Cybersecurity training plays an important role in preparing your SOC and incident response teams to effectively follow playbooks in the event of a breach. But what happens when nightmare scenarios occur? This cyber breach decision making tabletop exercise puts your security team to the test by challenging them with multiple, simultaneous breaches that will force them to make tough decisions fast.

This post is the second of three tabletop cyber security exercises put together by the Cyberbit incident response experts. If you’d like to go directly to the other exercises, click the desired link below.

Tabletop Cyber Security Exercises:

Overview of How to Run Tabletop Cybersecurity Exercises
Cyber Attack Playbook
Cyber Crisis Management

Cyber Breach Decision Making

Objective: examine, practice and improve how decisions are made during a cyber breach, especially regarding prioritization of alerts and actions

Time: 2 hours

What happens when your enterprise is attacked on several fronts by the same adversary or several adversaries simultaneously? How can you tell which incident to address first, and what would be the impact of your prioritization decision? Our experience at Cyberbit is that in crisis times, most incident response and SOC teams work according to “first in, first served” without investing a lot of thought in prioritization and business impact. Decision making tabletop exercises are a great tool to examine and challenge decision-making processes and provide the team with tools to assess and evaluate how they prioritize incoming alerts to make sure the alerts that pose the greatest threat to business operations are addressed quickly.

This exercise focuses on training one organic team, either SOC or incident response, in a multiple cyber-attack scenario of your choosing. The recommended time for this exercise is around 2 hours and happens in seven stages.

At the beginning of the exercise, the trainees are debriefed about the organization. In each stage of the exercise, the training manager presents two to three alerts to be addressed by the team. Like the first exercise we’ve presented in this article, alerts should present a fair amount of details and come from different cybersecurity tools. Yet, unlike the first tabletop exercise, in this one, you will be simulating two competing attack scenarios, which force decision makers to allocate and prioritize resources. Examples of competing scenarios are Large-scale digital fraud attempt during a ransomware attack, web defacement during a wide DDoS attack, and Trojan-based data leakages from multiple hosts in the network.

Every 15 minutes, the exercise manager presents a group of alerts related to the stage. As the exercise evolves the team needs to identify the different attacks and start allocating resources to remediate each of them. Make sure that you deliver the alerts and in an escalated manner together, forcing the team to make hard decisions regarding their focus. Also, arrange at least two “executive interruptions”, during which you will act as an executive who demands answers regarding the attack containment status, forcing the team to divert efforts to side tasks.

Post-Exercise Debrief: Cyber Breach Decision Making

The cyber breach decision-making exercise is followed up by a debriefing stage, in which the training manager will present the scenario and its objectives, and will discuss the following questions:

  • What drove the decision-making process? Which parameters were used to make the decision?
  • How can we avoid prioritization mistakes in the future? What procedures do we need to change/define?

Additional Tabletop Cyber Security Training Exercises

Overview of How to Run Tabletop Cybersecurity Exercises
Cyber Attack Playbook
Cyber Crisis Management

To learn more about creating the framework for training your SOC team, download the free white paper: The Ultimate Cyber Training Framework


See a Cyber Range Training Session in Action