1 of 32

Tabletop Exercise:

Data Encryption/Ransomware

Restore from Backups

Add Date

2 of 32

About This Exercise

This exercise was developed by the MiSecure team for school districts to enhance their preparedness for cybersecurity events and incidents.

This presentation is customizable and includes template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources. While this exercise can be used as-is, it can and should be customized to be more realistic for your organization. For example, you can name systems that you operate and department or team names that are specific to your organization. If you are a school district in Michigan and need assistance running a tabletop exercise, reach out to the MISecure team.

To make the exercise more valuable, consider choosing a facilitator who is not a participant in the exercise.

This presentation is shared under the Creative Commons CC BY 4.0 license: https://creativecommons.org/licenses/by/4.0/.

We strongly recommend that you develop a cybersecurity incident response plan prior to running tabletop exercises. For a starting point, try the MiSecure Incident Response Planning templates (https://misecure.org/incident-response-planning-tools/).

Skip or hide this slide when running an exercise

Exercise Goal

Key Participants

Length

Incident Severity

Rehearse technical roles and restoration procedures following a ransomware event.

District Tech Team and Backup Partners

2.5 hours

High

3 of 32

Welcome and Intros

  • Facilitator(s):

  • Participants:
    • Group 1
    • Group 2
    • Group x

4 of 32

What is a Tabletop Exercise (TTX)?

Definition:

  • A discussion-based exercise inspired by a realistic scenario designed to generate dialogue, enhance conceptual understanding, and identify strengths and areas for improvement.

Purpose:

  • Provide an opportunity to walk through a realistic cybersecurity incident as a team, which allows you to evaluate existing response capabilities.
  • Facilitate discussion on various issues related to incident recognition, response, and recovery in a low-stress environment.
  • Think of it as a rehearsal.

5 of 32

Participant Engagement & Expectations

Goals:

  • Enhance general awareness and understanding of roles, responsibilities, and expectations when responding to an incident.
  • Validate existing incident response plans, procedures, and resources.

Acquaintance Building:

  • Become acquainted with individuals, teams, organizations, and stakeholders who will play roles in real incidents.
  • Recognize capabilities, interdependencies, and respective responsibilities.

Active Participation:

  • All participants are encouraged to contribute, focusing on collaborative problem-solving and actionable outcomes.

6 of 32

Exercise Roles

Players: Perform their regular roles and responsibilities, talking through the simulated scenario as they would in a real emergency.

Facilitators: Provide situation updates, moderate discussions, and resolve questions to keep the exercise on track.

Observers: Ask relevant questions and offer expertise to support player responses without directly influencing outcomes.

Notetakers (this is you): Document discussions and key takeaways for the After-Action Report.

7 of 32

Expected Outcomes

Documenting Findings:

  • Resolutions and discussions are documented informally in your notes or formally in an After-Action Report (AAR) and Improvement Plan (IP) if you choose.

Update Plans:

  • The exercise will generate actionable recommendations for revising current plans, policies, and procedures.

Enhanced Coordination Through Shared Experience:

  • Walking through scenarios together improves your team’s ability to face real world situations as they arise.

8 of 32

Assumptions & Artificialities

  • The scenario is fictional, though based on real world incidents.
  • The scenario is plausible, with all participants receiving information simultaneously. Please respond to events as presented.
  • Don’t fight the scenario.
  • There are no trick questions or hidden agendas; engage with the scenario as it unfolds.
  • This no-fault learning environment evaluates capabilities, plans, and procedures, not individuals.

9 of 32

Operational Security

  • Safeguard all exercise, operational, and business-sensitive material discussed today as if it were classified.
  • Manage and secure all information and documents obtained during this briefing.
  • Avoid discussing this material publicly or sharing it with unauthorized individuals, including on social media.

10 of 32

The Scenario

11 of 32

Day 1 (Saturday): 6:00 AM: Ransomware Detected

Your IT Team discovers that all on-premise hosted systems have been encrypted by a cyber threat actor.

12 of 32

Discussion

IT Director: What communications/notifications do you make?

IT Team: What steps do you take immediately?

Are you working from your Incident Response Plan now?

If “all on-premise systems” are encrypted, what IT systems and school services are available and which are not available?

13 of 32

Severity Level and Description

False positive

Description: Events determined to be the result of normal, if unexpected, user or automated activity.

Example: A user mistakenly believes that they’ve exposed their credentials in response to a suspicious email.

Potential Response: None.

Low level (Simple event)

Description: Incidents that have minimal impact on the organization.

Example: Detection of malware that has been quarantined, phishing emails that have been blocked, unsuccessful attempts to gain unauthorized access.

Potential Response: Handled by routine operational processes; no significant disruption; limited to specific users or systems.

Medium level (Significant event)

Description: Incidents that have a moderate impact and may require some intervention.

Example: A compromise of a single user's credentials, malware infection on a few systems, unauthorized access to non-sensitive data.

Potential Response: Requires IT/security team intervention; may involve resetting passwords, cleaning infected systems, and monitoring for further issues.

High level (Incident)

Description: Incidents that significantly impact business operations or sensitive data.

Example: Data breach involving sensitive information, widespread malware/ransomware attack, significant unauthorized access to critical systems.

Potential Response: Requires an immediate and coordinated response from the incident response team; may involve shutting down systems, notifying affected parties, and implementing containment measures.

Critical level (Serious incident)

Description: Incidents that pose an extreme threat to the organization's operations, data, or reputation.

Example: Advanced persistent threats (APTs), major data breach affecting large volumes of sensitive data, coordinated cyberattacks causing substantial operational disruption.

Potential Response: A full activation of the incident response plan, potential involvement of external agencies (e.g., law enforcement, cybersecurity experts), and comprehensive containment, eradication, and recovery efforts.

Catastrophic

Description: Incidents that threaten the survival of the organization.

Example: Nation-state sponsored attacks causing massive data loss, critical infrastructure attacks leading to extended downtime, cyberattacks causing significant financial loss or legal ramifications.

Potential Response: Crisis management, involvement of executive leadership, public communication strategies, extensive recovery and continuity plans, and potential long-term impact assessment and remediation. Possible execution of your Emergency Management Plan.

Incident Severity Scale from

14 of 32

Day 1: 7:00 AM: Assemble Your Team

Describe your Incident Response Team.

  • Who is involved?
    • Any external calls at this point?
  • Where do you meet?
  • What information do you assemble?

Is your Incident Response Quick Reference available offline?

Who are the decision makers?

Page 1 of the Incident Response Worksheet, available at MISecure.

15 of 32

Preliminary Investigation Reveals…

All on-premise systems are encrypted.

The cloud email system is compromised and cannot be trusted for incident communications.

  • What plans/systems are in place for offline communications if the on-premise phone system and cloud email are not deemed secure?

16 of 32

Critical Assets Worksheet from the MiSecure Incident Response Worksheet, available at MISecure.

17 of 32

Incident Log Template from the MiSecure Incident Response Worksheet, available at MISecure.

18 of 32

Day 1 - 10 AM: Can we access log files?

Your Incident Response Firm and the FBI are requesting log files.

  • If your entire on-premise system is encrypted, what log files are available?

19 of 32

Critical Log File Worksheet from the MiSecure Incident Response Worksheet, available at MISecure.

20 of 32

Day 1 - 11 AM: RFI - Can we restore from backups?

Your Incident Response Leadership, including insurance, requests information about available backups to help in their decision making.

  • Is there any chance that your backups have been encrypted along with everything else?
  • How complete are the backups?
  • When is the last backup?
  • How long will restoration take? What promises can you make?
  • How confident are you in your answers?
  • Can you provide your restoration plan in writing?

The IR Team thanks you for the information and will now discuss next steps with insurance and law enforcement, including possible communication with the cyber threat actor.
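One way a tech team can assemble the backup answers requested above, as an added example that is not part of the MiSecure exercise materials: a short Python script that rolls a backup inventory up into the RFI answers (data-loss window, whether each copy could have been encrypted along with everything else, sequential restore time, and a confidence rating). The inventory format, system names, sizes, restore-test dates, and the 200 GB/hour restore throughput are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory (not real district data): one record per critical system.
INVENTORY = [
    {"system": "Student Information System", "last_ok": "2024-03-08T23:00",
     "size_gb": 800, "offline_copy": True, "last_restore_test": "2024-01-15"},
    {"system": "File Server", "last_ok": "2024-03-01T23:00",
     "size_gb": 4000, "offline_copy": False, "last_restore_test": None},
    {"system": "Domain Controllers", "last_ok": "2024-03-08T23:00",
     "size_gb": 120, "offline_copy": True, "last_restore_test": "2023-06-01"},
]
NOW = datetime.fromisoformat("2024-03-09T11:00")  # Day 1 (Saturday), 11 AM RFI
RESTORE_GB_PER_HOUR = 200  # constructed sustained restore throughput
TEST_MAX_AGE = timedelta(days=180)  # how recent a restore test must be to count


def assess(record, now=NOW):
    """Answer the RFI questions for one system from its inventory record."""
    last_ok = datetime.fromisoformat(record["last_ok"])
    # A backup reachable from the encrypted environment (no offline or
    # immutable copy) could have been encrypted along with everything else.
    exposure = "protected" if record["offline_copy"] else "AT RISK"
    test = record["last_restore_test"]
    tested = test is not None and now - datetime.fromisoformat(test) <= TEST_MAX_AGE
    return {
        "system": record["system"],
        "age_hours": (now - last_ok).total_seconds() / 3600,  # data-loss window
        "exposure": exposure,
        "restore_hours": record["size_gb"] / RESTORE_GB_PER_HOUR,
        "tested_recently": tested,
    }


def rfi_summary(inventory=INVENTORY, now=NOW):
    """Roll per-system answers up into what IR leadership asked for."""
    rows = [assess(r, now) for r in inventory]
    at_risk = [r["system"] for r in rows if r["exposure"] == "AT RISK"]
    untested = [r["system"] for r in rows if not r["tested_recently"]]
    # Confidence is only high when every copy is protected and recently tested.
    confidence = "high" if not at_risk and not untested else "low"
    return {
        "oldest_backup_hours": max(r["age_hours"] for r in rows),
        "total_restore_hours": sum(r["restore_hours"] for r in rows),  # sequential
        "at_risk": at_risk,
        "untested": untested,
        "confidence": confidence,
    }


if __name__ == "__main__":
    print(rfi_summary())
```

The summary is the written, defensible basis for the "how confident are you" and "what promises can you make" questions; any system listed under at_risk or untested should be stated as such rather than promised.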

21 of 32

Day 1 - 11:15AM: What does your team do while waiting?

The Incident Response Team, including the insurance provider, law enforcement, and others, may take time to decide what to do next.

If you anticipate needing to restore, what could you do while waiting for the leadership to decide on a course of action?

What questions do you have at this point and how can you get answers?

22 of 32

23 of 32

Day 1: Saturday 5:00 PM - Restore from Backups!

Your preparation and confidence pay off: the Incident Response Leadership Team decides that your district will not pay the ransom and will instead restore from backup.

The request is that you restore to a restricted environment with limited internet access.

The FBI and the IR firm are familiar with the threat actor and ransomware variant. They provide firewall rules to prevent contact with the threat actor's command and control.

The IR firm provides MDR (managed detection and response) for all devices to aid in evicting the threat actor.

There will also be a password reset event for all accounts to attempt to evict the threat actor.

24 of 32

Discussion

Walk through your restoration process.

Describe the restoration team including internal and external resources.

What systems come up first?

How do you reimage workstations?

What is the leadership team doing and communicating at this point?

Is all this documented?

How would you conduct a password reset for all accounts?

25 of 32

Day 1: 9:00 PM

Superintendent brings pizza, thanks the team and asks how things are going.

  • What they really want to know is “can we have school on Monday?”
  • The Superintendent looks stressed. What pressures are they facing?

26 of 32

Day 1: 9:30 PM - End of Day Tech Team Wrap Up

What is your report at this point?

What is your cadence for updating leadership?

Best/worst case scenarios.

What systems will and will not be fully operational on Monday morning?

How long until full restore is complete?

How are you feeling at this point?

27 of 32

Hotwash/Key Takeaways

  • Strengths
  • Areas for Improvement
  • Recommendations
  • Ideas for Updating Your Cyber Response Plan
  • Did you take notes? Take a few more now!
  • What conversations do you plan to have with team members who are not here today?

28 of 32

Thank You!

29 of 32

Resources

30 of 32

MISecure Incident Response Planning Tools

31 of 32

MISecure Cybersecurity Tabletop Exercise Library

Full TTX Library at: https://misecure.org/tabletop-exercises/

32 of 32

Michigan Incident Response Contacts

For School Districts in Michigan:

MISecure Operations Center, 989-763-5797, misecure@gomaisa.org

For School Districts and other entities in Michigan:

Michigan State Police Cyber Command Center, 877-MI-CYBER, mc3@michigan.gov
