As security practitioners, we have the seemingly impossible task of defending an ever-changing environment. It seems like every time we get close to compliance, new vulnerabilities and threat vectors are discovered. So, we continually practice and plan, knowing that we have to be right all the time, whereas the bad guys just need to be right once. This is why proactive security practices play such a vital role in an organization’s security posture.

At Cisco Security Incident Response Services, we offer a variety of proactive services to our customers. These proactive services are a way for our customers to improve and test their organization’s security in a controlled and safe environment. This helps our customers by preparing them for an incident before it breaks out, identifying gaps and weaknesses that they may have in their environment or policies. These services also help build a relationship between our consultants and the customer team, giving both parties a better understanding of the environment and its capabilities before it’s needed.

Among these offerings, the one we would like to talk about in this blog entry is Tabletop Exercises (TTX) and a new way to deliver them. Tabletop exercises are a method of testing our customer team’s incident response (IR) preparedness through a simulated event. They come in many forms with a scenario presented via slides being the most common format. Since these exercises are meant to test our customer organization’s IR plan and team, slides have shown themselves to be an effective way of maintaining focus on a presented scenario while giving room for dialogue.

Driving More Engagement in Tabletop Exercises

Despite their many benefits, the execution of tabletop exercises can be a dry ordeal. Depending on the audience, tabletop exercises can have an awkward pause or two while we wait for a response. Add in the sometimes-droning discussion over policy, procedures and appliance capability, and we find that words like riveting, exciting, or fun are seldom used. This can cause some team members to ignore parts of the exercise and disengage completely, leading them to miss or forget the lessons learned.

For a while this was accepted as an inherent cost of doing business (after all, the importance of testing your organization’s IR plan and team far outweighed the boredom associated with death by PowerPoint), that is, until we came across the blog entry “Dungeons & Dragons, Meet Cubicles and Compromises” by John Strand of Black Hills Information Security. The blog entry discusses a new method of performing tabletop exercises in which the scenario is presented and performed in a more dynamic, game-like format à la Dungeons & Dragons.

We liked what we saw and decided to run with it. The key to this format was that it injected some much-needed levity into tabletop exercises. The idea was that by making the experience more dynamic and immersive, customer participation would improve. This should in turn help the exercise become more memorable and effective. The participants have more fun, and the organization is more likely to become more secure. It sounded like a win-win.

Implementing the idea was easy, as Strand’s blog entry provided more than enough directions and an example. A 20-sided die is used to determine success, with 1-10 being unsuccessful and 11-20 being successful. Add some modifiers based on policy and plans, and we’re playing ball… or dice… in this case.

We added some ideas of our own to align the format with our methodology and we really felt like we had something. By having the modifiers be based on the tools and processes involved with that particular incident response step (our scenarios are based on the NIST Incident Response Life Cycle), we emphasize the different considerations for each step. For example, in the detection step we would give points to the client depending on their solution, documentation and training (see example slide). In some steps we made it possible to fail regardless of how well prepared the environment was to reflect zero days and new attack vectors (i.e., since a +10 would be an instant success, we would max it at +7). The addition of these customer-based modifiers made the exercise more immersive and helped drive home the importance of preparedness.

Inspired by the “choose your own adventure” books we read as kids, we added branching decision paths to reflect how a failure at one step of the incident response process will have consequences in the following steps. Better tools and processes will increase the chances of a success, which in turn leads to a smoother incident response; poor tools and processes increase the chances of a failure, meaning there would be “bumps” in the road. These bumps ranged from the loss of team members (pulled by upper management, legal, etc.), to a failed containment resulting in reinfection, and more. Branching was easy to implement: we created “buttons” by having the box around “success” and “failure” jump to different slides. After a bit of testing, tinkering, and some dry runs, we had a working version!
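The roll, modifier cap and failure branches described above can be worked through exactly, which shows how much a capped modifier still leaves to chance across several steps. This is an added example, not Cisco's or Strand's material; the step names, point values and bump wording are constructed assumptions.

```python
from fractions import Fraction

SUCCESS_AT = 11    # from the post: 1-10 unsuccessful, 11-20 successful
MODIFIER_CAP = 7   # from the post: +10 would be an instant success, so max at +7

# Constructed scenario: step names, point values and bump text are assumptions.
SCENARIO = [
    ("detection",   {"solution": 3, "documentation": 2, "training": 1},
     "late detection: team members pulled by upper management"),
    ("containment", {"solution": 4, "documentation": 3, "training": 2},
     "failed containment: reinfection"),
    ("recovery",    {"solution": 1, "documentation": 0, "training": 1},
     "recovery stalls"),
]

def modifier(points):
    """Sum the preparedness points for one step and apply the cap."""
    return min(sum(points.values()), MODIFIER_CAP)

def success_probability(mod):
    """Exact chance that a d20 roll plus the modifier reaches 11."""
    wins = sum(1 for roll in range(1, 21) if roll + mod >= SUCCESS_AT)
    return Fraction(wins, 20)

def clean_run_probability(scenario):
    """Chance that every step succeeds, i.e. the team hits no bumps."""
    p = Fraction(1)
    for _, points, _ in scenario:
        p *= success_probability(modifier(points))
    return p

def play(scenario, rolls):
    """Follow the branches for a fixed list of rolls, one roll per step."""
    path = []
    for (step, points, bump), roll in zip(scenario, rolls):
        ok = roll + modifier(points) >= SUCCESS_AT
        path.append((step, "success" if ok else "failure", None if ok else bump))
    return path

if __name__ == "__main__":
    for step, points, _ in SCENARIO:
        m = modifier(points)
        print(f"{step:12} +{m}  P(success) = {float(success_probability(m)):.2f}")
    print("P(no bumps) =", float(clean_run_probability(SCENARIO)))
    for row in play(SCENARIO, rolls=[5, 3, 12]):
        print(row)
```

Even at the +7 cap a step still fails on a roll of 1 to 3, so a well-prepared team keeps a 15% chance of a bump at that step.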

Something we should note is that this is not a replacement for the traditional tabletop exercise format. The traditional format still has its strengths and uses. This game-based format is simply another method of delivery for what we believe to be a vital process.

Our Cisco Incident Response Services team delivered the new format to some customers and it was well received. The level of participation from the customers was higher than usual and (we believe) the exercise as a whole was more memorable. We are still testing the format and we will continue to give customers the option of using the traditional slideshow format (the traditional format being more suited for some situations). So, the next time you’re considering testing your security team and plan out, why not give us a call? Even though this tabletop format uses dice, we never take a chance on security.





Paul Lee

Cisco Incident Response Consultant