WEBVTT

1
00:00:00.000 --> 00:00:01.290
<v Instructor>In this lesson,</v>

2
00:00:01.290 --> 00:00:04.470
we will learn about preparedness exercises.

3
00:00:04.470 --> 00:00:08.880
Preparedness exercises are activities designed to evaluate

4
00:00:08.880 --> 00:00:11.910
and improve an organization's readiness

5
00:00:11.910 --> 00:00:14.160
to handle security incidents.

6
00:00:14.160 --> 00:00:19.160
Preparedness exercise types include tabletop, walkthrough,

7
00:00:19.590 --> 00:00:22.860
parallel, and simulation exercises.

8
00:00:22.860 --> 00:00:26.850
Tabletop exercises are a discussion-based activity.

9
00:00:26.850 --> 00:00:30.660
Next, in a walkthrough exercise, team members review

10
00:00:30.660 --> 00:00:34.440
and practice specific procedures for incident response.

11
00:00:34.440 --> 00:00:38.010
Then parallel exercises simulate incidents

12
00:00:38.010 --> 00:00:40.260
alongside normal operations

13
00:00:40.260 --> 00:00:42.630
to assess how the response integrates

14
00:00:42.630 --> 00:00:44.490
with day-to-day activities.

15
00:00:44.490 --> 00:00:49.230
Finally, simulations replicate real-world attack scenarios

16
00:00:49.230 --> 00:00:53.370
requiring teams to respond as if the threat were real.

17
00:00:53.370 --> 00:00:56.160
Simulations and subsequent responses

18
00:00:56.160 --> 00:00:58.950
may occur on the production network.

19
00:00:58.950 --> 00:01:03.480
Let's learn more about tabletop, walkthrough, parallel,

20
00:01:03.480 --> 00:01:05.760
and simulation exercises.

21
00:01:05.760 --> 00:01:09.060
First, we have a tabletop exercise.

22
00:01:09.060 --> 00:01:12.720
Tabletop exercises are discussion-based preparedness

23
00:01:12.720 --> 00:01:14.730
activities where team members

24
00:01:14.730 --> 00:01:18.240
go over a potential incident scenario together.

25
00:01:18.240 --> 00:01:22.950
In a tabletop, participants may literally sit around a table

26
00:01:22.950 --> 00:01:24.600
and talk through their roles

27
00:01:24.600 --> 00:01:29.100
and plan responses without physically executing any actions.

28
00:01:29.100 --> 00:01:31.860
The goal is to improve understanding

29
00:01:31.860 --> 00:01:34.380
and coordination across the team.

30
00:01:34.380 --> 00:01:37.080
Because it's a low-stakes exercise,

31
00:01:37.080 --> 00:01:38.760
there is no interaction

32
00:01:38.760 --> 00:01:41.220
with the actual production environment.

33
00:01:41.220 --> 00:01:43.380
This allows the team to consider

34
00:01:43.380 --> 00:01:45.660
each step of their response plan

35
00:01:45.660 --> 00:01:47.430
in a stress-free environment

36
00:01:47.430 --> 00:01:49.710
and refer to the written guidance

37
00:01:49.710 --> 00:01:52.380
to make sure they understand their role

38
00:01:52.380 --> 00:01:55.500
in the security or disaster scenario.

39
00:01:55.500 --> 00:01:58.020
You can think of a tabletop exercise

40
00:01:58.020 --> 00:01:59.820
like a fire drill assembly

41
00:01:59.820 --> 00:02:04.050
where everyone gathers to talk about their designated exits

42
00:02:04.050 --> 00:02:08.340
and safety protocols without actually exiting the building.

43
00:02:08.340 --> 00:02:12.690
This tabletop process is important for ironing out details,

44
00:02:12.690 --> 00:02:16.590
clarifying roles, and identifying potential gaps

45
00:02:16.590 --> 00:02:19.020
without triggering any real alarms

46
00:02:19.020 --> 00:02:21.150
or disruptions to operation.

47
00:02:21.150 --> 00:02:22.740
In cybersecurity,

48
00:02:22.740 --> 00:02:26.280
a tabletop might cover a hypothetical scenario

49
00:02:26.280 --> 00:02:27.600
like a data breach

50
00:02:27.600 --> 00:02:30.930
where team members outline steps they would take

51
00:02:30.930 --> 00:02:33.480
to contain and remediate the issue.

52
00:02:33.480 --> 00:02:36.780
Second, we have a walkthrough exercise.

53
00:02:36.780 --> 00:02:40.590
Walkthrough exercises are step-by-step reviews

54
00:02:40.590 --> 00:02:44.910
of response procedures where team members actively practice

55
00:02:44.910 --> 00:02:47.520
parts of the incident response plan.

