Using Tabletops and Simulations to Build Better Incident Responders

Author: Todd Harper, Manager of Incident Response
Date Published: 15 May 2023

Editor’s note: The following is a sponsored blog post from Adobe.

Incident responders at Adobe are the front-line defenders working to investigate and respond to events or incidents that can lead to loss of or disruption to operations and services. Although our responders are geographically dispersed, they work in concert, with the sole intent of identifying and mitigating threats to and attacks against our network and systems. Given that cybersecurity incidents have the potential to cause irrevocable damage, our responders implement strategic planning processes and conduct advance preparedness training to minimize the impact of all kinds of security incidents.

At Adobe, we require different styles of training for our incident response (IR) team, keeping our responders’ skills fresh and helping them maintain a level of excellence. In this post, we’ll discuss a unique style of training: tabletop and incident-simulation exercises.

What is a Tabletop Exercise?

Traditionally, tabletop exercises are scenario- or discussion-based exercises designed to test a company’s incident response plans, processes and team members. Routine testing is essential to highlight gaps before incident responders are thrust into the heat of an incident. For instance, tabletops can help identify and establish cross-functional relationships with key stakeholders, flesh out roles and responsibilities within the IR team and validate call trees and other processes.

Tabletops should be rooted in real-world scenarios that are directly applicable to your particular organization. If you have trouble coming up with a scenario, turn to any of the (unfortunately) plentiful number of security breaches in the news and ask, “How would we handle that?”

Tabletops should also have clear evaluation objectives. Tabletops run only to “check a box” generally lack clear objectives. Well-defined objectives provide clear focus for the test as well as the metric by which the exercise is evaluated.

What are the Different Types of Tabletop Training?

At Adobe, we not only use the traditional long-form discussion tabletop, but we also expand on the idea of tabletops by including quick, rapid-fire scenarios as well as full incident simulations.

Long-Form Discussions: The traditional form of tabletop exercise typically takes about 60 to 90 minutes to complete. Long-form discussions require the development of clear objectives that define the specific testbed. Participants receive a prepared scenario and work through decisions and tasks by simulating a real security-related event. Throughout the exercise, a facilitator provides input to direct the discussion flow. Observers note the strengths and weaknesses of each participant’s decisions, evaluate group interactions and recommend areas for improvement. Following the tabletop, participants provide feedback and evaluate the exercise based on the stated objectives. The facilitator then summarizes all observations, provides comments and develops action items based on areas of improvement.

Rapid-fire Scenarios: In contrast to long-form discussions, rapid-fire scenarios are extremely high level and meant to be understood and discussed easily and quickly. Rapid-fire scenarios generally take no more than five minutes, provide adequate time to review multiple scenarios, and allow multiple individuals to act in the role of an incident responder. Optimally, rapid-fire scenarios comprise a one-hour test that includes four to five individuals, including a mix of junior-, mid- and senior-level team members with various backgrounds and experiences. Conducting tests using rapid-fire scenarios allows for freer discussion and greater opportunity for junior team members to learn from more experienced mid-level and senior team members.

Incident Simulations: Complementary to other exercises, incident simulations emulate the actions of a live attacker. While actual simulations can vary in size and scope depending on the test’s specific objectives, they are highly effective at pushing the limits of end-to-end processes and procedures, such as detection and triage, escalation, incident handling, and forensic analysis. Simulations are also well-suited for teaching responders about the different environments within your company. Ideally, incident simulations involve real servers in your development — but never production — environment, which allows you to work with real-world data that would be present during a real incident.

Simulations can answer questions such as:

  • Do you have the data that you think you have?
  • Are your detection rules really working?
  • Can you acquire the forensic images needed for analysis?

It’s better to know the answers to these types of questions before you’re in the middle of a real, high-stakes incident.
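As an added illustration of the first two questions (example code, not Adobe’s tooling), the following Python harness replays constructed simulation telemetry through hypothetical detection rules and reports which rules fired, which saw data but missed it, and which expected telemetry sources sent nothing at all:

```python
"""Detection-coverage check run over simulation telemetry.
Added example, not Adobe's tooling; rules, sources and events are constructed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # telemetry source the rule depends on
    pattern: str         # regex applied to each event message
    threshold: int = 1   # matches needed before the rule fires

# Hypothetical rules and the telemetry sources the team believes it collects.
EXPECTED_SOURCES = {"auth", "endpoint", "proxy"}
RULES = [
    Rule("ssh_brute_force", "auth", r"Failed password for \S+ from \S+", threshold=3),
    Rule("new_local_admin", "endpoint", r"EventID=4720\b"),
    Rule("proxy_new_domain", "proxy", r"first_seen=true"),
]

# Constructed telemetry from a dev-environment simulation: (source, message).
# The simulated activity covered every rule; the proxy collector sent nothing.
SIM_EVENTS = [
    ("auth", "Failed password for root from 10.0.0.5 port 22 ssh2"),
    ("auth", "Failed password for root from 10.0.0.5 port 22 ssh2"),
    ("auth", "Failed password for admin from 10.0.0.5 port 22 ssh2"),
    ("endpoint", "event_id=4720 user=svc-backup by=alice"),  # field name differs from rule
]

def run_simulation(events, rules, expected_sources):
    """Classify each rule as fired, a rule gap (data arrived but the rule missed it)
    or a data gap (its source sent nothing), and list expected sources with no data."""
    seen = {src for src, _ in events}
    hits = {r.name: 0 for r in rules}
    for src, msg in events:
        for r in rules:
            if r.source == src and re.search(r.pattern, msg):
                hits[r.name] += 1
    report = {"fired": [], "rule_gaps": [], "data_gaps": []}
    for r in rules:
        if hits[r.name] >= r.threshold:
            report["fired"].append(r.name)
        elif r.source in seen:
            report["rule_gaps"].append(r.name)
        else:
            report["data_gaps"].append(r.name)
    report["missing_sources"] = sorted(expected_sources - seen)
    return report

if __name__ == "__main__":
    print(run_simulation(SIM_EVENTS, RULES, EXPECTED_SOURCES))
```

A rule gap points at the rule logic (here a field-name mismatch between the rule and the collector’s format), while a data gap points at collection, which is exactly the distinction a simulation surfaces before a real incident does.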

The Benefit of Incident Simulations

At Adobe, we’ve found that incident simulations are a great way to find gaps in our monitoring and detection processes, improve important IR processes and skills, and learn more about our diverse environments. Simulations also give our IR staff experience with both offensive and defensive security techniques, and emulating the actions of an attacker helps us better understand what artifacts are available to catch the bad actors. Not only has this insight increased our technical skillset, but it has also helped us identify gaps in our analysis capabilities. In turn, we’ve used simulations to test new toolsets we’ve developed to address those gaps. At the end of the day, simulations have been extremely valuable for our incident response team and continue to help us keep our infrastructure — and our customers’ data — secure.