
There are several types and ways to conduct exercises, drills and team training. A tabletop exercise is one of the ways that I’ve found generates understanding, traction, and visibility. It can be a bit overwhelming to create a good tabletop exercise. Why? It requires an attacker mindset, creative use of evidence trails, technical accuracy and excellent presentation.

Attacker Mindset

You must become the attacker to devise an attack. Your first obstacle is to define the end state and the motive: what does the attacker want? Disruption? Theft? It should not be arbitrary. Once you have your motive, you then must develop an attack that is technically accurate and realistic. I recommend outlining each sequence of the attack to give the scenario depth (see the table below); I’ve had scenarios surpassing forty sequences.

Evidence Trails

Your defensive ops team requires tidbits of evidence to allow them to think critically and make decisions. Ideally these evidence trails are slowly revealed through the course of the exercise and reflect real-world activity. These evidence trails must be customized to the defensive operations tools and procedures: if the defensive ops team utilizes netflow data and HIPS events, then fictional flows and events may be presented to them. I recommend pairing a potential evidence trail with each sequence of the attack in a table. This will keep the scenario organized and will allow you to decide how the scenario is ultimately presented to the participants.

Technical Accuracy

The tactics and tools used both by the fictional attacker and the participants must be grounded in accuracy. A zero day exploit in Adobe Reader is fair; a “zero day exploit” which “takes down the network” is not.

Excellent Presentation

The presentation must be done plainly and must convince and inform every level of the audience. I recommend separating the attack sequence from the observations and responses of the participants. Once the tabletop is complete, you may then walk the participants through each sequence of the attack. They then tie in their observations and reactions based on exactly what happened. That’s where the lessons can be learned.


A mocked-up attack timeline. This is used to help build the basis of the exercise. It helps generate the depth and scope of the attack and the evidence trails, and allows you to then craft how the tabletop exercise itself may be carried out.

| Date Time | Event | Evidence / Artifacts |
| --- | --- | --- |
| 4/15/11 13:41 | Attacker A uses Google searches to locate a series of employee email addresses | Screenshots of Google hits |
| 4/16/11 08:41 | Attacker A sends a crafted phishing message to the identified email addresses | SMTP email gateway logs |
| 4/16/11 8:45 | Victim B erroneously clicks malicious link / successfully compromises PC “DougH” | HTTP gateway log; Windows prefetch entry; File: C:\windows\tasks\svchost.exe |
| 4/16/11 8:46 | PC “DougH” establishes C2 with example1.dyndns.org:443 | HTTP gateway log |
| 4/16/11 8:46 | PC “DougH” downloads p.zip from rapidshare.com/ | HTTP gateway log; Files: c:\windows\tasks\p.zip, c:\windows\tasks\p.exe |
| 4/16/11 8:46 | PC “DougH” executes p.exe (pwdump) and transfers results via FTP to example2.dyndns.org | Windows prefetch entry |
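The Evidence Trails section recommends keeping each attack sequence next to the fictional artifacts it would leave, and the Excellent Presentation section recommends keeping the attack sequence separate from what participants observe. The script below is an added example (not the author's own tooling) that turns a timeline like the one in the table into three facilitator products: a checked timeline, participant injects that show only the evidence, and a debrief sheet that pairs each sequence with what the team actually noticed. The timeline rows mirror the table; the hostnames, addresses, prefetch file names and log line formats are constructed stand-ins for whatever the real SMTP gateway, HTTP proxy and host tooling would produce.

```python
"""Build tabletop-exercise injects from an attack timeline (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Sequence:
    """One step of the attack: the ground truth plus the artifacts it would leave."""
    when: datetime
    event: str            # what the fictional attacker actually did (facilitator only)
    evidence: list[str]   # constructed artifacts shown to participants as injects


# Constructed timeline modelled on the mocked-up table. Log formats, sender
# domains and prefetch hashes are invented stand-ins for real tool output.
TIMELINE = [
    Sequence(datetime(2011, 4, 15, 13, 41),
             "Attacker A uses Google searches to locate employee email addresses",
             ["Screenshot: public search results listing six employee addresses"]),
    Sequence(datetime(2011, 4, 16, 8, 41),
             "Attacker A sends a crafted phishing message to the identified addresses",
             ["SMTP gateway: from=<benefits@hr-notice.example> to=<dough@corp.example> "
              "subject='Open enrollment' status=delivered"]),
    Sequence(datetime(2011, 4, 16, 8, 45),
             "Victim B clicks the malicious link; PC 'DougH' is compromised",
             ["HTTP gateway: host=DougH GET http://hr-notice.example/enroll.html 200",
              "Windows prefetch: SVCHOST.EXE-1A2B3C4D.pf (C:\\windows\\tasks\\svchost.exe)"]),
    Sequence(datetime(2011, 4, 16, 8, 46),
             "PC 'DougH' establishes C2 with example1.dyndns.org:443",
             ["HTTP gateway: host=DougH CONNECT example1.dyndns.org:443 200"]),
    Sequence(datetime(2011, 4, 16, 8, 46),
             "PC 'DougH' downloads p.zip from rapidshare.com",
             ["HTTP gateway: host=DougH GET http://rapidshare.com/p.zip 200",
              "File: C:\\windows\\tasks\\p.zip, C:\\windows\\tasks\\p.exe"]),
    Sequence(datetime(2011, 4, 16, 8, 46),
             "PC 'DougH' runs p.exe (pwdump) and sends the output by FTP to example2.dyndns.org",
             ["Windows prefetch: P.EXE-5E6F7A8B.pf"]),
]


def validate(timeline):
    """Return problems a facilitator should fix before running the exercise."""
    problems = []
    for i, seq in enumerate(timeline, 1):
        if not seq.evidence:
            problems.append(f"sequence {i} leaves no evidence trail")
        if i > 1 and seq.when < timeline[i - 2].when:
            problems.append(f"sequence {i} is dated before sequence {i - 1}")
    return problems


def participant_injects(timeline):
    """Evidence only, in chronological order, with no ground truth attached."""
    injects = []
    # sorted() is stable, so sequences sharing a timestamp keep table order
    for seq in sorted(timeline, key=lambda s: s.when):
        for artifact in seq.evidence:
            injects.append(f"{seq.when:%m/%d/%y %H:%M}  {artifact}")
    return injects


def facilitator_key(timeline):
    """Sequence number, time, what happened, and the artifacts that reveal it."""
    return [
        f"#{i} {seq.when:%m/%d/%y %H:%M}  {seq.event}  <- " + "; ".join(seq.evidence)
        for i, seq in enumerate(timeline, 1)
    ]


def debrief(timeline, observations):
    """Pair each sequence with what participants observed; missed steps are the lessons."""
    return [(i, seq.event, observations.get(i, "MISSED"))
            for i, seq in enumerate(timeline, 1)]


if __name__ == "__main__":
    assert not validate(TIMELINE)
    print("--- participant injects ---")
    print("\n".join(participant_injects(TIMELINE)))
    print("--- facilitator key ---")
    print("\n".join(facilitator_key(TIMELINE)))
    # Constructed observations captured from participants during the walkthrough
    observed = {2: "Gateway flagged the sender domain but delivered the message",
                4: "Proxy team noted the CONNECT to a dyndns host"}
    for i, event, seen in debrief(TIMELINE, observed):
        print(f"#{i}: {event}\n     observed: {seen}")
```

Run it as-is to print the injects and the key; during the exercise hand out only the inject lines, one sequence at a time, and keep the key for the walkthrough afterwards. The validate step catches the two mistakes that most often derail a tabletop: a sequence with no artifact for the team to find, and a timeline whose timestamps contradict the order of the attack.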