1 of 25

Tabletop Exercise:

Data Theft Financial and Reputational Impact

Add Date Here

2 of 25

About This Exercise

This exercise was developed by the MiSecure team for school districts to enhance their preparedness for cybersecurity events and incidents. In this exercise, the Executive Team takes the lead in responding to a data theft scenario, exploring the impact on operations and reputation as well as the response strategies and resources available.

This exercise is customizable and includes template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources. While this exercise can be used as-is, it can and should be customized to be more realistic for your organization. For example, you can name systems that you operate and department or team names that are specific to your organization. If you are a school district in Michigan and need assistance running a tabletop exercise, reach out to the MISecure team.

This presentation is shared under the Creative Commons license CC BY 4.0: https://creativecommons.org/licenses/by/4.0/.

To make the exercise more valuable, consider choosing a facilitator who is not a participant in the exercise.

We strongly recommend that you develop a cybersecurity incident response plan prior to running tabletop exercises. For a starting point, try the MiSecure Incident Response Planning templates (existing content).


Skip or hide this slide when running an exercise

Exercise Goal: Rehearse a coordinated high-level response to a severe data breach.

Key Participants: District Executive Team and IT Leadership

Length: 1-1.5 hours

Incident Severity: High

3 of 25

Welcome and Intros

  • Facilitator(s)
  • Participants


4 of 25

What is a Tabletop Exercise (TTX)?

Definition:

  • A discussion-based exercise inspired by a realistic scenario designed to generate dialogue, enhance conceptual understanding, and identify strengths and areas for improvement.

Purpose:

  • Provide an opportunity to walk through a realistic cybersecurity incident as a team, which allows you to evaluate existing response capabilities.
  • Facilitate discussion on various issues related to incident recognition, response and recovery.
  • Practice, practice, practice…


5 of 25

Participant Engagement & Expectations

Goals:

  • Enhance general awareness and understanding of roles, responsibilities, and expectations when responding to an incident.
  • Validate existing incident response plans, procedures, and resources.

Acquaintance Building:

  • Allows individuals, teams, organizations, and stakeholders to become acquainted.
  • Recognize interdependencies and respective responsibilities.

Active Participation:

  • All participants are encouraged to contribute, focusing on collaborative problem-solving and actionable outcomes.


6 of 25

Exercise Roles

Players: Perform their regular roles and responsibilities, talking through the simulated scenario as they would in a real emergency.

Facilitators: Provide situation updates, moderate discussions, and resolve questions to keep the exercise on track.

Observers: Ask relevant questions and offer expertise to support player responses without directly influencing outcomes.

Notetakers: Document discussions and key takeaways for the After-Action Report.


7 of 25

Expected Outcomes

Documenting Findings:

  • Resolutions and discussions are documented informally in your notes or formally in an After-Action Report (AAR) and Improvement Plan (IP) if you choose.

Update Plans:

  • The exercise will generate actionable recommendations for revising current plans, policies, and procedures.

Enhanced Coordination through Shared Experience:

  • Walking through scenarios together improves your team’s ability to face real world situations as they arise.


8 of 25

Assumptions & Artificialities

  • The scenario is fictional, though based on real-world incidents.
  • The scenario is plausible, with all participants receiving information simultaneously. Please respond to events as presented.
  • Don’t fight the scenario.
  • There are no trick questions or hidden agendas; engage with the scenario as it unfolds.
  • This no-fault learning environment evaluates capabilities, plans, and procedures, not individuals.


9 of 25

Operational Security

  • Safeguard all exercise, operational, and business-sensitive material discussed today as if it were classified.
  • Manage and secure all information and documents obtained during this briefing.
  • Avoid discussing this material publicly or sharing it with unauthorized individuals, including on social media.


10 of 25

The Scenario


11 of 25

Day 1: 6:00 AM: Data Theft Ransom Email

Your HR Director receives a ransom email from threat actor “SkoolKids” stating that they have stolen sensitive data from your district and will make it publicly available if you do not pay a ransom of 28₿ (bitcoin).


12 of 25

Discussion

HR Director: What would you do as a result of receiving an email threatening to expose sensitive data?

When the HR Director informs others, what actions would they take?

Where did this data come from? What system or systems contain sensitive information?

Are you working from your Incident Response Plan now?


13 of 25

Day 1: 11:00 AM: Board President Reports Email

Your school board president informs the superintendent that she received an email from “SkoolKids” with a sample of stolen data.


14 of 25

Discussion

The Board President received a threatening email. Does that change your response?

What would you do to validate SkoolKids' claim?

Who is involved at this point? Would you contact external resources?

What actions are being taken? Are these actions documented in incident response plans?


15 of 25

Day 2: 10:00 AM: Call from the FBI

Your IT director gets a call from an FBI Special Agent with information about leaked data found on a threat actor's system. The FBI shares the dates of access, an internal user ID, and an external IP address. Initial access was 3 months ago.

SkoolKids emails the HR director and Board President and informs them that you have 24 hours to pay or they will publish or sell the data.


16 of 25

Discussion

How do you accept and verify calls from law enforcement or third parties?

Describe your incident response team and how new information from the IT director would be passed to other team members.

What is the actual or potential business impact at this point?

Would you engage with the threat actor SkoolKids or consider paying the ransom?

What internal and external communications are you considering or initiating?

Are you following documented plans?


Your teams confirm unauthorized access and that data is likely to have been stolen from your systems.

17 of 25

Day 3: 5:00 PM: Quiet Incident Goes Public

A local news site receives a tip that sensitive information from your district has been stolen and that a sample is available on the dark web. A reporter asks the superintendent for comment.

A union representative requests information on what the district will do to protect the privacy of teacher data.


18 of 25

Discussion

What is the messaging strategy for various stakeholders?

What internal communications are necessary to keep employees informed?

Would someone speak to the media about this incident?

What does your incident response team look like at this point?

What would you do to ensure that the threat actor no longer has access?


19 of 25

Hotwash/Key Takeaways

  • Strengths
  • Areas for Improvement
  • Recommendations
  • Ideas for Updating Your Cyber Response Plan
  • Did you take notes? Take a few more now!
  • What conversations do you plan to have with team members who are not here today?


20 of 25

Thank You!


21 of 25

Resources

22 of 25

MISecure Incident Response Planning Tools


23 of 25

MISecure Cybersecurity Tabletop Exercise Library

Full TTX Library at: https://misecure.org/tabletop-exercises/

24 of 25

Michigan Incident Response Contacts

For School Districts in Michigan:

MISecure Operations Center, 989-763-5797, misecure@gomaisa.org

For School Districts and other entities in Michigan:

Michigan State Police Cyber Command Center, 877-MI-CYBER, mc3@michigan.gov


25 of 25

Agenda and Timing

Item - Time

Introduction + About TTXs - 9:00-9:10 (10 minutes)

Inject 1 - HR Dir Email - 9:10-9:20 (10 minutes, 8 minute timer)

Inject 2 - Board President Email - 9:20-9:35 (15 minutes, 10 minute timer)

Inject 3 - FBI Confirms - 9:35-9:50 (15 minutes, facilitator times)

Inject 4 - Media/Staff Questions - Skip

Hot Wash/Wrap Up - 9:50-10:00