
By:
Federico Pacheco
(R&D&I Manager)

References

[1] T. Grance, T. Nolan, K. Burke, R. Dudley, G. White, and T. Good, "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities", 2006.

[2] D. B. Fox, C. D. McCollum, E. I. Arnoth, and D. J. Mak, "Cyber Wargaming: Framework for Enhancing Cyber Wargaming with Realistic Business Context", MITRE Corp., Homeland Security Systems Engineering and Development Institute, McLean, VA, 2018.

[3] S. Crimando, "The 10 Step Model for Designing Tabletop Exercises", Everbridge, 2017.

TTX Simulation Exercises (I)

Introduction

A tabletop simulation exercise is a collaborative activity that lets participants practice how to react to a cybersecurity incident, in both its technical and executive aspects. A fictitious incident situation is presented, and the participants respond within the proposed limits. Several working groups with different roles and responsibilities meet to propose responses and actions, which allows the pre-established plans and processes to be validated. A facilitator typically presents a scenario made up of a series of events and coordinates the discussions that arise from them [1]. The original idea is an adaptation of the so-called "war games" that for centuries have served military leaders as a resource to practice planning and strategic thinking, improve their preparedness for hypothetical conflict scenarios, and enhance their situational awareness. Documented records of these practices date back to ancient India and the Roman Empire.

Scenarios based on real-life situations linked to the technologies in use can provide a realistic estimate of the impact of technical events on an organization's operations. Scenarios integrate theoretical and practical elements that associate cybersecurity with business effects, giving a realistic view of the outcome of an event. Obtaining results that reflect the variability of controls, management decision making, the infrastructure in place, third-party dependencies, and disruptions from multiple parties in a sector or industry allows a wide range of gaps in operational resilience to be identified. Establishing a systematic, repeatable and measurable model for incident response simulation exercises provides insight into the potential benefits of acquiring new technologies and managing their lifecycle [2].


Simulate to prepare


Simulations have been used in a variety of settings, even predating modern technologies, for purposes ranging from entertainment to learning and preparation for real situations, without compromising the integrity of people or resources. Tabletop simulation exercises for practicing cybersecurity incident response are increasingly gaining ground among the preparation and training practices of specialized teams.

Exercise development

To conduct an exercise with these characteristics, a commonly accepted planning approach is a 10-step process adapted to cybersecurity practice from the field of civil emergency response, which far exceeds technological incident response in maturity and history [3]:

  1. Review documentation: study the incident response plan and its gaps.
  2. Define a goal: define what is expected to be obtained after execution.
  3. Determine the team: select who will work on the design.
  4. Develop the objectives: detail the specific objectives to be validated and fulfilled.
  5. Define the scenario: select the general scenario best suited to the goal.
  6. Identify participants: select who will be part of each group and role.
  7. Decide on logistics: define how it will be carried out (face-to-face/virtual/hybrid).
  8. Develop events: create the pieces of information according to the scenario.
  9. Define the coordination: choose a facilitator, an observer and a note-taker.
  10. Report on actions: report the results afterwards and formally close the event.

Of all the tasks to be performed, the ones that require the most specific cybersecurity knowledge are the analysis of the existing documentation and the creation of the scenario according to the agreed conditions. While the objectives of these exercises can be diverse, the main ones are typically among the following:

  • Experience how to assess, decide, participate and communicate during a cybersecurity crisis.
  • Identify gaps between formal procedures and actual behavior.
  • Understand the difficulties of handling the operational issues of an incident.
  • Recognize the priorities and actions needed to improve incident response capabilities.
  • Improve decision making and the execution of appropriate actions to restore normal operations.
  • Exercise communication and coordination processes during incidents.
  • Determine the effectiveness of the manuals used to address detection, response and recovery.

It must be decided at the design stage whether the exercise will be oriented to stress the operational functions of incident response (usually the technology and cybersecurity areas) or the decision-making circuits (corresponding to managers and directors). Beyond this, there are different types of participants depending on their role. The protagonists are the players, the people with the most active role, who perform their functions, debate, and discuss or initiate actions in response to the scenario. Then there are the observers, who do not participate actively but can watch what is happening and may eventually support the players. Next come the connectors, who act as a liaison between players and organizers, are familiar with the scenario, witness the discussions, and document the results for the report. Finally there are the coordinators, who lead and facilitate the practice, oversee the flow of events, monitor the interaction, and maintain communication with the connectors.

In terms of dynamics, participants represent their different areas (business, technology, cybersecurity, legal, communications, etc.) and are presented with an incident scenario that affects the organization, resulting in multiple events unfolding over time. The participants act according to the information received (evaluate, prioritize, act) and may have instances of general interaction or between groups, for sharing and joint decision making.

In addition, certain variables that condition the design of the process must be defined, such as the type of base incident, which is the pillar on which the complete scenario is built and can be selected a priori or proposed based on the analysis of the organization. These can range from ransomware or the compromise of cloud servers to system failures, zero-day vulnerabilities, malware infection, denial of service, and information leakage, to mention just a few.

Another variable that conditions the design is the industry to which the organization belongs: regulated industries have different standardization needs and are subject to different laws, and adjustments or requirements related to this may be needed. Examples of relevant industries with specific requirements are the financial, energy, pharmaceutical, food, and transportation sectors.

As for the action report, an executive presentation is usually made, consisting of a briefing on lessons learned that includes a summary of the activities performed. It is accompanied by a report of results containing a work report that details how events unfolded, an analysis of the activities, and recommendations, including proposed action items to improve the management of security incidents. In some cases, it is also possible to subsequently create or update the incident response strategy manual (playbook) for integral action in real cases, as well as to create or update the related processes and procedures.

In the next installment we will focus on the two main modalities that characterize exercises of this type: the traditional modality, based on direct live interaction (or a hybrid mode that adds remote participants), and the platform-based modality, which adds another level of interaction and extends the possibilities of the exercises.