
Tabletop Exercises: Ransomware Attack Simulation
Fabian Murer | 30.10.2024 (updated on: 30.10.2024)

Tabletop exercises allow organizations to test and improve their crisis management capabilities in a safe environment. Realistic scenarios are played out, allowing participants to refine their response strategies to potential security incidents and identify weaknesses in their existing processes.

In the blog post “Tabletop Exercises: Putting Your Crisis Management to the Test”, we looked at different types of tabletop exercises and their benefits overall. In this follow-up article, we will focus on a specific scenario: the ransomware attack. Ransomware attacks have become one of the biggest threats to businesses worldwide, and the need to be well-prepared for such situations is now more important than ever.

This article outlines the course of a tabletop exercise specifically focused on a ransomware attack. We focus on decision-making in critical situations, as well as communication with internal and external stakeholders. These aspects are important to effectively manage a ransomware incident and minimize the impact on the organization.

Ransomware Attack on a Mid-Sized Company

In this example, we examine the operations of a medium-sized manufacturing company that specializes in the just-in-time delivery of components to major automotive manufacturers. The company has a highly digitized and networked production environment based on automated systems and a cloud-based IT infrastructure.

Start Inject: On a Monday morning, the IT department discovers that several critical systems are no longer accessible. Instead, a message is displayed demanding a substantial ransom in cryptocurrency. This indicates that a widespread ransomware attack on the company’s systems must have occurred.

Risk Assessment and Decision Making

Once the IT department confirms that the company has fallen victim to a ransomware attack, the clock starts ticking. Several critical systems appear to have been encrypted and it becomes clear that the scale of the attack is likely to be significant. IT management is now faced with the urgent task of taking appropriate action to contain the damage and prevent the ransomware from spreading further.

In this critical phase, IT and management decision-makers must rapidly make crucial decisions and establish priorities to effectively manage the incident and minimize damage. A tabletop exercise provides an ideal setting for discussing these decision-making processes in a stress-free environment. It must be ensured that potential consequences are also taken into account. In a tabletop exercise, decision-makers are typically confronted with decisions such as the following (not an exhaustive list):

Shutdown or Controlled Continuation of Production

One of the most significant challenges in the aftermath of an attack is determining whether to halt production or to continue in a controlled manner. Given that certain parts of the production process have already come to a standstill, there is a risk that areas that are still functioning will become infected, leading to a complete halt in production.

The company must decide whether to shut down or isolate the production line to prevent further compromise. However, this could result in an indefinite shutdown. Alternatively, the company could opt for a controlled and secure continuation of production, accepting the risk that the still-running part could also be compromised later.

The decision to keep production running often necessitates the allocation of additional monitoring resources, which are then unavailable for incident response and infrastructure recovery.

Furthermore, the decision entails an assessment of the potential risk of contractual penalties resulting from a delay or disruption in the supply chain.

Dealing with the Ransom Demand

One of the most important considerations during a ransomware attack is how to respond to the ransom demand. It is advisable to follow the guidance of authorities and cybersecurity experts. Paying the ransom is not recommended under any circumstances. However, unexpected discussions may arise, especially if the costs of business interruption, recovery efforts, and the involvement of external specialists exceed the actual ransom demand. It is crucial for senior management and the board of directors to carefully evaluate the economic implications of these discussions.

Contacting the attackers, even if there is no intention of complying with their demands, can sometimes be beneficial. In some cases, it can provide additional time or further information.

Inject: Fortunately, the backups were not encrypted, allowing for a restoration of the systems. However, it is not yet possible to determine with certainty how long the attackers have been in the network. The corresponding analysis is still pending and may take several days.

Timing and Sequence of Restoration

When restoring systems from backup, the question of which systems should be restored first is often raised. In a company with multiple departments and production lines, there is often a difference of opinion as to the relative importance of the various systems. Each department tends to consider its own systems to be the most critical, which can make it challenging to align on a uniform approach.

It is necessary to decide which systems and services are most relevant from a company-wide perspective. Should the priority be on production systems, with the aim of resuming production as soon as possible, or should the focus be on ERP/CRM solutions, with the objective of processing orders already received and facilitating the processing of new incoming orders?

This is a typical issue that can be clarified and decided in advance of a cyberattack. “Business Continuity Management” is the keyword in this case.

When restoring the data, it is important to determine from which point in time the backups should be restored. As a general rule, the backup that is closest to the time the data was encrypted is used.

However, this approach carries the risk that said backup may also have already been compromised. It is possible that the attackers have been in the network for weeks and have embedded themselves in the systems.

It is therefore important to decide how much time should be invested in analyzing and searching for the so-called “initial access”, that is to say, the first point in time that the attackers accessed the system. This decision also requires careful consideration.
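The two restoration decisions above (which system first, and which restore point) can be written down as a small decision aid before an incident. The following is an added example and not code from the article or from Oneconsult; the system inventory, the dependency graph, the nightly snapshot catalogue and the encryption and initial-access timestamps are all constructed. It orders systems so that prerequisites (here the domain controller) are restored before the systems that need them, breaking ties by the company-wide priority agreed in advance, and it picks the newest snapshot that predates the attackers' initial access, flagging the choice as unverified when that time is still unknown.

```python
import heapq
from datetime import datetime, timedelta

# Constructed sample inventory (assumption, not from the article). "priority" is the
# company-wide ranking agreed in advance (1 = restore first); "depends_on" lists the
# systems that must be back before this one is usable.
SYSTEMS = {
    "domain-controller": {"priority": 1, "depends_on": []},
    "erp":               {"priority": 2, "depends_on": ["domain-controller"]},
    "mes-line-a":        {"priority": 2, "depends_on": ["domain-controller", "erp"]},
    "crm":               {"priority": 3, "depends_on": ["domain-controller"]},
    "fileserver":        {"priority": 4, "depends_on": ["domain-controller"]},
}

# Constructed backup catalogue: one snapshot per system every night at 02:00, 1 to 28 October.
SNAPSHOTS = [datetime(2024, 10, 1, 2, 0) + timedelta(days=i) for i in range(28)]
BACKUPS = {name: list(SNAPSHOTS) for name in SYSTEMS}

ENCRYPTED_AT = datetime(2024, 10, 27, 23, 0)     # encryption started Sunday night, found Monday
INITIAL_ACCESS = datetime(2024, 10, 14, 22, 15)  # assumed result of the forensic analysis


def restore_order(systems):
    """Dependency-respecting restore order; ties are broken by business priority.

    Kahn's algorithm with a heap keyed on (priority, name): among all systems whose
    prerequisites are already restored, the most important one is restored next.
    """
    indegree = {name: len(spec["depends_on"]) for name, spec in systems.items()}
    dependents = {name: [] for name in systems}
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            dependents[dep].append(name)

    ready = [(spec["priority"], name) for name, spec in systems.items() if indegree[name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (systems[child]["priority"], child))
    if len(order) != len(systems):
        missing = ", ".join(sorted(set(systems) - set(order)))
        raise ValueError(f"dependency cycle involving: {missing}")
    return order


def select_backup(snapshots, encrypted_at, initial_access=None):
    """Choose the restore point for one system.

    Without a known initial-access time the newest pre-encryption snapshot is chosen
    but flagged "unverified": it minimises data loss but may carry the attackers'
    persistence. With a known initial-access time only snapshots taken before it are
    treated as clean. Returns (restore_point, status, data_loss_days).
    """
    before_encryption = [s for s in snapshots if s < encrypted_at]
    if not before_encryption:
        return None, "none", None
    if initial_access is None:
        point = max(before_encryption)
        return point, "unverified", (encrypted_at - point).days
    clean = [s for s in before_encryption if s < initial_access]
    if not clean:
        return None, "none", None          # every snapshot postdates the intrusion
    point = max(clean)
    return point, "clean", (encrypted_at - point).days


def restore_plan(systems, backups, encrypted_at, initial_access=None):
    """Ordered list of (system, restore_point, status, data_loss_days)."""
    return [(name, *select_backup(backups[name], encrypted_at, initial_access))
            for name in restore_order(systems)]


if __name__ == "__main__":
    for row in restore_plan(SYSTEMS, BACKUPS, ENCRYPTED_AT, INITIAL_ACCESS):
        print(row)
```

Run as a script it prints the plan for the constructed data: the domain controller first, then ERP, the ERP-dependent production line, CRM and the file server, each restored from the 14 October snapshot with roughly two weeks of data loss. Rerunning it without the initial-access time shows the trade-off the text describes: the 27 October snapshot with almost no data loss, but marked unverified.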

Escalation and Communication

Once the IT department has identified a cyber incident, verified it, and determined that it presents a significant risk to the company, it is crucial to promptly inform the relevant parties and initiate the escalation process. The following topics, among others, are of particular relevance (not exhaustive):

Escalation Plans

An effective response to a ransomware attack hinges on clearly defined and tested escalation processes. In such a crisis, it is crucial that all parties involved are aware of the information channels and know who is to be informed and when.

It is important to ensure that the relevant individuals can be reached promptly. This can be via telephone, email, or other communication channels. It is therefore advisable to prepare an Incident Response Plan (IRP) in advance.

Such cases can be effectively simulated in a tabletop exercise. This allows companies to test how their teams react when a key person cannot be reached. For example, the CEO can be integrated into the exercise at a later point in time to see if alternative contact options or deputies are available.

It is also important to consider the communication tool that will be used for escalation. What contingency plans are in place if the usual communication tool, such as Microsoft Teams, becomes unavailable? This can also be effectively tested in a tabletop exercise.

Involving External Specialists

As part of the escalation process, it is important to determine whether the company has the necessary resources and expertise to manage the incident efficiently. It may be necessary to call in external specialists and partners, which has the potential to present challenges.

For example, it is important to clarify whether the correct emergency contacts at the partners are known and available. It is also necessary to verify whether immediate support outside of normal business hours is covered by the “Service Level Agreement”. An Incident Response Retainer (IRR) with a cybersecurity specialist can significantly reduce the time and cost required to respond to an incident.

If it becomes necessary to seek external support, several considerations must be made. The first question is who should be contacted in this situation and which partner is best suited to the specific requirements of the incident. It is also important to establish how the partner can be reached as quickly as possible.

Inject: Customers and suppliers begin to notice that something in the supply chain is not working. For example, customers can no longer place orders. Salespeople are starting to be actively contacted by customers asking for more information.

Coordinating Communications

In the event of an incident such as a ransomware attack, it is essential to communicate with the various internal and external stakeholders in an organized and coordinated manner. It is particularly important to maintain absolute control over the content of the information being communicated in order to prevent the spread of rumors or the inadvertent disclosure of internal and sensitive information.

It is therefore essential to define the communication strategy and determine how and by whom the communication will take place. Similarly, it must be ensured that communication, especially with the public, is conducted through a central point of contact in order to guarantee consistent and controlled statements.

It is also important to consider which information should be shared with the public and which should be withheld. Ideally, the appropriate general communication templates should already be prepared in advance to enable proactive and rapid communication. One task in the tabletop exercise could therefore be to create a draft of this initial information within a ten-minute timeframe.

These and similar questions are of great importance but are often overlooked. In a tabletop exercise, they are given particular attention and prove to be crucial for effective crisis management.

Common Findings and Lessons Learned

Conducting various tabletop exercises with different scenarios has revealed something important: Many observations and recommendations tend to recur. This is true for all industries and for companies at different stages of development.

Below is a selection of the most common observations.

Decisions That Can Be Clarified in Advance

During our tabletop exercises and Incident Response Assessments, a common theme emerges: Long and intense discussions during an incident often revolve around issues that could have – and should have – been resolved in advance. These pre-incident decisions can save valuable time and significantly improve response capabilities. Some of the important decisions that should be made in advance include:

  • Dealing with Ransom Demands: Should the ransom be paid or not?
  • Crisis Strategy: Should the focus be on restoring systems as quickly as possible or on maintaining production?
  • Communication Preparation: Developing communication strategies and templates for rapid yet professional communication in the event of a crisis.
  • Contacts and Contracts: Ensuring that contacts with incident response partners and specialists are known and that appropriate contracts are prepared.

The key takeaways from these exercises and assessments are clear: Decisions that can be made in advance of an incident should be made in advance. At a minimum, these issues should be discussed in detail and a suitable strategy defined. This saves valuable time in the event of a crisis and avoids unnecessary delays in crisis management.

Implementation of “Obvious” Measures

A commonly identified area for improvement is the detailed implementation of “obvious” measures. In (technical) tabletop exercises, immediate actions such as “reset passwords” or “isolate systems” are typically mentioned very early on. However, it is when the exercise facilitator asks questions about how these measures can be implemented in an emergency that the discussion becomes more interesting.

  • Resetting Passwords: In the event of a user account compromise, the access data is typically reset, and active sessions are terminated. However, in the case of a ransomware incident, it is likely that the attackers had the highest privileges and potentially gained access to all user accounts in the Active Directory. This presents a significant challenge, as it may require resetting the passwords of thousands of user accounts. To effectively address this challenge, it is advisable to consider potential approaches in advance.
  • Isolating Infected Systems: As with compromised users, the typical immediate response to a compromised system is to isolate it. However, what is the optimal method for isolating a system? Modern Endpoint Detection and Response (EDR) solutions allow this step to be implemented in a relatively short amount of time. However, the question remains as to whether this is also possible when the device is in use in a home office and connected via a Virtual Private Network (VPN). Furthermore, it must be established who is responsible for determining whether a device may be isolated. While the isolation of standard clients probably does not present a significant issue, this may be different for critical servers. For example, the question arises as to how and when the mail server or domain controller should be isolated. Here, too, it must be clarified who is responsible for making this decision.
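The first bullet asks how a reset of thousands of accounts could be organised in practice. The following added example (not code from the article or from Oneconsult) turns a directory export into an ordered reset plan rather than performing any reset itself: privileged accounts first, the krbtgt account reset twice with a wait for replication and ticket expiry in between, service accounts handled with their owners because every dependent service must be updated, and ordinary users in scripted batches. The account list, group names and batch size are constructed assumptions; the classification precedence (krbtgt, then privileged group membership, then service principal, then user) is the planner's own rule.

```python
from itertools import islice

# Groups whose members are treated as tier-0 (assumption: adapt to the directory's own tiering).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed directory export (assumption, not data from the article).
ACCOUNTS = [
    {"sam": "krbtgt",     "groups": [],                    "spn": False},
    {"sam": "adm.alice",  "groups": ["Domain Admins"],     "spn": False},
    {"sam": "adm.bob",    "groups": ["Enterprise Admins"], "spn": False},
    {"sam": "svc.erp",    "groups": ["Domain Admins"],     "spn": True},
    {"sam": "svc.backup", "groups": [],                    "spn": True},
    {"sam": "svc.mes",    "groups": [],                    "spn": True},
    {"sam": "jdoe",       "groups": ["Production"],        "spn": False},
    {"sam": "mmuster",    "groups": ["Sales"],             "spn": False},
    {"sam": "pschmidt",   "groups": ["Production"],        "spn": False},
    {"sam": "akeller",    "groups": ["Finance"],           "spn": False},
    {"sam": "lbrunner",   "groups": ["Sales"],             "spn": False},
    {"sam": "tweber",     "groups": ["Logistics"],         "spn": False},
    {"sam": "nhuber",     "groups": ["Production"],        "spn": False},
]


def classify(account):
    """Bucket an account; the first matching rule wins."""
    if account["sam"].lower() == "krbtgt":
        return "krbtgt"
    if PRIVILEGED_GROUPS & set(account["groups"]):
        return "tier0"          # a privileged service account is still tier-0
    if account["spn"]:
        return "service"        # has a service principal: something depends on it
    return "user"


def batched(items, size):
    """Yield consecutive chunks of at most `size` items."""
    it = iter(items)
    while chunk := list(islice(it, size)):
        yield chunk


def reset_plan(accounts, batch_size=500):
    """Return an ordered list of (step, accounts, instruction) tuples."""
    buckets = {"krbtgt": [], "tier0": [], "service": [], "user": []}
    for account in accounts:
        buckets[classify(account)].append(account["sam"])

    steps = [("tier0", sorted(buckets["tier0"]),
              "manual reset from a clean admin workstation; hand over new secrets out of band")]
    if buckets["krbtgt"]:
        steps.append(("krbtgt-1", buckets["krbtgt"],
                      "first reset; wait for replication and the maximum ticket lifetime"))
    steps.append(("service", sorted(buckets["service"]),
                  "coordinated reset with the owning team; update and restart every dependent service"))
    for i, chunk in enumerate(batched(sorted(buckets["user"]), batch_size), 1):
        steps.append((f"users-{i}", chunk,
                      "scripted bulk reset, force change at next logon, revoke existing sessions"))
    if buckets["krbtgt"]:
        steps.append(("krbtgt-2", buckets["krbtgt"],
                      "second reset once the first has replicated and old tickets have expired"))
    return steps


if __name__ == "__main__":
    for step, names, instruction in reset_plan(ACCOUNTS, batch_size=3):
        print(f"{step:9} {len(names):4d} account(s): {instruction}")
```

With the constructed data and a batch size of three, the plan lists three tier-0 accounts (the privileged service account svc.erp among them), two ordinary service accounts, and the seven users split into batches of three, three and one, bracketed by the two krbtgt resets. In a real exercise the interesting discussion is the instruction column: who owns each step, from which workstation it is executed, and how the new credentials reach their users when mail and chat may themselves be unavailable.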

From initially relatively straightforward questions about immediate measures, more complex topics quickly emerge. In the event of an incident, suitable solutions must be found promptly. It is therefore advisable to consider these measures in advance and to make the appropriate preparations.

Conclusion

Tabletop exercises are an effective method of identifying and addressing potential weaknesses in a company’s crisis management. By playing through scenarios such as a ransomware attack, companies can test and optimize their decision-making processes, escalation protocols, and communication strategies in a safe environment.

Through such exercises, crucial questions and challenges can be clarified before a crisis occurs, thereby saving valuable time in an emergency. The insights gained from such exercises are vital to ensuring that action is taken promptly, efficiently, and in a coordinated manner. Furthermore, they contribute to the significant improvement of the overall security culture.

Author

Fabian Murer is the head of the Incident Response and Digital Forensics team at Oneconsult AG. He frequently conducts tabletop exercises with clients in order to prepare them for potential emergency situations.
