
Tabletop Exercise: Cyber Attack Playbook

Yaniv Bar-Dayan | Oct 3, 2017

Time is precious, but so is cybersecurity training.

So the Cyberbit incident response experts put together a series of three tabletop cybersecurity training exercises that are quick and easy to implement. If you’d like to go directly to the exercises, click below.

Tabletop Cyber Security Exercises:

Overview of How to Run Tabletop Cybersecurity Exercises
Cyber Breach Decision Making
Cyber Crisis Management 

Cyber Attack Playbook Exercise

Cybersecurity training plays an important role in preparing your SOC and incident response teams to follow playbooks effectively in the event of a breach. Cyber attack playbooks and procedures play a significant role in the modern SOC environment. SOC analysts and incident response teams respond to incidents by following the appropriate cyber attack playbook. They must know the playbooks by heart and, during a breach, be able to carry them out smoothly to reduce response time and make the right decisions under pressure. Yet once a SOC team encounters a real-life attack (ransomware, malware, DDoS, etc.) and the cyber attack playbook is put to the test, things often don’t play out as planned. One of the major reasons is that this is the first time the analyst has had a chance to actually implement the playbook. Playbook tabletop exercises give teams an opportunity to do a dry run through incident response playbooks and are a great tool for helping incident response teams become more acquainted with the different playbooks and their pitfalls.

Objective: Training and drills for one organic team (SOC or incident response) in any cyber-attack of choice.

Time: 1.5 hours

This exercise focuses on training and drilling one organic team, either SOC or incident response, in any cyber attack scenario of your choosing. The recommended time for this exercise is around 1.5 hours, and it is run in six stages.

At the beginning of the exercise, the trainees receive the entire SOC cyber attack playbook booklet and a laptop with an internet connection so they can conduct online research as needed. In each stage of the exercise, the training manager presents one to three alerts to be addressed by the team. Each alert should include enough detail to provide sufficient insight, but not so much that it bogs down the preparation process. We recommend that alerts come from different cybersecurity tools: firewalls, endpoint security, UEBA, DLP, or any other relevant tools. Alerts should contain the following fields: alert topic, severity, time, relevant IPs (source, destination, host), users involved, and up to two additional crucial data points needed for the response process.

Each stage should take around 15 minutes. The exercise manager begins by presenting the alerts related to that stage. As the exercise evolves, the team needs to identify the attack, the appropriate procedure, and the steps to be performed at every stage.

The exercise is followed by a debriefing stage, in which the training manager will present the scenario and its objectives, and will discuss the following questions:

  • Do the cyber attack playbook stages accommodate all different scenarios?
  • Are there any missing or irrelevant steps in the playbook?
  • Are there other teams or persons in the organization who should be included in the playbook?
  • What should we be aware of while following the playbook and what are the possible pitfalls we should avoid while executing it?
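The stage and alert rules above can be checked before the session rather than discovered during it. The following is an added example, not code from the original post: it encodes the post's constraints (six stages, one to three alerts per stage, the required alert fields, at most two extra data points, roughly 15 minutes per stage, alerts from more than one tool) as a small inject linter and produces a timed run sheet for the training manager. All alert values in `sample_scenario()` are constructed placeholders.

```python
"""Inject checker and run sheet for the six-stage playbook tabletop (added example,
not from the original post). Encodes the post's constraints: six stages, one to three
alerts per stage, required alert fields, at most two extra data points, ~15 min/stage."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STAGES, MIN_ALERTS, MAX_ALERTS, MAX_EXTRA, STAGE_MINUTES = 6, 1, 3, 2, 15
REQUIRED = ("topic", "severity", "time", "source_ip", "dest_ip", "host", "users")

@dataclass
class Alert:
    tool: str                                            # firewall, endpoint, UEBA, DLP, ...
    fields: dict[str, str]                               # the fields the post requires
    extra: dict[str, str] = field(default_factory=dict)  # up to two crucial data points

def validate(scenario: list[list[Alert]]) -> list[str]:
    """Return the problems found; an empty list means the scenario is ready to run."""
    problems, tools = [], set()
    if len(scenario) != STAGES:
        problems.append(f"expected {STAGES} stages, got {len(scenario)}")
    for n, alerts in enumerate(scenario, 1):
        if not MIN_ALERTS <= len(alerts) <= MAX_ALERTS:
            problems.append(f"stage {n}: {len(alerts)} alerts, need {MIN_ALERTS}-{MAX_ALERTS}")
        for a in alerts:
            tools.add(a.tool)
            name = a.fields.get("topic", "?")
            missing = [k for k in REQUIRED if not a.fields.get(k)]
            if missing:
                problems.append(f"stage {n}: alert '{name}' missing {missing}")
            if len(a.extra) > MAX_EXTRA:
                problems.append(f"stage {n}: alert '{name}' has {len(a.extra)} extra data points")
    if len(tools) < 2:
        problems.append("alerts should come from more than one security tool")
    return problems

def run_sheet(start: str, scenario: list[list[Alert]]) -> list[str]:
    """Timed agenda (start as 'HH:MM'): one line per stage, then the debriefing slot."""
    lines, t = [], datetime.strptime(start, "%H:%M")
    for n, alerts in enumerate(scenario, 1):
        lines.append(f"{t:%H:%M} stage {n}: " + ", ".join(a.fields["topic"] for a in alerts))
        t += timedelta(minutes=STAGE_MINUTES)
    lines.append(f"{t:%H:%M} debriefing: present the scenario and objectives, review gaps")
    return lines

def sample_scenario() -> list[list[Alert]]:
    """Constructed six-stage scenario with placeholder values, not real infrastructure."""
    base = {"severity": "high", "time": "09:00", "source_ip": "10.0.0.5",
            "dest_ip": "192.0.2.10", "host": "ws-01.example.test", "users": "jdoe"}
    topics = ["suspicious attachment", "malware on endpoint", "unusual outbound connection",
              "anomalous logon", "privileged account activity", "bulk transfer flagged by DLP"]
    tools = ["email gateway", "endpoint security", "firewall", "UEBA", "UEBA", "DLP"]
    return [[Alert(tl, {**base, "topic": tp})] for tp, tl in zip(topics, tools)]
```

Run `validate()` on your own scenario before printing the booklet; any non-empty result names the stage and alert that needs fixing.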

Post tabletop cyber attack playbook exercise

You took the time, conducted the training, and summarized everything in thorough notes during the session and in the debriefing stage. What’s next? In the few days after completing the tabletop cybersecurity training exercise, write up a full cyber security training summary, including the scenario, goals, outcome and lessons learned. The summary will allow you to benchmark the data against future trainings and distil the next concrete steps to take. Next, ask yourself what can be improved in two areas: people skills and procedures. Based on that, make executive decisions such as scheduling skill workshops for team members and improving playbooks and procedures.

Lastly, don’t stop there. If you find tabletop cybersecurity training beneficial for your incident response team, consider investing in simulation training to improve the technical and operational skills of both individuals and the team as a whole.

Additional Tabletop Cyber Security Exercises:

Overview of How to Run Tabletop Cybersecurity Exercises
Cyber Breach Decision Making
Cyber Crisis Management


Learn more with our Cyber Security Simulation Training Guide.