Prepare for Ransomware: Tabletop and Red Team Exercises
 

When it comes to ransomware, how well your company responds to an attack in progress can be almost as important as how well you defend against it ever happening. With pernicious ransomware attacks continuing to rise, impacting 75% of companies in 2021, according to Mimecast’s State of Email Security report, tabletop and red team exercises help fine tune both aspects of a security program.

Tabletop Exercises

Ransomware tabletop exercises bring together stakeholders and representatives from security, IT, legal, human resources, public relations, and incident response teams to discuss their roles in emergency ransomware attack scenarios. A typical exercise may simulate a breach scenario or simply present a threat assessment followed by a discussion of how things should play out according to your company’s incident response playbook. 

While all tabletop exercises may share some concerns, incident plans and practices may vary significantly by industry. Is the incident response team dealing with a ransomware attack on encrypted banking data or on healthcare records? The exercise must highlight plausible scenarios that are specific to an organization’s industry, size, staffing, and particular vulnerabilities. 

A tabletop exercise may open discussions about vital aspects of ransomware breach readiness and contingencies to ensure rapid recovery and business continuity, such as: 

• Will you negotiate with the criminals? 
• Will you pay the ransom, simply rely on your data backups, or choose an alternative strategy? 
• What’s the command structure in case of a successful attack?
• Does everyone understand their role in the exercise? 
• How will your company communicate the incident to employees, partners, regulators, customers, and media? 

Some companies may turn to consultants to help conduct tabletop exercises or rely on frameworks such as the U.K. National Cyber Security Centre’s Exercise in a Box,[1] to provide structure to their ransomware exercises. 

Tabletop exercises have known pros and cons. On the one hand, they lack realism, such as time pressure with assets or lives at stake. But on the other, they enable teams to discuss incident action plans and emergency scenarios in a low-stress environment. By recording the exercises and adding a time element to problem-solving, participants can measure their response times and evaluate the effectiveness of their preparations. 

In the final analysis, though, tabletop exercises provide a relatively low-cost approach to deepening a team’s understanding of ransomware and getting stakeholders on the same page about their roles in a crisis. 

Red Team Exercises

Simulating the attack patterns of a highly skilled ransomware adversary, a red team tests an organization’s cyber defenses much the way a controlled burn tests the resilience of firefighters to protect a forest.

Drawn from an in-house team or hired consultants, a red team may conduct a penetration test (also known as a “pen test”) on infrastructure, apps, clouds, and networks. Aided by tools including the MITRE ATT&CK Framework, which maps adversarial behavior, the team will generate findings that help an enterprise improve its security posture and cyber resilience. For instance, a red team may aim to detect an organization’s ransomware vulnerability to social engineering or phishing, much of which happens via email. 

Many organizations assign an in-house blue team to counteract the red team and defend the company against the simulated cyberattacks and its impacts. Based on these exercises, blue teams typically fine-tune security software, evaluate their incident response plan, and fix previously undiscovered flaws. Spoiler alert: Red teams usually win, but the security program improves. 

Hiring third-party red teams can offer several advantages for ransomware exercises: 

• Red team services bring fresh eyes, tools, and experiences that even immensely talented in-house experts or consultants may lack.
• The red team consultants may deeply understand a particular set of compliance rules and industry practices, enabling them to efficiently seek known vulnerabilities with cloud-based apps or services.
• The red teams are skilled at various attack simulations, exploiting malware, finding unpatched network services, or phishing to plant ransomware. 

Not surprisingly, red and blue teams often work together, at least after the initial exercise. If they work together the entire time, they’re called purple teams, and team members switch roles to deepen their expertise in attacking and defending an enterprise. Think of purple teams as a form of knowledge transfer because the red and blue teams work together briefly, exchange information, and typically move on to their next challenge. 

The Bottom Line

Tabletop and red team exercises help improve your company’s security defenses and its responses to attacks that may elude them. Companies need to include exercises on ransomware as part of a regular schedule that fits their business, regulatory, and security profile. Read about Mimecast Mailbox Continuity, an option for minimizing downtime due to cyberattacks. 

[1] “Effective Steps to Cyber Exercise Creation,” U.K. National Cyber Security Centre