The Master Scenario Events List (MSEL) comes from the NIST Special Publication 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. This standard details all of the aspects of creating, running, and debriefing after a tabletop exercise. The most important part of a tabletop will be the planning—identifying the audience, defining the objectives, and creating a realistic scenario will all help maximize the organization's cybersecurity potential by improving their security incident response plans, identifying potential weaknesses or gaps in controls, and preparing individuals for playing their respective roles during an incident.
| Inject | Expected Outcome | Learning Points | Maximum (Minutes) for Each Message |
| --- | --- | --- | --- |
| “Injects” are events within the scenario that prompt participants to implement the plans, policies, and/or procedures to be tested during the exercise. Each inject should be considered its own “event” within the timeline of the scenario. | Expected outcomes represent management/administration's desired responses or actions to the questions or messages proposed during the delivery of injects. | Learning points are the specific takeaways that participants will learn from the inject and discuss afterward. | It is necessary to limit the time for the discussion of each inject so that all injects can be addressed during the given exercise time frame. |
| 8:35 a.m.: Several customers report to support services that their TreadMarch units appear to start, but only display a blue screen and will not connect to the network. | | Not all incidents are related to hacking. | 15 minutes |
| 8:45 a.m.: The security operations center reports suspicious activity on several user accounts, though nothing outside what those accounts are permitted to do. | | Are staff trained to detect suspicious behavior? Is there enough information to correlate events? | 15 minutes |
| 9:00 a.m.: The call center reports that call volume is higher than normal for a weekday. | | Does the organization have operational monitoring of treadmills (operational status, firmware versions, etc.) to evaluate trends? | 10 minutes |
| 9:30 a.m.: A technician reinstalls firmware on a malfunctioning treadmill and reports that a security dongle has been missing for several days. | | How will the incident response team receive communications from impacted teams in real time? | 10 minutes |
| 10:07 a.m.: After reviewing account activity, a security team member who personally knew one of the users texted them to ask what they were doing. The user is on vacation. | | Can the organization detect suspicious or anomalous user activity? | 15 minutes |
| 10:15 a.m.: The PR department indicates that social media sources show there may be a protest about labor conditions outside headquarters. | | Public messaging is an important part of major exercises, and PR personnel need to be in the communication path early on. | 10 minutes |
| 10:29 a.m.: The CIO is removed from the scenario due to unexpected circumstances. | | A streamlined process should include a communications “warm handoff” for incident response leaders. | 10 minutes |
| 11:01 a.m.: Logs show successful two-factor authentications for the user with suspicious activity. The user mistakenly clicked Approve. | | Mistakes should be something that you prepare for and learn from, not something that you avoid. | 15 minutes |
| 11:12 a.m.: The SOC detects port-scanning activity originating from the treadmill firmware update server. | | Many sophisticated attacks begin with or target IoT or OT networks. | 10 minutes |
| 11:45 a.m.: Protesters gather outside the building to complain about the working conditions in one of the factories where the treadmills are produced. Media is now onsite. | | Acknowledging and being transparent about an incident to protect the community is a better PR strategy than concealment. | 10 minutes |
| 12:25 p.m.: In reviewing traffic logs, the network team sees successful connections from the update server to another server … the network vulnerability scanning server. | | Would it have been possible to correlate suspicious activity in real time and proactively prevent this scenario from escalating? | 15 minutes |
| 12:45 p.m.: Several staff members report seeing a drone flying close to the building. | | Has the organization performed a physical security audit? | 10 minutes |
| 1:05 p.m.: Logs show that the scanning server has been sending unknown traffic to nearly every server and client in the organization over the last several hours. | | Do security controls and policy apply equally to all departments in the organization? Or have exceptions been made, and are they well known and understood? | 15 minutes |
| Overnight: The incident response firm worked overnight and determined that malware containing a data exfiltration tool had been installed. | | How does the organization define a breach, and when does data exfiltration necessitate victim notifications? | 15 minutes |
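The 12:25 p.m. and 1:05 p.m. injects ask whether the update server's fan-out to other hosts, and later the scanning server's, could have been correlated in real time, and whether an exception for an "authorized" scanner would have hidden it. The following is an added illustration, not part of the original MSEL: a small sliding-window fan-out detector run over constructed flow records, with hypothetical 10.10.x.x addresses standing in for the update server, the vulnerability scanner and an ordinary workstation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records for the exercise (not real traffic), one per line:
# "<ISO timestamp> <source> <destination> <destination port>". Addresses are hypothetical.
UPDATE_SERVER, VULN_SCANNER, WORKSTATION = "10.10.5.20", "10.10.9.30", "10.10.20.5"
FLOW_LOG = "\n".join(
    # update server touches six different hosts on SSH within six minutes
    [f"2024-05-01T11:1{i}:00 {UPDATE_SERVER} 10.10.7.{10 + i} 22" for i in range(6)]
    # the vulnerability scanner does the same later, as it does every day
    + [f"2024-05-01T12:2{i}:00 {VULN_SCANNER} 10.10.7.{10 + i} 443" for i in range(6)]
    # a workstation alternates between two file servers: normal behaviour
    + [f"2024-05-01T09:0{i}:00 {WORKSTATION} 10.10.7.{10 + i % 2} 445" for i in range(6)]
)


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(records)


def detect_fanout(records, threshold=5, window=timedelta(minutes=10), exceptions=frozenset()):
    """Return {source: (time, distinct_destinations)} at the first moment a source
    reaches `threshold` distinct destinations inside the sliding `window`.
    Sources listed in `exceptions` are never reported; that is the policy exception
    the 1:05 p.m. inject asks about, and it is what lets an abused scanner go unnoticed."""
    recent = defaultdict(deque)   # per-source (timestamp, destination) events in the window
    alerts = {}
    for ts, src, dst, _port in records:
        if src in exceptions or src in alerts:
            continue
        events = recent[src]
        events.append((ts, dst))
        while events and events[0][0] < ts - window:   # drop events older than the window
            events.popleft()
        distinct = {d for _, d in events}
        if len(distinct) >= threshold:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("scanner exempted:", detect_fanout(flows, exceptions={VULN_SCANNER}))
    print("no exceptions:   ", detect_fanout(flows))
```

With the scanner exempted only the update server is flagged; without the exception both fan-out sources surface, while the workstation never does.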