Using Tabletops and Simulations to Build Better Incident Responders
Author: Todd Harper, Manager — Incident Response Team

Incident responders at Adobe are the front-line defenders working to investigate and respond to events or incidents that can lead to loss of or disruption to Adobe operations and services. Although Adobe responders are geographically dispersed, they work in concert, with the sole intent of identifying and mitigating threats to and attacks against our network and systems. Because cybersecurity incidents have the potential to cause irrevocable damage, our responders implement strategic planning processes and conduct advance preparedness training to minimize the impact of security incidents. In an earlier post, we talked about the different types of training Adobe requires for its incident response (IR) team. As a quick refresher, we detailed how each style of training keeps responders’ skills fresh, as well as helps maintain the level of excellence Adobe is known for in the industry. In this post, we’ll discuss another style of training: tabletop and incident-simulation exercises.
What is a Tabletop Exercise?
Traditionally, tabletop exercises are scenario- or discussion-based exercises designed to test a company’s incident response plans, processes, and team members. Routine testing is essential to highlight gaps before incident responders are thrust into the heat of an incident. For instance, tabletops can help identify and establish cross-functional relationships with key stakeholders, flesh out roles and responsibilities within the IR team, and validate call trees and other processes.
Tabletops should be rooted in real-world scenarios that are directly applicable to your particular organization. If you have trouble coming up with a scenario, turn to any of the (unfortunately) plentiful number of security breaches in the news and ask, “How would we handle that?”
Tabletops should also have clear evaluation objectives. Tabletops that only require you to “check a box” generally do not produce clear objectives. Well-defined objectives provide clear focus for the test as well as the metric by which the exercise is evaluated.
What are the Different Types of Tabletop Training?
At Adobe, we not only use the traditional long-form discussion tabletop, but we also expand on the idea of tabletops by including quick, rapid-fire scenarios as well as full incident simulations.
Long-Form Discussions: The traditional form of tabletop exercise, a long-form discussion typically takes 60 to 90 minutes to complete and requires the development of clear objectives that define the specific testbed. Participants receive a prepared scenario and work through decisions and tasks by simulating a real security-related event. Throughout the exercise, a facilitator provides input to direct the discussion flow. Observers note the strengths and weaknesses of each participant’s decisions, evaluate group interactions, and recommend areas for improvement. Following the tabletop, participants provide feedback and evaluate the exercise based on the stated objectives. The facilitator then summarizes all observations, provides comments, and develops action items based on areas of improvement.
Rapid-fire Scenarios: In contrast to long-form discussions, rapid-fire scenarios are extremely high level and meant to be understood and discussed easily and quickly. Rapid-fire scenarios generally take no more than five minutes, provide adequate time to review multiple scenarios, and allow multiple individuals to act in the role of an incident responder. Optimally, rapid-fire scenarios comprise a one-hour test that includes four to five individuals, including a mix of junior-, mid- and senior-level team members with various backgrounds and experiences. Conducting tests using rapid-fire scenarios allows for freer discussion and greater opportunity for junior team members to learn from more experienced mid-level and senior team members.
Incident Simulations: Complementary to other exercises, incident simulations emulate the actions of a live attacker. While actual simulations can vary in size and scope depending on the test’s specific objectives, they are highly effective at pushing the limits of end-to-end processes and procedures, such as detection and triage, escalation, incident handling, and forensic analysis. Simulations are also well-suited for teaching responders about the different environments within your company. Ideally, incident simulations involve real servers in your development — but never production — environment, which allows you to work with real-world data that would be present during a real incident.
Simulations can answer questions such as:
- Do you have the data that you think you have?
- Are your detection rules really working?
- Can you acquire the forensic images needed for analysis?
It’s better to know the answers to these types of questions before you’re in the middle of a real, high-stakes incident.
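The first two of those questions can be answered mechanically by replaying the telemetry a simulation produces through your detection rules and comparing what fired against what the scenario should have triggered. The script below is an added example, not Adobe tooling or anything from the original post: it uses constructed sample events (invented hostnames, users and IPs), three small hypothetical rules, and an `EXPECTED_SOURCES` set chosen for illustration. The sample scenario deliberately omits the `dns` feed and any `service_installed` event, so the report surfaces both a missing data source and a rule that stayed silent.

```python
"""Detection-rule regression check for an incident simulation (added example).

Replays constructed telemetry from a simulated intrusion through a small rule
set and reports which expected log sources never appeared and which rules did
not fire. Rules, field names and sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _auth(ts, host, user, action, ip):
    return {"ts": ts, "source": "auth", "host": host, "user": user,
            "action": action, "src_ip": ip}


# Constructed sample events standing in for what a simulation would generate:
# six failed logins in about a minute, a success, then the same account being
# added to Administrators on the same host. No DNS telemetry and no
# service-install event arrive, even though the scenario script did both.
SAMPLE_EVENTS = [
    _auth(f"2024-01-10T09:00:{s:02d}", "web-01", "svc_build", "login_failed", "10.9.8.7")
    for s in (0, 12, 25, 37, 48, 59)
] + [
    _auth("2024-01-10T09:02:30", "web-01", "svc_build", "login_success", "10.9.8.7"),
    {"ts": "2024-01-10T09:03:10", "source": "edr", "host": "web-01",
     "user": "svc_build", "action": "group_member_added", "group": "Administrators"},
    _auth("2024-01-10T09:30:00", "db-02", "alice", "login_success", "10.1.1.5"),
]

# Feeds the simulation plan says must be visible in the SIEM (assumed list).
EXPECTED_SOURCES = {"auth", "edr", "dns"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def coverage_gaps(events, expected_sources):
    """'Do you have the data you think you have?': sources that never showed up."""
    return sorted(expected_sources - {e["source"] for e in events})


def rule_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """At least `threshold` failed logins for one (src_ip, user) inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e["action"] == "login_failed":
            fails[(e["src_ip"], e["user"])].append(parse_ts(e["ts"]))
    alerts = []
    for (src_ip, user), times in fails.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "brute_force", "src_ip": src_ip,
                           "user": user, "count": best})
    return alerts


def rule_privilege_escalation(events, window=timedelta(minutes=10)):
    """Successful login followed within `window` by the same account joining
    Administrators on the same host."""
    logins = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e["action"] == "login_success":
            logins[(e["host"], e["user"])].append(parse_ts(e["ts"]))
    alerts = []
    for e in events:
        if (e["source"] == "edr" and e["action"] == "group_member_added"
                and e.get("group") == "Administrators"):
            t = parse_ts(e["ts"])
            if any(timedelta(0) <= t - l <= window
                   for l in logins[(e["host"], e["user"])]):
                alerts.append({"rule": "privilege_escalation", "host": e["host"],
                               "user": e["user"], "ts": e["ts"]})
    return alerts


def rule_service_install(events):
    """New service registered via EDR telemetry (a common persistence artifact)."""
    return [{"rule": "service_install", "host": e["host"], "ts": e["ts"]}
            for e in events
            if e["source"] == "edr" and e["action"] == "service_installed"]


RULES = {"brute_force": rule_brute_force,
         "privilege_escalation": rule_privilege_escalation,
         "service_install": rule_service_install}


def run_simulation_check(events=SAMPLE_EVENTS, expected_sources=EXPECTED_SOURCES):
    """Summarise data coverage and rule behaviour for one simulation run."""
    alerts = [a for rule in RULES.values() for a in rule(events)]
    fired = {a["rule"] for a in alerts}
    return {"missing_sources": coverage_gaps(events, expected_sources),
            "rules_fired": sorted(fired),
            "rules_silent": sorted(set(RULES) - fired),
            "alerts": alerts}


if __name__ == "__main__":
    for key, value in run_simulation_check().items():
        print(f"{key}: {value}")
```

A silent rule is the interesting finding: either the scenario did not actually produce the artifact, or the feed dropped it, and either answer is worth knowing before a real incident. Running the same check after each simulation turns the questions above into a regression suite for the detection stack.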
Benefits of Incident Simulations
At Adobe, we’ve found that incident simulations are a great way to find gaps in our monitoring and detection processes, improve IR processes and skills, and learn more about our diverse environments. Simulations also give our IR staff experience with both offensive and defensive security techniques, and emulating the actions of an attacker helps us better understand what artifacts are available to catch the bad actors. Not only has this insight increased our technical skillset, it has also helped us identify gaps in our analysis capabilities. In turn, we’ve used simulations to test new toolsets we’ve developed to address those gaps. At the end of the day, simulations are extremely valuable for the Adobe incident response team and help us keep our infrastructure — and our customers’ data — secure.