An incident response tabletop scenario is an exercise where security teams discuss, in a classroom-type setting, their roles in response to an emergency. This discussion is usually conducted by a trained facilitator who guides the team through multiple scenarios and determines their readiness or potential gaps in their response process.
If an incident could lead to a loss of, or disruption to, an organization’s operations, services or functions, the team’s response capability needs to be fast-acting and effective. The output of an incident response tabletop scenario is a clear picture of how your team will identify, analyze, and resolve incidents, and how it will prevent a recurrence.
In this article, we unpack six common scenarios that a response team may need to recover from. Each exercise follows the same format. It begins with a scenario built on a common corporate story that leads to an incident. Next come several discussion points that help the team work through how they could respond to this type of incident in the future. Lastly, we describe the type of impact each scenario would have on the organization and its priority.
Exercise 1: Travelling Technician
Kevin, your network administrator, applied for and was granted leave several weeks ago. He has been under severe pressure and has felt overworked for months. He has arranged an overseas trip to Europe with his family. His bags are packed and he is already imagining the romance of Italy while daydreaming at his desk. A day before his trip, he is tasked with deploying a critical patch. Distracted and eager to start his vacation, he rushes through the deployment. A few days later, Jessica, the on-call service administrator, receives multiple reports that the recent patch has caused the application to malfunction. After some investigation, she realizes that no one tested the patch and that Kevin is unreachable. How does your team respond?
- How should Jessica respond in this scenario?
- Does Jessica have the technical expertise to resolve this incident? If not, what is the process she can follow to escalate to the right resource?
- When a new critical patch is installed, what is your organization’s change control policy? Who is responsible for testing the patch? Who is responsible for communicating with or training Jessica to resolve future incidents?
- Who is held accountable for this disruption? What disciplinary procedures are followed to ensure this will not happen again?
- Can Jessica temporarily “roll back” the patch to resume normal operations until Kevin comes back from vacation?
- How will your organization respond to the employees affected by the disruption? Is someone responsible for managing their expectations and informing them of the steps to resolving the issue?
This is a common scenario that can easily be avoided when the right change control policies are in place. This scenario tests the organization’s patch management and change control policies. An ineffective process here disrupts the organization’s internal network, and the cause is an insider threat actor.
Exercise 2: Multiplying Malware
A new employee joins your organization. They are not very technologically minded and, without considering the consequences, they plug their personal USB drive into their company laptop. The USB drive carries dangerous, fast-spreading malware. After several days, the employee complains to the IT team that their company laptop is behaving strangely. After a brief investigation, the security manager is informed that the malware has infected the laptop and replicated itself across the organization’s internal network. How does your team respond?
- What is the organization’s communication procedure? Who needs to be notified of the malware, and at what stage?
- What is the organization’s policy on using personal storage devices?
- How many other infections have gone unnoticed?
- How does your team go about identifying the infection vector?
- How will your team respond to and contain the spreading malware?
- What is the process to determine other infected assets and communicate this threat to the organization?
- If the threat continues to grow, how will management be required to intervene to prevent further damage?
- Once the threat is contained, how can this be prevented in future? What kind of user awareness training can be done to prevent human error from unknowingly introducing a threat into the environment?
Again, this is a common scenario, especially in organizations that do not have a clear personal storage device policy. This scenario tests the organization’s level of user security awareness. This threat affects the integrity of the organization’s network and is caused by an accidental insider threat actor.
Exercise 3: Cloud Compromise
Your organization makes use of many cloud platforms and Software-as-a-Service (SaaS) applications. Due to the large volumes of data, your CIO decides to store certain datasets with outside cloud providers. You receive an email from one of your cloud providers indicating that their environment has been breached. After further investigation, you realize that a large amount of your organization’s sensitive information has been compromised. Personal and financial information has been exposed, and you do not know who the attacker is. How does your team respond?
- What is your organization’s policy regarding third-party cloud storage? Do any of the policies indicate a process to be followed when a third-party breach occurs?
- Who is held accountable for the breached information? Your organization or the cloud vendor? What remedial action can be taken against the third-party vendor?
- How can you notify your users of the breach? When would the notification take place and how can you handle customer queries?
- What remediation actions can your team or management level take?
- What is the data recovery plan/policy?
- How can your organization ensure this will not happen with other third-party vendors?
