• Experience the evaluation, decision-making, participation, and communication in a security crisis.
• Identify gaps between formal procedures and actual behavior.
• Understand the difficulties of managing the operational issues of an incident.
• Recognize the priorities and necessary actions to improve response capabilities.
• Improve decision-making and execution of appropriate actions to restore situations.
• Exercise communication and coordination processes during incidents.
• Determine the effectiveness of manuals to address detection, response, and recovery.

It is also possible to establish other objectives aligned with the needs.

These objectives will guide all the definitions made during the design.

Players

• Perform regular functions during the exercise.
• Discuss or initiate actions in response to the scenario.

Observers

• Do not directly participate in the exercise.
• Can only ask questions at the end.

Coordinators

• Lead and facilitate the operation of the exercise.
• Take notes for the preparation of the subsequent report.

This definition may include one or more types of threats in relation to the objectives of the exercise. This may be defined by risk management, or cyber threat intelligence reports (internal, external, or aligned with the sector to which the organization belongs).

Thetype of threats will serve as the primary guide for the various tactics, techniques, and procedures selected in the next stage. The most common types are: Ransomware, Denial of Service, Insider Attackers, Information Leakage, Social Engineering, Supply Chain Attack, and Physical Disruption.

Consider regulations, standards or frameworks applicable to the organization that may contain application requirements related to the exercise.

These may add value to the definitions made during design.

Define which assets will be involved in the scenario, and the business processes they support will be key to design a scenario aligned to the objectives.

Among others we can find:

• Services, applications, servers, data centers that support the asset on which you want to simulate the incident.
• Consider people, departments, suppliers, and other entities of the organization's ecosystem that are involved in some part of the operation that will be affected.

This definition will help us to generate injects oriented to the different participants according to their roles and responsibilities.

Completely through messaging channels, with scheduled meeting intervals or constantly grouped by the different areas can be some of the interaction modalities.

Remember that one of the main objectives of TTX is about communication. Consider these channels from the design of the injects.

Based on the objectives and scope of the exercise, we can determine if the exercise will contain detailed technical elements or if it is not necessary.