As a Secureworks® incident responder and a volunteer firefighter, the author has a unique perspective on incident response. This blog series highlights overlaps between cybersecurity tabletop exercises and firefighter training to prepare for emergency situations.
It’s 2:00 AM on Friday, and your phone rings. When you’re a firefighter or an on-call cybersecurity professional (or both), you immediately assume that there’s an emergency you need to handle. In an emergency, a timely and effective response is critical. For both types of first responders, scenario-based training is one of the best ways to prepare for these situations. This training is often conducted via “tabletop” exercises that simulate real-world incidents. These exercises are planned by a training officer and are customized to a specific audience.
The training officer holds an integral role in a fire department: planning, preparing, and conducting training exercises. Clarifying roles, regularly practicing skills and procedures, and building trust across the team can save lives. Organizations should also identify a training officer who plans and prepares tabletop exercises and other training activities. This individual ideally understands all aspects of the organization, from business operations to technical IT functions. As with firefighting, failing to respond appropriately to a cybersecurity incident can have serious consequences. Secureworks® incident responders recommend that organizations conduct tabletop exercises on a quarterly basis.
Part of the training officer’s responsibility is to develop an optimal scenario for the intended audience and prepare the content for the exercise. Tailoring the exercise to a target audience ensures that the training is educational and applicable. The training officer might consult with third-party vendors or handle all aspects of development. In a fire department, the training officer often collaborates with other agencies, including other fire departments, emergency medical services (EMS), and the police. Regardless of who develops the exercise, the training officer should be the only individual within the organization who knows the scenario.
Secureworks incident responders regularly conduct tabletop exercises for organizations and typically focus on four types:
- Executive exercises are tailored to executives or managers within the organization (e.g., CEO, CIO, Executive Director). They often cover the following types of business-level decisions:
  - What regulatory notifications do we need?
  - Do we have a ransomware policy?
  - Should we pay the ransom?
  - Should we disconnect from the internet?
  - How does this incident affect our brand?
  - Do we have the right staff to handle an incident of this magnitude?
- Technical exercises focus on technical staff, which typically includes IT and security personnel who already have an assigned responsibility during an incident. These scenarios should determine how the Cybersecurity Incident Response Team (CIRT) will respond during a similar real-world incident.
- Cross-functional exercises address business and technical decisions that must be made during an incident. The audience includes the technical staff and business functions such as HR, finance, legal, and communications.
- Functional exercises provide the technical staff with hands-on responsibility. Participants may be asked to perform specific actions such as isolating a system or extracting a disk image from a workstation or server.
After determining the appropriate audience, the training officer develops content and then conducts the exercise.