Cyber attack simulation (tabletop): are you ready?
When a cybersecurity incident occurs, particularly a ransomware attack, internal IT teams are often so shocked that they are unable to make the right decisions to manage the incident effectively.
For example, we've seen cases where the internal team identified 2 or 3 infected servers and simply disconnected them without checking whether the threat actor was still in the network. Fatal mistake! The threat actor always picks up the pace when he realizes that his hack has been discovered. In the end, the organization ends up with dozens or hundreds of infected servers, which greatly increases the impact of the attack and puts the threat actor in a position of strength in any negotiations.
Note that the more critical servers you have infected, the longer and more costly it will be to bring them back into production.
The good news is that you can avoid catastrophic incident management by regularly simulating cyberattacks, commonly known as tabletop exercises. That way, when an incident does occur, you'll have a sense of déjà vu, and you'll be highly efficient. This will greatly reduce the impact of the incident.
In this blog post, we'll explain what a cyber attack simulation is all about.
Objective of a cyber attack simulation (tabletop)
During a simulation/tabletop, the internal incident response team simulates the management of a cyber attack and verifies its ability to handle such an attack.
The simulation is coordinated by the incident response team leader.
During the tabletop exercise, the team verifies that the mitigation measures it proposes are adequate and effective.
Each team member takes part and indicates how he or she would contribute to incident management. You will also check whether the team is working together to find solutions.
At the end of the simulation, you produce a report evaluating your handling of the incident. If any weaknesses were noted during the simulation, the report also lists the recommendations to implement to improve your ability to react.
Ideally, you should have an incident response plan
Before the simulation, we strongly recommend that you have an incident response plan. This plan clearly indicates the roles and responsibilities of each member of the incident response team. It also indicates the actions to be taken at each stage of incident management.
Make sure each member reads the incident response plan before coming to the simulation.
If you don't have an incident response plan, now's the time to create one.
Important: make sure you have a written plan.
Steps covered by the simulation (tabletop)
The tabletop simulates a real incident. So you need to make sure you cover all the steps involved in managing an incident:
Declaring the incident
Incident containment: isolating the incident and preventing it from spreading
Eradication: eliminating the incident (rebuilding infected servers, etc.)
Recovery: restoring your data and returning to production securely
Post-incident monitoring: putting the network under temporary surveillance to detect whether the hacker is trying to attack you (which often happens).
Post-mortem: looking back on incident management and lessons learned.
Communication: all the communication needed to manage the incident (communication with employees, authorities, partners, the media, the public, etc.).
The first simulation is likely to be catastrophic
If this is the first time you've run a tabletop, your results may be bad, but don't be discouraged. The more you do, the more efficient you become.
Regular simulation
It is strongly recommended that you carry out cyber attack simulations at least once a year.
How can Streamscan help?
The consequences of a cyber attack can be major. You need to be impeccably prepared, so that you're fully equipped to deal with any incident.
Need help creating your incident response plan or simulating a cyber attack?
Contact us at +1 877 208-9040 or talk to one of our experts.