56
00:02:47.520 --> 00:02:52.380
Unlike tabletop exercises, walkthroughs are more hands-on

57
00:02:52.380 --> 00:02:55.830
and typically involve rehearsing specific steps

58
00:02:55.830 --> 00:02:58.860
such as verifying communication channels

59
00:02:58.860 --> 00:03:01.080
and system access points.

60
00:03:01.080 --> 00:03:04.830
However, walkthrough exercises, like tabletops,

61
00:03:04.830 --> 00:03:07.740
do not interact with the production environment,

62
00:03:07.740 --> 00:03:11.850
keeping the exercise safe from interrupting operations.

63
00:03:11.850 --> 00:03:15.450
Walkthroughs are especially useful for training new staff

64
00:03:15.450 --> 00:03:17.970
or refreshing knowledge within the team.

65
00:03:17.970 --> 00:03:19.560
You can think of a walkthrough

66
00:03:19.560 --> 00:03:22.500
like a practice run of an evacuation drill

67
00:03:22.500 --> 00:03:26.490
where each participant checks their routes, emergency exits,

68
00:03:26.490 --> 00:03:29.370
and assembly points without leaving the building.

69
00:03:29.370 --> 00:03:31.680
In the context of cybersecurity,

70
00:03:31.680 --> 00:03:35.610
a walkthrough might involve rehearsing specific procedures

71
00:03:35.610 --> 00:03:38.700
like initiating system shutdown protocols,

72
00:03:38.700 --> 00:03:40.500
testing backup systems,

73
00:03:40.500 --> 00:03:43.140
or validating alert escalation routes

74
00:03:43.140 --> 00:03:46.050
to ensure everyone knows how to proceed.

75
00:03:46.050 --> 00:03:49.260
Third, we have a parallel exercise.

76
00:03:49.260 --> 00:03:52.080
Parallel exercises simulate an incident

77
00:03:52.080 --> 00:03:53.940
in a staging environment

78
00:03:53.940 --> 00:03:56.130
that mirrors the production network.

79
00:03:56.130 --> 00:03:57.720
In these exercises,

80
00:03:57.720 --> 00:04:01.200
actions are taken to assess the response team's ability

81
00:04:01.200 --> 00:04:02.670
to manage an incident.

82
00:04:02.670 --> 00:04:04.470
But all of the activities

83
00:04:04.470 --> 00:04:07.530
happen outside the main production environment,

84
00:04:07.530 --> 00:04:11.220
preserving normal operations while allowing the team

85
00:04:11.220 --> 00:04:14.100
to be hands-on in the staging environment.

86
00:04:14.100 --> 00:04:18.150
In this way, parallel exercises allow teams to interact

87
00:04:18.150 --> 00:04:21.810
with a realistic production-like environment

88
00:04:21.810 --> 00:04:25.290
without impacting actual business activities.

89
00:04:25.290 --> 00:04:28.200
An example would be setting up a secondary

90
00:04:28.200 --> 00:04:31.710
and parallel environment where the team responds

91
00:04:31.710 --> 00:04:34.050
to a simulated malware outbreak.

92
00:04:34.050 --> 00:04:37.290
While the real systems continue running unaffected,

93
00:04:37.290 --> 00:04:40.590
the incident response team can test their detection,

94
00:04:40.590 --> 00:04:43.200
containment, and remediation processes

95
00:04:43.200 --> 00:04:45.210
in the parallel environment.

96
00:04:45.210 --> 00:04:48.780
You could think of a parallel exercise like a performer

97
00:04:48.780 --> 00:04:50.880
having a backup rehearsal space

98
00:04:50.880 --> 00:04:53.310
that's identical to the main stage,

99
00:04:53.310 --> 00:04:55.230
allowing the team to practice

100
00:04:55.230 --> 00:04:57.300
as if they're in a live scenario

101
00:04:57.300 --> 00:05:01.560
without the risk of performance disruptions and anxiety.

102
00:05:01.560 --> 00:05:05.580
Fourth and last, we have a simulation exercise.

103
00:05:05.580 --> 00:05:10.580
Simulation exercises are high-intensity, realistic scenarios

104
00:05:10.590 --> 00:05:14.730
that occur in a live, monitored production environment.

105
00:05:14.730 --> 00:05:17.730
These exercises require the response team

106
00:05:17.730 --> 00:05:20.520
to act as if the incident is real,

107
00:05:20.520 --> 00:05:22.530
allowing them to test their skills

108
00:05:22.530 --> 00:05:26.310
and the organization's plans under genuine conditions

109
00:05:26.310 --> 00:05:28.260
on the production network.

