Would you know how to respond if your organisation was hit by a cyber attack? Running a cyber tabletop exercise allows you to prepare and test responses in a safe environment. But what type of cyber incident should you use in your exercise? What scenario best prepares you for a possible attack? Here are some examples of cyber tabletop exercises that you could consider running for your crisis team.
Examples of Cyber Tabletop Exercises
Ransomware Attack : You lose access to data or systems because an attacker has encrypted files and is now demanding payment in return for the decryption key. With ransomware so prevalent it is unsurprising that many organisations want to test their response to a ransomware attack, often combining encryption with data exfiltration. Ransomware attacks are frequently “upfront” and unambiguous: systems and resources are quickly – and often publicly – unavailable with attackers making contact shortly after with their demands. A ransomware scenario generates important questions that need rapid answers. Can you restore from backups? Who do we need to inform? Do you want to pay the ransom?
Insider Threat : Someone within the organisation has deliberately committed theft, fraud or sabotage. Insider threats, such as employees intentionally compromising sensitive information, can be difficult to detect and prevent. Exercises may involve notification by third parties or sometimes even competitors informing you that company assets have been stolen. Depending on the time frame you may need to involve HR – or the insider may have already left the organisation. Is there anyone else involved? how did they manage to exfiltrate the information? If it was sabotage, what steps do we need to take to identify any additional malicious activity?
Data Breach Response : The loss or potential loss of sensitive or personal data is one of the worst things that a Crisis Management Team can face in a simulated incident. What information is public? Are they commercial files or client or customer data? What can we do to prevent further losses?When do we need to report to a regulator? How would we reassure clients?
Supply chain/ Third-Party Vendor: Some of the largest and most devastating cyber-attacks of recent years have been supply chain attacks where a third party has access to your network. These scenarios are often complex and difficult to handle as key aspects are outside your control – a compromised third party dealing with an internal attack and other organisations also demanding updates and information.
Social Engineering Attack : While phishing is the most common form of social engineering, vishing, smishing and physical impersonation attacks can lead to significant asset loss and reputational damage. The public is rarely supportive of staff members who have been “duped” into giving information or credentials. For example when Twitter staff were victims of a concerted social engineering attack in 2020 the company had a large scale public relations battle alongside the internal clean-up. How you respond can have a big impact both inside and outside the organisation. Who is responsible? What access do they have? How can we restore confidence?
SCADA/ IOT Security Incident: If your organisation is highly automated you should consider an exercise where your processes are disrupted by a cyber attack. What manual fail over processes exist? are there enough skilled staff to step in while systems are restored? This cyber table top exercise simulates a security incident where complex technical systems are offline and tests the organisation’s ability to respond effectively and restore IoT devices.
Cloud Security Incident : This is a cyber incident resulting in the compromise of a cloud-based service, typically leading to data exfiltration. There are similarities to a supply chain attack in that the service, and your data, are not directly in your control. A cloud security incident exercise is worth considering given the high frequency of incidents –Thales reports that 40% of organisations have experienced a cloud-based breach.
Add stress and realism!
In addition to the core scenario, additional components should be added to build stress and add realism. In real life the impact of the attack will ripple through the organisation, effecting resourcing as well as internal and external communications. These elements should be included in your exercise to give your team practice at dealing with the wide range of impacts of an actual cyber-attack. For example what do you tell customer facing staff about the incident, and perhaps more importantly, who is going to feed your loggists or IT team as they work into the night?
These are a few examples of tabletop exercises to consider running with your crisis management team. For more information on exercising, read our guide to exercising or contact us at [email protected]
