Security leaders live by the axiom that it is not a matter of if but when they will fall victim to a cybersecurity incident.
Because of this, CISOs often strive to get ahead of the inevitable by implementing incident response and business continuity plans. But without running tabletops — dry-run exercises oriented around specific security incidents and scenarios — you can never know how your plans or team might stand up against a real-world incident.
For those who have never run a tabletop or are pressed for time to craft a specific scenario, the US Cybersecurity and Infrastructure Security Agency (CISA) provides detailed CISA Tabletop Exercise Packages (CTEPs) that can give security leaders a head start.
Here are three of CISA’s CTEPs that deliver outsized value thanks to their breadth, depth, and flexible, templated format, which any organization can adapt to its own needs.
Scenario #1: Compromised open-source software packages
Software supply chain attacks continue to rise, with malicious actors increasingly targeting open-source software (OSS) packages due to their high return on investment. Rather than targeting a single organization or product, attackers have realized they can compromise a widely used OSS package and have a massive downstream impact.
The problem is exacerbated by a lack of visibility into the full inventory of OSS components an organization consumes, either directly for internal development purposes or via products from vendors in their supply chain. Organizations such as Synopsys have pointed out that 70% to 90% of modern codebases contain OSS components and that OSS components make up 70% or more of the overall codebase.
These components, while offering key benefits such as cost savings, speed and efficiency, also come with risks such as a lack of resources for maintenance, with 25% of OSS projects having a single maintainer and 94% having fewer than 10.
Against this backdrop, Sonatype reported finding 245,000 malicious packages in the past year, twice the number found in all the previous years its report has tracked combined.
From Log4j to the latest XZ Utils scare, the OSS ecosystem has key risks that organizations need to account for, which is exactly why CISA released the OSS CTEP.
OSS CTEP structure
CISA’s OSS CTEP is structured over 180 minutes and includes various activities capped off by a hotwash. It orients around the NIST CSF in phases of govern, identify, protect, detect, respond, and recover. Some of the key objectives include:
- Discuss organizational resilience and response to threats targeting open-source projects.
- Familiarize stakeholders with reporting processes and respective roles and responsibilities during a cyber incident stemming from a critical OSS project.
- Identify areas for improvement in incident reporting processes, policies and procedures.
- Examine response coordination efforts between public, private and community stakeholders during a cyber incident.
The CTEP lays out a couple of scenarios in which a vulnerability is introduced into an OSS community’s toolchain, leading to widespread compromises around the world and to delays in patching the vulnerability.
While much of the CTEP is aimed at being an actionable exercise for the OSS community and maintainers themselves, it can serve as a useful framework for organizations as well.
Key questions around OSS risks
Key questions could include:
- Do we understand what OSS components we’re consuming and using, what systems they reside on, and which vendors are integrating them into the products that we use?
- In the event of an OSS package compromise, how would we go about following the incident management lifecycle as identified by NIST to respond to and recover from the incident?
- What actions can we take to mitigate risk to the organization involving the impacted systems and products?
- How can we make more risk-informed decisions around the OSS projects and components we consume and use?
- How do we respond to our vendors in our supply chain to ensure we have transparency around the components in their products which may pass down risk to us?
The outcomes of these thought-provoking questions and activities can be codified into organizational policies and processes to bolster the organization’s resiliency against OSS software supply chain attacks moving forward.
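The first question above, knowing which OSS components are in use, where they reside, and which vendors ship them, is answerable only if the organization holds an inventory it can query. The script below is an added example, not part of CISA’s CTEP or any vendor tooling: it cross-checks CycloneDX-style SBOM fragments against an advisory for a compromised package and also lists systems for which no SBOM exists at all, since that visibility gap is itself a finding. The SBOMs, the advisory, the package name `example-compress`, and the system names are all constructed sample data.

```python
"""Cross-check an OSS component inventory against a package advisory.

Added example (not from CISA's CTEP): the SBOM fragments, the advisory
and the list of systems below are all constructed sample data.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragments keyed by the system or vendor
# product they describe. Real SBOMs come from build tooling or from vendors.
SBOMS = {
    "payments-api": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "example-compress", "version": "1.4.2",
             "purl": "pkg:pypi/example-compress@1.4.2"},
            {"name": "example-auth", "version": "3.0.1",
             "purl": "pkg:pypi/example-auth@3.0.1"},
        ],
    }),
    "vendor-hr-suite": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "example-compress", "version": "1.4.0",
             "purl": "pkg:pypi/example-compress@1.4.0"},
        ],
    }),
    "intranet-portal": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "example-compress", "version": "1.4.3",
             "purl": "pkg:pypi/example-compress@1.4.3"},
        ],
    }),
}

# Every system the organization operates, including ones with no SBOM.
# "legacy-reporting" has no SBOM, which is the visibility gap the CTEP
# questions are designed to surface.
SYSTEMS = ["payments-api", "vendor-hr-suite", "intranet-portal", "legacy-reporting"]

# Constructed advisory: versions >= affected_from and < fixed_in are affected.
ADVISORY = {
    "package": "pkg:pypi/example-compress",
    "affected_from": "1.4.0",
    "fixed_in": "1.4.3",
}


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def purl_base(purl):
    """Strip the '@version' suffix so purls can be compared by package."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def find_exposure(sboms, advisory):
    """Return every (system, component, version) that matches the advisory."""
    hits = []
    for system, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            if purl_base(comp.get("purl", "")) != advisory["package"]:
                continue
            if is_affected(comp["version"], advisory):
                hits.append({"system": system, "component": comp["name"],
                             "version": comp["version"]})
    return hits


def coverage_gaps(systems, sboms):
    """Systems with no SBOM cannot be cleared, so report them explicitly."""
    return sorted(s for s in systems if s not in sboms)


if __name__ == "__main__":
    for hit in find_exposure(SBOMS, ADVISORY):
        print(f"AFFECTED  {hit['system']}: {hit['component']} {hit['version']}")
    for system in coverage_gaps(SYSTEMS, SBOMS):
        print(f"UNKNOWN   {system}: no SBOM on file, exposure cannot be determined")
```

Two design points matter for the tabletop discussion: the vendor product is checked with exactly the same logic as internally built software, which is only possible if vendors supply SBOMs, and a system with no SBOM is reported as unknown rather than silently treated as clean.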
Scenario #2: Ransomware attack
Ransomware has easily become one of the most notorious and pervasive attack vectors wreaking havoc on the digital ecosystem. Some estimates have ransomware hackers in 2023 bringing in double the 2022 total of $567 million in cryptocurrency payments from cyberattacks.
Ransomware attackers deny victims access to their data or systems until some form of payment or other demand is met. Notable incidents include the 2021 attack on Colonial Pipeline, which not only had financial consequences but societal impact, bringing broader awareness to citizens that cyberattacks can affect daily life. Other notable events include WannaCry, NotPetya, Locky and many others, as the list continues to grow.
We have also seen ransomware-as-a-service (RaaS) subscription-based models evolve, in which ransomware groups sell their code or access to attackers and other interested parties. They may sell or lease variants of their ransomware to buyers, a compelling proposition given that estimates put the average ransomware demand in 2021, for example, at $6 million.
Bolstering resilience around ransom attacks
CISA’s CTEP Situation Manual for Ransomware can be used for tabletop exercises to bolster resiliency against ransomware attacks. Much like the OSS CTEP, it is 180 minutes long, involves a diverse set of stakeholders across the organization, and includes various activities oriented around the NIST CSF.
Key objectives include:
- Examining an organization’s response capabilities during a significant ransomware incident.
- Examining the ability to coordinate information sharing.
- Identifying areas for improvement in cyber incident response plans and organizational resilience.
- Exploring and bolstering an organization’s plans to recover from the incident and restore services, mission-critical assets, or systems.
One scenario involves an employee of the organization being targeted by a phishing email as the entry point to a network or system, with attackers compromising personally identifiable information (PII) and installing ransomware — a common scenario.
Another scenario includes a CISA alert for a new ransomware variant, followed by dealing with end-of-life operating systems, a stolen laptop belonging to an employee, and employees contacting the VP of finance about a suspicious email with a PDF attachment. If these scenarios sound all too familiar, it is because they are.
Dealing with these sorts of situations can be frustrating and challenging in enterprise environments. Organizations scramble to make sense of what is happening and how they may be impacted, then to respond to the threat and recover from it once they have determined the actual impact.
Understanding threats and preparedness
The ransomware CTEP explores aspects of an organization’s operational resiliency and poses key questions aimed at understanding threats to an organization, what information the attacker leverages, and how to conduct risk assessments to identify specific threats and vulnerabilities to critical assets.
Given that ransomware attacks focus on data and systems, the scenario asks key questions about the accuracy of inventories and whether there are resources in place dedicated to mitigating known exploited vulnerabilities on internet-facing systems.
This extends beyond simply having backups to knowing their retention period and understanding how long a restore would take if it were needed, for example during a ransomware attack.
Questions asked during the tabletop also include a focus on assessing zero-trust architecture implementation or lack thereof. This is critical, given that zero trust emphasizes least-permissive access control and network segmentation, practices that can limit the lateral movement of an attack and potentially keep it from accessing sensitive data, files, and systems.
The exercise also involves assessing cybersecurity awareness training for employees. This is foundational when mitigating ransomware risks, because common initial attack vectors target employees via phishing and other social engineering tactics.
A robust cybersecurity awareness training program combined with procedures for employees to report suspected phishing attempts can help raise awareness among the security team and broader organization when malicious activity is potentially underway.
A typical ransom scenario imagines a hack
The scenario progresses to involve traffic outside standard business hours, systems throughout the organization displaying ransom messages and blank screens, and security researchers discovering hacking groups on the dark web posting about compromising your organization. It is posited that the hackers have accessed sensitive PII such as SSNs, banking information, and more, and have shared a subset of the records to prove their success.
This leads to internal tabletop questions oriented around resiliency planning, such as sustaining continuity of operations for essential functions and having incident response plans and being able to prioritize and perform IT restoration. It also involves being able to distinguish between normal and abnormal network traffic and having a codified cybersecurity incident response plan (IRP) that employees are trained on and have practiced (as with the tabletop).
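Distinguishing normal from abnormal traffic presupposes a baseline, and the first abnormality the scenario names is traffic outside standard business hours. The script below is an added example, not part of CISA’s situation manual: it runs simple detection logic over constructed flow records, summing bytes each internal host sends to external destinations outside an assumed business-hours window and flagging hosts whose total crosses an assumed threshold. Aggregating per host rather than alerting per flow is a deliberate choice, since a staged exfiltration may consist of many small transfers. The business hours, the byte threshold, the internal address prefix, and every flow record are assumptions or constructed sample data.

```python
"""Flag internal hosts sending large volumes to external destinations
outside business hours.

Added example (not part of CISA's ransomware CTEP): the flow records are
constructed, and the business-hours window, byte threshold and internal
address prefix are assumptions an organization would tune to its baseline.
"""
from collections import defaultdict
from datetime import datetime, time

BUSINESS_START = time(7, 0)            # assumed start of the business day
BUSINESS_END = time(19, 0)             # assumed end of the business day
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # assumed 50 MiB per host after hours
INTERNAL_PREFIX = "10."                # assumed internal address space

# Constructed flow records: timestamp, source, destination, dst port, bytes.
# 2024-03-12 is a Tuesday and 2024-03-13 a Wednesday.
FLOW_LOG = """\
2024-03-12T14:05:10 10.1.4.22 203.0.113.9 443 1204300
2024-03-12T23:41:02 10.1.4.22 198.51.100.77 443 734003200
2024-03-13T02:15:44 10.1.9.8 203.0.113.9 22 80210
2024-03-13T02:16:10 10.1.9.8 203.0.113.9 22 91000
2024-03-13T09:30:00 10.1.9.8 10.1.2.2 445 91230000
2024-03-13T03:05:17 10.1.7.13 198.51.100.77 443 30000000
2024-03-13T03:20:41 10.1.7.13 198.51.100.77 443 30000000
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def outside_business_hours(ts):
    """Weekends count as outside hours regardless of the time of day."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def after_hours_external_totals(log_text):
    """Sum bytes per internal source host sent externally outside hours."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not flow["src"].startswith(INTERNAL_PREFIX):
            continue                       # only internal senders matter here
        if flow["dst"].startswith(INTERNAL_PREFIX):
            continue                       # internal-to-internal is not exfil
        if outside_business_hours(flow["ts"]):
            totals[flow["src"]] += flow["bytes"]
    return dict(totals)


def flag_hosts(log_text, threshold=LARGE_TRANSFER_BYTES):
    """Return hosts whose after-hours external volume meets the threshold."""
    totals = after_hours_external_totals(log_text)
    return sorted(host for host, total in totals.items() if total >= threshold)


if __name__ == "__main__":
    for host, total in sorted(after_hours_external_totals(FLOW_LOG).items()):
        print(f"{host}: {total} bytes external after hours")
    print("hosts to investigate:", flag_hosts(FLOW_LOG))
```

Note that 10.1.7.13 is flagged only because its two 30 MB transfers are summed, and 10.1.9.8 is not flagged despite several after-hours connections because its volume stays small; in practice a second rule on connection count or on rarely seen destinations would complement this one.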
There is also a legal aspect for the organization depending on the nature of the data compromised, which is why questions in the scenario involve understanding security breach notification laws for a given country, state, and industry.
This is an evolving area of cybersecurity, with efforts like CIRCIA for critical infrastructure and SEC changes for publicly traded companies that have a “material” cybersecurity incident. Organizations need to be well-versed in their disclosure requirements and have thought out communication plans to ensure both compliance and properly delivered messaging to the public and regulatory authorities as well as media outlets.
There is also a need to understand what external partners need to be engaged from a legal and law enforcement perspective, all critical points organizations need to be aware of prior to a ransomware incident.
Scenario #3: Insider threat
The CISA CTEP for Insider Threats involves a hypothetical scenario in which a disgruntled former employee exploits system vulnerabilities using access they retain through a third-party vendor with which the organization collaborates.
This is a very plausible scenario given inherent third-party risks and the struggle to manage the ever-growing length of the supply chain and constant integrations between systems and environments via network connections, APIs, and more.
The initial scenario involves an alert from CISA regarding a vulnerability in a specific microprocessor found throughout an organization that can allow attackers to access sensitive data. Replacing hardware can be expensive and time-consuming, so the threat can’t be entirely mitigated immediately.
Meanwhile, an employee is terminated for treating co-workers poorly. During their exit, the former employee threatens the organization that it will regret the decision.
This scenario generates questions to test how an organization actually receives these sorts of alerts from industry resources such as CISA, and how it can act on those that represent relevant, potential threats.
Disgruntled former employees as a typical threat
Also, given the employee’s history of bad behavior and threatening posture, there are questions about how contentious terminations should be handled, and whether the organization has a procedure to retrieve the employee’s company equipment and remove access during the termination process. It also encourages the organization to consider what steps it can take to ensure former employees can no longer access organizational systems and data.
In the scenario, employees report missing and altered files and deleted backups. Security gets involved, identifying administrator-level access occurring and systems and files being tampered with. The account is deactivated, and the extent of the damage is not initially known.
Questions to think through during the tabletop include:
- How long does the organization keep backups?
- How long does it take to restore from backups and has that process actually been tested?
The tabletop also invites discussions around how the organization is prepared to respond to the discovery of unauthorized administrative activity, who would be notified, and how.
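The termination-handling and unauthorized-administrative-activity questions above can be turned into a routine check that joins an HR termination feed, a directory export, and an audit log. The script below is an added example, not part of CISA’s CTEP and not modelled on any specific product’s schema: it reports accounts that remain enabled after their owner’s termination (including a vendor-portal account owned by the former employee, mirroring the third-party access in the scenario), lists every event those accounts generated after the termination time, and singles out the privileged ones such as elevation and backup deletion. All user names, host names, field names, and log lines are constructed sample data.

```python
"""Audit for retained access and privileged activity after termination.

Added example (not part of CISA's insider-threat CTEP): the HR feed, the
directory export and the audit log are constructed sample data, and the
field names are assumptions rather than any product's real schema.
"""
from datetime import datetime

# Constructed HR feed: user id -> time the termination took effect.
TERMINATIONS = {"jdoe": "2024-05-03T17:00:00"}

# Constructed directory export. "owner" links secondary accounts (such as a
# vendor-portal identity) back to the person responsible for them.
DIRECTORY = {
    "jdoe": {"enabled": True, "groups": ["Domain Admins", "Staff"]},
    "asmith": {"enabled": True, "groups": ["Staff"]},
    "jdoe-vendorportal": {"enabled": True, "groups": ["VendorAdmins"], "owner": "jdoe"},
    "rlee": {"enabled": False, "groups": ["Staff"]},
}

# Actions that indicate administrative or destructive activity.
PRIVILEGED_ACTIONS = {"ELEVATE", "DELETE", "DISABLE_BACKUP", "ADD_ADMIN"}

# Constructed audit log: timestamp, account, action, host, optional detail.
AUDIT_LOG = """\
2024-05-03T16:40:12 jdoe LOGIN workstation-14
2024-05-04T02:11:45 jdoe-vendorportal LOGIN vpn-gw-1
2024-05-04T02:13:02 jdoe-vendorportal ELEVATE backup-srv-2
2024-05-04T02:14:30 jdoe-vendorportal DELETE backup-srv-2 /backups/nightly-2024-05-03.tar
2024-05-04T09:02:10 asmith LOGIN workstation-07
"""


def accounts_for(user, directory):
    """All account names that belong to a user, directly or via 'owner'."""
    return sorted(name for name, acct in directory.items()
                  if name == user or acct.get("owner") == user)


def retained_access(directory, terminations):
    """Accounts still enabled although their owner has been terminated."""
    retained = []
    for user in terminations:
        for name in accounts_for(user, directory):
            if directory[name]["enabled"]:
                retained.append(name)
    return sorted(retained)


def parse_event(line):
    parts = line.split(maxsplit=4)
    ts, account, action, host = parts[:4]
    detail = parts[4] if len(parts) > 4 else ""
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "action": action, "host": host, "detail": detail}


def post_termination_activity(log_text, directory, terminations):
    """Events generated by a terminated user's accounts after termination."""
    cutoff = {}
    for user, when in terminations.items():
        for name in accounts_for(user, directory):
            cutoff[name] = datetime.fromisoformat(when)
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["account"] in cutoff and ev["ts"] > cutoff[ev["account"]]:
            events.append(ev)
    return events


def privileged_events(events):
    return [ev for ev in events if ev["action"] in PRIVILEGED_ACTIONS]


if __name__ == "__main__":
    print("still enabled:", retained_access(DIRECTORY, TERMINATIONS))
    activity = post_termination_activity(AUDIT_LOG, DIRECTORY, TERMINATIONS)
    for ev in privileged_events(activity):
        print(f"PRIVILEGED {ev['ts']} {ev['account']} {ev['action']} {ev['host']} {ev['detail']}")
```

The login by jdoe at 16:40 is not reported because it precedes the 17:00 termination; everything the vendor-portal account did the following night is, which is exactly the gap between disabling a primary account and revoking every identity the person controls that the tabletop questions are meant to expose.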
Helping security teams think of everything that needs to be done
The point of the exercise is to force security teams to consider what resources are required for incident response and what processes might be invoked to mitigate the impact from malicious activity from an insider threat.
There also may be a need to contact law enforcement and to sufficiently document the incident to be able to legally pursue the attacker and hold them accountable for the malicious activities.
Scenarios like these can and often do play out, with former employees becoming frustrated with a former employer and looking to use the insider information they are privy to in an attempt to compromise or negatively impact the organization technically, financially, and reputationally.
Organizations need to have comprehensive plans and processes in place to halt malicious activities, mitigate the impact, respond to and recover from the incident and legally pursue the insider to hold them accountable for their actions.