Tabletop exercise scenarios: 3 real-world examples

How-To | Jun 30, 2021 | 15 mins
Business Continuity, Business Operations, Disaster Recovery

Plus, start your journey with 10 pro tips for running a successful tabletop exercise.


Editor’s note: This article, originally published in 2006, has been updated to reflect recent trends. 

A tabletop exercise is an informal, discussion-based session in which a team talks through their roles and responses during an emergency, walking through one or more example scenarios. It’s a great way to get business continuity plans off the written page without the interruption of a full-scale drill: rather than actually simulating a disaster, a group within the company gathers for a few hours to talk through a simulated crisis.

The exercise is increasingly a staple of IT security preparedness programs. “I find that companies who have a healthy respect for their cyber risk are the ones doing tabletops,” says Dan Burke, Senior VP and National Cyber Practice Leader at Woodruff Sawyer. “Designing an incident response plan is beneficial, but putting it to the test will give you the practical insights that only come from experience.”

If you’re new to the idea of tabletop exercises and want a solid overview of what goes into one, check out our in-depth explainer on the topic. But if you have a handle on the basics and are thinking about how you can most effectively implement a tabletop exercise at your own organization, then read on. We’ve collected some tips on best practices from a range of security pros, who have also helped us put together some example scenarios that should give you some ideas for your own exercises.

10 tips for running an effective tabletop exercise

  1. Make sure your tabletop exercise is your tabletop exercise.
  2. Explore a scenario beyond just the technical aspects.
  3. Get top-level management on board.
  4. The facilitator is key.
  5. You’re testing people, not technology.
  6. Build your scenarios based on active threat intelligence.
  7. Participants need to get into character.
  8. Don’t let the party get too big.
  9. Give your exercise the amount of time it deserves.
  10. Create a safe space for experimentation—and failure.

1. Make sure your tabletop exercise is your tabletop exercise. You shouldn’t just work through some generic breach scenario, but rather something tailored to your organization’s particular situation. “Conduct exercises based on events that are critical for your particular company,” says Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies. “Ask the top managers what their business is really afraid of, and what scenarios could destroy it.”

2. Explore a scenario beyond just the technical aspects. Tabletop exercises may be driven by the IT or security team, but participants should span the entire company. “Yes, there may have been a technical attack which requires a technical remediation,” says Ben Smith, Field Chief Technology Officer at RSA NetWitness, “but your tabletop exercise should also include representatives from your legal, regulatory, marketing, customer support, and even human resources functions. Employees on the front lines with the public during a recovery will need scripted and approved talking points and potentially new tools to represent your brand most effectively during a crisis.”

3. Get top-level management on board. No matter what you learn about your organization’s readiness in a tabletop exercise, you won’t be able to implement any improvements without leadership buy-in. “The most critical constituency in crisis management training and desktop scenarios is the C-suite, or those officers who will either make a final decision in a crisis or recommend them to the CEO,” says Timothy Williams, Vice Chairman with global security firm Pinkerton.

C-level execs don’t always participate themselves, but will often choose a representative to participate and report back on how the exercise went. Still, it can be worthwhile to try to get them to show up in person. “It’s sometimes hard to pin down executives to participate for longer exercises,” says Curtis Fechner, Engineering Fellow at Optiv, “but you can remind them that their participation will not be optional during a real incident.”

4. The facilitator is key. “Having a facilitator whose delivery is top notch is make or break,” says John Dickson, Vice President at Coalfire. “The best ones deliver tabletops in a conversational way and put participants at ease. They remind me more of a good talk show host than a keynote speaker. Their ability to pivot is crucial: when a participant makes a point, an effective facilitator must be able to cite a relevant war story or example that reinforces that point.”

5. You’re testing people, not technology. Some participants in a tabletop exercise may complain that your scenario isn’t dealing with the technology they use on a day-to-day basis—but that misses the point, says Sounil Yu, CISO at JupiterOne. “The primary benefit of a tabletop exercise is to ensure that people can reliably perform in unexpected situations,” he explains. In fact, in many of the disaster scenarios that tabletop exercises aim to simulate, technology that staff has come to rely on may be unavailable, and overreliance on technology in response and recovery situations is exactly what team members need to learn to avoid.

6. Build your scenarios based on active threat intelligence. You may be tempted to just pull your tabletop exercise from the latest headlines, but you should dig deeper to create a truly realistic scenario. “For many notable threats like ransomware, there are a lot of firms sharing intelligence about how these attacks play out,” says Optiv’s Fechner. “Using media reports is okay, but you should focus on the actual threat intelligence reports produced by government agencies and private sector security companies.”

7. Participants need to get into character. Tabletop exercises are cousins to tabletop role-playing games like Dungeons and Dragons. Just as in those games, each participant should throw themselves into the role they’re playing in the fictional scenario under consideration—and just as in those games, those roles might be different from the player’s everyday life. “You should assign everyone a role to play,” says Jacob Ansari, CISO of Schellman & Company, an independent security and privacy compliance assessor. “Maybe everyone gets their normal job function—or, maybe you mix it up every now and again to gain some fresh perspective so you can uncover gaps in your plan.”

8. Don’t let the party get too big. Nate Drier, Managing Principal Consultant, and Rob Lelewski, Director of Proactive Services at Secureworks, suggest that you aim to keep the number of participants in your exercise to less than 20. Groups much bigger than that are “ripe with opportunity for disinterest and disengagement,” they say.

9. Give your exercise the amount of time it deserves. This may seem obvious, but a tabletop exercise isn’t something you can just knock out over a quick lunch. “Trying to rush through in an hour leaves little time to discuss anything in detail,” says Optiv’s Fechner. “Factor in various distractions and you’d only be looking at about 20 minutes of actual discussion. I prefer a three- to four-hour exercise for most audiences.”

10. Create a safe space for experimentation—and failure. While tabletop exercises are crucial for improving overall security in the long run, the players shouldn’t feel pressure to “win” the scenario. “It is important that participants understand that the exercise is in the interest of improvement,” say Secureworks’s Drier and Lelewski. “It is expected that there are gaps. Tabletops provide a blameless forum where the team can collectively discuss holistic strengths and weaknesses.”

As Schellman’s Ansari acknowledges, this can be challenging because employees are often “performing” in front of their bosses. “The coordinator needs to establish some clear ground rules that give people the freedom to act in this situation,” he says. “It is, after all, a fictitious scenario and one designed to uncover weaknesses in the plans themselves, training, coordination, or other essential aspects.”

Three sample tabletop exercise scenarios

  1. A phishing attack exposes a zero-day vulnerability
  2. A supply-chain attack is detected
  3. Reckoning with an escalating ransomware attack
  4. A disgruntled employee starts a data center fire
  5. An explosion at a nearby chemical plant releases deadly toxins
  6. A pandemic flu hits

As we noted above, a tabletop scenario should hew as closely to your company’s specific darkest fears as possible. That said, we solicited some potential scenarios from our experts to give you a sense of how these might play out. Note how they escalate. As Brett Wentworth, Senior Director, Global Security at Lumen Technologies, puts it, the job of a tabletop moderator consists of “walking the participants through a scenario, letting them react in an open fashion, reporting back on their actions—and then having ‘injects’ to add more curveballs.”

Scenario #1: A phishing attack exposes a zero-day vulnerability

Wentworth outlined our first scenario, which starts with a phishing attack and ramps up from there.

Segment 1: An employee clicks on a link in an email asking them to take a mandatory security awareness training and inputs their credentials in the site the link leads to. Looking back at the email, they see some odd formatting, a spelling error, and a banner indicating the email originated outside the organization. Their computer begins to run more slowly, and the employee follows established processes and contacts the incident response (IR) team. The players taking on the IR role will outline the steps they’d take in response.

Segment 2: A connection is seen from an IP address in Eastern Europe to the site linked to in the phishing email. This host was also apparently scanning internally for a protocol associated with a commonly used software package (we’ll give it the fake name Acme123) and has interacted with servers running it.

Segment 3: Traffic fitting the pattern of malware callbacks is seen communicating from an Acme123 server with another IP, this one in Asia. Suddenly, industry news breaks about an Acme123 zero-day vulnerability.

Segment 4: One server shows it had signs of a new malware exploiting the zero day, but it’s not clear whether data was exfiltrated. The teams at this point must commit to forensics, notify employees, contact law enforcement and impacted customers, and update execs.
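Wentworth’s segments name the two signals the IR players should be reasoning about in segments 2 and 3: an internal sweep for one protocol, then regularly spaced callbacks from an Acme123 server to an outside host. As an added illustration (not from the article, and not Lumen’s tooling), the Python below runs those two checks over constructed flow records. The 10.0.0.0/8 corporate range, port 8123 standing in for the fictional Acme123 protocol, the example addresses and the thresholds are all assumptions made up for the example.

```python
"""Triage helpers for the Scenario #1 injects: internal scan fan-out and
regularly spaced callbacks, run over constructed flow records.
Added example; not from the article. Every host, port and time is made up."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate range for this example
ACME_PORT = 8123                      # stand-in port for the fictional Acme123 protocol

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
_BASE = datetime(2021, 6, 1, 9, 0, 0)
FLOWS = []
# Workstation 10.0.5.23 sweeps the server subnet on the Acme123 port (segment 2).
for i in range(12):
    FLOWS.append((_BASE + timedelta(seconds=i), "10.0.5.23", f"10.0.20.{i + 1}", ACME_PORT))
# Acme123 server 10.0.20.7 calls back to an external host every ~300 s (segment 3).
for i in range(8):
    FLOWS.append((_BASE + timedelta(seconds=300 * i + (i % 3)), "10.0.20.7", "203.0.113.45", 443))
# Ordinary browsing from another workstation at irregular intervals (benign noise).
for offset in (0, 17, 95, 120, 410, 433, 990):
    FLOWS.append((_BASE + timedelta(seconds=offset), "10.0.5.40", "198.51.100.10", 443))


def is_internal(ip):
    """True if the address falls inside the assumed corporate range."""
    return ip_address(ip) in CORP_NET


def find_internal_scanners(flows, min_hosts=10):
    """Return {(src, port): n_hosts} for internal sources that touched at least
    min_hosts distinct internal destinations on the same port (scan fan-out)."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if is_internal(src) and is_internal(dst):
            targets[(src, port)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_hosts}


def find_beacons(flows, min_connections=6, max_cv=0.1):
    """Return {(src, dst): mean_interval_s} for internal->external pairs whose
    connection gaps are nearly constant (coefficient of variation <= max_cv).
    Regular spacing is the classic callback signature; human browsing is bursty."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    print("internal scanners:", find_internal_scanners(FLOWS))
    print("callback candidates:", find_beacons(FLOWS))
```

Both checks are deliberately simple so the players can argue about thresholds: a sweep of 12 hosts on one port is obvious in a lab, but on a real network the facilitator can ask what `min_hosts` would cut through normal management traffic, and whether a callback with deliberate jitter would still fall under `max_cv`.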

Scenario #2: A supply-chain attack is detected

This scenario, from Secureworks’s Drier and Lelewski, outlines an attack reminiscent of the recent high-profile SolarWinds hack.

Segment 1: The sales department of a target organization has acquired a new software leads-tracking tool. It is installed on-premises in a virtual machine provided by the vendor. The acquisition skipped the vendor due-diligence process, and was approved by sales leadership. In the weeks following its deployment, there’s an uptick in users submitting trouble tickets because of locked accounts due to password failures. In addition, some alerts are generated on encoded PowerShell activity on several workstations.

Segment 2: A security analyst on the team notes that several gigabytes of encrypted data were sent to a VPS hosted in Russia. Additional alerts are popping up, noting tools such as Mimikatz and Secretsdump. A file named exfil.zip is found with a recent timestamp, sitting on the same share that the business-critical R&D team uses.

Segment 3: A news story breaks, detailing that the leads-tracking tool was compromised by foreign state actors, and contains a backdoor that uses a domain-generation algorithm to establish command and control over outbound port 443. The story details that the threat actors are after intel from your specific industry vertical, and are not affiliated with ransomware deployments.
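The injects in segments 1 through 3 each correspond to something an analyst can actually test for: encoded PowerShell on workstations, a burst of account lockouts, and a backdoor resolving algorithmically generated domains. As an added example (not from the article and not Secureworks’ material), the Python below runs those three checks over constructed log lines. The log formats, host names, accounts and domains are made up for the example; Windows Event ID 4740 (account locked out) is real, everything else is assumed.

```python
"""Triage checks for the Scenario #2 injects, run over constructed log lines.
Added example; not from the article or from Secureworks. Log formats, host
names, accounts and domains are all made up for illustration."""
import base64
import math
import re
from collections import defaultdict

# --- Constructed sample data (not real telemetry) -------------------------
# A harmless command, encoded the way PowerShell's -EncodedCommand expects
# (UTF-16LE, then base64), so the decoder below has something to decode.
_ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode()
PROCESS_LOG = [
    f"2021-06-02T10:14:02 host=WS-118 user=jdoe cmd=powershell.exe -NoP -W Hidden -EncodedCommand {_ENC}",
    "2021-06-02T10:15:30 host=WS-118 user=jdoe cmd=notepad.exe report.txt",
]
# Windows Event ID 4740 (account locked out): many accounts locked from one
# source in a short window is the pattern behind the "uptick in lockouts" inject.
AUTH_LOG = [
    "2021-06-02T10:20:01 event=4740 account=asmith src=WS-118",
    "2021-06-02T10:20:03 event=4740 account=bjones src=WS-118",
    "2021-06-02T10:20:05 event=4740 account=clee src=WS-118",
    "2021-06-02T10:20:07 event=4740 account=dkim src=WS-118",
    "2021-06-02T11:02:44 event=4740 account=efox src=WS-203",
]
DNS_LOG = [
    "2021-06-02T10:30:11 host=WS-118 query=xk9q2vbz7m4tlp.net",
    "2021-06-02T10:30:12 host=WS-118 query=q7zjw3yb0nlkrx.com",
    "2021-06-02T10:31:00 host=WS-040 query=example.com",
]


def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand payload,
    else None. PowerShell accepts abbreviated switches (-e, -ec, -enc, ...), so
    every '-e...' switch is tried and the first valid UTF-16LE payload wins."""
    for m in re.finditer(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", cmdline, re.I):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def lockout_sources(lines, min_accounts=3):
    """Map source host -> number of distinct accounts it locked out, keeping
    only sources at or above min_accounts (a spraying-style signal)."""
    locked = defaultdict(set)
    for line in lines:
        m = re.search(r"event=4740 account=(\S+) src=(\S+)", line)
        if m:
            locked[m.group(2)].add(m.group(1))
    return {src: len(accts) for src, accts in locked.items() if len(accts) >= min_accounts}


def domain_entropy(domain):
    """Shannon entropy (bits per character) of the registrable label, e.g.
    'example' in 'www.example.com'. Generated labels tend to score high."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dga_queries(lines, threshold=3.5):
    """Return [(host, domain)] for queries whose label entropy exceeds threshold.
    Entropy alone is a coarse first pass; pair it with query volume and NXDOMAIN
    rates before treating a host as compromised."""
    hits = []
    for line in lines:
        m = re.search(r"host=(\S+) query=(\S+)", line)
        if m and domain_entropy(m.group(2)) > threshold:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for line in PROCESS_LOG:
        print("encoded PowerShell:", decode_encoded_powershell(line))
    print("lockout sources:", lockout_sources(AUTH_LOG))
    print("DGA-like queries:", flag_dga_queries(DNS_LOG))
```

Used during the exercise, the point is not the code but the questions it raises for the players: who owns the alert when the encoded command decodes to something harmless, what lockout count from one workstation triggers an investigation rather than a password reset, and which team is watching outbound DNS and port 443 at all.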

Scenario #3: Reckoning with an escalating ransomware attack

This example scenario comes from JupiterOne’s Yu. He outlines a ransomware attack that starts out bad and gets worse.

Segment 1: The company is hit by a standard ransomware event affecting the majority of enterprise systems, with a demand of 1 percent of the company’s annual revenue to be paid within 48 hours. (The scenario should require a decision on this demand within the timeframe allotted for this segment.)

Segment 2: Regardless of the decision in Segment 1, the ransomware attacker escalates with the public release of sensitive stolen content and a threat to release more unless the company pays up (or pays again, as the case may be).

Segment 3: It is discovered that the hacker has leveraged information from the content they stole to attack the company’s customers, resulting in material breaches for those organizations.

Segment 4: A relevant government agency starts an investigation because, as it turns out, the ransomware attacker is under United States Office of Foreign Assets Control sanctions. This entangles the company, already in the midst of a business crisis, deep into an international drama where events spin further out of the company’s control.

Scenario #4: A disgruntled employee starts a data center fire

This scenario is based on a suggestion by Rad Jones, academic specialist at Michigan State University’s School of Criminal Justice and former director of security and fire protection for Ford Motor.

Segment 1: A small fire begins just outside the data center, setting off the alarm system. By the time the fire department arrives, the fire has been extinguished by the sprinkler system, but the building has been evacuated. Employees and people who work in nearby buildings want to know what has happened, as does the media. Then, as people begin to go back inside, the receptionist takes a call from someone who indicates that the fire is “only the beginning” because the company hasn’t treated him right.

Segment 2: An employee discovers a box in the lobby with a handwritten warning that it contains anthrax. Management decides to evacuate the building again. Calls come in from concerned family members, and local TV crews arrive. Meanwhile, the sprinklers in the data center have caused the company’s e-mail and web servers to stop working, which means the company’s e-commerce site is down.

Segment 3: A woman calls the newspaper claiming to be the wife of an employee who’s just been laid off and who has left printouts about anthrax scattered in his home office. The newspaper calls the company with this information. The health department is on scene. The company’s call center (at another location) is swamped with calls from customers who can’t place orders at the website.

Segment 4: The police apprehend a suspect. The health department determines that the box did not contain anthrax and the building is safe. Some employees are afraid to come back to work.

Scenario #5: An explosion at a nearby chemical plant releases deadly toxins

This scenario is based on a suggestion by Mike Paszynsky, director of corporate security at PSE&G, a Fortune 500 public utility based in Newark, N.J.

Segment 1: An explosion occurs at a chemical plant two miles from headquarters. Local news media are reporting that an undetermined number of the chemical company’s employees have been injured or killed, and officials are trying to determine to what extent deadly toxins have been released into the air. No one is sure what caused the blast.

Segment 2: Area hospitals are crowded with people reporting breathing difficulties, and public health officials are encouraging people all over the city to “shelter in place” as a precaution. Headquarters is currently upwind of the explosion. The company needs to decide what to tell its employees to do but isn’t sure whether it has the legal right to tell people not to leave. People are speculating that terrorists caused the explosion.

Segment 3: The company tells employees not to leave the building, but many do anyway, saying that they don’t trust what they’re hearing and that they need to get home and take care of their families. The security guards at the front door also want to know what to tell people on the street who want to take shelter in the company’s lobby. The cafeteria reports that it has already sold out of lunches.

Segment 4: The immediate danger passes, and authorities say the explosion was an accident. Several employees have been hospitalized, and others are upset that the company cafeteria did not have more supplies on hand.

Scenario #6: A pandemic flu hits

This scenario is based on a suggestion by Joe Flach, VP of Eagle Rock Alliance, a business continuity consulting firm in West Orange, N.J.

Segment 1: A pandemic flu starts sickening and killing people in Hong Kong, where the company does not have any operations. The medical community fears that the disease will spread to other continents and says that anyone who has been to Hong Kong in the past three weeks could be a carrier. As a precautionary measure, the company considers asking employees who have traveled to Hong Kong within the past three weeks not to return to work until they see a doctor. The company also considers having security at the front door ask every visitor whether he or she has been to Hong Kong in the past three weeks.

Segment 2: A few people in the region are diagnosed with the disease, and the absentee rate at schools rises. Employees start calling in sick, but it’s not clear whether they are ill or afraid of going out in public. Enough people are absent that the company struggles to keep systems up, take orders, and pay bills.

Segment 3: The disease spreads, and absentee rates shoot up to almost 50 percent. Some employees are sick or caring for sick family members. Employees are asking the company to provide hand sanitizer and masks, even though the medical community says those precautions may not be effective. Critical functions are not getting done. Managers consider shutting offices and asking everyone to work from home until the danger passes. 

Segment 4: The disease has peaked, but many employees are still leery of returning to work.

We hope these scenarios give you some ideas for developing your own with your employees. Enjoy the process, and good luck!