Running a Ransomware Tabletop Exercise

THE AUTHOR

James Panetti
January 14, 2022

If you have ever played tabletop role-playing games, you can think of a tabletop exercise as an IT version of Dungeons & Dragons. You pretend an attack is underway, and your team role-plays how it would carry out your incident response (IR) and disaster recovery (DR) plans. It’s an excellent tool for practicing and testing your plans.

Example Exercise Scenarios

If you’re short on ideas, consider these possible scenarios:

  • Your enterprise storage has been encrypted. The attack was so thorough that even your onsite backups are encrypted. You have no offsite backups to fall back on. What do you do?
  • You have an offsite backup, but it’s on tape and will take days to restore from. Your production environment is down now. What do you do?
  • You have no backups whatsoever, so the only option is to rebuild your infrastructure. Where do you begin?
  • You’ve tried everything (removing the ransomware, decrypting your data, and restoring from backup) and all attempts have failed. The clock is ticking, so at what point do you give in to the ransom demands, and how can you minimize loss in doing so?

Refer to our infographic tips on who should attend these exercises.

Structuring Your Exercise

Your tabletop exercise can begin with a visual presentation, such as a PowerPoint or PDF document, that walks the team through each step.

There are many possible approaches, but consider this basic structure, broken into sequential phases, as a starting template:

  1. Introduction: State the purpose and goals of the exercise.
  2. Detail the attack: How was the pretend attack detected, what symptoms are observed, where has it spread to, and what damage has been done?
  3. Pop quiz actions: Who performs what action first, and where?
  4. “What if” questions: What if onsite backups are compromised? What if offsite backups are not readily available? What if you can’t restore your data within the ransom’s time limit?
  5. Debrief: What did everyone learn? What security gaps were found? What new action items are taken away?

Repeat these steps through multiple scenarios.
