In my previous overview of the topic, I likened ransomware tabletop exercises to an IT version of Dungeons & Dragons. If the idea of role-playing pretend scenarios sounds childish, think again; in fact, it should be a key part of your wider disaster recovery (DR) strategy.
Traditional DR testing requires a test environment and all the overhead that entails. That environment must serve as a mock-up of your production environment, with enough hardware and software replicated to reliably simulate a disaster and then perform recovery.
Not so with a tabletop exercise. Refer to the example exercise I pitched in my previous article and note that all you need to run through it are people (ideally your computer security incident response team, or CSIRT) and their time. Each person involved in the plan talks through what actions they will take through each step of the disaster and ensuing recovery. No hardware or software is required, because it all plays out through hypothetical discussion.
Practice makes perfect, and tabletop exercises can be practiced as often as desired. A full test environment typically needs to be staged to some extent prior to each test run, but a tabletop exercise that requires no environment can be kicked off anytime the required people are available to participate. This saves time and possibly money (depending on how you built your test environment), which means you can easily repeat the test time and time again at any frequency.
Ransomware attacks come in many varieties and their delivery methods are no less varied, to say nothing of the many other types of cyberattacks. Accounting for every such possibility in a test environment is expensive, inefficient, and exhausting, if not impossible.
Tabletop exercises don't suffer this restriction; in fact, variety is welcome. Any given tabletop exercise can be modified by one tiny detail or overhauled entirely to fork off into another direction of cause/effect chains. The key to a good exercise is to constantly pose the question “What if _____?” every step along the way. Repeating this line of questioning every time you practice the exercise results in continually prodding and poking at your DR strategy in search of oversights and weaknesses.
Infinite variety encourages creative solutions that can evolve as quickly as the attacks themselves. When news breaks of a new variant, run through the exercise with it and observe what needs to be changed. This makes for a much more robust and flexible testing mindset that can adapt on the fly faster than any physical test environment could ever offer.
Though tabletop exercises are far cheaper and more efficient than running an actual DR test environment, the former is by no means a replacement for the latter. I’ve previously stated that one of the Top 4 Ways to Prevent Ransomware Attacks is to remember that “Practice Makes Secure” and that practicing should include a mock-up test environment.
Tabletop exercises complement your other tools. What you observe during a tabletop exercise should inform how you improve your test environment; likewise, you’ll likely discover caveats when executing a real test that you may never have caught during your DR role-play.
No testing means no assurance; conversely, the more practice methods you have at the ready, the more prepared you will be for any current or future threat.