As security practitioners, we have the seemingly impossible task of defending an ever-changing environment. It seems like every time we get close to compliance, new vulnerabilities and threat vectors are discovered. So, we continually practice and plan, knowing that we have to be right all the time, whereas the bad guys just need to be right once. This is why proactive security practices play such a vital role in an organization's security posture.
At Cisco Security Incident Response Services, we offer a variety of proactive services to our customers. These proactive services are a way for our customers to improve and test their organization's security in a controlled and safe environment. This helps our customers by preparing them for an incident before it breaks out, identifying gaps and weaknesses that they may have in their environment or policies. These services also help build a relationship between our consultants and the customer team, giving both parties a better understanding of the environment and its capabilities before it's needed.
Among these offerings, the one we would like to talk about in this blog entry is Tabletop Exercises (TTX) and a new way to deliver them. Tabletop exercises are a method of testing our customer team's incident response (IR) preparedness through a simulated event. They come in many forms with a scenario presented via slides being the most common format. Since these exercises are meant to test our customer organization's IR plan and team, slides have shown themselves to be an effective way of maintaining focus on a presented scenario while giving room for dialogue.
Despite their many benefits, the execution of tabletop exercises can be a dry ordeal. Depending on the audience, tabletop exercises can have an awkward pause or two while we wait for a response. Add in the sometimes-droning discussion over policy, procedures and appliance capability and we find the words like "riveting", "exciting", or "fun" are seldom used. This can cause some team members to ignore parts of the exercise and disengage completely, leading them to miss or forget the lessons learned.
For a while this was accepted as an inherent cost of doing business (after all, the importance of testing your organization's IR plan and team far outweighed the boredom associated with death by PowerPoint), that is until we came across the blog entry "Dungeons & Dragons, Meet Cubicles and Compromises" by John Strand of Black Hills Information Security. The blog entry discusses a new method of performing tabletop exercises in which the scenario is presented and performed in a more dynamic, game-like format.