Tuesday, February 18, 2020

table-top exercise (TTX / TTE)

Tabletop Exercises: Six Scenarios to Help Prepare Your Cybersecurity Team

Exercise 1
The Quick Fix
Processes tested: Patch Management
Threat actor: Insider
Asset impacted: Internal Network
Applicable CIS Controls™:
CIS Control 2: Inventory and Control of Software Assets,
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers,
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs


Exercise 2
A Malware Infection
Processes tested: Detection ability/User awareness
Threat actor: Accidental insider
Asset impacted: Network integrity
Applicable CIS Controls:
CIS Control 8: Malware Defenses,
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services,
CIS Control 12: Boundary Defense

Exercise 3
The Unplanned Attack
Processes tested: Preparation
Threat actor: Hacktivist
Asset impacted: Unknown
Applicable CIS Controls:
CIS Control 8: Malware Defenses,
CIS Control 12: Boundary Defense,
CIS Control 17: Implement a Security Awareness and Training Program,
CIS Control 19: Incident Response and Management


Exercise 4
The Cloud Compromise
Processes tested: Incident response
Threat actor: External threat
Asset impacted: Cloud
Applicable CIS Controls:
CIS Control 10: Data Recovery Capabilities,
CIS Control 13: Data Protection,
CIS Control 19: Incident Response and Management

Exercise 5
Financial Break-in
Processes tested: Incident Response
Threat actor: External Threat
Asset impacted: HR/Financial data
Applicable CIS Controls:
CIS Control 4: Controlled Use of Administrative Privileges,
CIS Control 16: Account Monitoring and Control,
CIS Control 19: Incident Response and Management

Exercise 6
The Flood Zone
Processes tested: Emergency response
Threat actor: External threat
Asset impacted: Emergency Operations Center Processes
Applicable CIS Controls:
CIS Control 7: Email and Web Browser Protections,
CIS Control 19: Incident Response and Management

https://www.cisecurity.org/wp-content/uploads/2018/10/Six-tabletop-exercises-FINAL.pdf


  • Running an Effective Incident Response Tabletop Exercise

Are you ready for an incident? Are you confident that your team knows the procedures, and that the procedures are actually useful? An incident response tabletop exercise is an excellent way to answer these questions.
I've outlined some steps to help ensure success for your scenario-based threat simulations.
First, identify your audience. This will help inform which type of exercise you'll want to run. Will it be an executive exercise or technical in nature?
Now that your scope and audience have been set, it is time to define your scenario.
Use the maturity of your organization's incident response (IR) capabilities and the threats to your business to help guide the selection of a scenario for the exercise.
You must set a realistic scenario that truly exercises your organization.
For instance, a defense contractor will not have much need to practice a case of adware infection on a handful of machines, and a restaurant will not greatly benefit from preparing for a nation-state threat.
Now that you have fully prepared, the steps that remain are executing the exercise and reporting the results.
We like to look at clients' incident response plans, their adherence to those plans, coordination among IR teams, communications (internal and external), and technical analysis.


The purpose of the TTX was to practice incident response procedures related to Information Security in order to identify potential weaknesses in people, process, and technology.

https://blog.rapid7.com/2017/07/05/running-an-effective-tabletop-exercise/