Performing SOC Tabletop Exercise

When to Use

Use this skill when:

• Annual or semi-annual incident response testing is required (NIST, ISO 27001, PCI DSS compliance)
• New SOC analysts need exposure to major incident scenarios in a controlled environment
• Updated playbooks need validation before next real incident
• Cross-functional coordination (SOC, IT, Legal, PR, Executive) needs rehearsal
• Post-incident reviews reveal gaps requiring scenario-based training

Do not use as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities.

Prerequisites

• Exercise facilitator with incident response experience
• Participant list: SOC analysts (Tier 1-3), SOC manager, IT operations, Legal, HR, Communications
• Conference room or video call with screen sharing capability
• Printed or digital scenario injects with timed release schedule
• Evaluation scorecard for assessing participant responses
• Existing incident response plan and playbooks for reference during exercise

Workflow

Step 1: Design Exercise Scenario

Create a realistic multi-phase scenario with escalating complexity:

tabletop_exercise:
  title: "Operation Dark Harvest — Ransomware Attack Scenario"
  exercise_id: TTX-2024-Q1
  date: 2024-03-22
  duration: 3 hours (09:00-12:00)
  classification: TLP:AMBER (internal use only)

  objectives:
    1: "Test SOC team's ability to detect and triage ransomware indicators"
    2: "Validate escalation procedures from Tier 1 to incident commander"
    3: "Assess cross-functional communication with Legal, PR, and Executive leadership"
    4: "Evaluate containment decision-making under time pressure"
    5: "Test backup recovery procedures and business continuity activation"

  participants:
    - role: SOC Tier 1 Analyst (2 participants)
    - role: SOC Tier 2 Analyst (2 participants)
    - role: SOC Manager / Incident Commander
    - role: IT Operations Lead
    - role: CISO (or delegate)
    - role: Legal Counsel
    - role: Communications / PR
    - role: Business Unit Leader (Finance)

  scenario_background: >
    Your organization is a mid-size financial services company with 2,500 employees.
    The SOC operates 24/7 with 6 analysts per shift using Splunk ES and CrowdStrike Falcon.
    It is Friday afternoon at 3:45 PM. The weekend IT skeleton crew starts at 5 PM.

Step 2: Create Timed Injects

Design scenario injects released at scheduled intervals:

injects:

  inject_1:
    time: "T+0 (3:45 PM)"
    title: "Initial Alert"
    content: >
      Splunk ES generates a notable event: "Shadow Copy Deletion Detected"
      on FILESERVER-03 (10.0.10.50, Finance Department file server).
      The alert shows: vssadmin.exe delete shadows /all /quiet
      Source user: svc_backup (service account)
      This is the first alert from this host today.
    questions:
      - "What is your initial assessment of this alert?"
      - "What additional data would you query in Splunk?"
      - "Is this a Tier 1 triage item or immediate escalation?"

  inject_2:
    time: "T+10 minutes"
    title: "Escalating Indicators"
    content: >
      While investigating the first alert, two more alerts fire:
      1. "Mass File Modification Detected" — 2,847 files renamed with .locked extension
         on FILESERVER-03 within 5 minutes
      2. "Suspicious PowerShell Encoded Command" on WORKSTATION-118 (10.0.5.118)
         — same svc_backup account used
      CrowdStrike shows process tree: explorer.exe > cmd.exe > powershell.exe -enc [base64]
    questions:
      - "What is your updated assessment? What incident severity would you assign?"
      - "What immediate containment actions would you take?"
      - "Who needs to be notified at this point?"
      - "How do you determine if this is confined to these two hosts?"

  inject_3:
    time: "T+25 minutes"
    title: "Scope Expansion"
    content: >
      Enterprise-wide Splunk search reveals:
      - 7 additional hosts showing .locked file extensions
      - All affected hosts are in the Finance VLAN (10.0.10.0/24)
      - svc_backup account was used to RDP to all affected hosts starting at 3:30 PM
      - A ransom note "README_UNLOCK.txt" found on all affected hosts
      - Ransom note demands 50 BTC, includes Tor payment portal link
      - IT reports the svc_backup password was changed 2 days ago (not by IT team)
    questions:
      - "This is now a confirmed ransomware incident. What is your incident classification?"
      - "Walk through your containment strategy — what do you isolate and in what order?"
      - "Should you shut down the Finance VLAN entirely? What are the trade-offs?"
      - "When and how do you notify executive leadership?"

  inject_4:
    time: "T+45 minutes"
    title: "Business Impact and External Pressure"
    content: >
      The CFO calls the SOC Manager directly:
      "We are closing the quarter-end books this weekend. Finance absolutely needs
      access to FILESERVER-03 by Monday morning or we miss SEC filing deadlines."
      Additionally:
      - Legal asks if customer PII was on any affected servers
      - PR reports a journalist called asking about "cybersecurity issues at [company]"
      - The ransom note deadline is 48 hours
      - IT reports last verified backup of FILESERVER-03 is from Wednesday (3 days old)
    questions:
      - "How do you balance containment security with business pressure from the CFO?"
      - "What is your recommendation on ransom payment? Who makes this decision?"
      - "What information does Legal need to assess breach notification obligations?"
      - "How do you handle the media inquiry?"
      - "Can you recover from the 3-day-old backup? What data is lost?"

