Ransomware and Beyond series

How to run a ransomware security simulation

In the effort to protect your organization from ransomware, which is more important: prevention or preparedness?

While there are many measures you can—and should—take to prevent a ransomware attack (you can read our checklist here), no organization can completely prevent an attack from occurring. That's why preparedness is just as important: threat actors can bypass even the strongest security systems, so putting a response plan together in the event of an attack can go a long way in ensuring a speedy recovery.

One tool you can implement to help build a response plan is a tabletop exercise. This is a guided simulation that enables you to talk through, and even act out, what would happen in the event of a ransomware attack.

As our Security Engineer Cassandra Rawls explains, running a tabletop exercise is critical to understanding your organization's level of preparedness: “This is an opportunity to ask questions and uncover any holes in your process that you can fix before you're hit with a real attack.”

Before you run a tabletop exercise

If you're reading this and feel like you're ready to run a tabletop exercise of your own, that's great—but there are some things you should have in place first. Incident response expert Tyler Hudak outlines them in his webinar, “Simulating a Cyber Attack”:

First, you need an approved and distributed incident response plan. As Hudak explains in his webinar, this is a high-level plan that explains what you would do in the event of an attack. He emphasizes that it needs to be approved by management and distributed to the teams who would be involved—if you're the only one who's familiar with it, it's as good as useless.

Next, you'll need to have incident response procedures and playbooks. These are more detailed plans that would be distributed to your IT or Information Security teams. They contain step-by-step checklists outlining how you would get from one phase of the response plan to another. They should include contact info for involved parties, as well as flowcharts showing how each phase of the response would progress.

Finally, you'll need to make sure you have business buy-in on your incident response plan. Ransomware attack recovery involves a number of teams, from legal to internal communications to HR, so making sure each stakeholder is on board with your plan is important.

Step by step: How to run a tabletop exercise

Once you've built your incident response plan, procedure, and playbook, it's time to plan the tabletop exercise. According to Hudak, these are the steps you should take to plan and carry it out.

Step 1: Decide who will be involved

If you're simulating a ransomware attack, you'll need to involve a number of stakeholders, both within and outside of your organization.

Internally, you'll want to include anyone on your IT team who will be directly involved with carrying out recovery efforts. You should also include:

  • Representatives from your legal team, who can advise you on any legal nuances or procedures you'd need to be aware of
  • Human resources and internal communications, who can help decide how to communicate the incident to employees and build a process that employees can follow in the event of an attack
  • Any business units that would be affected by this scenario
  • Executive management, who would have the final say on whether or not a ransom should be paid

There are also external stakeholders you should include, such as an insurance breach coach and a third-party forensics agent. These people can explain what they would need from you in order to guide your organization through the recovery process.

Step 2: Choose your scenario

Next, it's time to select a scenario you can walk your participants through. It's important to choose one that's relevant to your organization as well as to the participants in the simulation. If you're struggling to think of a scenario that fits these criteria, Hudak has some suggestions for thought starters:

  • Does anything about your organization, good or bad, need to be highlighted?
  • Have there been any ransomware attacks in the news lately that would be relevant to your organization?
  • Is there an issue your exec team is worried about that you could work through with a simulation?

Hopefully these questions will help you decide on a scenario that's useful and relevant.

Step 3: Schedule and run your meetings

A full tabletop exercise can take anywhere from two to four hours to complete, and not all participants need to be present for the whole thing. Hudak recommends scheduling separate meetings for the technical and business-related aspects of the tabletop exercise. Your HR team, for example, may only need to be present for half an hour to get up to speed on what's happened so far and explain how they can contribute.

Hudak also recommends slightly different structures for each of the technical and business-related meetings. In your incident response team and IT meeting, you'll start by explaining the exercise and what is known about the scenario. For the business unit and exec team meeting, you'll want to do the same, and follow that with a summary of the decisions the IT and incident response participants have made so far. You should also ask your participants if they have questions about what's occurred so far before you begin.

When it comes to running through the actual simulation, you should have a moderator and a note taker, neither of whom should be a participant in the exercise. Your moderator will describe the scenario, ask questions, throw in curveballs, and keep everyone on task. Your note taker will record the decisions that are made, the questions that are asked, and any issues that surface.

Step 4: Determine lessons learned and adjust your response plan

As Rawls reminds us, “You'll find a lot of holes in the process while you're going through each scenario, but you'll see growth with each exercise you run.” Pay close attention to the roadblocks and logistical issues that come up while you're running your exercise, as well as any confusion around who owns which tasks.

Over time, and with repeated tabletop exercises, your team's response will get better and faster. And while we hope you can avoid being targeted by ransomware, if it does happen, you'll be ready.
