Table-Top-Exercises (TTX) – think about the worst-case scenario

Author
Reinhold Zurfluh
Published
11. September 2020

The COVID-19 crisis has demanded flexibility and rapid adjustments to the operation of IT infrastructures to ensure that business can continue. However, it would be too short-sighted to regard this as BCM preparation or as a validation of existing BCM processes. If, despite everything, you have survived this situation in good shape and are now heading out of the “lockdown”, then it is certain that you have done lots of things right! All the same, in this article you will learn that you should be preparing for another business-critical situation in a structured way, and how to approach it.

What we have observed is that only very few attackers have shown any consideration at all for the COVID-19 crisis and have exercised restraint. In fact, it's quite the opposite. Many attackers explicitly used this opportunity and the uncertainty associated with it to launch targeted attacks on companies and their staff (e.g. social engineering). As a result, companies had to (urgently) rethink their established processes, check them during ongoing operations and adapt them as necessary. As it turned out, this not only led to unfamiliar operating procedures but also created more opportunities for attackers. That is why we recommend that you also check how resilient the processes that were introduced at short notice are. A good way to do this is via a table-top exercise (TTX).

Table-top exercise – impossible thinking and learning from your mistakes!

TTX are activities that prepare for disasters. They involve playing through hypothetical but realistic situations of catastrophic events and include an assessment of the participants' readiness to respond and their ability to cooperate.

During a table-top exercise, the TTX simulator team in our case experts in cyber security and cyber defence guides the exercise participants through the process of handling a simulated disaster scenario, for instance, a targeted ransomware attack. In this process, the measures that the team would take in a particular emergency are reviewed and discussed with the participant. It is preferable to test the emergency plan in an informal, stress-free environment. The TTX simulator team provides a realistic scenario and the schedule. The participants bring along company-specific solutions for problems and react accordingly as soon as events occur, and make changes in the course of the exercise. The TTX simulator team particularly monitors and assesses the reaction of sudden changes because unexpected challenges are the most difficult thing to overcome in a crisis. The results and findings are then summarised in a report and appropriate recommendations are made.

This is what has to be kept in mind when designing TTXs

Below we have compiled some of our tried and tested points for designing a table-top exercise which we hope will act as a helpful checklist for you.

Planning and design

  • Clarifying the objectives and expected results:
    What do you want to achieve during the exercise? How can the results be used in the future?
  • Evaluating the appropriate TTX participants and the right TTX simulator team:
    The participants should be those people in the company who are involved in managing emergencies (of course, following consultation with decision-makers). You should also appoint observers who can contribute to the discussion and the knowledge that has been gained.
  • Designing the interactive scenario and the exercise plan:
    The scenario should be robust, credible and consistent with the target. The table-top exercise should include useful questions, a detailed game plan and different approaches to creating dialogue and interaction between all the participants.

Design and implementation

  • Creating an interactive, cooperative and trouble-free environment:
    The environment should foster an open atmosphere of trust and encourage interaction and discussion. Remember, the simulation is a space where there are no wrong answers, and all questions and contributions are legitimate. All TTX participants should be involved in the simulation and procedures need to be defined to achieve the best possible outcome.
  • TTX simulator team's critical questions:
    Experienced moderators are used to leading exercises on key questions and for valuable insights. The simulation follows a pre-defined script but allows flexibility for situation-specific adjustments, discussions and conversations.
  • Documenting unresolved issues, findings, difficulties and important omissions:
    Documentation and handling of the key points during the exercise is done in real-time. Visual aids and a timeline are used to record the implications of decisions and their impact when an event escalates.

Any crisis is a challenge even if it is just an exercise

The more realistic the scenario is, the greater the opportunities are for learning and improvement. TTX and the simulated incidents are appropriate for all companies. In the case of simulated cyber attacks, they are of course specifically targeted at staff in the incident response department.

The purpose of the exercises is to assess the reaction readiness of the TTX participants and to train them in dealing, for example, with cyber incidents. A table-top exercise helps with:

  • Optimizing your contingency plans
  • Strengthening the efficiency of cooperation in unforeseen situations
  • Clarifying roles and responsibilities and adapting them where necessary
  • Exposing weak interactions between functional elements

Depending on their set-up, participants are encouraged to discuss issues in-depth and make informed decisions about problems. This way the exercise stands in contrast to the rapid, spontaneous decision-making that takes place under real or simulated emergency conditions. A TTX's success depends on the active involvement of the participants and their appreciation of the TTX simulator team's recommendations with regard to their existing policies, procedures and plans.

For each TTX, the participants' feedback is used to improve the next iteration of the system, so that for each subsequent exercise an even better and more realistic prototype is utilised. The assessment and discussion that follows shows potential or even essential improvements to the existing response plans and the corresponding readiness to respond. Following on from the table-top exercise, it is advisable to schedule a workshop on disaster resilience and preparedness, so that the results can be discussed and improvements to the existing crisis management documentation can be introduced. To achieve this, a specific plan for short-term measures is drawn up so that the experiences and lessons that have been learned can be put into practice. Simple, practical suggestions for improvement assist with implementation of the measures.

Table-top exercises are not just the IT team's job

It is important to involve not just the IT department, but also representatives of other organisational units in the table-top exercise. Depending on the scope and scenario selected, these could be teams from support / help desk, marketing & communication, legal & compliance etc. To validate success, you can track the time from the start of the incident, detection, response, internal and external communication, and resolution. The aim is for each successive table-top exercise to be more effective than the previous one.

To ensure that the scenario that has been used also fits the specific situation, the TTX simulation team creates a threat model for the relevant products and services. Developing this threat model means that we can identify vulnerabilities and work together with the appropriate authorities to ensure that corrections are given priority. Finally, realistic TTX events can be deduced from the threat model, for example:

  • Spoofing
  • Manipulation
  • Ransomware
  • Cyber incidents
  • Disclosure of information
  • Denial of service
  • Privilege escalation
  • Insider threats
  • DC faults etc.

It will not remain just an exercise (unfortunately)

As we have seen over the past months and years, unfortunately, it does not stop at exercises. Cyber incidents are also being made on Swiss companies and are happening more and more rapidly, so part of your overall security plan has to include just ways to prevent these incidents but also reaction plans (including training).

It is claimed that Ben Franklin said: “If you fail to plan, you are planning to fail!” The way you react to an incident is just as important as the effort you make to avoid an incident. Cyber response plans that have been practiced in table-top exercises will help you to be better prepared and can increase your response and recovery capabilities should you ever fall victim to an attack by hackers.

Table-top exercise – now it's your turn!

As you have probably already realised, you need professional support in carrying out an effective table-top exercise. Our cyber security and cyber defence experts are your ideal partner! Their many years of experience with cyber incidents and TTX, as well as comprehensive, cross-divisional expertise, have already helped a great many companies to prepare for these incidents. And believe us when we say that after the exercise, everyone without exception is happy to have completed a TTX.

What about you? If you would like to complete a TTX now, please contact us. We will be happy to play through different scenarios with you!

Contact us now!

Share article