
Light Weight Tabletop Exercise for Cybersecurity Education

  • Rain Ottis
Published/Copyright: December 30, 2014

Abstract

It is often difficult to meaningfully convey concepts such as the security incident management cycle, information sharing, cooperation, and the roles of people, processes and technology in cybersecurity courses. Serious gaming can help solve this problem, since it provides a more immersive and interactive learning experience than traditional methods. This paper presents a light weight tabletop exercise format that has been used successfully in cybersecurity education to demonstrate these and many other concepts to Master's level students in two European universities over the past 5 years. The term light weight is chosen to indicate the low workload and resource requirements for the instructor. The paper provides practical guidance on how to develop and execute such exercises. In addition, it lists observations of concepts and recommended discussion points that have been demonstrated successfully in class using this exercise format.


Corresponding author: Rain Ottis, Department of Computer Science, Tallinn University of Technology, Akadeemia 15a, Tallinn 12618, Estonia; and Department of Mathematical Information Technology, University of Jyväskylä, Jyväskylä, Finland

Appendix A. Example of a Blue Team Instruction Sheet

Your Blue team will represent a security device manufacturer. Specifically, your company designs and manufactures network filtering devices. Your customers include the government, CERT and ISP teams. Design and assembly of your products take place in Finland; other steps in the production chain can be outsourced (your decision). Do research in public sources on the cybersecurity problems of security device manufacturers (especially in Finland). Try to find out how such companies secure their operations, what they consider important, etc. Based on that, you should come up with a plan. The deliverable is a one-pager, which identifies:

  1. the role of the entity that the team represents in cyber defense (1 paragraph)

  2. the key objectives for the team (maintain service availability, identify attackers, etc.)

  3. the generic plan for reaching your objectives in the case of (large scale) cyber incidents

  4. a threat assessment.

While the deliverable is a one-pager, it does not mean that you cannot have more detailed plans in place for the exercise.

During the exercise, the Red team will execute their attacks in sequence. After each attack there is a round of responses/actions from all the affected Blue teams. The responses do not have to be only technical. You can also make press statements, contact foreign partners for help, etc.

Be prepared to improvise. Things will happen that you did not plan for. Some plans fail for reasons outside of your control. Some other Blue team may hinder your plans. Adapt and overcome.

I hope this is enough information to get you started. Please let me know if you have any questions.

Appendix B. Example of a Red Team Instruction Sheet

Red team will prepare a cyber attack scenario from the perspective of a foreign intelligence agency.

  1. You are a foreign intelligence agency that is tasked to collect compromising information on key persons in Finland.

  2. Your objectives are as follows:

    1. Gain remote access (via malware infection) to the personal computer of the Chief of Police. Spear phishing is recommended.

    2. The news portal keeps confidential dossiers of key public figures. You must gain access to this database. You are authorized to bribe one of the janitors to facilitate your operations.

    3. Gain access to the online betting house transaction database and send a copy of it over the internet to a drop site. You are authorized to rent a botnet to run a DDoS campaign to mask your operations.

    4. You are authorized to impersonate a vigilante activist group that takes responsibility for any attacks that are discovered.

    5. It is recommended to use deception attacks to keep the targets guessing about your motives and goals.

  3. Your scenario includes multiple avenues of attack, including social engineering, targeted hacking, use of botnets, etc.

Build a scenario that includes several (4–5) waves of different attacks, sometimes switching targets, etc. Also, in the interest of learning something from this, do not build an unbeatable scenario. Leave clues to the blue teams and let them work for their success. Write in some “stupid” things like some guy’s well known hacker alias in the bot code (which gets exposed if the blue teams “reverse engineer” the code).

In preparing the scenario, identify the attack methods and figure out how they would be “seen” at the target side, as well as which Blue teams would be affected. For example, a distributed ping flood is seen as oversized ping packets from Y sources at a rate of X per second. The source addresses are located in countries A, B and C, and some with the ISP Blue team. Also, be ready to answer questions about your own operations (where is the C&C server? how many bots are in your botnet? do you have contacts with other carders? etc.). Every inject should answer who, what, when, where, why and how.

During the exercise, you will “execute” your first attack and the Blue teams will react to it. Then we go for the second attack, and so on. Be prepared that some Blue actions will neutralize your follow-on attacks. It is therefore good to have a plan B, since you will need to improvise.

Tomorrow the Red team leader will email the instructor a one page document that covers:

  1. the nature of the attacker (for example, international organized crime group that specializes in …; 1 paragraph)

  2. the objectives of their team (for example, deny basic services to citizens for 3 days)

  3. their generic plan for reaching their objectives (including types of actions taken, tools used, how targets are identified, etc.)

  4. a short risk assessment.

I hope this is enough to get you started. Let me know if you have any questions.


Published Online: 2014-12-30
Published in Print: 2014-12-1

©2014 by De Gruyter

DOI: 10.1515/jhsem-2014-0031