Wednesday, September 14, 2011

Creating a tabletop exercise scenario

There are several types of exercises, drills and team training, and several ways to conduct them.  A tabletop exercise is one of the ways that I’ve found generates understanding, traction, and visibility.  It can be a bit overwhelming to create a good tabletop exercise.  Why? It requires an attacker mindset, creative use of evidence trails, technical accuracy and excellent presentation.
Attacker Mindset
You must become the attacker to devise an attack.  Your first obstacle is to define the attacker’s motive and desired end state.  Disruption? Theft?  It should not be arbitrary.  Once you have the motive you must develop an attack that is technically accurate and realistic.  I recommend outlining each sequence of the attack to give the scenario depth (see the table below); I’ve had scenarios surpassing forty sequences.
Evidence Trails
Your defensive ops team requires tidbits of evidence to allow them to think critically and make decisions.  Ideally these evidence trails are revealed slowly over the course of the exercise and mirror real-world activity.  The evidence must be customized to the defensive operations team’s tools and procedures: if the team relies on netflow data and HIPS events, then fictional flows and events are what should be presented to them, not artifacts from a tool they don’t have.  I recommend pairing a potential evidence trail with each sequence of the attack in a table.  This keeps the scenario organized and lets you decide how the scenario is ultimately presented to the participants.
Technical Accuracy
The tactics and tools used both by the fictional attacker and the participants must be grounded in accuracy.  A zero day exploit in Adobe Reader is fair; a “zero day exploit” which “takes down the network” is not.
Excellent Presentation
The presentation must be plain and must convince and inform every level of the audience.  I recommend separating the attack sequence from the observations and responses of the participants.  Once the tabletop is complete, walk the participants through each sequence of the attack; they then tie their observations and reactions to exactly what happened.  That is where the lessons are learned.

A mocked-up attack timeline.  This is used to help build the basis of the exercise.  It helps establish the depth and scope of the attack and the evidence trails, and lets you then craft how the tabletop exercise itself is carried out.

Date / Time  |  Attack sequence  |  Evidence / Artifacts

4/15/11 13:41
  Attack:    Attacker A uses Google searches to locate a series of employee email addresses
  Evidence:  Screenshots of Google hits

4/16/11 08:41
  Attack:    Attacker A sends a crafted phishing message to the identified email addresses
  Evidence:  SMTP email gateway logs

4/16/11 08:45
  Attack:    Victim B erroneously clicks the malicious link; attacker successfully compromises PC “DougH”
  Evidence:  HTTP gateway log; Windows prefetch entry; file C:\windows\tasks\svchost.exe

4/16/11 08:46
  Attack:    PC “DougH” establishes C2 with
  Evidence:  HTTP gateway log

4/16/11 08:46
  Attack:    PC “DougH” downloads from
  Evidence:  HTTP gateway log; file c:\windows\tasks\

4/16/11 08:46
  Attack:    PC “DougH” executes p.exe (pwdump) and transfers results via FTP to
  Evidence:  Windows prefetch entry
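The table above can be kept as data rather than as a document, which makes the two views the post recommends (the facilitator's attack sequence and the participants' slowly revealed injects) easy to keep apart. The following is an added example, not code from the original post. Every host name, IP address, mailbox and log format in it is constructed for illustration (addresses come from the RFC 5737 documentation ranges); the post's own timeline leaves the C2, download and FTP hosts blank, and nothing here is meant to fill those in. The inject renderers only loosely mimic a Postfix gateway log, a proxy access log, Windows prefetch and a NetFlow record; swap in the exact formats of the defenders' tools.

```python
"""Scenario table for a tabletop exercise: the facilitator's attack sequence
is kept apart from the injects shown to participants, and a check reports
steps the team's own tools could never observe.

Added example, not code from the original post.  All hosts, addresses,
mailboxes and log formats are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Sequence:
    when: datetime
    action: str          # facilitator view: what the attacker did
    evidence: list       # participant view: (source, inject line) pairs


# Inject renderers.  These approximate a Postfix gateway log, a proxy access
# log, a Windows prefetch entry and a NetFlow record; replace with the exact
# formats of the defenders' real tools so the injects look like their data.
def smtp_log(ts, client_ip, sender, rcpt):
    return (f"{ts:%b %d %H:%M:%S} mailgw postfix/smtpd: client=[{client_ip}] "
            f"from=<{sender}> to=<{rcpt}> status=accepted")


def http_log(ts, client_ip, url, status=200, size=38912):
    return f"{ts:%Y-%m-%dT%H:%M:%S} proxy1 {client_ip} GET {url} {status} {size}"


def prefetch(path):
    return f"PREFETCH {path} RUN_COUNT=1"


def netflow(ts, src, dst, dport, bytes_out):
    return f"{ts:%Y-%m-%d %H:%M:%S} {src} -> {dst}:{dport} proto=6 bytes={bytes_out}"


def build_scenario():
    """Constructed scenario parallel to the post's timeline (not its rows)."""
    t0 = datetime(2011, 4, 16, 8, 41)
    victim = "10.0.5.23"                 # constructed: PC "DougH"
    stage = "http://198.51.100.20"       # constructed attacker web host
    drop = "203.0.113.44"                # constructed FTP drop host
    return [
        Sequence(t0, "Attacker A sends crafted phishing message", [
            ("smtp", smtp_log(t0, "203.0.113.9", "benefits@hr-portal.example",
                              "dough@corp.example"))]),
        Sequence(t0 + timedelta(minutes=4),
                 "Victim B clicks link; PC DougH compromised", [
            ("http", http_log(t0 + timedelta(minutes=4), victim, f"{stage}/bonus.pdf")),
            ("host", prefetch(r"C:\Windows\Tasks\svchost.exe"))]),
        Sequence(t0 + timedelta(minutes=5), "DougH establishes C2", [
            ("http", http_log(t0 + timedelta(minutes=5), victim,
                              f"{stage}/gate.php?id=DougH", size=312))]),
        Sequence(t0 + timedelta(minutes=5, seconds=30),
                 "DougH runs p.exe (pwdump) and FTPs results out", [
            ("host", prefetch(r"C:\Windows\Tasks\p.exe")),
            ("netflow", netflow(t0 + timedelta(minutes=5, seconds=30),
                                victim, drop, 21, 4096))]),
    ]


def injects_for(scenario, sources, up_to):
    """Participant view: only evidence from tools the team has (`sources`),
    revealed through sequence index `up_to`, in time order, no attacker actions."""
    out = [(s.when, src, line)
           for s in scenario[:up_to + 1]
           for src, line in s.evidence if src in sources]
    return sorted(out)


def blind_spots(scenario, sources):
    """Indices of sequences that leave nothing the team could observe.  Either
    add evidence the team's tools would really produce, or plan for that step
    to go unnoticed and see whether the participants infer it."""
    return [i for i, s in enumerate(scenario)
            if not any(src in sources for src, _ in s.evidence)]


def facilitator_view(scenario):
    """Attack sequence for the walk-through after the tabletop."""
    return [(f"{s.when:%m/%d/%y %H:%M}", s.action) for s in scenario]


if __name__ == "__main__":
    scn = build_scenario()
    team_tools = {"smtp", "http", "host"}   # this team has no NetFlow
    for when, src, line in injects_for(scn, team_tools, up_to=2):
        print(f"[{src:7}] {line}")
    print("blind spots:", blind_spots(scn, team_tools))
```

Run it and the participant stream contains no attacker actions, only log lines; raising `up_to` one step at a time is the slow reveal. The `blind_spots` check is the part worth keeping: a sequence with no evidence in the team's sources is a step they can only guess at, which is fine if deliberate and a design error if not.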

Thursday, September 1, 2011

Establishing Defensive C2

Sustained defensive operations should expect an incident at any time. This has taught me that well-crafted, exercised, and useful C2 (command and control) is required. This is particularly important for operations with small teams, geographically separated personnel, or no 24x7 operations center.

The techniques below may seem banal, but it is striking how little the community seems to recognize how vitally useful they are. Offensive operations are deliberate in both their actions and their C2; defensive operations require those same characteristics. I loosely define a communications plan as a formalized C2 structure at both an organizational and a technical level.

A successful communications plan allows for adaptability, high-tempo operations, preparedness, and leadership understanding. These aren't buzzwords; they are achievable and necessary. It is the foundation for medium- to large-scale incident response operations.

Individual preparedness
All personnel mobile phones should include the contacts needed during incidents: team members, leadership, external parties, and preplanned meeting locations (see below). Such a list should reside on each team member’s mobile phone. As a contingency, keeping a subset of the most critical contacts on wallet-sized cards and carrying them on your person provides coverage when cell phones are unavailable.

Keeping these lists up to date can be a nuisance; testing them through scheduled call trees ensures they remain current and useful.

Secure comms
Think in terms of both standard and worst-case options. If you can no longer trust your hosts or networks, how can you properly share and collaborate with team members? How can the defensive team access workstations, servers, or security controls? How can you inform leadership? When and how can you engage law enforcement? Prepare ahead of time for how to securely share documents or files with in-team, in-company, or external parties. As maturity develops, different categories of communications may be used. For instance, open email may be satisfactory in some incidents while encrypted attachments are needed in others; remember that if the attacker holds the mail server or the responders' workstations, in-band email tells the attacker exactly what the defenders know. Out-of-band communications may also be desired in certain circumstances. Quickly deploying an airgapped network for defensive operations may be needed. Having these defined ahead of time prevents “just-in-time solution building”. Finally, staff will gravitate towards the communications media they typically use; treat this familiarity as a strength when building a communications plan.

Defensive operations rely on access to equipment. This includes workstations, phones, servers, and other security systems. These control channels - including hands on a keyboard in a data center, coordinating collection of evidence, remote access, application access, and log retrieval - and their contingencies should be considered in the communications plan.

Preplanned Meeting Locations
You know those meeting spots where everyone is trained to walk to in case of a fire drill? Having such preplanned locations (either physical or virtual) can be essential in unknown or complex situations. Many organizations’ telephone systems can create predefined conference bridges, which can act as a central preplanned meeting place, staging area and coordination center for geographically dispersed teams. If you do use such systems, be mindful that they may be VoIP: if the phone system rides on the same network you are investigating, the bridge is not out of band and may be unavailable, or listened to, during the incident.

Various communication media can be used in different ways. Technical staff can achieve a higher performance tempo through secure, instant communications over services such as Jabber, Skype or SILC. Such virtual conference rooms act as a copy/paste medium for spreading critical log file entries or other plaintext to team members in real time. If timestamps are enabled, the backlog can also serve as a useful historical timeline of response activities; the same backlog is a complete account of the response, so the chat service itself must sit outside the attacker's reach. This medium is excellent because it is realtime and can be used in conjunction with other media such as physical or telephone meetings.
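Turning that backlog into a timeline is a small parsing job. The following is an added example, not code from the original post. It assumes a generic "[time] <nick> text" backlog (the form most clients export) and a lightweight convention, assumed here and not taken from the post, where responders prefix coordinated actions with "!act", observations with "!obs", and pasted log entries with "paste:"; untagged chatter is dropped. The backlog lines are constructed. One point the code makes explicit: a pasted log entry carries the attacker's time, not the response time, and the timeline keeps both.

```python
"""Build a response timeline from the timestamped backlog of the responders'
chat channel.  Added example, not from the original post; the "!act", "!obs"
and "paste:" prefixes are an assumed convention and BACKLOG is constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed backlog in a generic "[time] <nick> text" export format.
BACKLOG = """\
[2011-09-01 14:02:11] <alice> !obs proxy shows DougH GET /gate.php every 60s since 08:46
[2011-09-01 14:02:40] <bob> paste: 2011-04-16T08:46:02 proxy1 10.0.5.23 GET http://198.51.100.20/gate.php?id=DougH 200 312
[2011-09-01 14:05:03] <carol> !act blocked 198.51.100.20 at the edge firewall
[2011-09-01 14:06:15] <alice> lunch?
[2011-09-01 14:09:48] <bob> !act pulled DougH off the VLAN, imaging disk
*** dave has joined #ir
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] <(?P<nick>[^>]+)> (?P<text>.*)$")
TAGS = {"!act": "action", "!obs": "observation", "paste:": "evidence"}
ISO = re.compile(r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})")
FMT = "%Y-%m-%d %H:%M:%S"


def parse_backlog(text):
    """Return tagged entries in backlog order; chatter and join/part noise
    are skipped.  `logged` is when it was said in the channel; `event` is the
    time inside a pasted log line when one is present, otherwise `logged`."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # joins, parts, non-message lines
        logged = datetime.strptime(m["ts"], FMT)
        body, kind = m["text"], "chatter"
        for tag, name in TAGS.items():
            if body.startswith(tag):
                kind, body = name, body[len(tag):].strip()
                break
        if kind == "chatter":
            continue
        event = logged
        if kind == "evidence":
            em = ISO.match(body)          # pasted line carries its own time
            if em:
                event = datetime.strptime(em.group(1).replace("T", " "), FMT)
        entries.append({"logged": logged, "event": event, "who": m["nick"],
                        "kind": kind, "text": body})
    return entries


def summary(entries):
    """Counts per kind; a quick sanity check that actions were actually logged."""
    return dict(Counter(e["kind"] for e in entries))


def render(entries):
    """Response timeline in the order things were said, with the attacker-side
    event time shown for pasted evidence so the two clocks are not confused."""
    lines = []
    for e in sorted(entries, key=lambda e: e["logged"]):
        note = "" if e["event"] == e["logged"] else f"  [event time {e['event']:{FMT}}]"
        lines.append(f"{e['logged']:{FMT}} {e['kind']:<11} {e['who']:<6} {e['text']}{note}")
    return lines


if __name__ == "__main__":
    entries = parse_backlog(BACKLOG)
    print("\n".join(render(entries)))
    print(summary(entries))
```

The tagging convention costs nothing during the incident and gives you the after-action timeline for free; without it, someone reconstructs the same timeline from memory a week later.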

Recognize that heavy incident response operations will use a variety of communications at once. These channels can clash and cause delays or confusion. The response staff should reserve their own channel for coordinating activities: determining the vector, scope, and seriousness of the situation. Other channels should carry findings, reports, and recommendations to higher leadership, business partners, law enforcement, etc.

Some conclusions:

  • Comm channels are key and often underappreciated during response activities.

  • Comms plans are essentially C2 activities. These C2 channels need clear paths from top leadership to defenders to defender equipment: if a defender can't initiate analysis or containment, it's going to be a bad day.

  • Comms plans should address realistic contingencies surrounding confidentiality, integrity, and availability.

  • This isn't an exercise of paper but of preparedness.