4 tabletop exercises every security team should run

Ensuring the enterprise is protected from vulnerabilities is a required function of security teams. It is also a best practice for satisfying cyber insurance vendors and meeting compliance requirements. A popular evaluation test, the tabletop exercise, permits security teams and corporate management to select a threat and then run through the process of containing and remediating it.

In a tabletop exercise, a team discusses their roles and responses during an emergency under different scenarios, typically with someone acting as a facilitator. It’s not a full-scale drill but an opportunity for stakeholders to talk through a simulated crisis.

Which ones should you choose to test? There are as many tabletop exercises as there are potential vulnerabilities. Experts recommend that tabletop exercises be run throughout the year and rotated based on a company’s risk profile. Some threats, however, tend to be on everyone’s list of risks. These are four of the most common threats for which security teams should run tabletop exercises:

1. Ransomware

No one is safe from ransomware attacks, as they are among the most rewarding for cybercriminals, who often target indiscriminately. Beyond the initial ransom demand, attackers might attempt to extort both the victim and its business partners, as well as customers of the company targeted in the original attack. A 2021 study by Cybereason noted that 80% of companies that pay a ransomware demand are hit a second time by the same attackers, sometimes with the same attack and sometimes with a follow-on extortion attempt. A 2023 study from Akamai said a ransomware victim is six times more likely to face a follow-up attack within three months.

Despite a lull in ransomware attacks in 2022, attributed in part to the war between Russia and Ukraine and the COVID-19 pandemic, ransomware claims were up 50% in 2023 over 2022, notes David Anderson, vice president of cyber liability at Woodruff Sawyer, a national cyber insurance brokerage. This year is expected to bring more ransomware attacks than 2023, he says.

During an enterprise’s tabletop evaluation of its defenses against cyberattacks, the team will be looking for ways to identify and mitigate the ransomware and any subsequent extortion attacks. Because of regulatory reporting requirements and potential legal and financial liabilities, stakeholders from outside the security function should participate. This might include legal, communications, finance, compliance, and marketing.

Here are some questions that should be asked to further protect customers and business partners from the initial attack.

  • Is all customer data encrypted to ensure that even if the data is stolen, it will be of no use to the attacker?
  • Is the customer data on a separate subnet or otherwise segregated from primary corporate data?
  • How is business partner data protected to ensure that when a breach occurs, the business partner’s confidential data cannot be used against them for extortion purposes?
  • What strategies are in place to defend against artificial intelligence (AI)-powered ransomware attacks?
  • How well did the existing ransomware plan work during the exercise?
  • How well does the ransomware plan, as exercised, ensure the continuity of the company’s systems? What can be improved?
  • What methods can you use to contain the attack?
  • What are your contingency plans in case your current backups are compromised? How far back must you go to find a non-compromised backup?
  • How often do you test your backups to see if they are recoverable and not compromised with malware?
  • What is the process for reporting a ransomware attack to meet regulatory compliance?
  • How does security coordinate with legal, marketing, and communications teams to inform affected parties and the media?

2. Third-party risks

According to the Verizon 2022 Data Breach Investigations Report, 62% of all data breaches happen via third-party vendors. Forrester Senior Research Analyst Alla Valente said last year that the survey likely undercounted the third-party threat, with perhaps more than 70% of breaches including some third-party component. Third-party risk management (TPRM) exercise participants should include representatives from key downstream business partners — partners who supply goods and services to the enterprise — as well as your cyber insurance provider, law enforcement, and all key stakeholders, often including the board of directors and senior management.

While supply-chain attacks are ubiquitous, they are often misidentified because the attack might initially be classified as ransomware, an advanced persistent threat, or some other cyber threat. It often takes the forensics team's post-breach investigation to establish that the attack came through a trusted third party.

Here are some recommended questions to include.

  • How well do you vet your business partners’ communications and data transfers for potential threats?
  • Do your business partners have direct access to the enterprise’s databases or does the data first go through a screening for potential threats?
  • Do you have any operations with partners that bypass existing security controls or policies that would create potential vulnerabilities for malware to pass from a partner to the enterprise?
  • What policies and procedures do you have in place to ensure the secondary and tertiary partners downstream are providing uncompromised data that eventually will enter your network or cloud? Do you test downstream supply-chain partners or only your primary partners?
  • Many enterprises are themselves third-party suppliers to companies upstream, which consume data and services supplied by the company doing the tabletop exercise. How do you test data leaving your corporate network or cloud to ensure no malware is infecting upstream partners?
  • What policies and procedures are in place to ensure that any data held in the corporate network or cloud is analyzed for malware before being transferred to a business partner?
  • What policies and procedures are in place to vet a potential business partner and who has the authority to overrule the results of the vetting process?
  • If vulnerabilities with a third party are identified, what are the procedures to remediate the issue before the partner is given access to corporate assets?
  • Have you tested all of your cloud instances to ensure that they are properly configured and secured?
  • Have you tested all corporate email addresses to ensure that none belong to former or deceased employees or unused service accounts and that all email addresses are appropriately secured?

There are cases where corporate code bases were compromised when data was downloaded from what were considered reliable code repositories that had been infected by malware. The RepoJacking attack on GitHub, for example, led to millions of repositories being potentially compromised. Following are some questions Aqua Security recommends be answered concerning GitHub, although they would be appropriate for any repository breach:

  • What are all the GitHub organization names you used before?
  • Were there any mergers and acquisitions your organization was involved in?
  • Are there any dependencies in my code that lead to a GitHub repository vulnerable to RepoJacking?
  • Is there guidance somewhere (documentation, guides, Stack Overflow answer, and the like) that suggests you should use a GitHub repository vulnerable to RepoJacking?
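The first and third questions above can be checked offline against an inventory of former organization names. The script below is an added example, not code from the article or from Aqua Security; the org names, manifest lines and the `RENAMED_OWNERS` map are constructed placeholders. A dependency that still references an old owner name depends on GitHub's redirect, and that redirect stops working in your favour once the abandoned name is re-registered.

```python
"""Audit dependency manifests for GitHub owners that were renamed.

Added example, not code from the article or from Aqua Security. It flags
dependencies that still point at an OLD organization name, which is the
precondition for a RepoJacking takeover of that reference.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory of former org names -> current name (the "names you
# used before" list the exercise asks for). All values are hypothetical.
RENAMED_OWNERS: Dict[str, str] = {
    "acme-labs": "acme-corp",   # rebranded
    "widgetco": "acme-corp",    # absorbed in a merger
}

# Matches github.com/<owner>/<repo> in https, ssh and go.mod forms, plus the
# npm "github:<owner>/<repo>" shorthand; a trailing .git suffix is dropped.
GITHUB_REF = re.compile(
    r"(?:github\.com[/:]|github:)([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)"
    r"(?:\.git)?(?=[\s/@#\"'),]|$)"
)

def find_github_refs(text: str) -> List[Tuple[str, str]]:
    """Return (owner, repo) pairs for every GitHub reference in the text."""
    return [(m.group(1), m.group(2)) for m in GITHUB_REF.finditer(text)]

def audit_manifest(text: str, renamed: Dict[str, str] = RENAMED_OWNERS) -> List[dict]:
    """Flag references whose owner is a former name that could be hijacked."""
    findings = []
    for owner, repo in find_github_refs(text):
        current = renamed.get(owner.lower())
        if current:
            findings.append({
                "ref": f"github.com/{owner}/{repo}",
                "old_owner": owner,
                "current_owner": current,
                "fix": f"github.com/{current}/{repo}",  # repin to the live name
            })
    return findings

# Constructed manifest fragments in go.mod, pip and package.json styles.
SAMPLE_MANIFEST = """
require github.com/acme-labs/authlib v1.4.0
require github.com/acme-corp/authlib v2.0.0
git+https://github.com/widgetco/metrics.git@v0.3.1#egg=metrics
"telemetry": "github:acme-corp/telemetry#v1.0.0"
"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports the `acme-labs` and `widgetco` references with the current owner to repin to; feed it your real manifests and your own renamed-owner inventory.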

3. Insider threats

Insider threats come in two primary types: malicious insiders who deliberately compromise corporate assets for personal, financial, political or some other gain, and those who create a security vulnerability either accidentally or simply through lack of knowledge, without malice. In the former case, a deliberate crime against the company is committed. The latter case might involve a user error, or perhaps a user taking an action that seems reasonable to them in performing their job but that creates a vulnerability; in that case a crime might or might not have been committed.

Here are some questions to ask during this tabletop exercise scenario that can help shed light on whether an insider threat is deliberate or not.

  • What security controls are in place when specific requests are made to transfer corporate funds, regardless of whether the request is made through email, a phone call, or a video call?
  • How often are these controls reevaluated and updated by security and management teams due to changing technical capabilities?
  • What physical security controls are in place to ensure only an authorized user has access to on-premises computing assets?
  • What security controls are in place for remote users to access any assets, including their own email and data storage?
  • What tools do you have in place to identify an insider threat? Are these tools able to classify the potential threat as malicious or non-malicious?
  • What are the organization’s policies and procedures for handling insider threats?
  • What are the legal and regulatory implications of insider threat incidents?
  • What steps can be taken to mitigate the risk of an insider threat?

4. Distributed denial-of-service attacks

The goal of distributed denial-of-service (DDoS) attacks is simply to shut down operations. The 2023 attack on Google, which peaked at nearly 400 million requests per second, demonstrated the staggering potential enterprises face in defending against today’s botnet armies.

Because DDoS attacks virtually always originate outside the network, enterprises preparing a tabletop exercise targeting DDoS protections need to ask questions about contingencies, early identification and network resiliency. Here are some examples.

  • How quickly can a DDoS attack be identified and segregated?
  • What plans are in place to mitigate an attack, particularly at the network’s edge?
  • What defenses are in place at the infrastructure layer to defend against SYN floods, reflection attacks and similar volumetric attacks?
  • What defenses are in place at the application layer for HTTP request floods and similar application-based attacks?
  • What is being done to reduce the attack surface area to reduce the number of attack vectors?
  • How is the network being scaled to respond to potential abnormal attacks?
  • How is your endpoint detection and response configured to defend against DDoS attacks? How often do you test it?
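The "how quickly can an attack be identified" question is easier to answer with a concrete detector on hand. The script below is an added example, not from the article: it buckets web access-log lines into fixed windows, compares each window's aggregate request rate with a baseline you supply, and reports how many distinct sources contributed and the busiest source's share, because a distributed flood usually stays under any per-IP threshold. The log lines, IP ranges and baseline rate are constructed.

```python
"""Early identification of an HTTP request flood from web access logs.

Added example, not from the article. Aggregate rate per window is compared
with a baseline; the alert carries source count and top-source share so that
responders can tell one noisy client from a distributed flood.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Common/combined log format prefix: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def bucket_requests(lines: List[str], window_s: int = 10) -> Dict[int, Counter]:
    """Count requests per source IP inside fixed windows of window_s seconds."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing mid-incident
        ts = int(datetime.strptime(m.group(2), TS_FMT).timestamp())
        buckets[ts - ts % window_s][m.group(1)] += 1
    return buckets

def flag_floods(buckets: Dict[int, Counter], baseline_rps: float,
                window_s: int = 10, ratio: float = 5.0) -> List[dict]:
    """Return windows whose rate is at least ratio x baseline. A low top_share
    together with many sources points to a distributed flood."""
    alerts = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        rps = total / window_s
        if rps >= ratio * baseline_rps:
            top_ip, top_n = per_ip.most_common(1)[0]
            alerts.append({"window_start": start, "rps": rps, "sources": len(per_ip),
                           "top_source": top_ip, "top_share": top_n / total})
    return alerts

def make_sample_log() -> List[str]:
    """Constructed log: 10 s of normal traffic, then 10 s of a 200-host flood."""
    normal = [f'10.0.0.{i} - - [10/Mar/2024:12:00:0{i} +0000] "GET /index.html HTTP/1.1" 200 512'
              for i in range(1, 6)]
    flood = [f'203.0.113.{i % 200} - - [10/Mar/2024:12:00:1{i % 10} +0000] '
             f'"GET /search?q=x HTTP/1.1" 503 0' for i in range(600)]
    return normal + flood
```

`flag_floods(bucket_requests(make_sample_log()), baseline_rps=0.5)` flags only the second window, at 60 requests per second spread over 200 sources with no source above 0.5% of the traffic; tune `baseline_rps` and `ratio` from your own quiet-hour traffic.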

While each tabletop exercise is unique and will include questions specific to the enterprise's goals, those posed here can help security teams sort out their priorities. Generally, the first step of a tabletop exercise is identifying the goal, which then shapes the questions ultimately posed.
