Security DDTTX
Intro to Tabletop Exercises
Amanda Berlin & Jeremy Mio
CyberSecurity Conference Training, llc
Agenda
❖ Intro into TTX
❖ Playbooks
❖ Combining Playbooks into TTX
❖ Overview of Defensive and Detection TTX
❖ Webcast Loot!
Overview of a Tabletop Exercise [TTX]
❖ Overview of the concept
❖ Goals and Objectives
❖ Importance of an After Action Report [AAR]
❖ 15-min TTX
15-min TTX - Instructions and Example
❖ Break the scenario into meaningful learning points
❖ Read it loud and clear for all to hear! 🎅
❖ Have a discussion page to facilitate a conversation on main IR talking points:
➢ Identification and Detection
➢ Containment and mitigation
➢ Preventative and Communication
The objective is to have a productive and engaging discussion and to identify gaps so that organizational resources and tasks can be prioritized.
DO:
★ Designate a single individual to facilitate
★ Be sure to include applicable members of other business units
★ Keep track via discussion guide
DON’T:
★ Stray from scope of the exercise aka scope creep
★ Forget to complete AAR and follow up
★ Be THAT Person
TTX Scenario
Malware containing a backdoor is discovered on the surveillance cameras used in sensitive locations, including the conference room used by senior executives. It was determined that the cameras were active during several meetings, including one with team managers during contract negotiations.
How do you respond?
TTX Scenario Discussion
➔ How would you find out the capabilities of the malware?
➔ How could you identify all potentially compromised cameras?
◆ Are they inventoried?
➔ How would you find and fix the vulnerabilities exploited?
➔ Are you able to find out if these devices were patched regularly?
➔ How would you disclose this incident to the impacted parties?
➔ What steps would you take to prevent this from happening again?
NIST Functions:
❏ PR.PT-4: Communications and control networks are protected
❏ DE.AE-2: Detected events are analyzed to understand attack targets and methods
❏ DE.DP-4: Event detection information is communicated to appropriate parties
TTX Scenario - After Action Report [AAR]
Refer to the example AAR
❖ Record who was involved
❖ Sometimes observers are the best - ease business units in with time
❖ ALWAYS document major strengths! It will be depressing if you do not!
❖ Make sure to accurately identify BOTH short term and long term recommendations AND KEEP TRACK.
❖ Always have a sign off of upper management or managers of various teams - higher the better!
Overview of Playbooks for Incident Response
❖ Overview of the concept of Playbooks
❖ Review the example playbook
❖ Overview of playbook structures
Why Playbooks?
Playbook Overview
Example Playbook Structure
● Objective Statement
○ Example: This playbook provides instructions for handling end-user reported phishing campaigns against <company name> employees. The goal is to prevent the introduction of "hackers" into the company infrastructure, which may lead to data theft and reputation loss.
● Scope and Applicability
○ Example: Phishing emails against <Company> employees
● Methodology and Procedures 🥩🥔
● Reporting
Procedures
Handling Employee Phishing Reports
● Additional Investigation steps
○ Step 1: Obtain & Search for IoCs
○ Step 2: Is it a Campaign?
● Response Procedures:
○ Alerting Employees
○ Flagging “Bad” Emails
○ Removing Emails from User Inboxes
○ Sinkholing DNS
○ Blocking Download URL
○ Report Malware
○ Threat Hunt queries
● Final Steps
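An added example, not part of the original deck or its playbook templates, of how the additional investigation steps (obtain and search for IoCs, decide whether it is a campaign) and the response procedures listed above can be worked as code. It extracts sender and URL indicators from a constructed phishing report, searches a constructed mail-gateway log for other messages that share the sender domain or a URL host, decides whether the report is part of a campaign (the three-recipient threshold is an assumption), and emits the DNS sinkhole list, the URL block list, the mailboxes to purge and the hunt terms a responder would hand to the DNS, proxy and mail teams. The email, the log format, the log lines and every domain in them are constructed.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: an employee-reported phishing email (not a real message).
REPORTED_EMAIL = """From: "IT Helpdesk" <helpdesk@examp1e-corp.invalid>
To: alice@company.example
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew at
http://login.examp1e-corp.invalid/reset?u=alice
or read the updated policy at https://cdn.files-drop.invalid/policy.pdf
"""

# Constructed sample: mail-gateway log, one inbound message per line, with the
# assumed layout  timestamp|sender|recipient|comma-separated URLs in the body.
GATEWAY_LOG = [
    "2024-01-01T08:58:02Z|helpdesk@examp1e-corp.invalid|alice@company.example|http://login.examp1e-corp.invalid/reset?u=alice",
    "2024-01-01T08:58:05Z|helpdesk@examp1e-corp.invalid|bob@company.example|http://login.examp1e-corp.invalid/reset?u=bob",
    "2024-01-01T08:58:09Z|it-support@examp1e-corp.invalid|carol@company.example|https://cdn.files-drop.invalid/policy.pdf",
    "2024-01-01T09:10:00Z|news@vendor.example|dave@company.example|https://www.vendor.example/news",
    "2024-01-01T09:12:00Z|hr@company.example|erin@company.example|",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Iocs:
    sender: str
    sender_domain: str
    urls: set = field(default_factory=set)
    hosts: set = field(default_factory=set)


@dataclass
class ResponsePlan:
    campaign: bool
    affected_recipients: list   # mailboxes to remove the emails from
    sinkhole_domains: list      # feed to the DNS sinkhole
    block_urls: list            # feed to the web proxy / URL filter
    hunt_terms: list            # search terms for follow-up threat hunting


def extract_iocs(raw_email: str) -> Iocs:
    """Step 1: pull sender, sender domain, URLs and URL hosts out of the report."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    iocs = Iocs(sender=sender, sender_domain=domain)
    for part in msg.walk():  # walk() covers both single-part and multipart mail
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")  # trailing punctuation from surrounding prose
            iocs.urls.add(url)
            host = urlparse(url).hostname
            if host:
                iocs.hosts.add(host.lower())
    return iocs


def parse_gateway_log(lines):
    """Parse the constructed pipe-delimited gateway log into records."""
    records = []
    for line in lines:
        ts, sender, recipient, urls = line.split("|", 3)
        sender = sender.lower()
        records.append({"ts": ts, "sender": sender,
                        "sender_domain": sender.rsplit("@", 1)[-1],
                        "recipient": recipient.lower(),
                        "urls": [u for u in urls.split(",") if u]})
    return records


def find_related(iocs: Iocs, records):
    """Step 2: every gateway record sharing the sender domain or a URL host.
    Matching on host rather than full URL catches per-recipient URL variants."""
    related = []
    for rec in records:
        hosts = {urlparse(u).hostname for u in rec["urls"]}
        if rec["sender_domain"] == iocs.sender_domain or hosts & iocs.hosts:
            related.append(rec)
    return related


def build_response(iocs: Iocs, related, campaign_threshold: int = 3) -> ResponsePlan:
    """Turn the matches into the playbook's response actions."""
    recipients = sorted({r["recipient"] for r in related})
    urls, senders = set(iocs.urls), {iocs.sender}
    for r in related:
        urls.update(r["urls"])
        senders.add(r["sender"])
    return ResponsePlan(campaign=len(recipients) >= campaign_threshold,
                        affected_recipients=recipients,
                        sinkhole_domains=sorted(iocs.hosts | {iocs.sender_domain}),
                        block_urls=sorted(urls),
                        hunt_terms=sorted(iocs.hosts | senders))


def triage(raw_email: str, log_lines, campaign_threshold: int = 3):
    iocs = extract_iocs(raw_email)
    related = find_related(iocs, parse_gateway_log(log_lines))
    return iocs, build_response(iocs, related, campaign_threshold)


if __name__ == "__main__":
    found, plan = triage(REPORTED_EMAIL, GATEWAY_LOG)
    print("IoCs:", found)
    print("Plan:", plan)
```

With the constructed data, three mailboxes match (one of them via a URL host the reported message never contained), so the report is classified as a campaign and the plan lists the sinkhole domains, block URLs and hunt terms; raising the threshold to four flips the classification, which is the kind of tuning decision a TTX should surface and record in the AAR.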
Combining TTX and Playbooks
● ONLY use tools and processes with playbooks during TTX.
● ONLY conduct procedures that are documented within each playbook.
● RECORD all major procedures not documented
EXTRA: Roll dice for successful procedure and/or process
Next level: Technical TTX & Playbooks
Privilege Escalation (windows):
Powershell Malware Dropper Attacks
The Attack:
Credit: Scott Sutherland - https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
Privilege Escalation:
Powershell Dropper Attacks
Overview of Defense and Detection TTX
Overview of Defensive and Detection TTX
● Taking 15-min TTX and expanding them into 4-hour TTX over 2 days.
● Choose your industry sector and company roles
● Build out our playbooks and tooling (budget restricted)
● Compete in technical labs with playbooks
● Build and present after action report
AI Chain (Blockchain Startup)
HP: ## AC: ##
❖ Size: Startup
❖ Budget: High
❖ Strength: Extra Skill
❖ Weakness: Roll twice to pass actions and -X on all rolls due to too many buzzwords
Panda Chips (Manufacturing)
HP: ## AC: ##
❖ Size: Global
❖ Budget: Low
❖ Strength: +X on all egress detection
❖ Weakness: -X on all rolls due to budget and most systems on XP
St. Putin’s Glory (Hospital)
HP: ## AC: ##
❖ Size: Medium
❖ Budget: Medium
❖ Strength: +X user awareness rolls
❖ Weakness: -X on all rolls and 30 seconds for action
Imhotep Bank (Banking)
HP: ## AC: ##
❖ Size: Global
❖ Budget: High
❖ Strength: +X on all IR rolls
❖ Weakness: Roll for insider threat if fail and completely flat network
Zippe Nuclear (Energy)
HP: ## AC: ##
❖ Size: Medium
❖ Budget: High
❖ Strength: +X on all rolls
❖ Weakness: Roll for Nuclear Disaster if fail and can’t use open source software
Feats
❖ All Knowing (Assets & Inventory): +X modification with IR attached to specific system issues
❖ Security Training: +X on every roll
❖ Strong Industry Partnerships: +X for preventative controls or to gain new intelligence
❖ Disaster Recovery: Restores/backups always succeed
❖ Technical Leadership: +X on all rolls requiring C-level decisions
❖ Communications: Instant change control decision from leadership in your favor
❖ Knowing Dave Kennedy (aka summoning spell): Orb of Awesome
❖ Detection Dan Power: +X on all rolls related to threat intel on threat actor
❖ Cultural Flexibility: Ability to change decision if it doesn’t work out the first time
❖ Privacy Protection Power: +X on preventing data loss
❖ Legal Team Ninjas: +X for any breach notification or legal decision
❖ Unicorn Cloud Magic: 100% uptime, +X on all restores
Webcast Loot!
● 2 15-min TTX aligned to NIST and other frameworks
● After Action Report (AAR) Template
● Playbook Template
○ 2 Playbook examples
○ Includes detailed technical detection
For additional Wisdom or offers of Gold
CyberSecurity Conference Training, LLC
[email protected] [email protected] @infosystir
[email protected]
@cyborg00101