Incident Response Tabletop Exercises: What They Are and Why They Are Important

July 28th, 2021   |     |  security & compliance

Cyberattacks are more prevalent today than ever before. You see it in the news - data breaches impacting millions of users, ransomware bringing businesses to a screeching halt, companies around the world losing large percentages of revenue at the hands of hacker groups. No one is immune; Governments, manufacturers, financial and education institutions have all had their share of cyberattacks. According to Cybercrime Magazine, global cybercrime damages are expected to reach $6 trillion globally this year alone.

This begs the question - what can we do against these motivated, sophisticated attackers? Of course, we can (and should) implement security controls to reduce risk and address vulnerabilities. But, when it comes to cyber incidents, the unfortunate truth is that it’s not a matter of if - it’s a matter of when

This is where your incident response (IR) program is your best line of defense. And much like a squad of firefighters, incident responders must always be ready for action. And a key component to ensuring your IR program’s response readiness are tabletop exercises. 

What is a Tabletop Exercise?

Think of your local fire department. What do firefighters do in their “down time” when they’re not responding to emergencies? When they’re not putting out a fire, they’re preparing for one. This preparation includes running through simulated emergency situations to practice their response and ensure each member of the squad is prepared for any call they may receive.

This is the same idea behind an incident response tabletop exercise. A tabletop exercise is an interactive simulation of a real-world security incident scenario for the purpose of assessing the preparedness of your incident response program.

Six phases of incident response from malicious activity to updated policies and procedures.

Figure 1: Incident Response Lifecycle

Thinking in terms of the six phases of the incident handling process (see Figure 1: Incident Response Lifecycle) tabletop exercises fall within Phase 1: Preparation, which OneLogin defines as the activities that “enable the incident response team to respond to a potential incident.”

Tabletop exercises are designed to assess how prepared your organization is to carry out each incident response phase effectively. Depending on your organization’s goals or incident response program maturity, there are different types of tabletop exercises that may fit your organization’s needs:

Incident Simulation Tabletop

  • Test your organization’s incident response capability in a real-world security incident scenario through each stage of the incident response lifecycle.
  • This should involve a larger audience of personnel that would be involved in responding to the particular incident scenario.
  • OneLogin’s Computer Security Incident Response team (CSIRT) conducts simulated incident tabletop exercises twice a year. These exercises include a broader audience of representatives from teams that are relevant to the particular incident scenario. For example, members of the engineering team may be included to carry out simulated investigation or containment actions. Similarly, the legal, customer support, and privacy teams may be included to work through customer notification and compliance actions during the simulation.


Discussion-based Walkthrough / Workshop Tabletop

  • Intended as an informational activity to increase awareness of incident response policies, procedures, roles, and responsibilities.
  • While incident simulations are focused on applying IR procedures, discussion-based workshops are useful for informing your team of the IR procedures you’ve defined, or socializing any changes.
  • At OneLogin, CSIRT conducts discussion-based tabletop exercises biannually to supplement the simulated incident tabletop exercises.


Incident Response Plan

According to the Retarus Corporate Blog, more than 77% of organizations do not have an incident response plan. Many organizations may look at an incident response plan as just another compliance requirement, but a well-thought-out IR plan is a foundational component to an organization’s incident response preparation.

An incident response plan outlines the policies, procedures, roles, and responsibilities that provide the foundation of an incident response program. It is a document that answers the who, what, when, where, and why of incident response for everyone in your organization.

The incident response plan also provides the basis for your tabletop exercise. Tabletop exercises should be designed to test the application of the incident response plan within your organization, as well as its effectiveness.

Communication and Coordination

Incident response does not fall solely under one team. In reality, it is a cross-functional activity. Different departments across your organization use their specific knowledge and expertise to handle different aspects of an incident. For instance, engineering might be needed to shut down a compromised production server. Or your privacy and legal teams might collaborate to determine the ramifications of a data breach. Each team plays a critical role during an incident, and knowing who to engage and when is critical to limiting an incident’s impact.

Communication and coordination are muscles that incident responders need to train, and table top exercises provide a risk free venue to do so. Tabletop exercises support this by providing a safe learning environment for participants to understand each other’s roles and responsibilities within the context of incident response. This allows the incident response team to know who to involve at which point of an incident to ensure it’s handled effectively.

Lessons Learned

Lessons learned are perhaps the most valuable outcome of a tabletop exercise. Through carrying out your incident response plan, tabletop exercises provide an opportunity to uncover process or knowledge gaps in a risk-free environment before facing a real incident where such gaps could be costly.

As mentioned above, responding to an incident is typically a cross-functional activity that will involve personnel outside of your incident response or even security teams. By involving different teams, tabletop exercises not only serve to raise awareness of your organization’s incident response processes and procedures - they also provide an opportunity for a broader audience to voice their perspectives or interpretations.

By providing an environment where such issues can be identified, this feedback can then be incorporated into the incident response plan. Overall, lessons learned from a tabletop exercise provides further clarity around the needs and expectations from each key player when responding to an incident.

Be Prepared, Be Resilient

Through periodic incident response tabletop exercises, your organization will be well-prepared to handle incidents effectively and more resilient to the ever-evolving nature of cyberattacks.

OneLogin blog author
About the Author

Evan is an analyst on OneLogin’s Computer Incident Response Team (CSIRT) with a passion for helping organizations establish and mature their security posture. Prior to OneLogin, Evan provided information security consulting to large Cloud Service Providers (CSPs) and corporations including Microsoft and Google.

View all posts by Evan Cottingham

OneLogin blog author
About the Author

Evan is an analyst on OneLogin’s Computer Incident Response Team (CSIRT) with a passion for helping organizations establish and mature their security posture. Prior to OneLogin, Evan provided information security consulting to large Cloud Service Providers (CSPs) and corporations including Microsoft and Google.

View all posts by Evan Cottingham

Secure all your apps, users, and devices