A recent survey of 8,000 IT professionals and business leaders discovered that nearly 75% expected to face a disruptive cyberattack in the next two years. Strikingly, the same report found that only 35% of organizations are adequately prepared for an attack. The rest only have foundational protections.
Does your organization need to improve its cybersecurity maturity? Conducting an incident response tabletop exercise is an excellent way to answer that question and improve team readiness. This guide shares helpful scenarios for enterprise organizations.
Incident Response Tabletop Exercises: Why They’re Worth Your Time

Tabletop exercises are discussion-based role-playing activities where an organization’s stakeholders respond to an imagined risk scenario. For example, executives and IT team members might simulate a ransomware attack that locks down critical customer data.
Incident response tabletop exercises specifically revolve around how your organization reacts in the event of cyberattacks or operational emergencies, such as:
- Data breaches
- Social engineering attacks (phishing, pretexting, etc.)
- Insider threats
- Ransomware attacks
- Natural disasters (e.g., flooding)
- Company emergencies (network failure, etc.)
A tabletop exercise (TTX) can reveal how prepared your team is, how effective your policies are, and what changes or improvements you need to make before a worst-case scenario occurs.
Ideas for Incident Response Tabletop Exercises
These scenarios can provide a starting point for your cyber incident response exercise. Customize the details so they feel natural for your corporate environment and roles.
1. Software Vulnerability
Researchers disclose a potentially high-impact vulnerability in a widely used open-source component. There are no widespread reports of active exploitation yet, but the Cybersecurity and Infrastructure Security Agency (CISA) recommends taking immediate action. The vulnerable component is probably present in your software stack, but you don't yet know where it is deployed or whether your systems have been compromised.
2. Insider Threat
One of your organization's senior software engineers is upset about the company's new return-to-office rules. To get back at the company and profit financially, the employee uses his own access credentials to steal sensitive customer financial information and then deletes the logs that record his network activity.
3. Third-Party Breach
One of your software vendors informs your team that they recently discovered a data breach that probably happened two months ago. Your organization’s usernames and passwords for the platform were among the data stolen.
4. Business Email Compromise
An employee from your purchasing department received an email from what appeared to be the CFO’s business email address. The message instructed the employee to deposit $10,000 in the bank account of a “supplier” to clear up an urgent problem with import duties for raw materials. The CFO denies sending any such message.
5. Phishing Attack
An employee suspects that their system login credentials may have been stolen. An email from “the IT department” said that the employee needed increased permissions to view files for an upcoming project. The email asked for the employee’s password to finish setting up the new permissions. Soon afterward, the employee started to feel suspicious.
6. Nation-State Attack
The FBI and CISA issue an alert that Russian-sponsored hackers are actively targeting your industry and have already infiltrated several well-known brands. Your IT team notices suspicious network traffic and believes one of your servers may have been compromised. You don’t know which server is affected or what level of access the hackers have at the moment.
7. Cloud Misconfiguration Error
An IT technician privately makes your CISO aware that one of your cloud storage buckets housing sensitive data is configured as public instead of private. Some of the files are encrypted, but others aren't. At the moment, nothing indicates that the files have been accessed from outside your organization.
8. Data Center Fire
Your organization uses a hybrid cloud model with an on-prem data center. At 3:00 a.m., you receive a call from your security provider informing you that fire alarms are going off at the data center. Some guards report smelling smoke.
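Scenarios 4 and 5 both turn on a message that "appeared to come from" a trusted address. During the exercise, ask the mail team to show the checks they would actually run on the suspect message. The script below is an added example, not code from the original article: it applies the usual first-pass triage to a constructed sample (SPF/DKIM/DMARC verdicts from the Authentication-Results header, a lookalike sender domain, a Reply-To that points somewhere else, and urgent payment language). The internal domain `example.com`, both sample messages and every header value are invented for illustration.

```python
"""Header triage for a suspected business-email-compromise message.

Added example for the BEC and credential-phishing scenarios; not code from the
original article. The internal domain, the sample messages and every header
value below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the targeted organization's mail domain

# Constructed sample: lookalike sender domain (digit 1 for letter l), a Reply-To
# pointing at a third party, a DMARC failure, and urgent payment language.
SAMPLE_BEC = """\
From: "Jane Doe (CFO)" <jane.doe@examp1e.com>
Reply-To: payments@supplier-billing.net
To: purchasing@example.com
Subject: URGENT: import duties on raw materials
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/plain

Please wire $10,000 to the supplier's bank account today to release the shipment.
"""

# Constructed benign message from the real executive, for comparison.
SAMPLE_CLEAN = """\
From: "Jane Doe (CFO)" <jane.doe@example.com>
To: purchasing@example.com
Subject: Q2 budget meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Moving the budget review to Thursday at 3pm.
"""

URGENCY = ("urgent", "immediately", "today", "asap")
PAYMENT = ("wire", "bank account", "deposit", "transfer", "payment")


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _looks_like(domain, target):
    """True if `domain` is a confusable spelling of `target` (but not `target` itself)."""
    normalised = domain.translate(str.maketrans("10", "lo")).replace("rn", "m")
    return domain != target and normalised == target


def _body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")


def bec_findings(raw):
    """Return a list of finding codes for a raw RFC 822 message; empty means no red flags."""
    msg = email.message_from_string(raw)
    findings = []
    auth = auth_results(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    if auth.get("dmarc") != "pass":
        findings.append("dmarc_not_pass")
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("spoofed_internal_domain")   # exact-match spoof of our own domain
    if _looks_like(from_domain, INTERNAL_DOMAIN):
        findings.append("lookalike_domain")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_mismatch")

    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        findings.append("urgent_payment_language")
    return findings


if __name__ == "__main__":
    print("suspicious:", bec_findings(SAMPLE_BEC))
    print("clean:", bec_findings(SAMPLE_CLEAN))
```

The point for the tabletop is not the script itself but whether these signals are available to the people who need them: if your gateway does not add an Authentication-Results header, or nobody in accounts payable is told to treat a Reply-To mismatch as a stop sign, the scenario will play out exactly as written.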
An Example Cyber Incident Response Exercise

Incident response tabletop exercise examples are more effective when they include details, unexpected twists, and multiple stages. In this example, a financial services provider falls victim to a data breach.
The Scenario: Email-Based Malware Attack
Cyber attackers exploit a network vulnerability in the systems of a prominent trust service provider for financial organizations. Your company uses this TSP extensively for payment processing.
The threat actors obtain a list of customers and their email addresses, including members of your billing department. The hacking group decides to target your company using a business email compromise and social engineering attack.
Day 5 (Morning): Targeting Your Organization
An email marked "urgent" lands in the inboxes of key members of your accounts payable department. It appears to come from your TSP's IT department, and your email security controls don't flag it.
The message states that the TSP’s normal billing portal will be undergoing maintenance for several days, so this month’s invoices will be emailed directly. There is a contact number that staff can use for questions (which is controlled by the threat actors).
Day 5 (Afternoon): Executing the Attack
A second message from the same "TSP" references the platform's downtime and has a PDF "invoice" attached. In the preview, the file looks identical to other invoices from the TSP. One of the members of your accounts payable team opens the attachment and starts the process of sending payment to the account it names.
During the course of the afternoon, the employee’s computer seems more sluggish than normal, but still similar to when it downloads a large update. Your network, billing platform, and data storage systems continue operating normally.
Day 7 (Morning): Suspecting a Problem
Two days later, the TSP's real billing department reaches out to your accounts payable staff to ask why a payment was sent without using the online portal. The TSP confirms that the payment portal has not been taken down for maintenance and that no such emails were sent to customers.
It takes several hours for your accounts payable department to sort through the issue, especially because the department head is having wisdom teeth extracted at the dentist. Your IT team doesn’t hear about a potential cyberattack until the early afternoon.
Day 7 (Afternoon): Facing Problems
Several of your employees start having issues accessing files in your data storage system. Your IT department also gets reports of network connectivity problems. Some features in your billing software stop working.
Shortly afterward, your IT department discovers that a large volume of customer data was downloaded from your cloud storage platform, including account numbers, credit card details, email addresses, and contact names. The originals have been deleted from company servers.
Day 8: Receiving Ransomware Demands
Employees arrive in the morning to computers that are on, but the company’s software doesn’t open. Instead, a ransom note demands a $10 million payment to restore access and return the stolen files.
Day 9 (Morning): Receiving Customer Complaints
Your customer service team is being inundated by angry calls from clients who can’t access their accounts or use your organization’s online services. The clients demand to withdraw all of their money from your institution immediately.
Key Questions During This Incident Response TTX
At each step, ask questions about your related policies and procedures, not just how well participants perform their roles. Here are some examples:
- Does your email gateway apply Zero Trust principles to attachments (scanning or sandboxing every file, and enforcing SPF, DKIM, and DMARC on inbound mail)?
- How often do you address training topics like email hygiene and phishing attacks? Do administrators have more frequent training?
- How do you manage vendor security?
- How often does your IT team review network activity and security logs?
- What alternative avenues do you have for critical services if your primary system/platform/software goes down? Would you need additional employees?
- What is your backup schedule for critical data? Do you have redundant storage locations?
Asking questions helps you find holes in your risk management processes and disaster response plans ahead of time. That way, you can develop practical solutions that prevent or mitigate the impact of cyberattacks.
Essential IR Tabletop Exercise Scenarios for Enterprises

When selecting incident response tabletop exercise scenarios, consider the unique circumstances of your organization and the common risks associated with your industry.
For example, healthcare organizations face a different set of cybersecurity, operational, and regulatory challenges than banks. Unsecured endpoint devices (e.g., smartphones and tablets) can be a major vulnerability for hospital networks.
Keep in mind that emergency incidents aren’t limited to cyberattacks. Depending on your operations, you should also prepare incident response tabletop exercises for physical threats, such as:
- Active shooters
- Bomb threats or vehicle-based attacks
- Building fires or chemical leaks
- Flooding, tornadoes, wildfires, and other extreme weather events
- Attacks on your power station infrastructure
Common risks to enterprises often involve human error, such as phishing attacks, software misconfigurations, missed security patches, weak passwords or missing MFA, and insider threats. A growing share of cyberattacks also target vendors and the software supply chain rather than the enterprise directly.
Use Incident Response Tabletop Exercises To Prepare for the Unexpected
Reactive cybersecurity is outdated and poorly equipped for today’s risk climate. You need to take a proactive approach with effective risk mitigation, real-time system monitoring, and event playbooks.
Incident response tabletop exercises make your team more flexible and strategic. Compyl’s intelligent automation, compliance tracking, and auditing tools further improve your ability to respond quickly to emergent threats. Request a demo and strengthen your cyber readiness today.