Our Top 2 Cybersecurity Tabletop Exercise Examples for 2024

Is your organization routinely practicing incident response by conducting tabletop exercises? If so, our top cybersecurity tabletop exercise examples can help. If not, there’s no better time to start! With new critical vulnerabilities like ConnectWise ScreenConnect coming to light almost daily, it’s only a matter of time before your organization experiences an incident. So, regardless of size or maturity level, conducting regular incident response tabletop exercises is vital for all organizations to assess and tweak their preparedness and ability to handle emerging cyber threats.

For those not familiar with the term, a tabletop exercise is designed to bring key members of your team (including vendors and other third parties) together to test your cybersecurity incident response plans against current and common threats. Originally, tabletop exercises literally gathered everyone around a tabletop (and if you were lucky there was pizza on the table). In this age of video conferencing, remote work, and multiple locations, tabletops have gone virtual—which is perfect—because your incident response is likely to be at least partially virtual as well (but you’ll have to provide your own pizza). During a tabletop exercise, you will identify gaps, ensure all participants understand their roles and responsibilities, review procedures, and ultimately make process improvements as needed. In a nutshell, the idea is to test your incident response BEFORE you experience an incident. You definitely don’t want to practice or review your plan for the first time during an actual incident.

And great news! Organizations that make incident response tabletop exercises a routine part of their cybersecurity program decrease their risk. IBM’s Cost of a Data Breach Report 2023 found that organizations with robust incident response planning AND testing programs (tabletops!) saved an average of $1.49M in the face of a data breach. (That’s a lot of pizza!)

So, what’s your next step? Pick your favorite cybersecurity tabletop exercise from our list of popular cybersecurity tabletop exercise examples or pick one of our tabletop exercise examples below and get started!

Our Top 2 Picks for Your Cybersecurity Tabletop Exercise Examples in 2024

In 2023, we saw two incident types that stood out for their severity and expansive global reach: software vulnerability exploitations and cloud data breaches. Keep in mind that during typical tabletop exercises, only the facilitators have knowledge of scenario specifics in order to simulate your team’s genuine response to security incidents. The facilitators act as a guide throughout the exercise, leading the discussion as you experience the unexpected. (By the way, LMG has great tabletop exercise facilitators ready to work with you if you would prefer to be surprised along with the rest of your team!)

Tabletop Exercise Example Scenario 1: Software Vulnerability Exploitation

Software exploits took center stage in 2023, and attacks had a ripple effect upon supply chains—often starting as zero-day vulnerabilities and lasting for months (or sometimes years—we still see unpatched Log4J issues!) as known software vulnerabilities. According to the Identity Theft Resource Center’s 2023 Annual Data Breach Report, the number of data compromises increased by 78% compared to 2022. Here’s a cybersecurity tabletop exercise example designed to help you prepare to face this type of incident.

Example Scenario: Software Vulnerability Exploitation

During routine monitoring, your security team identifies suspicious network activity that is traced back to a hosted third-party application. Upon investigation, they found that attackers exploited a zero-day vulnerability and had (or still have) access to sensitive client data stored in the cloud.

Sample Discussion Questions:

• Is this an incident?
• How does it impact the business in the short term?
• What action should your team take immediately to respond?
• Who should be involved?
• Who needs to be notified?
• Do you have cyber insurance? If so, who decides whether to and ultimately files a claim?
• What evidence should be preserved?
• Who is cleared to talk to the media?
• How do you assess the extent of the breach and affected systems?
• Is it necessary to notify the data owners of the breach? Who decides?
• When and how should that notification take place?
• What are the long-term ramifications, and will there be a lasting impact on the business?
• Does this incident require any changes to business or operational practices?

Tabletop Exercise Example Scenario 2: Cloud-based Data Breach

If you’ve followed along with our previous blogs, you are certainly aware that cloud security is key. Researchers from IBM found that a staggering 82% of breaches in 2023 involved data stored in the cloud. If you’re like many organizations, you may use Microsoft 365 or AWS. If you do, check out the details on Microsoft’s email breach last month and our blogs on the top M365 and AWS security issues; you can incorporate some of these threats into the following cybersecurity tabletop exercise example.

Example Scenario: Cloud-based Data Breach

Employees report receiving phishing emails that prompted them to reset their cloud passwords. At least one employee fell for the attack, changed his password, and ultimately allowed potential initial access for the threat actor. Upon investigation, your security team confirms the access and identifies privilege escalation on Domain Administrator accounts, indicating possible lateral movement across your environment.

Additional Sample Discussion Questions:

• What action should your team take immediately to respond/stop the access?
• Can and should you revoke access?
• Should you reset passwords across the domain?
• Is multi-factor authentication in place?
• Can you determine if data has been accessed or exfiltrated?
• Do you need specialists to help investigate?
• Will you report this incident to law enforcement? Who decides?
• What legal and regulatory requirements must you consider in the case of a cloud data breach?

When using these cybersecurity tabletop exercise examples, consider asking the facilitator to include some curve balls to keep the team thinking about their response. For example, what if the incident response team lead is on vacation? Does your response change and do you have backup team members identified and ready to step in?

Using these cybersecurity tabletop exercise examples to proactively test your incident response processes is crucial for increasing your organizational resilience against today’s top cybersecurity threats. By simulating the most prolific scenarios and engaging in constructive discussions led by industry experts, organizations can identify their weaknesses, train internal and external team members, refine response strategies, and ultimately ready themselves to respond to any security incident.

Please contact us if you would like our expert team to facilitate high-impact cybersecurity tabletop exercises at your organization.