C (14:34)

Yeah, we've seen this to be a huge growth area over the last couple years where more and more people are seeing the benefits and starting to perform tabletop exercises. We think a lot of that is driven internally from, you know, management teams, even technical teams trying to drive awareness and visibility upwards. But also board directives could be insurance and compliance requirements or driving people to do these tabletops. In general, we recommend that, you know, a tabletop is performed at least once a year across your senior leadership team and then additionally a separate One across your technical or maybe management teams.

B (15:14)

Well, for folks who've never been part of one. Can you describe it for us? What typically goes into a tabletop exercise?

C (15:20)

A tabletop is going to be a hypothetical incident where you are taking and leveraging this incident to educate the participants in the audience on the different types of things that could transpire during an incident. And while it's also used for, you know, the opportunity for education, it's also about enablement, making sure that people know how to leverage their existing incident response plans, knowing their roles and responsibilities during those incidents, and what are those key decision points that could occur. But all in all, the idea is to take this hypothetical incident that's applicable to you and your organization and get people to understand how they would react by executing that with an audience and having them make the decisions on what steps they would take based upon different injects and things that would happen during that incident process.

B (16:14)

Well, of course, the hot topic these days is AI. And how has that changed the way people are framing their tabletops these days?

C (16:24)

AI, similar to any other threat, just needs to be accounted for when putting together these hypothetical incidents or these tabletop exercises. Different organizations have different types of threats that they should be aware of and conscious of that are the most relative to them and their organization and their business. And AI is one of the things that obviously we're very conscientious about because we know that cybercriminals and threat actors are leveraging AI in certain technologies in different ways. And so accounting for those during these tabletops, whether that is more efficient phishing attempts, whether it is custom code created, whether it's accessing AI infrastructure that you're leveraging and using within your own environment. Those are all things that should be or could be accounted for when you're, when you're creating and developing these unique scenarios to test somebody's ability to respond to them.

B (17:24)

What's your advice for organizations figuring out what the cadence should be for them, how often they should do this?

C (17:31)

I think the cadence for these tabletop exercises and crisis simulations is contingent upon an organization's, an organization's maturity. A lot of, you know, businesses, this could be the very first time they're doing it. And maybe they don't have an existing incident response plan. And so they're leveraging this as an opportunity to vet out who could be doing what during an incident and who's going to be responsible. So they can then go develop that incident response plan because they don't have that level of sophistication yet now there are other organizations that might have existing incident response plan playbooks, specific runbooks, and it's more of an opportunity to test those out and you can perform them more frequently because you have the established plans and you're just seeing how people would respond to certain types of incidents. And so I think the level of maturity an organization has will determine what the purpose and intent behind it is. But I also think what's very important is making sure that you're targeting specific audiences based on the type of conversation that's occurring. And the talk track for the tabletop itself.

B (18:48)

Well, related to that, how do you go about deciding who should be included in the exercises?

C (18:54)

It really varies upon the audience and the intent behind the tabletop and the exercise. For a technical tabletop as an example. For a technical tabletop it could be more around how are things identified? How did you identify a certain type of incident or an incident has occurred in your environment? How are you then tracking that incident? How are you escalating it? How are you sharing information internally about that? Who's determining the severity and escalations and when? That should go up to senior leadership. Now the audience for more of a senior leadership or executive tabletop is going to be less about the intricacies involved with the incident itself and going to be more about decisions and business related decisions that need to be made. You know, you are going to get high level details about the incident, not necessarily having to know the intricacy and technical details involved in how it's tracked, but instead, you know who's going to be communicating with your cyber insurance carrier. Are we going to engage external counsel? Is there a necessity to shut down certain areas of the business? Who's drafting internal and external notifications and and letting people know that we are being potentially impacted by an incident and when should those occur. And so really the in the audience can drive the intent, but the intent can also drive the audience. But realistically we do see we're breaking apart those sessions into different audiences. Audience specific to their role is very important.

B (20:26)

You know, Mark, I know as part of your role there at guidepoint, you help organizations run their tabletop exercises. Can you give us a kind of a peek into that world? I'm specifically curious, like, do you find you have to bring some people along? I guess I'm asking are some folks skeptical when they walk into that room that they're not sure what they're getting into or is this the best use of my time?