110
00:05:28.260 --> 00:05:30.810
Since simulations involve interacting

111
00:05:30.810 --> 00:05:32.760
with the production environment,

112
00:05:32.760 --> 00:05:36.030
careful monitoring and safeguards are necessary

113
00:05:36.030 --> 00:05:37.860
to ensure that the simulation

114
00:05:37.860 --> 00:05:41.160
does not negatively impact operations.

115
00:05:41.160 --> 00:05:43.410
In a typical simulation,

116
00:05:43.410 --> 00:05:47.970
organizations might use a red team and blue team construct

117
00:05:47.970 --> 00:05:50.730
where the red team acts as the attackers

118
00:05:50.730 --> 00:05:52.440
launching simulated threats

119
00:05:52.440 --> 00:05:54.840
such as ransomware or phishing attacks

120
00:05:54.840 --> 00:05:56.880
on the production systems,

121
00:05:56.880 --> 00:06:00.750
and the blue team representing the defenders

122
00:06:00.750 --> 00:06:02.730
must identify, contain,

123
00:06:02.730 --> 00:06:06.060
and neutralize these threats in real time.

124
00:06:06.060 --> 00:06:10.200
This dynamic setup adds depth to the exercise

125
00:06:10.200 --> 00:06:13.470
as the red team's goal is to breach defenses,

126
00:06:13.470 --> 00:06:15.900
while the blue team's goal is to protect

127
00:06:15.900 --> 00:06:17.970
and secure the environment.

128
00:06:17.970 --> 00:06:19.230
Think of this experience

129
00:06:19.230 --> 00:06:22.560
like a full-scale emergency response drill,

130
00:06:22.560 --> 00:06:24.960
such as a mock fire scenario

131
00:06:24.960 --> 00:06:28.650
where alarms are sounded and the building is evacuated,

132
00:06:28.650 --> 00:06:31.200
but with the added challenge of a fire

133
00:06:31.200 --> 00:06:33.600
that moves unpredictably.

134
00:06:33.600 --> 00:06:36.390
This kind of interactive simulation

135
00:06:36.390 --> 00:06:38.550
provides the closest experience

136
00:06:38.550 --> 00:06:40.530
to handling an actual incident,

137
00:06:40.530 --> 00:06:44.700
offering a real-world test of readiness, resilience,

138
00:06:44.700 --> 00:06:46.710
and response effectiveness.

139
00:06:46.710 --> 00:06:48.990
Overall, and considering each type

140
00:06:48.990 --> 00:06:52.320
of preparedness exercise as a guideline,

141
00:06:52.320 --> 00:06:53.850
you should conduct a walkthrough

142
00:06:53.850 --> 00:06:56.100
at least quarterly for your plans

143
00:06:56.100 --> 00:06:58.410
and a tabletop at least twice a year.

144
00:06:58.410 --> 00:07:01.470
For simulations, I recommend doing them annually,

145
00:07:01.470 --> 00:07:03.780
but if that's too cost prohibitive,

146
00:07:03.780 --> 00:07:06.150
consider rotating between a simulation

147
00:07:06.150 --> 00:07:08.670
and a parallel test each year.

148
00:07:08.670 --> 00:07:13.670
So remember, preparedness exercises come in four main types:

149
00:07:14.490 --> 00:07:19.490
tabletop, walkthrough, parallel, and simulation exercises.

150
00:07:20.100 --> 00:07:23.820
Tabletop exercises are discussion-based sessions

151
00:07:23.820 --> 00:07:26.430
where team members talk through their roles

152
00:07:26.430 --> 00:07:28.290
in a hypothetical incident,

153
00:07:28.290 --> 00:07:31.695
building an understanding without directly interacting

154
00:07:31.695 --> 00:07:33.330
with any systems.

155
00:07:33.330 --> 00:07:36.270
Walkthrough exercises are more hands-on,

156
00:07:36.270 --> 00:07:40.080
allowing team members to practice specific response steps

157
00:07:40.080 --> 00:07:44.520
in a controlled setting without impacting live operations.

158
00:07:44.520 --> 00:07:47.970
Next, parallel exercises take it further

159
00:07:47.970 --> 00:07:51.870
by running simulated incidents in a staging environment

160
00:07:51.870 --> 00:07:53.970
that mirrors the production setup,

161
00:07:53.970 --> 00:07:56.220
enabling realistic practice

162
00:07:56.220 --> 00:07:58.980
while normal operations continue.

163
00:07:58.980 --> 00:08:01.530
Finally, simulation exercises

164
00:08:01.530 --> 00:08:04.350
occur on the actual production environment,

165
00:08:04.350 --> 00:08:08.970
testing the response team's skills in real-time scenarios.

166
00:08:08.970 --> 00:08:12.840
Together, these exercises help strengthen readiness,

167
00:08:12.840 --> 00:08:15.030
coordination, and resilience

168
00:08:15.030 --> 00:08:18.003
against potential security incidents.