  inject_5:
    time: "T+70 minutes"
    title: "Forensic Discovery"
    content: >
      Tier 3 forensic analysis reveals:
      - Initial access was via compromised VPN credentials (svc_backup)
      - Credentials were found in a dark web dump from a third-party vendor breach
      - Attacker had access for 5 days before deploying ransomware
      - Evidence of data exfiltration: 15GB uploaded to Mega.nz over 3 days
      - Exfiltrated data includes customer PII (SSN, account numbers) for 12,000 clients
      - The ransomware variant is identified as LockBit 3.0
    questions:
      - "How does confirmed data exfiltration change your response?"
      - "What are the regulatory notification requirements? (SEC, state breach laws)"
      - "What is the timeline for customer notification?"
      - "Should you engage external IR firm? Law enforcement?"
      - "How do you handle the vendor who was the source of the credential compromise?"

  inject_6:
    time: "T+90 minutes"
    title: "Recovery Decision Point"
    content: >
      You are now 6 hours into the incident. Status:
      - All 9 affected hosts isolated
      - Finance VLAN segmented from corporate network
      - LockBit C2 domain blocked at firewall and DNS
      - No decryptor available for LockBit 3.0
      - Wednesday backup verified clean but 3 days of data missing
      - CEO asks for a full situation briefing in 30 minutes
    questions:
      - "Prepare a 5-minute executive briefing. What do you include?"
      - "What is your recovery plan and estimated timeline?"
      - "What monitoring will you put in place during and after recovery?"
      - "What immediate security improvements would you recommend?"

Step 3: Facilitate the Exercise

Facilitator Guide:

EXERCISE FACILITATION PROTOCOL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. OPENING (10 min)
   - State exercise objectives and ground rules
   - Emphasize: "No wrong answers — this is about testing process, not individuals"
   - Remind participants this is a simulation — no actual systems are affected
   - Identify the exercise observer/scribe

2. INJECT DELIVERY (110 min)
   - Present each inject on screen, allow 2 min reading time
   - Ask guided questions to each role group
   - Allow discussion but keep on timeline
   - Inject additional pressure/complications as needed
   - Record decisions, rationale, and gaps identified

3. DISCUSSION RULES
   - Participants respond in-character (their actual role)
   - Reference actual playbooks and procedures when available
   - If participants are unsure, that IS the finding
   - Facilitator may add "hot injects" if discussion stalls

4. CLOSING (40 min)
   - Hot wash: Each participant shares one thing that went well, one gap
   - Facilitator summarizes key findings
   - Identify top 5 action items with owners and due dates

Step 4: Evaluate Participant Responses

Score responses against expected outcomes:

evaluation_criteria:

  detection_and_triage:
    expected: "Immediately recognize shadow copy deletion as ransomware precursor"
    scoring:
      excellent: "Correctly identified within 2 minutes, initiated proper escalation"
      adequate: "Identified after discussion, correct escalation path"
      needs_improvement: "Did not recognize significance, delayed escalation"

  containment_decision:
    expected: "Isolate affected hosts via EDR, segment Finance VLAN, preserve evidence"
    scoring:
      excellent: "Immediate isolation, correct priority order, evidence preservation"
      adequate: "Isolation performed but delayed or incomplete prioritization"
      needs_improvement: "Considered powering off hosts (destroys evidence) or delayed isolation"

  communication:
    expected: "Timely notification chain: SOC Manager -> CISO -> Legal -> Executive"
    scoring:
      excellent: "Proper notification within defined SLAs, clear and concise briefings"
      adequate: "Notifications made but slightly delayed or incomplete"
      needs_improvement: "Key stakeholders not notified, unclear communication"

  business_continuity:
    expected: "Balance security containment with business recovery needs"
    scoring:
      excellent: "Realistic recovery timeline communicated, alternative workarounds proposed"
      adequate: "Recovery discussed but timeline unclear"
      needs_improvement: "Overcommitted on timeline or ignored business impact"

Step 5: Generate After-Action Report

after_action_report:
  exercise: TTX-2024-Q1 "Operation Dark Harvest"
  date: 2024-03-22
  participants: 10
  duration: 3 hours

  executive_summary: >
    The tabletop exercise tested the organization's ransomware response capabilities
    across detection, containment, communication, and recovery phases. The SOC team
    demonstrated strong technical triage skills but gaps were identified in cross-
    functional communication and backup recovery procedures.

