1 of 9

15 Minute Tabletop:

User Reported Account Compromise

2 of 9

About 15 Minute Exercises

This presentation is customizable and includes template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources. While this exercise can be used as-is, it can and should be customized to be more realistic for your organization. For example, you can name systems that you operate and department or team names that are specific to your organization.

License Note: This presentation is shared under Creative Commons Licensing CCBY https://creativecommons.org/licenses/by/4.0/.

If you are a school district in Michigan and need assistance running a tabletop exercise, reach out to the MISecure team.

We strongly recommend that you develop a cybersecurity incident response plan prior to running tabletop exercises. For a starting point, try the MiSecure Incident Response Planning templates (https://misecure.org/incident-response-planning-tools/)

Facilitator Notes

Focused Scope: Because the time is limited to 15–30 minutes, keep the discussion narrow. Don't try to solve the entire incident; focus on the first steps the team would take or the primary communication hurdle.

Exercise Goal

Key Participants

Length

Incident Severity

Walk through response to an internal user calling the helpdesk to report that they gave up their credentials on a phishing website

Tech Team/Help Desk�

15-30 minutes

Medium

3 of 9

Fred Calls the Helpdesk

Fred from HR calls the helpdesk to report that they entered their credentials on a website that they now think was fake.

4 of 9

Fred Calls the Helpdesk

Fred from HR calls the helpdesk to report that they entered their credentials on a website that they now think was fake.

Discussion

  • How do you determine if this is a confirmed security incident or some kind of anomaly?
  • How do you identify what systems, data, people, and operational processes are potentially involved?
  • What real or potential risk(s) does your organization face?
  • What short term containment options do you have? Can you contain it without destroying evidence?
  • What is the operational impact of the incident and your containment strategy?

5 of 9

Check Your Work

Thanking Fred for Calling

Credential Compromise Response:

  • End sessions
  • Revoke tokens
  • Force password change
  • Force MFA
  • Check email for rules or delegation changes.
  • Ask user to change PW is used on other accounts (business or personal).

Investigate Potentially Malicious Activity

  • Review User Activity: Access Logs, VPN Connections, Firewall Logs
  • Review hosted system activity

How much time did you spend on investigation before you changed passwords, etc.?

6 of 9

Hotwash

  • What are your 3 takeaways?
  • What went well?
  • What did you learn?
  • What improvements can you make short term?
  • What improvements should you plan (longer term)?

7 of 9

MISecure Incident Response Planning Tools

https://misecure.org/incident-response-planning-tools/

8 of 9

MISecure Cybersecurity Tabletop Exercise Library

Full TTX Library at: https://misecure.org/tabletop-exercises/

9 of 9

Michigan Incident Response Contacts

For School Districts in Michigan:

MISecure Operations Center �989-763-5797 �misecure@gomaisa.org

For School Districts and other entities in Michigan:

Michigan State Police Cyber Command Center �877-MI-CYBER �mc3@michigan.gov