Explaining cybersecurity tabletop vs. live-fire exercises

Tabletop games and live-fire exercises are two ways to test the effectiveness of enterprise security controls and defenses. Discover how each works and how they differ.

Testing security controls and tools against a multitude of scenarios is critical to truly understand an organization's state of readiness should an attack occur. Two common methods to do this are cybersecurity tabletop games and live-fire exercises.

Both methods involve conducting realistic tests to help security teams assess how effective their organization's people, processes and technologies are against a variety of cyberattacks. They also enable teams to determine where current strategies or controls don't work as intended so they can fix them before a real attack occurs.

Let's delve into cybersecurity tabletop games vs. live-fire exercises, including who uses them, what they involve and when organizations should use one or the other.

What are cybersecurity tabletop games?

Cybersecurity tabletop games present realistic scenarios to incident response teams but don't necessarily involve performing simulated attacks on the network. Tabletop exercises, which can be discussion-based or operational, are led by a moderator experienced in how the cyberattack scenarios work. The moderator can be an internal staff member or a third party.

Tabletop scenarios are often aimed at senior-level employees, such as CEOs, CFOs, heads of legal and heads of HR, as well as the security team members who work to prevent, investigate and mitigate attacks. Attendees are ideally the group that would assemble if the attack were real.

During an exercise, a scenario plays out, usually with new information about the attack revealed at various intervals to evaluate how the team reacts in real time. Although they might include some technical discussions, tabletop exercises usually cover higher-level issues, such as the following:

Organizations should conduct cybersecurity tabletop exercises regularly, quarterly if possible.

What are cybersecurity live-fire exercises?

Cybersecurity live-fire exercises, sometimes referred to as red team exercises, simulate attacks on the network, and security teams must respond in real time to identify and stop or mitigate the event. The attacks employ the same tactics, techniques and procedures (TTPs) that threat actors use, but they are conducted safely to minimize the risk of actual business disruption.

Most live-fire exercises involve red versus blue team simulations, with the former attempting to infiltrate and attack the organization and the latter trying to stop them. This is sometimes done in open collaboration between the two teams, which is referred to as a purple team exercise.

Live-fire exercises enable organizations and security teams to test their technical response in real time and expose vulnerabilities and defensive weak points, as well as assess the blue team's ability to detect and respond to attacks effectively.

As with tabletop games, teams should conduct live-fire exercises regularly, quarterly if possible.

Cybersecurity tabletop vs. live-fire exercises: Which should organizations conduct?

This isn't an either-or situation -- tabletop and live-fire exercises are both useful and considered complementary. It is often effective to run a live-fire exercise and analyze the results, and then use those results to create a tabletop exercise scenario with senior leadership.
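The "analyze the results" step above, and the assessment of the blue team's detection ability described earlier, is easier when the outcome of a live-fire exercise is reduced to a few numbers. The script below is an added example, not code from the article or its author: it correlates a constructed red-team action log with a constructed blue-team alert log (the step labels, timestamps and the four-hour detection window are all assumptions made for the example) and reports detection rate, time-to-detect for each step and the list of steps nobody noticed. Those missed steps are exactly the material a moderator can turn into the senior-leadership tabletop scenario the text recommends.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not from the article). During a purple-team run the
# red team records each action it performs; the SOC records each alert it
# raises. Both carry an agreed step label so they can be correlated afterwards.
RED_TEAM_ACTIONS = [
    {"step": "phishing-email",   "time": "2024-05-06T09:00:00"},
    {"step": "credential-use",   "time": "2024-05-06T09:40:00"},
    {"step": "lateral-movement", "time": "2024-05-06T10:15:00"},
    {"step": "data-staging",     "time": "2024-05-06T11:30:00"},
]

BLUE_TEAM_ALERTS = [
    {"step": "phishing-email",   "time": "2024-05-06T09:12:00"},
    {"step": "lateral-movement", "time": "2024-05-06T10:20:00"},
    {"step": "lateral-movement", "time": "2024-05-06T10:50:00"},  # second alert for the same step; only the first counts
    {"step": "data-staging",     "time": "2024-05-06T09:05:00"},  # raised before the action happened: a false positive, not a detection
]

# Assumed scoring rule: an alert counts only if it arrives within this window
# after the action. Pick the window that matches the exercise's objectives.
DETECTION_WINDOW = timedelta(hours=4)


def _ts(value):
    """Parse the ISO 8601 timestamps used in the logs."""
    return datetime.fromisoformat(value)


def score_exercise(actions, alerts, window=DETECTION_WINDOW):
    """Correlate red-team actions with blue-team alerts.

    Returns (per_step_results, summary). An action is "detected" only if an
    alert with the same step label was raised at or after the action time and
    no later than `window` afterwards; the earliest such alert fixes the
    time-to-detect (TTD). Alerts that precede the action are ignored, so
    coincidental or false-positive alerts do not inflate the score.
    """
    results = []
    for action in actions:
        t0 = _ts(action["time"])
        matching = [
            _ts(alert["time"])
            for alert in alerts
            if alert["step"] == action["step"] and t0 <= _ts(alert["time"]) <= t0 + window
        ]
        ttd = (min(matching) - t0) if matching else None
        results.append({
            "step": action["step"],
            "detected": ttd is not None,
            # `ttd is not None` rather than `if ttd`: a zero timedelta is falsy
            "ttd_minutes": ttd.total_seconds() / 60 if ttd is not None else None,
        })

    detected = [r for r in results if r["detected"]]
    summary = {
        "steps": len(results),
        "detected": len(detected),
        "detection_rate": len(detected) / len(results) if results else 0.0,
        "median_ttd_minutes": median(r["ttd_minutes"] for r in detected) if detected else None,
        "missed": [r["step"] for r in results if not r["detected"]],
    }
    return results, summary


def format_report(results, summary):
    """Render a short after-action report suitable for the exercise debrief."""
    lines = [f"{'step':<18}{'detected':<10}{'TTD (min)':>10}"]
    for r in results:
        ttd = f"{r['ttd_minutes']:.0f}" if r["detected"] else "-"
        lines.append(f"{r['step']:<18}{str(r['detected']):<10}{ttd:>10}")
    lines.append("")
    lines.append(f"detection rate: {summary['detected']}/{summary['steps']} "
                 f"({summary['detection_rate']:.0%})")
    if summary["median_ttd_minutes"] is not None:
        lines.append(f"median time-to-detect: {summary['median_ttd_minutes']:.1f} min")
    lines.append("missed steps (tabletop candidates): " + ", ".join(summary["missed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    per_step, totals = score_exercise(RED_TEAM_ACTIONS, BLUE_TEAM_ALERTS)
    print(format_report(per_step, totals))
```

With the constructed logs, two of the four steps are detected (phishing after 12 minutes, lateral movement after 5), the credential use is missed outright, and the data-staging alert is discarded because it fired before the action, leaving "credential-use" and "data-staging" as the gaps to walk leadership through.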

By conducting both cybersecurity exercises, organizations can improve their collaboration and communication efforts, understand team members' experience levels and capabilities, and assess where to make improvements to strengthen the organization's security posture.

Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.
