Lap 14: Cyber Incident Response Planning and Tabletop Exercises
Cyber Incident Response (IR) planning produces a written blueprint for handling breaches. Tabletop Exercises (TTX) are discussion-based simulations that test that blueprint in a low-pressure setting, surfacing gaps in roles, communication, and procedures (for example, how a ransomware or phishing incident would be detected and handled) so that teams know their tasks and are ready before a real attack hits.
Why it matters:
Ensures that the organization is prepared to respond when, not if, an incident occurs, and that its first response is a rehearsed plan rather than improvisation.
A Cyber Incident Response Plan (IRP) is the foundational strategy and playbook for an organization's response to cyber threats. It follows the four phases of the NIST SP 800-61 incident handling lifecycle and details:
- Preparation: Building tools, policies, and training.
- Detection & Analysis: Identifying and understanding an incident.
- Containment, Eradication & Recovery: Steps to stop the attack, remove threats, and restore systems.
- Post-Incident Activity: Reviewing and improving the process.
- Key Components: Defined roles (IT, Legal, Comms), communication channels, escalation paths, and technical/procedural steps for specific threats like ransomware or phishing.
Tabletop Exercises (TTX) bring stakeholders together (IT, leadership, legal, PR) to walk through realistic, scenario-based cyberattacks (e.g., DDoS, data breach) to:
- Test the Plan: See if the written IRP works in practice.
- Evaluate Readiness: Assess people, processes, and technology performance.
- Identify Gaps: Uncover weaknesses in communication, decision-making, and procedures.
- Build Muscle Memory: Familiarize teams with their roles under stress.
- Improve Collaboration: Strengthen coordination across departments.
Main Points:
- Communicate with your providers. Reach out to your third-party providers, such as your ISP, to establish communication paths before you are the victim of a cyber event, including an out-of-band channel (for example, a phone number rather than corporate email) that still works if your network or email is compromised.
- Designate a crisis-response team within the organization, with primary points of contact for a suspected cybersecurity incident and defined roles and responsibilities covering technology, communications, legal, and business continuity.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Actions to Take:
- Plan First: Develop a robust Incident Response Plan (IRP).
- Simulate: Run a tabletop exercise using a realistic scenario (e.g., ransomware).
- Discuss: Participants discuss their responses, focusing on "how would we do this?".
- Analyze: Review the discussion to find weaknesses and missed steps.
- Refine: Update the IRP and provide targeted training based on the findings, then schedule the next exercise to confirm the fixes hold.
This cycle ensures the plan stays current and teams remain prepared for evolving threats, moving from theory to practiced performance.
Related Resources:
Texas School Safety Center: https://txssc.txstate.edu/tools/at-toolkit/4-tabletop-exercises
CISA Tabletop Exercise Packages: https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
Maryland Center for School Safety: https://schoolsafety.maryland.gov/Pages/RES-Training-TTX.aspx
Cybersecurity Plan Controls:
- Texas Cybersecurity Framework: IR
- NIST Cybersecurity Framework: IR
- Center for Internet Security (CIS) v8: C17 (Incident Response Management)
- CISA Cybersecurity Performance Goals (CPGs): 2.S (Incident Response Plans and Processes)
- K12six Essentials Cybersecurity Protection: 5.2
- TEA cyber initiative: