• CSNP

Getting Started with Table Top Exercises for Incident Response


Woman writing on white board

Author Elaine Harrison-Neukirch


In the past year, many organizations have moved to a remote workforce. Team sizes and resources are decreased due to employees having Covid or being quarantined. Over the same time period, Ransomware attacks have increased to a daily occurance. These are a few reasons that Table Top Exercises (TTE) should be a staple in Incident Response planning. They provide “practice” for the incident response team and stakeholders who have roles and responsibilities in the event of a real-life incident.


What is a Table Top Exercise?


A Table Top Exercise is an informal session, led by a facilitator. Attendees include key stakeholders and the incident response team. The goal of a TTE is to enable teams to “practice” incident response. A specific scenario (ex: a security event such as ransomware or a hacked system) is presented and discussed. The group determines the roles and responsibilities required for the specified scenario. They also decide what actions should be taken.


Why are Table Top Exercises important?


These sessions enable stakeholders to better understand the roles and responsibilities they will be assigned in the event that the scenario becomes reality. Often, discussions uncover gaps in the incident response plans. These can be corrected before a real life event occurs. Playing out the scenarios assures the team is comfortable with their assignments and will lend to less hesitation in responding to an actual event.


Who should be involved?


Anyone who has been assigned a role and responsibilities for an actual incident response event should be included. There may be a need for multiple TTE sessions. When my company ran through a TTE for a ransomware scenario, the initial session was for only IT teams. The next session included C-Level executives and directors, as well as others involved in the operational side.


How to get started


New to table tops? Not a problem. There are many resources available. These are a few of my favorites:

A quick Google search will unearth many other resources you can use when planning your first TTE. Reach out to group members of any security groups that you belong to, as well as your LinkedIn network. You most likely have a connection who has done one or many of these and would be happy to help.


Components of a Table Top Exercise

  1. The Scenario - Pick a scenario that your organization sees as a viable threat. Ransomware is a hot topic, especially in the healthcare and education sectors.

  2. The Facilitator - Who will lead the TTE? Select someone who is familiar with both the IT and Operations sides of the organization. This person may be helpful in determining which stakeholders should attend the initial session as well as addition