
performing-soc-tabletop-exercise


Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.

Category: Security. Tags: soc, tabletop, exercise, incident-response, training, nist, playbook-validation, scripts

What this skill does

# Performing SOC Tabletop Exercise

## When to Use

Use this skill when:
- Annual or semi-annual incident response testing is required (NIST, ISO 27001, PCI DSS compliance)
- New SOC analysts need exposure to major incident scenarios in a controlled environment
- Updated playbooks need validation before the next real incident
- Cross-functional coordination (SOC, IT, Legal, PR, Executive) needs rehearsal
- Post-incident reviews reveal gaps requiring scenario-based training

**Do not use** as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities.

## Prerequisites

- Exercise facilitator with incident response experience
- Participant list: SOC analysts (Tier 1-3), SOC manager, IT operations, Legal, HR, Communications
- Conference room or video call with screen sharing capability
- Printed or digital scenario injects with timed release schedule
- Evaluation scorecard for assessing participant responses
- Existing incident response plan and playbooks for reference during the exercise

## Workflow

### Step 1: Design Exercise Scenario

Create a realistic multi-phase scenario with escalating complexity:

```yaml
tabletop_exercise:
  title: "Operation Dark Harvest — Ransomware Attack Scenario"
  exercise_id: TTX-2024-Q1
  date: 2024-03-22
  duration: 3 hours (09:00-12:00)
  classification: TLP:AMBER (internal use only)

  objectives:
    1: "Test SOC team's ability to detect and triage ransomware indicators"
    2: "Validate escalation procedures from Tier 1 to incident commander"
    3: "Assess cross-functional communication with Legal, PR, and Executive leadership"
    4: "Evaluate containment decision-making under time pressure"
    5: "Test backup recovery procedures and business continuity activation"

  participants:
    - role: SOC Tier 1 Analyst (2 participants)
    - role: SOC Tier 2 Analyst (2 participants)
    - role: SOC Manager / Incident Commander
    - role: IT Operations Lead
    - role: CISO (or delegate)
    - role: Legal Counsel
    - role: Communications / PR
    - role: Business Unit Leader (Finance)

  scenario_background: >
    Your organization is a mid-size financial services company with 2,500 employees.
    The SOC operates 24/7 with 6 analysts per shift using Splunk ES and CrowdStrike Falcon.
    It is Friday afternoon at 3:45 PM. The weekend IT skeleton crew starts at 5 PM.
```

### Step 2: Create Timed Injects

Design scenario injects released at scheduled intervals:

```yaml
injects:

  inject_1:
    time: "T+0 (3:45 PM)"
    title: "Initial Alert"
    content: >
      Splunk ES generates a notable event: "Shadow Copy Deletion Detected"
      on FILESERVER-03 (10.0.10.50, Finance Department file server).
      The alert shows: vssadmin.exe delete shadows /all /quiet
      Source user: svc_backup (service account)
      This is the first alert from this host today.
    questions:
      - "What is your initial assessment of this alert?"
      - "What additional data would you query in Splunk?"
      - "Is this a Tier 1 triage item or immediate escalation?"

  inject_2:
    time: "T+10 minutes"
    title: "Escalating Indicators"
    content: >
      While investigating the first alert, two more alerts fire:
      1. "Mass File Modification Detected" — 2,847 files renamed with .locked extension
         on FILESERVER-03 within 5 minutes
      2. "Suspicious PowerShell Encoded Command" on WORKSTATION-118 (10.0.5.118)
         — same svc_backup account used
      CrowdStrike shows process tree: explorer.exe > cmd.exe > powershell.exe -enc [base64]
    questions:
      - "What is your updated assessment? What incident severity would you assign?"
      - "What immediate containment actions would you take?"
      - "Who needs to be notified at this point?"
      - "How do you determine if this is confined to these two hosts?"

  inject_3:
    time: "T+25 minutes"
    title: "Scope Expansion"
    content: >
      Enterprise-wide Splunk search reveals:
      - 7 additional hosts showing .locked file extensions
      - All affected hosts are in the Finance VLAN (10.0.10.0/24)
      - svc_backup account was used to RDP to all affected hosts starting at 3:30 PM
      - A ransom note "README_UNLOCK.txt" found on all affected hosts
      - Ransom note demands 50 BTC, includes Tor payment portal link
      - IT reports the svc_backup password was changed 2 days ago (not by IT team)
    questions:
      - "This is now a confirmed ransomware incident. What is your incident classification?"
      - "Walk through your containment strategy — what do you isolate and in what order?"
      - "Should you shut down the Finance VLAN entirely? What are the trade-offs?"
      - "When and how do you notify executive leadership?"

  inject_4:
    time: "T+45 minutes"
    title: "Business Impact and External Pressure"
    content: >
      The CFO calls the SOC Manager directly:
      "We are closing the quarter-end books this weekend. Finance absolutely needs
      access to FILESERVER-03 by Monday morning or we miss SEC filing deadlines."
      Additionally:
      - Legal asks if customer PII was on any affected servers
      - PR reports a journalist called asking about "cybersecurity issues at [company]"
      - The ransom note deadline is 48 hours
      - IT reports last verified backup of FILESERVER-03 is from Wednesday (3 days old)
    questions:
      - "How do you balance containment security with business pressure from the CFO?"
      - "What is your recommendation on ransom payment? Who makes this decision?"
      - "What information does Legal need to assess breach notification obligations?"
      - "How do you handle the media inquiry?"
      - "Can you recover from the 3-day-old backup? What data is lost?"

  inject_5:
    time: "T+70 minutes"
    title: "Forensic Discovery"
    content: >
      Tier 3 forensic analysis reveals:
      - Initial access was via compromised VPN credentials (svc_backup)
      - Credentials were found in a dark web dump from a third-party vendor breach
      - Attacker had access for 5 days before deploying ransomware
      - Evidence of data exfiltration: 15GB uploaded to Mega.nz over 3 days
      - Exfiltrated data includes customer PII (SSN, account numbers) for 12,000 clients
      - The ransomware variant is identified as LockBit 3.0
    questions:
      - "How does confirmed data exfiltration change your response?"
      - "What are the regulatory notification requirements? (SEC, state breach laws)"
      - "What is the timeline for customer notification?"
      - "Should you engage an external IR firm? Law enforcement?"
      - "How do you handle the vendor who was the source of the credential compromise?"

  inject_6:
    time: "T+90 minutes"
    title: "Recovery Decision Point"
    content: >
      You are now 6 hours into the incident. Status:
      - All 9 affected hosts isolated
      - Finance VLAN segmented from corporate network
      - LockBit C2 domain blocked at firewall and DNS
      - No decryptor available for LockBit 3.0
      - Wednesday backup verified clean but 3 days of data missing
      - CEO asks for a full situation briefing in 30 minutes
    questions:
      - "Prepare a 5-minute executive briefing. What do you include?"
      - "What is your recovery plan and estimated timeline?"
      - "What monitoring will you put in place during and after recovery?"
      - "What immediate security improvements would you recommend?"
```
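As an added example (not part of the skill's own files), a short Python helper that turns the inject schedule above into a facilitator run sheet: it parses the `T+N` offsets and the `(3:45 PM)` scenario clock, computes real and scenario release times, and warns when a discussion window is too short for an inject's questions, when offsets are not increasing, or when an inject falls outside the delivery block. It assumes injects begin after a 10-minute opening, a 110-minute inject-delivery block, 2 minutes of reading time per inject and a heuristic floor of 2 minutes per question; the inject list is a constructed excerpt carrying only the offsets, titles and question counts from the YAML.

```python
import re
from datetime import datetime, timedelta
# Constructed excerpt of the inject schedule above (same offsets, titles and question counts as the YAML).
INJECTS = [
    {"time": "T+0 (3:45 PM)", "title": "Initial Alert", "questions": 3},
    {"time": "T+10 minutes", "title": "Escalating Indicators", "questions": 4},
    {"time": "T+25 minutes", "title": "Scope Expansion", "questions": 4},
    {"time": "T+45 minutes", "title": "Business Impact and External Pressure", "questions": 5},
    {"time": "T+70 minutes", "title": "Forensic Discovery", "questions": 5},
    {"time": "T+90 minutes", "title": "Recovery Decision Point", "questions": 4},
]
OFFSET_RE = re.compile(r"^T\+(\d+)")                  # "T+25 minutes" -> 25
CLOCK_RE = re.compile(r"\((\d{1,2}:\d{2} [AP]M)\)")   # "(3:45 PM)" scenario clock

def parse_offset(time_field):
    """Minutes after exercise start from a 'T+N ...' inject time field."""
    m = OFFSET_RE.match(time_field.strip())
    if not m:
        raise ValueError(f"unparseable inject time: {time_field!r}")
    return int(m.group(1))

def scenario_anchor(time_field):
    """Fictional scenario clock from a '(3:45 PM)' suffix, or None if absent."""
    m = CLOCK_RE.search(time_field)
    return datetime.strptime(m.group(1), "%I:%M %p") if m else None

def build_run_sheet(injects, real_start, block_minutes=110, read_minutes=2):
    """Rows (real clock, scenario clock, discussion window = gap to the next inject or block
    end minus reading time) plus warnings: non-increasing offsets, <2 min/question, overrun."""
    offsets = [parse_offset(i["time"]) for i in injects]
    anchor = scenario_anchor(injects[0]["time"]) if injects else None
    rows, warnings = [], []
    if any(b <= a for a, b in zip(offsets, offsets[1:])):
        warnings.append("inject offsets are not strictly increasing")
    for n, (inj, off) in enumerate(zip(injects, offsets)):
        nxt = offsets[n + 1] if n + 1 < len(offsets) else block_minutes
        window = nxt - off - read_minutes
        if window < 2 * inj["questions"]:
            warnings.append(f"{inj['title']}: {window} min for {inj['questions']} questions")
        rows.append({"real": (real_start + timedelta(minutes=off)).strftime("%H:%M"),
                     "scenario": (anchor + timedelta(minutes=off)).strftime("%I:%M %p") if anchor else "",
                     "title": inj["title"], "window_min": window})
    if offsets and offsets[-1] >= block_minutes:
        warnings.append("last inject is released after the inject-delivery block ends")
    return rows, warnings

if __name__ == "__main__":  # injects start at 09:10, after the facilitator's 10-min opening
    sheet, warns = build_run_sheet(INJECTS, datetime(2024, 3, 22, 9, 10))
    print(*(f"{r['real']} ({r['scenario']}) {r['title']}: {r['window_min']} min" for r in sheet), sep="\n")
    print("warnings:", warns or "none")
```

Run it against the full inject file before the session; any warning means the schedule or the question count needs adjusting rather than the facilitator improvising on the day.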

### Step 3: Facilitate the Exercise

**Facilitator Guide:**

```
EXERCISE FACILITATION PROTOCOL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. OPENING (10 min)
   - State exercise objectives and ground rules
   - Emphasize: "No wrong answers — this is about testing process, not individuals"
   - Remind participants this is a simulation — no actual systems are affected
   - Identify the exercise observer/scribe

2. INJECT DELIVERY (110 min)
   - Present each inject on screen, allow 2 min reading tim
```
