
15 Minute Tabletop:

Email Account Compromise?


About 15 Minute Exercises

This exercise was developed by the MiSecure team for school districts to enhance their preparedness for cybersecurity events and incidents.

This presentation is customizable and includes template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources. While this exercise can be used as-is, it can and should be customized to be more realistic for your organization. For example, you can name systems that you operate and department or team names that are specific to your organization.

License Note: This presentation is shared under the Creative Commons CC BY 4.0 license (https://creativecommons.org/licenses/by/4.0/).

If you are a school district in Michigan and need assistance running a tabletop exercise, reach out to the MISecure team.

We strongly recommend that you develop a cybersecurity incident response plan prior to running tabletop exercises. For a starting point, try the MiSecure Incident Response Planning templates (https://misecure.org/incident-response-planning-tools/).

Facilitator Notes

Focused Scope: Because the time is limited to 15–30 minutes, keep the discussion narrow. Don't try to solve the entire incident; focus on the first steps the team would take or the primary communication hurdle.

Exercise Goal: Walk through response to a potential email account compromise reported to you from another organization.

Key Participants: Tech Team / Cyber Incident Response Team

Length: 15-30 minutes

Incident Severity: Medium


Email Account Compromise?

A nearby school district calls to inform you that they received a malicious email from an elementary teacher at your domain/district. They provide the email headers, username/email address and email timestamps of 6 messages.

Discussion:

  • How do you determine if this is a confirmed security incident or some kind of anomaly?
  • How do you identify what systems, data, people, and operational processes are potentially involved?
  • What real or potential risk(s) does your organization face?
  • What short term containment options do you have? Can you contain it without destroying evidence?
  • What is the operational impact of the incident and your containment strategy?


Check Your Work

  • Initial analysis to determine whether the emails came from your domain or from a lookalike domain
  • Header analysis
  • Log correlation
  • Mail flow audit: origin, destination, and all senders
  • Extent of the issue: is the user's account compromised? If so, what was sent, to whom, and is it only this user?
  • Notifications to internal and external recipients of email from your district
  • Did you follow your compromised-account containment activities?

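A small header triage routine for the first two "Check Your Work" items, added here as a worked example; it is not part of the MiSecure exercise. The district domain and both header samples are constructed placeholders, and the confusable map and edit-distance threshold are assumptions you would tune for your own domain.

```python
import email, re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example-schools.k12.mi.us"  # placeholder for the district's domain (assumption)

# Constructed sample headers, the kind a neighbouring district might forward to you.
MSG_FROM_OUR_TENANT = """\
Return-Path: <jteacher@example-schools.k12.mi.us>
Authentication-Results: mx.neighbor.example; spf=pass smtp.mailfrom=example-schools.k12.mi.us; dkim=pass; dmarc=pass header.from=example-schools.k12.mi.us
From: "J. Teacher" <jteacher@example-schools.k12.mi.us>
"""
MSG_LOOKALIKE = """\
Return-Path: <jteacher@examp1e-schools.k12.mi.us>
Authentication-Results: mx.neighbor.example; spf=pass smtp.mailfrom=examp1e-schools.k12.mi.us; dkim=none; dmarc=none
From: "J. Teacher" <jteacher@examp1e-schools.k12.mi.us>
"""

def _domain(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def _normalise(d):
    # Fold common confusables (1/l, 0/o, rn/m, vv/w) into one canonical form.
    return d.translate(str.maketrans("10", "lo")).replace("rn", "m").replace("vv", "w")

def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, our_domain=OUR_DOMAIN):
    if domain == our_domain:
        return False
    return _normalise(domain) == _normalise(our_domain) or _edit_distance(domain, our_domain) <= 2

def triage(raw, our_domain=OUR_DOMAIN):
    """Return the header facts the team needs before deciding whether to declare an incident."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"] or "")
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg["Authentication-Results"] or "")))
    if from_dom == our_domain:
        # DMARC pass on our own domain means our mail platform sent it: treat as a possible account
        # compromise and move to log correlation for that user. Anything else is spoofing or an auth gap.
        verdict = "our-domain" if auth.get("dmarc") == "pass" else "our-domain-unauthenticated"
    elif is_lookalike(from_dom, our_domain):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"from_domain": from_dom, "return_path_domain": _domain(msg["Return-Path"] or ""),
            "auth": auth, "verdict": verdict}
```

Run `triage()` over each of the six forwarded messages; a verdict of "our-domain" is the case that sends you into the account's sign-in and sent-mail logs, while "lookalike" is an impersonation problem for your external-notification step.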

Hotwash

  • What are your 3 takeaways?
  • What went well?
  • What did you learn?
  • What improvements can you make short term?
  • What improvements should you plan (longer term)?


MISecure Incident Response Planning Tools


MISecure Cybersecurity Tabletop Exercise Library

Full TTX Library at: https://misecure.org/tabletop-exercises/


Michigan Incident Response Contacts

For School Districts in Michigan:

MISecure Operations Center, 989-763-5797, misecure@gomaisa.org

For School Districts and other entities in Michigan:

Michigan State Police Cyber Command Center, 877-MI-CYBER, mc3@michigan.gov