C (20:52)

Yeah, absolutely. We have a lot of clients who might not necessarily know what they're getting into, which, again, dependent upon the intent of the exercise. In most circumstances, we actually recommend that clients aren't prepared with knowing the full incident scenario, because in a real incident situation, you are not going to know everything about the incident up front. You're going to be dealing with it reactively versus, you know, having all of the details and able to know that, well, eventually this is going to happen. Instead, information gets trickled in during a real incident response effort. And so we try to simulate what a real incident would be like. And a lot of that is, you know, having core preparation with policies and processes and then being able to navigate those based on the variables and the details that are shared with you as part of the incident. So realistically, when we're going to develop these things, it's one, who's the audience? Two, what is the intent behind the tabletop? Is it to test plans? Is it for educational purposes, to teach people about different types of threats? Is it enablement for the team to further understand their roles and responsibilities? And then developing a scenario that's going to test different areas of the business and help them establish some muscle memory and then also to educate them on, okay, well, here where there were, there were deficiencies in your process and you need to potentially make improvements to be more effective in the future. If this was a real scenario and.

B (22:35)

What'S it like after the fact, is this a revelation for some of the people to have this real worldview of the possibilities?

C (22:45)

It is, you know, it's, it's. A lot of our clients walk away from these things saying, holy crap, are these the kinds of things that could really happen to us and that we need to be thinking about? And the answer is, is generally yes. You know, the intent isn't to necessarily scare people, but it is to bring awareness to them so that they know the details about the true impacts of potential incidents to their business and their organization.

B (23:19)

What are your recommendations for folks who want to go down this path, who maybe haven't done this before? What's a good place to get started?

C (23:27)

I think understanding your level of maturity, 1, is the first piece. Have you done these types of things in the past, if you haven't? I think in general, everybody should be performing tabletop exercises. They should be actively having these simulations for different target audiences periodically. Two, do we have the capability to potentially try to do this or want to try to do this internally ourselves, or do we want to bring in outside help with the expertise and experience of knowing what some of the pitfalls or speed bumps might be. We do see where a lot of people will, you know, attempt to perform these and that's great, at least they're trying. But then they do realize sometimes there is some, some outside experience that can be brought to the table and so looking for others and consulting them on the opportunity for that, for that experience in those services. And then I think that, you know, three is just making sure that you are leveraging best practices like doing target and specific audiences, building custom scenarios that are going to be specific to your environment, but also making sure that they're relevant and things that could really happen because a lot of times you'll lose the audience and people will say, oh, that couldn't really happen to us. So making sure that they are viable and real things that could potentially impact your specific environment and infrastructure. And then the last piece is making sure that you're taking the lessons learned from that and applying them. These are learning opportunities. They're not necessarily a test, but they're an opportunity to say, hey, we were extremely efficient here and here are things we did very well. But maybe we're missing some of these policies or processes here. Here's where there was some confusion and people didn't know who should be handling certain actions or activities. We also weren't sure who our third parties are or we weren't tracking that information. So making sure that you're leveraging the lessons learned from that so that you can grow and be more efficient and effect in the following exercises.

B (25:38)

That's mark Lance from GuidePoint Security.

A (25:54)

Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in blue cruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details. This message may be shocking to many millennials. If you are one, you might want to sit down. Right now, loads of people are searching the following on low rise Jeans, halter top, velour, tracksuit, puka shell necklace, disc belt. You likely place these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop where taste recognizes taste.

B (27:01)

And finally, cybersecurity has officially crossed the Rubicon. And it did so carrying a pipette. Researchers have shown that malware no longer needs phishing emails or poisoned downloads, it can hitch a ride inside synthetic DNA. In a University of Washington demonstration, carefully crafted DNA sequences were shown to trigger exploits when processed by sequencing software, turning lab workflows into attack paths. Once sequenced, biological data moves through cloud platforms and custom code, where hidden instructions could corrupt data or enable remote access for sectors like genomics, biotech, healthcare, and agriculture. This raises uncomfortable questions about data integrity, intellectual property, and national biosecurity. Traditional controls barely notice the threat because DNA looks like biology, not malware. The takeaway is simple and genomic pipelines are now part of the attack surface. The genome is no longer just life's blueprint it is executable input. And yes, that means your lab bench just joined the threat model. Now, if you'll excuse me, I'm gonna go watch the latest episode of Pluribus. And that's the Cyberwire. Be sure to check out our daily briefing@the cyberwire.com Be sure to check out this weekend's Research Saturday and my conversation with Daniel Schwabe, Domain Tools head of investigations and ciso. We're sharing their work inside the Great Firewall. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I, Dave Bittner. Thanks for listening. We'll see you back here next week.

A (29:58)

The Uniswap Wallet makes it easier and safer to own and use crypto Created by pioneers of the crypto economy, the Uniswap protocol has powered over $3 trillion in trading volume, and it's trusted by tens of millions worldwide. With the Uniswap Wallet, you can discover, swap, and manage your crypto all from your phone. Buy your first crypto assets in just a few taps and start exploring the freedom of decentralized finance. With Uniswap. Tap the banner to get.