Introduction
Since the world started resuming business operations to their full potential after COVID-19, another disruption has been on the rise. This time it is completely man-made. Ransomware has become a formidable weapon in the digital world. It does not matter whether you run a small start-up or a giant manufacturing business; a single wrong click can bring you to your knees. The moment you are targeted you see sluggishness, messages and tickets piling up, and employees calling one another to understand what is happening. The experience is overwhelming. The first few hours are enough to tell whether the organization can steer the ship through the storm or perish in it.
We have seen many organizations steer that ship, one way or the other. But those that steer it successfully always have one thing in common: practice. Cyber resiliency is not about preventing an attack or detecting it, but about how you work through the situation and keep the lights on throughout its duration. Yet professionals are often unsure how to practice.
This is where a ransomware tabletop exercise, or drill, comes in: a structured, discussion-based forum that presents a realistic attack scenario and lets the teams prepare for, react to, respond to, and recover from it, all without touching a single production system. Think of it as net practice for the worst cricket match that will ever be played.
Why rehearsing ransomware recovery is more critical than policies
Today's ransomware is no longer just about file encryption or compromising the three pillars of information security (the CIA triad). The bad actors steal data, target backups, threaten public exposure, and disrupt business and operational processes across entire ecosystems. Business continuity or disaster recovery lets you run a redundant parallel system from an alternate location. However, in most attack scenarios the recovery site is also compromised, which makes triggering your business continuity plans impossible. This is where technologies like air gaps, data immutability and WORM storage come into play.
Professionals and enterprises often start by investing time in creating policies or frameworks. However, all of this is of no use when:
- Half the team is not sure of their role.
- Communication channels are unclear.
- Backups are configured in theory, but restoration is not practiced.
- Leadership is unsure how to make decisions.
- Legal and compliance obligations are not fully understood.
Why cyber or ransomware tabletop exercises are required today
A tabletop exercise cuts through most of the challenges mentioned above. It reveals how your people react and respond under pressure (without the actual pressure). It also highlights what kind of decisions the leadership teams take and what their dependencies are. It opens up the business point of view for IT teams, who in an organization tend to think only of systems, connectivity, access and restoring data. Tabletop exercises help organizations prepare for such incidents by validating response strategies, improving coordination, and ensuring readiness against evolving threats. Below are some of the areas that can be explored and evaluated during a tabletop:
- Who is the decision maker?
- What damage assessment reports are required, and who will provide them?
- Which teams struggle to provide the desired output?
- What are the SLAs at the various stages?
Role of AI: A double-edged sword?
Most enterprises believe that the latest surge in AI adoption will help them combat this menace. These next-generation solutions offer various techniques and mechanisms to detect attacks at the first point of contact and help assess the weak entry points. However, the same capability is also exploited on the other side of the table by hostile state actors to bypass your security environment. AI techniques are equally helping attackers explore new ways of exploitation for which the mitigation measures are still under development. For example, one new kind of threat on the rise is cryptojacking, which targets cryptocurrency owners specifically and starts crypto mining on behalf of the owners. Hence AI can play spoilsport on both sides.
It is often assumed that the reason behind a ransomware situation is that enterprises are unable to adopt the latest technology or AI capabilities; this is completely mistaken. The real reason is employee behavior and mindset. You may have spent millions of dollars adopting next-generation technology, but if employees still do not follow the hygiene practices of information security, that technology is crippled before an attacker.
How to execute a tabletop that delivers value, not just a tick in the box
There are many ways of running a cyber tabletop exercise that will satisfy auditors looking for the usual evidence of tests; however, there are recommended ways of executing one, and a tabletop is only as good as its preparation. Below are the areas that must be clearly defined and agreed before a tabletop is executed.
- Define the purpose and objectives clearly: The primary question is what you want to validate or see in the tabletop. Are you looking to validate the procedures for recovering data after an attack, or is the leadership interested in seeing the preparedness of the teams during the attack? In most cases the board is interested in understanding the communication flow between teams, the decision making, and role clarity between the teams rather than restoration and technical content. So the purpose of the tabletop must be defined and articulated clearly.
- Bring the right teams on board: In many organizations, the minute employees hear about cyber or ransomware, fingers point to the cybersecurity team or the business continuity professionals. Ransomware is not just a cybersecurity vulnerability; it is larger. It cuts across all channels of information and communication technology such as the datacenter, cloud, tools, platforms, and end-user systems. Hence a tabletop must not be represented only by cybersecurity teams but should have equal participation from all the teams. A balanced tabletop includes Infrastructure, Applications (at least the digital crown-jewel systems), Security, Major Incident Management, Business Continuity / Disaster Recovery coordinators, and non-IT teams such as Legal, Compliance, HR, and Corporate Communications. Do not forget leadership and management. One might wonder whether suppliers and vendors have a role; that again depends on the objective you want to achieve, as mentioned above.
- Agree on a scenario that reflects a real-world event: This is the key step of the exercise. There is no point in picking a scenario that is simple to execute; the exercise is not a tick in the box. Once the scenario is agreed, develop injects that change the course of action and bring in imaginary worst-case developments that alter the course of the exercise. List the possible points of entry into the environment and map which IT systems are bound to be impacted. Below is the recommended flow that needs to be validated during the tabletop.
  - Incident detection: Employees or the SOC report suspicious or multi-vector behavior, e.g. security event monitoring platforms show abnormal encryption patterns.
  - Incident analysis: Initiating triage, classifying the incident, bringing the required teams onto the bridge.
  - Incident containment: Teams isolate systems, carry out network segmentation, and perform account, endpoint and OT containment activities.
  - Incident response: Customer, media, CSP and vendor communications; leadership decisions.
  - Incident recovery: Clean-room rebuild, data integrity checks, recovery room, recovery playbooks, and security hardening.
  - Restoration: Teams validate the sanitized environment, keep checking for further anomalies, and use alternate environments or rebuild from scratch.
- Plan for the debrief, lessons learnt and next steps: Common post-test activities must include what went well, what did not go well or slowed decision making, how the injects changed the response of employees, which processes and documents are up to date, obsolete or did not exist, and developing a mitigation plan with owners, timelines and scenario ideas for the next tabletop to make it more realistic.
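As an added illustration that is not part of the original post, the Python helper below walks a constructed exercise log through the six stages above, measures the minutes spent in each stage against assumed per-stage SLAs, and lists the outputs that were requested on the bridge but never delivered, which answers the "SLAs at various stages" and "which teams struggled" questions at the debrief. The stage names, SLA values, log format and log contents are all assumptions made for this example.

```python
from datetime import datetime

# Assumed per-stage SLAs in minutes, agreed before the exercise (constructed values).
SLA_MIN = {"Detection": 30, "Analysis": 60, "Containment": 90, "Response": 120, "Recovery": 240, "Restoration": 180}
# Constructed exercise log: "HH:MM|kind|detail"; kind is stage, inject, request or delivered.
EXERCISE_LOG = [
    "09:00|stage|Detection",
    "09:10|inject|SOC sees mass file renames on the file server",
    "09:20|stage|Analysis",
    "09:25|request|Infrastructure:damage assessment report",
    "09:40|request|Legal:notification obligations",
    "10:30|stage|Containment",
    "10:45|inject|Backup repository found encrypted",
    "11:00|delivered|Legal:notification obligations",
    "12:30|stage|Response",
    "13:00|stage|Recovery",
    "16:00|stage|Restoration",
    "18:30|delivered|Restoration:validation sign-off",
]
def parse_log(lines):
    """Turn log lines into (time, kind, detail) tuples, keeping log order."""
    events = []
    for line in lines:
        ts, kind, detail = line.strip().split("|", 2)
        events.append((datetime.strptime(ts, "%H:%M"), kind, detail))
    return events
def stage_durations(events):
    """Minutes per stage: from its entry to the next stage entry; the last stage runs to the final event."""
    entries = [(t, d) for t, k, d in events if k == "stage"]
    last = events[-1][0]
    out = {}
    for i, (t, name) in enumerate(entries):
        nxt = entries[i + 1][0] if i + 1 < len(entries) else last
        out[name] = int((nxt - t).total_seconds() // 60)
    return out
def sla_breaches(durations, sla=SLA_MIN):
    """Stages that overran their SLA, with the overrun in minutes."""
    return {s: d - sla[s] for s, d in durations.items() if s in sla and d > sla[s]}
def missing_outputs(events):
    """Outputs (team:item) requested on the bridge but never delivered: the teams that struggled."""
    requested = {d for _, k, d in events if k == "request"}
    delivered = {d for _, k, d in events if k == "delivered"}
    return sorted(requested - delivered)
def debrief(lines):
    """Summarise an exercise log for the lessons-learnt session."""
    events = parse_log(lines)
    durations = stage_durations(events)
    return {"durations": durations, "breaches": sla_breaches(durations),
            "missing": missing_outputs(events), "injects": [d for _, k, d in events if k == "inject"]}
```

Running `debrief(EXERCISE_LOG)` on the constructed log flags Analysis and Containment as over SLA and shows that Infrastructure never delivered the damage assessment report, which is exactly the kind of finding that feeds the mitigation plan.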
Conclusion
While a ransomware tabletop can be far from reality and does not simulate the real-life behavior of a cyber-attack, it improves the confidence of leadership and employees in facing such a scenario. Key activities like decision making, communication and recovery strategies are worth rehearsing multiple times with different permutations and combinations. The key is to incorporate all the learning into the next attempts and be ready to face the future.