to do disaster recovery exercises, we define success as.
Speaker:
Because we would do a DR test where, uh, I was the one in charge of backups, but
Speaker:
I was not the one running the DR test.
Speaker:
And a, a, a success was they, they made it from A to to Z using
Speaker:
nothing but my documentation and never having to ask me a question.
Speaker:
Never once did we succeed by, by that standard, right?
Speaker:
Everyone has, uh, deficiencies.
Speaker:
In every part of it, in the job of doing this.
Speaker:
And I like, by the way, I like you talk, you said it, it, it's, a lot
Speaker:
of people see it as a point in time.
Speaker:
Another thing is that you don't just do one tabletop and then move on.
Speaker:
You do regular tabletops.
Speaker:
What, what do you think is a, is a, a good frequency for people to do that?
Speaker:
As often as possible, uh.
Speaker:
At, at a minimum once a year,
Speaker:
Uh.
Speaker:
you pick, because once a year is really as, as often as.
Speaker:
You know, collectively the business reassess itself.
Speaker:
You know, that's where we update our strategy, uh, both on the business
Speaker:
side and the technology side.
Speaker:
That's where we look at our, if, if we've got audit work or risk
Speaker:
assessments, we look at all those things.
Speaker:
So once a year is, is common.
Speaker:
Twice a year would be great.
Speaker:
Quarterly would be amazing.
Speaker:
And if you're doing 'em quarterly, you're really cutting this down to.
Speaker:
You know, a a, a well-oiled machine, you know, doing 'em once a year.
Speaker:
That's probably two hours on game day plus maybe an hour or two of,
Speaker:
of planning ahead of, and then all the logistics of, you know, people.
Speaker:
People's schedule and everything, if you do them quarterly, you can
Speaker:
break u Usually it's a smaller group.
Speaker:
you can really focus tactically on whatever the scenario is and just, you
Speaker:
know, just record it in a team session and you don't even have to have a, a scribe.
Speaker:
Um, and it becomes this, this, this, uh, scheduled event that, that you just,
Speaker:
know, it's, it's like going to practice
Speaker:
Yeah, and you're developing muscle memory.
Speaker:
Did, did you just say muscle memory
Speaker:
I did say
Speaker:
at the same time?
Speaker:
Look at that.
Speaker:
I love it.
Speaker:
I love it.
Speaker:
That's a great way to.
Speaker:
the other thing to consider with tabletops is, uh, it's actually a
Speaker:
benefit in, in a couple of ways.
Speaker:
You're, and especially if you expand the, the participation to
Speaker:
include your insurance company and law enforcement, some others.
Speaker:
improving the perceived effectiveness of your organization to people that want
Speaker:
to help you, you learn something too.
Speaker:
Like a lot of organizations think, I'm not gonna call my insurance
Speaker:
company until I fee, I think I'm gonna have a claim or, recover, so
Speaker:
I'm gonna have to pay the ransom.
Speaker:
So I gotta call my insurance company.
Speaker:
But if you ask the insurance company when, when should we call you?
Speaker:
They're gonna tell you as soon as you think you have a problem.
Speaker:
Yeah.
Speaker:
we've been through a lot of this stuff and we can also help guide you.
Speaker:
Right.
Speaker:
say Bob didn't come to work that day and he's on your incident response
Speaker:
team and he's your database expert.
Speaker:
what are we gonna do now?
Speaker:
Well, your insurance company probably has a vendor on their approved list that's
Speaker:
a database expert that can help you.
Speaker:
And there's, I mean, they're a great resource and a lot of, a lot
Speaker:
of organizations don't realize, or they're hesitant to involve.
Speaker:
Insurance company.
Speaker:
Their insurance company.
Speaker:
When, when something bad happens, they're afraid it's gonna, it's gonna ding them
Speaker:
like getting your windshield repaired.
Speaker:
Yeah.
Speaker:
they're, they're afraid it's gonna impact their, their
Speaker:
premium next year or whatever.
Speaker:
But really what it's doing is adding, it's adding value.
Speaker:
Um, and, and there's a perception there from your insurance company that you guys
Speaker:
are, what, you're being diligent, uh, ahead of, uh, a true incident happening.
Speaker:
All right.
Speaker:
Well, thank you.
Speaker:
Uh, thank you once again, Mike.
Speaker:
You are welcome.
Speaker:
All right, and thanks, Prasanna.
Speaker:
You enjoying this?
Speaker:
I am, I'm learning something new.
Speaker:
It's kind of
Speaker:
I, I love learning.
Speaker:
I love learning
Speaker:
whenever I think about tabletop exercises, for some reason I think about the, uh,
Speaker:
the game battleship for some reason.
Speaker:
You sunk my battleship.
Speaker:
I like it.
Speaker:
All right, well, thanks again to our listeners.
Speaker:
We love you.
Speaker:
Uh, you're why we do this.
Speaker:
Um, and uh, that is a wrap.
Speaker:
The Backup Wrap-up is written, recorded, and produced by me, W. Curtis Preston.
Speaker:
If you need backup or DR
Speaker:
consulting, content generation, or expert witness work,
Speaker:
check out backupcentral.com.
Speaker:
You can also find links to my O'Reilly books on the same website.
Speaker:
Remember, this is an independent podcast and any opinions that
Speaker:
you hear are those of the speaker and not necessarily an employer.
Speaker:
Thanks for listening.