Exercise 1
The Quick Fix
Processes tested: Patch Management
Threat actor: Insider
Asset impacted: Internal Network
Applicable CIS Controls™:
CIS Control 2: Inventory and Control of Software Assets,
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers,
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Exercise 2
A Malware Infection
Processes tested: Detection ability/User awareness
Threat actor: Accidental insider
Asset impacted: Network integrity
Applicable CIS Controls:
CIS Control 8: Malware Defenses,
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services,
CIS Control 12: Boundary Defense
Exercise 3
The Unplanned Attack
Processes tested: Preparation
Threat actor: Hacktivist
Asset impacted: Unknown
Applicable CIS Controls:
CIS Control 8: Malware Defenses,
CIS Control 12: Boundary Defense,
CIS Control 17: Implement a Security Awareness and Training Program,
CIS Control 19: Incident Response and Management
Exercise 4
Processes tested: Incident response
Threat actor: External threat
Asset impacted: Cloud
CIS Control 10: Data Recovery Capabilities,
CIS Control 13: Data Protection,
CIS Control 19: Incident Response and
Exercise 5
Financial Break-in
Processes tested: Incident Response
Threat actor: External Threat
Asset impacted: HR/Financial data
Applicable CIS Controls:
CIS Control 4: Controlled Use of Administrative Privileges,
CIS Control 16: Account Monitoring and Control,
CIS Control 19: Incident Response and Management
Exercise 6
The Flood Zone
Processes tested: Emergency response
Threat actor: External threat
Asset impacted: Emergency Operations Center Processes
Applicable CIS Controls:
CIS Control 19: Incident Response and Management
https://www.cisecurity.org/wp-content/uploads/2018/10/Six-tabletop-exercises-FINAL.pdf
- Running an Effective Incident Response Tabletop Exercise
Are you ready for an incident? Are you confident that your team knows the procedures, and that the procedures are
I've outlined some steps to help ensure success for your scenario-based threat simulations.
First, identify your audience. This will help inform which type of exercise you'll want to run. Will it be an executive exercise or technical
Now that your scope and audience have
Use the maturity of your organization's incident response (IR) capabilities and the threats to your business to help guide the selection of a scenario for the exercise.
You must set a realistic scenario that truly exercises your organization.
For instance, a defense contractor will not
Now that you have fully prepared, the steps that remain are executing the exercise and reporting the results.
We like to look at clients' incident response plans, their adherence to those plans, coordination among IR teams, communications (internal and external), and technical analysis.
The purpose of the TTX was to practice incident response procedures related to Information Security
https://blog.rapid7.com/2017/07/05/running-an-effective-tabletop-exercise/