In Part One of my series on ransomware tabletops, a company was caught unprepared when hit with a real ransomware attack. Fortunately for them, their tape backups weren't affected by the attack, and they lost less than a day’s worth of data.
The new CTO wanted to know who was to blame for the attack, and a consultant was brought in to conduct an audit of their IT and cybersecurity systems and procedures. It wasn't so simple as assigning blame.
The consultant found the IT department's procedures to be solid. However, it was the company's reliance on an old PHP script written by the CEO's nephew in the 1990s that left them open to several known malware attacks. But the attacker never would have found the script if they hadn't been given a remote login through a phishing attack. And they never would have been able to spread malware to the entire network if not for several other factors. In the end, about the only people in the company who weren't potentially to blame were the janitors.
A memo, even one from the CEO, wasn't going to prevent a future attack or make the company better prepared for when it did happen. Larry in IT, who was an avid board game player, suggested the idea of a tabletop exercise—and because he suggested it, he was put in charge of the initial planning.
Larry found that templates for tabletop exercises are widely available online, and he downloaded one from the Cybersecurity & Infrastructure Security Agency (CISA). With some modifications and details added to make it more interesting and relevant to their company, the plan started to come together.
A tabletop exercise requires participants, ground rules, a scenario, and facilitated discussion.
Larry started by making a list of participants. As he went through the list of departments in the company, it became obvious that everyone had some role in preventing or responding to a ransomware attack. To keep things under control, and to keep the exercise from taking too long, he subdivided the list of participants into two groups:
This first exercise would focus just on responding to a ransomware incident that's already underway. The list of players should obviously include a representative from IT. Other essential players include PR, legal, and management. Involvement from senior management, and ideally the CEO, would be essential to getting everyone else on board.
Because he was making the rules, Larry decided he got to play the part of the villain. Someone from outside of the departments participating in the tabletop (perhaps HR?) who has experience in facilitating discussions would be brought in to read the rules and questions and keep things moving forward.
Next were the rules of the game. The first rule is that the tabletop exercise is a no-blame, low-stress, and collaborative environment. Everyone should feel comfortable contributing to the discussion.
The second rule is that every participant must come to the exercise with a familiarity of the company's incident response (IR) plan and know what it currently says their actions should be. The idea isn't that the players would make up their actions based on the scenario, but that they would play out the incident response plan to see how it holds up.
The third rule is that players keep the jargon and details to a minimum. Legal doesn't need to cite the cases that back up their actions. IT doesn't need to argue about which Linux distro is most secure.
On the day of the tabletop exercise, the facilitator starts by welcoming everyone—both those in the room and those participating remotely—and reminding them of the rules. Larry then rubs his hands together menacingly, gives his best evil laugh, and announces that he's gained admin access to the company's network and that their files are safe (for now), but encrypted. He demands a payment of $2 million in Bitcoin within 48 hours to give them the private key to unlock the files.
Starting with IT confirming that the files are encrypted, each player goes around the room and states what they would do, according to the IR plan. After all the players have their turn, Larry escalates the situation. He's provided a sample of customer data from one of the databases he downloaded prior to encrypting it. The players each take another turn.
At the end of the exercise, the facilitator leads a discussion about the exercise using questions from the CISA manual. At the end of the discussion, the facilitator leads another discussion about ideas or shortcomings of the current plan, or the company's preparedness that came out of the discussion.
When John from PR says that he's not sure how he should respond to the press asking him how the attacker got access in the first place, the discussion turns to the next tabletop exercise to be held. Everyone agrees that it should focus specifically on educating a wider group of participants on how to identify and handle potential phishing attacks. I'll tell you about how that exercise went in my next blog post.