- What actions would your team take if the breach happened on your on-site cloud environment?
As cloud and IoT become more common, so too does this scenario. In an ever-growing digital landscape, threats can enter your environment from multiple sources. This scenario tests the organization’s response to a third-party incident: an external threat acting on a cloud asset.
Exercise 4: Peculiar Payments
An urgent and disturbing email arrives in your team’s inbox from the organization’s CFO. During a routine financial audit, the finance team discovered that several people outside the organization are receiving a monthly paycheck. These people are not on the payroll system and have not been approved by finance. After further investigation, it appears that the paychecks are being paid into an offshore account. The payments are made through a Software-as-a-Service (SaaS) application that only three controllers have access to. Eventually, your team discovers that an external threat actor has broken into one of the controllers’ accounts and approved the payments. How does your team respond?
- How can you immediately prevent further payments to the offshore account?
- Can you recover the payments?
- Who is accountable for the incident? How did the controller’s account become compromised? Is the compromised controller an accidental victim or an insider accomplice?
- What security measures does the SaaS instance have?
- How could the payment have gone unnoticed by the finance department?
- What is the finance team’s policy on payments and approvals? Where did the system fail in terms of those policies?
- How and when do you notify management?
- As you are not aware of who the fraudster is, who do you inform about the transgression? Do you have to notify the authorities?
- How can you change the SaaS security posture to stop incidents like this in the future?
Most cybercriminals are driven by money and therefore target finance departments. Your security is only as strong as your weakest link; if your organization relies on an insecure SaaS platform, that platform becomes a target for an attacker. This scenario tests the organization’s inter-departmental communication and procedures. Financial data and resources have been impacted by either an accidental insider or an external threat.
Exercise 5: Exceptional Emergencies
Your organization is located within a flood zone. Recently the weather has been erratic, and a storm seems imminent. On this day, winter weather combined with warming temperatures has caused a newsworthy flood. Your team and organization are on high alert. Local authorities have declared a state of emergency, and your team is tasked with continuing business operations. How does your team respond?
- What is your organization’s Disaster Recovery Plan (DRP)? Has your organization run a flooding simulation on the DRP?
- Does your IT team have a DRP for flooding?
- How can you secure your digital assets and ensure a continuation of business processes?
- Do you have any digital assets that could be compromised by the flood? Is your data stored on any local servers within range of the flood warning?
- How can you recover business operations once the state of emergency has been resolved?
This is a less common scenario, depending on where your organization is located, but it is one that every organization needs to be prepared for. This scenario tests the organization’s emergency response protocol. An ineffective process could lead to a loss of business operations and severely impact the organization’s reputation and revenue.
Exercise 6: Recovering Ransoms
Your organization was recently in the media for record-breaking revenues and profits. This media attention has boosted your brand and reputation, but it has also caught the attention of many cybercriminals. As a result, your Chief Marketing Officer’s account has been compromised through highly targeted phishing attacks. Sensitive go-to-market and prospective customer information has been stolen. The criminals are demanding $5 million in exchange for the information. If the money is not paid within a week, the information will be released to all of your organization’s competitors. How does your team respond?
- What is the organization’s policy on terrorist attacks and criminals seeking financial compensation?
- Do you have an Incident Response Plan (IRP) that explains recovery steps in a ransomware attack?
- Can you determine the validity and severity of the threat? Have the criminals obtained enough sensitive information to justify a $5 million demand?
- Who do you inform about the incident? Do the authorities need to be involved?
- What is management’s role?
- Who is accountable for the break-in? Marketing or the IT department?
- What can your organization do to prevent a ransomware attack in the future?
Ransomware attacks target organizations in every vertical and of every size. This scenario tests the organization’s emergency incident response and its ability to deal with external threats. If the incident is not handled efficiently, the organization will suffer financial loss and reputational damage.
Incidents are unavoidable. It’s not about if an incident occurs, but rather when. How is your team going to respond?
Using an incident response tabletop scenario, organizations can proactively prepare for future incidents and curb the impact that these disastrous events can have on the organization. To fully realize the value of an incident response tabletop scenario, many organizations engage experienced consultants and facilitators to run the process and get the best results.
Before you can focus on recovering from incidents, you need to understand the baseline preparedness of your response team. That is why many organizations are focusing on scenario-based tabletop exercises. What about you?