15 Minute Tabletop:
Internal Attack from VPN
About 15 Minute Exercises
This presentation is customizable and includes template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources. While this exercise can be used as-is, it can and should be customized to be more realistic for your organization. For example, you can name systems that you operate and department or team names that are specific to your organization.
License Note: This presentation is shared under the Creative Commons CC BY 4.0 license, https://creativecommons.org/licenses/by/4.0/.
If you are a school district in Michigan and need assistance running a tabletop exercise, reach out to the MISecure team.
We strongly recommend that you develop a cybersecurity incident response plan prior to running tabletop exercises. For a starting point, try the MiSecure Incident Response Planning templates (https://misecure.org/incident-response-planning-tools/).
Facilitator Notes
Focused Scope: Because the time is limited to 15–30 minutes, keep the discussion narrow. Don't try to solve the entire incident; focus on the first steps the team would take or the primary communication hurdle.
Exercise Goal | Key Participants | Length | Incident Severity
Walk through response to an MDR alert indicating a potential attack via your VPN. | Tech Team / Cyber Incident Response Team | 15-30 minutes | Medium
Internal Attack from VPN
You get a report from your MDR software that there have been a high number of failed logins to several servers coming from the internal VPN IP address.
Discussion
Check Your Work
Review logs for failed logins.
Review past and current active VPN connections.
Review VPN access rights. Can all VPN accounts access everything?
If a suspicious login is found, review logs of that user's activity and follow account compromise mitigations.
If lateral movement is detected or suspected, initiate larger cyber incident response activities.
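As an added example (not part of the exercise materials), the first three checks above as a small triage script: it groups failed logins by source address, flags sources that fail against several servers, and maps the VPN address back to the VPN account(s) that held it at the time, since a shared VPN pool address alone does not identify the person. The log format, addresses and session records are constructed and assumed.

```python
import re
from collections import defaultdict
# Constructed sample auth log (not from the exercise); assumed line format:
#   <timestamp> <server> auth: <FAILED|OK> user=<account> src=<ip>
SAMPLE_LOG = """\
2024-05-01T08:00:01 fileserver01 auth: FAILED user=jsmith src=10.8.0.5
2024-05-01T08:00:02 fileserver01 auth: FAILED user=admin src=10.8.0.5
2024-05-01T08:00:03 sis-db01 auth: FAILED user=admin src=10.8.0.5
2024-05-01T08:00:04 sis-db01 auth: FAILED user=backup src=10.8.0.5
2024-05-01T08:00:05 printserver auth: FAILED user=admin src=10.8.0.5
2024-05-01T08:00:06 fileserver01 auth: OK user=jdoe src=10.8.0.5
2024-05-01T08:00:07 fileserver01 auth: FAILED user=jdoe src=192.168.1.20
2024-05-01T08:00:08 fileserver01 auth: FAILED user=jdoe src=192.168.1.20
"""
# Constructed VPN session records (account, assigned_ip, start, end); pool addresses are reused over time.
VPN_SESSIONS = [
    ("tsmith", "10.8.0.5", "2024-05-01T07:30:00", "2024-05-01T07:55:00"),
    ("rlee", "10.8.0.5", "2024-05-01T07:58:00", "2024-05-01T08:20:00"),
    ("jdoe", "10.8.0.9", "2024-05-01T07:00:00", "2024-05-01T09:00:00"),
]
LINE_RE = re.compile(r"^(\S+) (\S+) auth: (FAILED|OK) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, server, result, user, src = m.groups()
            events.append({"ts": ts, "server": server, "result": result, "user": user, "src": src})
    return events

def failed_login_findings(events, min_failures=3, min_servers=2):
    """Group FAILED events by source address; keep sources failing against several servers."""
    by_src = defaultdict(lambda: {"servers": set(), "users": set(), "ts": []})
    for e in events:
        if e["result"] == "FAILED":
            r = by_src[e["src"]]
            r["servers"].add(e["server"]); r["users"].add(e["user"]); r["ts"].append(e["ts"])
    findings = [{"src": src, "count": len(r["ts"]), "first": min(r["ts"]), "last": max(r["ts"]),
                 "servers": sorted(r["servers"]), "users": sorted(r["users"])}
                for src, r in by_src.items()
                if len(r["ts"]) >= min_failures and len(r["servers"]) >= min_servers]
    return sorted(findings, key=lambda f: f["count"], reverse=True)

def vpn_accounts_for(finding, sessions=VPN_SESSIONS):
    """VPN accounts holding the finding's source address during the failures (ISO timestamps compare as strings)."""
    return sorted(acct for acct, ip, start, end in sessions
                  if ip == finding["src"] and start <= finding["last"] and end >= finding["first"])
```

The account(s) returned by vpn_accounts_for are the ones whose activity logs to pull next; the tsmith session is correctly excluded because it ended before the failures began.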
Hotwash
MISecure Incident Response Planning Tools
MISecure Cybersecurity Tabletop Exercise Library
Full TTX Library at: https://misecure.org/tabletop-exercises/
Michigan Incident Response Contacts
For School Districts in Michigan:
MISecure Operations Center | 989-763-5797 | misecure@gomaisa.org
For School Districts and other entities in Michigan:
Michigan State Police Cyber Command Center | 877-MI-CYBER | mc3@michigan.gov