If you've ever played tabletop role-playing games, you can think of a tabletop exercise as an IT version of Dungeons & Dragons. You pretend an attack is underway, and your team role-plays how it would carry out your incident response (IR) and disaster recovery (DR) plans. It's an excellent tool for practicing and testing your plans.
Example Exercise Scenarios
If you’re short on ideas, consider these possible scenarios:
- Your enterprise storage has been encrypted. The attack was so thorough that even your onsite backups are encrypted. You have no offsite backups to fall back on. What do you do?
- You have an offsite backup, but it’s on tape and will take days to restore from. Your production environment is down now. What do you do?
- You have no backups whatsoever, so the only option is to rebuild your infrastructure. Where do you begin?
- You've tried everything (removing the ransomware, decrypting your data, and restoring from backup) and all attempts have failed. The clock is ticking, so at what point do you give in to the ransom demands, and how can you minimize loss in doing so?
Structuring Your Exercise
Your tabletop exercise can begin with a visual presentation, such as a PowerPoint or PDF document, that walks the team through each step.
There are many possible approaches, but consider this basic structure, broken into sequential phases, as a starting template:
- Introduction: State the purpose and goals of the exercise.
- Detail the attack: How was the pretend attack detected, what symptoms are observed, where has it spread, and what damage has been done?
- Pop quiz actions: Who performs what action first, and where?
- “What if” questions: What if onsite backups are compromised? What if offsite backups are not readily available? What if you can’t restore your data within the ransom’s time limit?
- Debrief: What did everyone learn? What security gaps were found? What new action items does the team take away?
Repeat these steps through multiple scenarios.