Industry Perspectives Blog

Practice Makes Perfect: Improving Incident Response With Tabletop Exercises

One sentiment shared by nearly everyone in the security industry is that nothing will stop a determined attacker. Breaches will occur, and they can be challenging to predict. This is precisely why every organization needs to test their incident response capability; so that when faced with the inevitable breach, leaders and their teams can exercise practiced actions rather than making decisions on the fly. With a strong incident response program, an organization can efficiently take steps to mitigate risk and minimize damage.

Tabletop exercises are one of the best ways of ensuring that an incident response plan is well thought-out and as effective as possible. These exercises often take the form of presentations or roundtable discussions that involve people pivotal to the incident response process, including senior leaders from the legal, security and communications teams. The goal is to test the program in place using simulated scenarios and ensure everyone is prepared for whenever an incident may occur. The threat landscape is constantly evolving, so holding tabletop exercises regularly will keep everyone up to speed on any needed changes to the organization’s response strategy.

Tabletop Scenario

As mentioned, simulated scenarios are a big part of tabletop exercises. The scenario for each organization will be different depending on the company size, industry and more. For the purposes of this blog post, let’s imagine a scenario that begins when a security analyst for an $8 billion multinational manufacturer notices an antivirus alert. She opens a relatively low priority incident ticket, and almost a week goes by.

Six days later, analysts at the organization discover that a file containing approximately 1,500 usernames and password hashes has been copied. The situation escalates quickly when, the following day, the FBI notifies the company that they have obtained a file containing what appears to be internal emails between high-level employees in the company.

It’s official now – the organization has been compromised. What comes next?

A good first step is to work with technical teams to make an initial assessment of the scope and nature of the incident. Importantly, all data related to the incident should be collected and preserved. Potentially compromised systems should not be used at all, including for communications, so be sure to have all important phone numbers documented in a paper-based copy of your incident response communication plan. The Legal Department – and the General Counsel in particular – will likely be making many phone calls within first 24 hours of discovering a breach, so having contact information available on a traditional piece of paper can be a real boon if electronic access is cut off.

Speaking of Legal, at this point in the incident response process the CISO and the Legal Department should be working together closely to determine the implications of this data being exposed. The GC, or the CISO at the GC’s directive, should also be communicating to executive staff, ensuring they are kept in the loop and have a full understanding of the issue while also preserving the attorney-client privilege on such communications. Engaging outside counsel specializing in incident response work should also be considered, along with a public relations firm if communications specialists are needed.

At the same time, the organization should be working on identifying potential victims and determining how and when they should be notified. Required notification periods can be very short; the GDPR, for example, requires all organizations to report certain types of data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. Rather than roll out information as more details are learned, an organization should endeavor to have all the critical facts sorted out before making an announcement or issuing any type of release. Preparing a short and general statement for early media outreach isn’t unheard of, especially if the breach has gone public, but it is crucial that all communications remain consistent throughout the response and remediation process.

Preparation Equals Speedier Recovery

Upon learning of the breach, the teams at the manufacturer knew the appropriate actions to take because of regular practice. Over the next 30 days, computer experts carried out the time-consuming process of repairing the technical damage, Legal ensured that all appropriate agencies were notified as per local, national and international laws, Communications prepared information for affected individuals and media, and a long-term plan was developed to enhance defenses for similar future attacks.

One of the reasons the manufacturer was so successful at responding to and recovering from the breach is speed. Investigations and analyses associated with an incident will invariably take time, but the basics can be – and should be – decided on before the incident ever occurs. Through tabletop exercises, organizations can ensure their key staffers are confident to take the right actions as soon as they hear of a breach, and without wasting time.


One final thing to consider when preparing, practicing and testing incident response plans is to be a tough critic. If a team is not getting anything out of tabletop exercises, chances are that something is being overlooked. There should always be an area that can be improved or something that needs to be addressed. Everyone in the room is responsible for spotting weaknesses, so leaders should encourage participants to speak up.

FireEye can help with tabletop exercises, and can better put detection and response capabilities to the test with our penetration testing and Red Team Assessments. We also know just how challenging incident response can be, especially when it comes to responding with speed. This is why we offer the FireEye Mandiant Incident Response Retainer (IRR). With the FireEye Mandiant IRR, organizations can have a trusted partner on standby, enabling them to respond to cyber incidents faster and more effectively.

In a world where breaches are inevitable, being prepared with a tested incident response plan is paramount.