With cyberthreats constantly evolving, it’s essential that organisations continuously review and enhance their cyber defence efforts. Two key methods help to identify vulnerabilities and strengthen cyber resilience.
October 2024, text: Andreas Heer, 4 min.
‘This coffee machine is due to be removed soon. Find out here how you can prevent this.’ Posters with this message appeared next to coffee machines in some Swisscom buildings, including a QR code with a link.
When you’re grappling with the question of how well a company is protected – its cybersecurity posture – a cup of coffee or two may be useful. The answer lies in preventive measures that improve the effectiveness of cyber defence efforts. This article looks at two approaches that complement each other and help to strengthen cyber resilience.
A tabletop exercise, or TTX for short, is a theoretical walkthrough based on the scenario of a real-life cyber incident. This approach helps to improve collaboration between different business units and to test contingency plans and incident response playbooks.
Red teaming is where things get practical. The role of the Red Team is to attack the organisation’s infrastructure using the tactics, techniques and procedures (TTPs) of real attackers. The aim is to test how effectively the Blue Team responds to the incident.
In the event of a cyberattack, collaboration between different business areas is crucial for effective response. Legal, Corporate Communications, management, any affected departments and, of course, the IT and Incident Response teams must work together on this.
The aim of a tabletop exercise (TTX) is to review and improve this collaboration. Contingency plans and incident response (IR) playbooks serve as the basis. ‘The structured approach helps to uncover vulnerabilities in the process and define improvements,’ says Manojlo Mitrović, Cyber Security Analyst (CSIRT) at Swisscom. Sometimes the problem is small, such as an incorrect phone number for the Incident Response team (CSIRT) in the respective contingency plan.
For a tabletop exercise, the participants gather to role-play a predefined scenario under the guidance of a security expert who moderates the exercise. The scenario is based on real-life events, such as cybercriminals exploiting a software vulnerability and then moving around the corporate network.
‘Exercises like these promote interdisciplinary collaboration and understanding between different departments,’ says Mitrović. ‘For example, if an affected system needs to be isolated, the individual departments can show the impact from their point of view.’
For this to work, careful preparation is required to ensure the scenario is as realistic as possible. If it is too simple, gaps in contingency plans and IR playbooks may not be revealed. Participants must also prepare themselves thoroughly and, for example, have contingency plans at hand. The choice of participants is just as important: the same people who will make the decisions in the event of a genuine cyber incident should be involved. This requires a certain level of commitment and a willingness to take the time for the tabletop exercise. Interruptions and intermittent absences make it difficult to achieve the set goal.
While tabletop exercises examine processes and collaboration on a theoretical level, red teaming involves a practical approach. Here, cybersecurity experts simulate an attack on a company’s infrastructure using the same methods deployed by cybercriminals and state-supported actors (APTs). ‘That might include anything,’ says Thomas Röthlisberger, Head of Swisscom’s internal Red Team. ‘Social engineering, phishing, privilege escalation, lateral movement. But always keeping in mind the overarching business objective defined in advance.’ These methods also include the coffee machine posters mentioned at the beginning. Employees who scanned the QR code were redirected to a login page. This was set up by the Red Team to obtain login details that would allow them to break into the company network.
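The QR-code lure above illustrates why security teams want a quick, repeatable way to judge where a scanned code actually sends an employee. The following Python snippet is an added example, not code from Swisscom or from the article, that shows one defender-side check: given the URL decoded from a QR code, it reports whether the destination is an approved sign-in host and, if not, which credential-harvesting indicators it shows (brand name on a foreign host, a typo-squatted domain, a raw IP address, plain HTTP, or a login-style path). The approved hosts, brand tokens and sample URLs are constructed for illustration, and the "second-level label" helper assumes a single-label TLD.

```python
"""Heuristic triage for URLs decoded from QR codes (added example, constructed data)."""
import ipaddress
from urllib.parse import urlparse

# Constructed allow-list of hosts where employees are expected to sign in.
APPROVED_LOGIN_HOSTS = {"login.example-corp.com", "sso.example-corp.com"}
# Constructed brand tokens that a lure would typically reuse in its hostname.
BRAND_TOKENS = ("example-corp", "examplecorp")
# Words that commonly appear in the path or query of a credential-harvesting page.
CREDENTIAL_WORDS = ("login", "signin", "sign-in", "sso", "password", "verify", "account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot typo-squatted labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(host: str) -> str:
    """Label directly left of the TLD (simplification: assumes a one-label TLD)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_qr_url(url: str) -> dict:
    """Return a verdict ('approved', 'suspicious' or 'unknown') plus the reasons."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if host in APPROVED_LOGIN_HOSTS and parsed.scheme == "https":
        return {"host": host, "verdict": "approved", "reasons": []}

    reasons = []
    if parsed.scheme != "https":
        reasons.append("plain http, not https")
    if not host:
        reasons.append("no hostname")
        return {"host": host, "verdict": "suspicious", "reasons": reasons}

    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
    elif any(token in host for token in BRAND_TOKENS):
        # Our brand appears in a host we do not operate: classic lure pattern.
        reasons.append("brand name on an unapproved host")
    else:
        # Compare the registrable label against each approved domain.
        label = second_level_label(host)
        for approved in sorted(APPROVED_LOGIN_HOSTS):
            if 0 < levenshtein(label, second_level_label(approved)) <= 2:
                reasons.append(f"look-alike of approved domain {approved}")
                break

    path_query = f"{parsed.path}?{parsed.query}".lower()
    if any(word in path_query for word in CREDENTIAL_WORDS):
        reasons.append("credential-related word in path or query")

    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample destinations: one genuine SSO page and two lure-style URLs.
    for sample in (
        "https://sso.example-corp.com/adfs/ls",
        "http://example-corp-coffee.com/login",
        "https://exarnple-corp.com/sso?next=/",
    ):
        print(sample, "->", assess_qr_url(sample))
```

An "unknown" verdict means the destination is neither an approved sign-in host nor showing lure indicators, which is the normal case for a QR code that points at, say, a public information page; only "suspicious" results need a human look. The thresholds and word lists are starting points to tune against an organisation's own domains.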
The aim of a Red Team operation might be to exploit security loopholes and configuration flaws to gain access to confidential data that real attackers would encrypt or exfiltrate using ransomware. ‘With red teaming, we want to discover vulnerabilities in our own infrastructure before real attackers do,’ says Röthlisberger.
At the same time, the simulated attacks serve to train the Blue Team with realistic scenarios, i.e. the defenders in the Security Operation Centre (SOC) and the Computer Security Incident Response Team (CSIRT), as well as all operating teams that might be affected by a cyberattack. ‘We also see red teaming as an exciting training experience,’ adds Röthlisberger.
The members of the Red and Blue Teams are colleagues who work together on a daily basis. A facilitator or referee is needed so that these experts can interact honestly and on an equal footing in a simulated attack. This is the White Team, which serves as a point of contact for both sides. It can also give the Blue Team clues without the other team knowing about it.
Due to the realistic nature of this approach, and thus its risks, clear rules are necessary. It’s important that ongoing business is not impacted. A code of conduct can be used to set out guidelines such as ‘do not cause systems to crash’ and ‘do not access customer data’. This ensures that the Red Team operates within legal and compliance boundaries. Or, as Röthlisberger puts it: ‘It’s hacking on eggshells with the handbrake on.’
It’s essential to allow sufficient time for preparation and follow-up (lessons learned) for both tabletop exercises and red teaming. This also includes documenting the entire simulation, setting measurable targets and sharing the findings from red teaming exercises with affected teams. These can be used to subsequently derive necessary steps and measures designed to strengthen cyber defence. ‘Of course, it helps when the management team is directly involved,’ says Mitrović. ‘This promotes an understanding of the measures and their costs.’
Conducted in a structured manner and with sufficient resources, tabletop exercises and red teaming are effective tools for strengthening cyber resilience and minimising the risk of cyberattacks. Both methods can also be regarded as recurring measures that help to foster continuous learning and improvement.