Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
A tabletop exercise is an excellent way to practice incident response (IR) capabilities and validate appropriate documentation is available to guide the IR team in the event of a ransomware attack. Executives play a key role in not only the ransomware response activities,
but also before and after a ransomware attack. This piece provides a ransomware tabletop exercise focused on executive responsibilities, including actions executives should take before and after a ransomware attack.
Prior to any cyberattack, it is important that executives are cyber aware, and ensure cybersecurity training and awareness are part of business as usual throughout the organization. Key actions executives must take to prepare the organization for a ransomware
A tabletop exercise is an important crisis response activity that should be performed at least once a year and should cover the major threats and vulnerabilities the organization faces. A ransomware tabletop exercise is a beneficial way to review and
test organization policies and procedures before they are needed during a real incident. Some important tips for executive tabletop exercises include:
The role of executives during a tabletop exercise or real cyber event is to ensure the IR leads are empowered and have the tools and resources necessary to effectively respond and recover. Executives must be prepared to help free up the right staff, make
quick decisions based on data presented by the IR team and be an interface to the board of directors or other stakeholders as required by the IR plan.
A tabletop exercise consists of a series of injects, or scenarios steps, that unfold over time, just as a real incident would occur. The details in the first injects may seem rather benign, but as the investigation continues, the injects will build the
overall incident or attack.
It is late on a Friday night when reports come in that online banking is unavailable for all customers. IT personnel report they are unable to remotely perform maintenance on any of the impacted servers and must send someone to the colocation site to
investigate. Once personnel get to the colocation site and access the systems locally, they find all the computers are inoperable.
Executive actions/questions to ask:
An email is received at 1 a.m. by the account firstname.lastname@example.org, saying bank servers have been taken over and encrypted, and demanding a ransom of $15 million in bitcoin. The deadline to pay the ransom is 48 hours, after which data will begin to be released
and the ransom demand will double.
An emergency conference call with the IR team and executives is initiated early Saturday morning via email invitation. Halfway through the conference call, a participant realizes an unauthorized person is listening to the call. It turns out to be the
adversary, who was monitoring all internal email and received the conference call details.
All personnel move communications to an alternate system using pre-paid mobile phones and all computers and servers are shut down to prevent further damage from the adversary, who still has remote control of systems. IT personnel report it will take 10
working days to wipe all computer systems and restore from backups – and that backups have not been tested in over a year. If the ransom is paid, the systems could be restored in two days.
Injects will continue addressing actions such as media communication along with a determination of whether or not to pay the ransom. Following that decision, the tabletop exercise can focus on recovery steps.
After the incident/tabletop exercise, executives should also play a role in ransomware recovery and lessons learned. Consider the following for post-breach
Other executive actions include:
Tabletop exercises can often devolve into the team ignoring documentation and doing what the group thinks is the right thing to do. The idea is NOT to blindly follow the documentation, but rather to use the tabletop exercise as an opportunity to identify
updates that are needed to the documentation so that if a real incident occurs, the documentation CAN be used as a guide or template for actions.
Getting executives involved in tabletop exercises, especially on ransomware, is a great way to ensure they are well versed in the issues and understand there is a plan in place to respond. To ensure executives get the most from your tabletops:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.