Incident Response Tabletop Exercise Scenarios

Incident Response Tabletop Exercise Scenarios

Every effective cybersecurity program includes regular tabletop exercises where your team gets to practice dealing with a security incident. And realistic exercises start with choosing a scenario that’s appropriate to your actual security risks. In a recent blog, we shared tips for conducting the tabletop exercise itself. In this post, we share three basic scenarios to get you started on creating the right situation for your exercise. 

Note that the scenarios shared here don’t come with answers to each problem. A tabletop exercise isn’t a fill-in-the-blank exam. It’s a convincing simulation that lets your team practice working through your incident response plan and a key way to identify needed changes in that plan. Use these sample scenarios to start crafting situations that will give your team the most realistic experience. 

Key Elements for Any Tabletop Exercise Scenario

You’ll find a few common aspects in every good scenario: 

  • Custom details – In your tabletop exercise, tailor the scenario to your team by using names of actual employees, the software your team uses, real customers, etc. All this will heighten the realism and help everyone grasp the consequences of something like your top customer calling because your service isn’t working. 
  • An unfolding threat – Throw a series of developments and plot twists at the participants to reflect that, in a real-life incident, you never know all the facts upfront. 
  • Unavailable personnel – At some point, reveal that whoever is in charge of your team (or a staff member with necessary expertise) is unreachable. This forces everyone to work the problem on their own rather than just saying that they’ll call someone else for guidance. 
  • Outside pressure – Throw questions from clients, partners, the media, etc. into the mix to raise the tension and test the communications aspects of your incident response plan.  

Essential Questions to Ask in Any Scenario 

With any scenario you use, structure the exercise so that participants have to answer the following questions: 

  • Does this qualify as an incident? 
  • What’s your first step after realizing that something odd is happening? 
  • What information/evidence do you need to collect? 
  • How do you know what data was compromised/exfiltrated? 
  • Who else in your organization needs to be notified and what should be shared internally? 
  • How long will it take to recover your data from backup? 
  • Do you have talking points ready for staff members who may get calls from customers? When do you proactively notify customers of the problem? 
  • What deadlines from your service level agreements (SLAs) are at risk while your system is compromised? 
  • Will you pay the ransom? 
  • What are your reporting requirements after the incident is over? 

Tabletop Exercise Scenario #1: Ransomware 

Backstory: You’re a midsize professional services firm with 100 employees, which includes a three-person IT team. 

Day 1, 7:05am 
After a long holiday weekend, a couple of early birds arrive at work and report to IT that they can’t access files on their workstations or the network drive. 

Day 1, 7:35am 
IT team members rush to the office and find that numerous files on the server and workstations appear to be encrypted. 

Day 1, 7:55am 
The only file anyone can open is one that has appeared in every directory. It’s called RECOVER-FILES.txt. Upon review, the team discovers that this is a ransom message and decides to notify the IT leader. 

Day 1, 8:05am 
The team realizes that the IT leader is on a cruise and unreachable. 

Day 1, 3:50pm 
Upon further investigation, 80% of your workstations and 50% of your servers and applications were encrypted. Forensic analysis found evidence of data exfiltration and indicated that the threat actors were actively in your network for months before the attack. Recovery will probably take several days or weeks. Not all data is recoverable. 

Tabletop Exercise Scenario #2: Business Email Compromise 

Backstory: You’re a family-owned, 60-person company that builds components for large agricultural equipment manufacturers. 

Day 1, 4:05pm 
The CFO receives an email from the CEO, who is traveling in China. The CEO’s message shares greetings from his wife and mentions how much they enjoyed their time in Beijing. He goes on to say that he has decided to proceed with the purchase of a large piece of equipment that the team has been discussing for weeks. He gives the CFO a bank account to use for the $400,000 payment, and the CFO makes the payment. 

Day 5, 8:05am 
When the CEO returns to the office, the CFO mentions the purchase to him, and the CEO responds, “I never told you to make that purchase. What are you talking about?” The C-suite calls IT in to investigate whether the CEO’s email has been compromised and where the money went. 

Tabletop Exercise Scenario #3: System Compromise/Double-Extortion Ransomware 

Backstory: Your company runs a cloud-based sourcing service. Customers log into your portal to order the parts they need to conduct operations each day. 

Day 1, 10:02am 
A customer submits a support ticket saying that they can’t get into the Admin Console for your service and can’t query data from their database for custom reporting. Your support team attempts to use the service and discovers they can’t get into it either. 

Day 1, 10:10am 
Your internal team sends the issue to your offshore software development team—and they can’t get into the service either. 

Day 1, 3:45pm 
Forensic investigation finds a ransom note and also discovers that the threat actor was able to capture cached admin credentials and pivot to other systems and resources. 

Day 1, 4:59pm 
You realize that the attacker successfully exfiltrated critical data and is threatening to disclose it if ransom isn’t paid. You haven’t yet determined what data they exfiltrated 

Clearly, each of these scenarios can go in a lot of directions and will give your team plenty of things to discuss. If you’re just starting to use tabletop exercises, you’ll usually benefit from having an experienced third-party expert help develop the scenario and lead your team through the exercise. 

Contact HBS to talk with one of our cybersecurity consultants.

author avatar
Carly Westpfahl