  strengths:
    - SOC analysts correctly identified ransomware indicators within first inject
    - Containment decision-making was swift and technically sound
    - Legal team was well-prepared on breach notification requirements
    - IT operations had clear understanding of backup recovery procedures

  gaps_identified:
    - gap_1:
        finding: "No documented procedure for notifying CISO after-hours"
        risk: High
        action: "Update escalation contacts with personal phone numbers and backup contacts"
        owner: SOC Manager
        due_date: 2024-04-05

    - gap_2:
        finding: "Backup recovery testing has not been performed in 6 months"
        risk: Critical
        action: "Schedule quarterly backup restoration drill"
        owner: IT Operations Lead
        due_date: 2024-04-15

    - gap_3:
        finding: "No pre-approved media holding statement for cyber incidents"
        risk: Medium
        action: "Draft and approve 3 holding statement templates with Legal"
        owner: Communications Lead
        due_date: 2024-04-10

    - gap_4:
        finding: "Service account (svc_backup) had Domain Admin privileges unnecessarily"
        risk: Critical
        action: "Audit all service accounts, implement least privilege"
        owner: IT Security
        due_date: 2024-04-01

    - gap_5:
        finding: "Unclear decision authority for ransom payment"
        risk: High
        action: "Document ransom payment decision tree with CEO/Board approval requirement"
        owner: CISO
        due_date: 2024-04-15

  metrics:
    overall_score: "72/100 (Adequate)"
    detection: "85/100 (Excellent)"
    containment: "80/100 (Good)"
    communication: "60/100 (Needs Improvement)"
    recovery: "65/100 (Needs Improvement)"

  next_exercise: "TTX-2024-Q2 — Data Breach / Insider Threat Scenario (June 2024)"

Step 6: Track Remediation and Follow-Up

--- Track action items from tabletop exercise
| inputlookup ttx_action_items.csv
| eval days_remaining = round((strptime(due_date, "%Y-%m-%d") - now()) / 86400)
| eval status_flag = case(
    status="Completed", "GREEN",
    days_remaining < 0, "RED — OVERDUE",
    days_remaining < 7, "YELLOW — DUE SOON",
    1=1, "GREEN"
  )
| sort - status_flag, days_remaining
| table gap_id, finding, owner, due_date, days_remaining, status, status_flag

Key Concepts

Term	Definition
Tabletop Exercise	Discussion-based simulation where participants walk through incident scenarios without executing technical actions
Inject	Scenario update introducing new information, complications, or decisions for participants to address
Hot Wash	Immediate post-exercise debrief where participants share observations and initial lessons learned
After-Action Report (AAR)	Formal document capturing exercise findings, gaps, strengths, and remediation action items
Facilitator	Exercise leader who presents injects, guides discussion, and ensures objectives are met
Decision Point	Moment in the scenario requiring participants to choose between options with trade-offs

Tools & Systems

• FEMA HSEEP: Homeland Security Exercise and Evaluation Program providing exercise planning methodology
• Tabletop Exercise Framework (NIST SP 800-84): NIST guide for planning and conducting IT security exercises
• Immersive Labs: Platform for cybersecurity crisis simulation and tabletop exercise management
• Infection Monkey: Open-source breach simulation for technical validation of tabletop findings
• Archer: GRC platform for tracking exercise findings and remediation action items

Common Scenarios

• Ransomware Attack: Multi-phase scenario testing detection, containment, ransom decision, and recovery
• Data Breach: Customer PII exposure testing notification requirements, legal obligations, and PR response
• Supply Chain Compromise: Third-party vendor breach impacting organizational systems and data
• Insider Threat: Employee data theft scenario testing HR, Legal, and security team coordination
• Business Email Compromise: CEO fraud wire transfer attempt testing financial controls and verification procedures

Output Format

TABLETOP EXERCISE SUMMARY — TTX-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scenario:     Operation Dark Harvest (Ransomware)
Date:         2024-03-22 (09:00-12:00 UTC)
Participants: 10 (SOC: 5, IT: 1, Legal: 1, Comms: 1, Exec: 2)
Duration:     3 hours (6 injects delivered)

SCORES:
  Detection & Triage:    85/100  Excellent
  Containment:           80/100  Good
  Communication:         60/100  Needs Improvement
  Recovery Planning:     65/100  Needs Improvement
  Overall:               72/100  Adequate

KEY FINDINGS:
  [+] Strong: Ransomware indicators correctly identified immediately
  [+] Strong: EDR isolation procedure well understood
  [-] Gap: No after-hours CISO notification procedure
  [-] Gap: Backup recovery untested for 6 months
  [-] Gap: No pre-approved media statement templates
  [-] Gap: Service account over-privileged (Domain Admin)
  [-] Gap: Ransom payment decision authority undefined

ACTION ITEMS: 5 (Critical: 2, High: 2, Medium: 1)
NEXT EXERCISE: TTX-2024-Q2 (June 2024) — Insider Threat Scenario