30 Tabletop Exercises in 30 Minutes

With cybersecurity being one of many hats that very busy technical leaders wear, many organizations may not feel they have the time or the skills to conduct their own cybersecurity tabletop exercise. NIST guidelines and CIS Control 17 set a minimum standard of annual tabletop exercises; recent guidelines issued by the FBI in Operation Winter Shield advise quarterly tabletops. To get started or to add variety to tabletops, consider conducting a quick single-event tabletop exercise with a discussion time limit of 30 minutes to an hour.

Examples of questions to ask during a short tabletop include:

  • Who would be involved in the response (internal and external)?
  • What is each responder's role?
  • What actions will the responders take?
  • Who would communicate what, and to whom?
  • Do current plans adequately aid in the response?
  • What resources or new plans are needed to better prepare for this type of event?

Bring any incident response, disaster recovery, and/or business continuity plans as well as relevant playbooks to this discussion, and plan on a quick roundtable to address one type of event. To increase participation, consider the likelihood of each scenario, events experienced by a nearby organization, etc. Below are 30 ideas for short tabletop exercises to discuss with IT staff and/or senior leadership.

  1. Tornado (example: destroys Main Distribution Frame)
  2. Flood in building with technical equipment (ex: pipe burst)
  3. Power outage
  4. Fire in building with technical equipment
  5. Earthquake
  6. Fiber cut
  7. Internet outage
  8. MDF space overheating
  9. Third-party software data breach
  10. Accidental sensitive data sharing
  11. Intentional sensitive data sharing
  12. Sensitive data found on dark web
  13. Compromised accounts found on dark web
  14. Staff email account hacked by outside threat actor and used for phishing attempt
  15. Student account hacked and used for phishing attempt
  16. A student/patron hacks internal system
  17. Cloud software outage for a critical system
  18. Widespread outage impacting cloud services (ex: AWS, Google, Cloudflare, etc.)
  19. All devices locked by ransomware
  20. Malware on devices
  21. Financial social engineering (ex: unpaid invoice)
  22. Social engineering help desk call
  23. Unauthorized access to network equipment area
  24. Disgruntled IT employee fired
  25. Keylogger discovered on IT employee device
  26. Large volume of login attempts on critical system
  27. Data deleted from critical system
  28. Backups lost
  29. Lost admin or IT employee device
  30. Stolen admin or IT employee device

Additional ideas for exercises may be inspired by current events or by the experiences of other organizations. Taking the time to practice builds crisis muscle memory, allowing a more rational and thorough response during an actual event.

Additional Resources:

Operation Winter SHIELD, Federal Bureau of Investigation

SANS Institute, “You came with *that* plan? You’re braver than I thought!”, Steve Armstrong-Godwin, YouTube

MSIP 6 Standards, MOREnet