What Are Tabletop Exercises

THE AUTHOR

James Green
November 4, 2021


We recently asked renowned ransomware expert Allan Liska: "What takes place during a tabletop exercise and why is it useful to do?" See his response in this video. In case you missed it, here's the transcript:


James Green:

So, one of the ways that folks can be best prepared for a potential ransomware attack is to simulate one beforehand and just talk out what the response would be like, often called a tabletop exercise. Can you talk about what takes place during a tabletop and why it's so useful to do?

Allan Liska:

Sure. So, IT and security teams have, whether they want to or not, basically lived ransomware for the last year, year and a half, and trying to prevent ransomware attacks. While the rest of the organization is probably aware of ransomware, they're not aware of how a modern ransomware attack works, or often they're not. And so, one of the things that a tabletop exercise does, it helps educate other areas of the organization as to what is involved in a ransomware attack, what is involved in protecting from it, or detecting and protecting from a ransomware attack and recovering from one.

So, the way a tabletop exercise works is you organize it around the IT and security team with the other teams that will be involved, whether that's senior leadership, your human resources team, your PR team, whoever is going to need to be involved in actually not only stopping a ransomware attack, but then recovering. And then you walk through a typical ransomware scenario.

James Green:

Seems like one of the benefits is that you would just have to identify those people. You may not even know who that is unless you've gone through something like this.

Allan Liska:

Right, exactly. So, often, people don't think, "Oh, well, I need to get legal involved," until you realize, "Oh, yeah, we're probably going to get sued if we get hit with a ransomware attack. We should have our legal counsel here and get them involved in the ransomware."

James Green:

Yeah. So, I know that this is, like, probably a day-long process or something, but just at a high level, how does that proceed? What does an actual tabletop entail once you've put the team together?

Allan Liska:

So, if you're like me, you grew up playing Dungeons and Dragons, and this is basically Dungeons and Dragons with ransomware actors. But basically, the way it works is you have a core team that identifies the scenario. So, here's what we're going to have the ransomware actor do. Here's how they're going to move through the network and so on. And then you have representatives from all the teams that could possibly detect that event or respond to that event in the tabletop exercise. And you basically walk your way through, okay, the ransomware actor got in through a phishing email and they launched a PowerShell script into memory. And then your desktop team's like, "Okay, we don't have anything that detects against that." So, they probably are going to get away with that.

And then you kind of move forward through a successful attack and then you start the recovery process. So, again, how long does it take to recover from one server being encrypted, 10 servers, 200 servers encrypted, et cetera? What would the process be? And you use this as an understanding of what the points of failure are, understanding what the recovery process would be, and then you build on that. One of the things that is really, really important to emphasize here is that the tabletop exercise is designed to make sure everyone understands what the flaws in the systems are. It is not to blame any one organization like, "Oh, it's going to be your fault if we're hit with ransomware." It's really to highlight where those flaws are so that you can take steps to hopefully address them and not actually get hit with a ransomware attack.

James Green:

And one of the problems that security teams especially face is that you don't know what you don't know. In conducting a tabletop exercise, is it useful to engage a third party or some sort of tools or something to help you think through all the possibilities?

Allan Liska:

Yeah. So, often, your incident response retainer includes a tabletop exercise. So, if you have an incident response retainer, you can bring your IR team in and have them conduct the tabletop exercise. And they'll have hands-on experience with recent ransomware attacks that they can really get down to the nitty gritty to make sure that you actually can defend against how the ransomware actors work. You may think that the tools you have will enable you to do that, but they'll often hold you to account more and say, "Well, do you have these settings turned on?" We'll have to go check that. The other thing that you can do is there are actually ransomware simulators out there, so that they will simulate a ransomware attack up to the point of encryption, obviously, and so, that you can actually see whether or not your detections will work the way that they're supposed to.

James Green:

Very cool. Okay, last question. Does the IR team bring a 12-sided die?

Allan Liska:

Yes. Given how complex ransomware attacks are, you may need a 20-sided die.

James Green:

Fair enough. Thanks, Allan.

Allan Liska:

Thank you.

