1. Introduction
When dealing with incidents, crises, or disasters, one of the most imperative steps in the plan is to be properly prepared. Preparation plays a major part in incident handling, as it enables organizations to make decisions more efficiently in the heat of the moment during an attack, which leads to quicker recovery and minimizes impact and costs. It is also key for incident handlers to be able to act confidently and reduce the risk of making mistakes when carrying out their work throughout an incident.
One way to prepare for an incident and evaluate the documentation, processes and preparedness of the client’s participants is to carry out a Table-Top exercise with the goal of working through the scenario, with an open discussion in a collaborative low-stress environment.
The purpose of the exercise is to develop incident response capabilities. After the Table-Top exercise, the participants will have gained an understanding of their strengths and weaknesses in handling an incident properly, and will be able to update their documentation, revise their processes and train their personnel to enhance their incident response capabilities.
2. Table-Top Exercise
2.1 Visual Overview
2.2 Objectives
The exercise is conducted with the goal of improving client incident response readiness by evaluating processes, routines and documentation.
At a high level, the objective is achieved by having the client’s participants test the incident response process in a “safe” environment without stress, and by delivering a detailed report which highlights points of improvement in the process.
Aim to have an answer to questions such as:
- Are there pre-defined roles and responsibilities and is the coverage sufficient for the incident scenario?
- Did the staff assigned to the roles have all permissions and privileges to handle the incident in a satisfactory fashion?
- Are the points of escalation and contacts documented and defined?
- When should hosts on a network be isolated?
2.3 Plan & Prepare
NTT will set up an initial meeting with the client to decide on suitable exercise scenarios based on the client’s wishes and NTT experts’ 20+ years of Threat Intelligence experience. The goal is to have a scenario tailored to be relevant to the client’s environment and needs, while revolving around handling incidents such as:
- Threat actors’ intrusions to deploy ransomware or steal intellectual property
- Nation-state attacks
- Insider threats
- Successful phishing attempts
- A user executing malware on a corporate device
Technical emphasis can be put on specific areas, for example:
- Workstations
- Domain controllers
- Email servers
- ICS/OT
- Office 365
- Cloud infrastructure
After the scoping call, NTT will produce the material necessary for the scenario walkthrough.
2.4 Exercise Session
The Table-Top exercise is designed to fundamentally test the processes and routines that together are the basis for the incident response capability.
NTT experts will lead the client’s participants through the scenario and enable conversations that identify potential gaps in processes and documentation, helping participants understand their respective strengths and weaknesses in the context of incident response. Taking the incident step by step, our consultant will walk you through the events as they unfold depending on your own incident response actions and detection capabilities.
The client’s participants will get time to discuss amongst themselves, without NTT interaction, to find the course of action they would genuinely take if this were happening outside of a simulation. While the scenario takes place, NTT experts will document and map out the decision making, points of escalation and threat hunting processes of the client’s participants.
2.5 Report
The report covers the scenario setup and walkthrough in detail, to bring visibility to the incident response process in action during the specific engagement scenario, complete with an incident response checklist.
NTT personnel analyze the events, processes and decisions with their expertise, resulting in actionable points of improvement for the process and routines.
Moreover, the incident response capability and process in the scenarios are compared to established industry frameworks that are relevant for the scenario, for example NIST 800-61 or MITRE ATT&CK, providing a benchmark against global industry standards.
The report can also be used to have a detailed look into how the process and routine of incident response can play out in a real-world scenario.
2.6 Scope information & Requirements
2.6.1 Requirements
NTT will require participants in the scenario session who own relevant functions within the incident response process. Moreover, the participants will have the mandate to help choose relevant scenarios for the client’s purposes.
NTT will require an overview of the IT environment, e.g., what OS is running on endpoints and servers, the geographical split of sites, high value assets, the documented incident response process routine and relevant documentation, and lastly, the currently known pain points that you wish to address and improve.
2.6.2 Scope Information
A standard Table-Top exercise is a fixed-fee engagement that will not exceed 80 hours. The estimated distribution of effort for each step of the engagement is as follows:
Activity | Estimation (days) |
---|---|
Preparations ahead of Tabletop | Six (6) |
Tabletop exercise | One (1) |
Produce a single (1) deliverable report at the completion of the engagement | Three (3) |
Total | Ten (10) |
For clients that require a Table-Top exercise that goes beyond the standard scope of service (e.g. extensive custom scenario use-cases, groups of participants, longer expected duration), a custom engagement can be scoped by the NTT team to accommodate as required.
Table-Top exercises are delivered remotely during business hours, Central European Time (CET).