It's Monday morning, 8 a.m. You walk into the office and, on your computer screen, you witness something you've only ever experienced in your nightmares.

"Boom! Your organization is hit with a ransomware attack," Sherri Davidoff, CEO of LMG Security, says in a first-look for Dark Reading of a planned tabletop exercise at the upcoming RSA Conference 2023. "All systems are down. What do you do?"

Hopefully, you know what to do thanks to practice runs for such scenarios, in the form of tabletop exercises that workshop incident response for various scenarios.

Creating such an exercise is an undertaking, but it's worthwhile to prepare security professionals for the challenges they'll one day inevitably face. "It's just like Red Cross CPR classes," Davidoff says. "Training your first responders matters."

On April 24, from 8:30 to 10:30 a.m. PT, Davidoff and Matt Durrin, director of training and research for LMG Security, will be hosting a tabletop exercise on ransomware and cyber extortion at RSA Conference 2023. The event will throw participants into a maelstrom inspired by real-life ransomware attacks and challenge them to evade the traps endemic to enterprise incident response.

Designing a Tabletop Exercise

"The big thing that we want to shoot for in these tabletops is as much realism as we can possibly get," Durrin says.

But realism is difficult to simulate. Davidoff jokes about how "we tried using ChatGPT to run a tabletop exercise," and it didn't turn out so well. "It's like: 'I am the facilitator,' and starts walking you through the steps. But it's very boring. It doesn't give you any curveballs."

Simulating realism, ironically, requires a good deal of showmanship: storytelling, audio and visual materials, and a certain creativity to generate the chaos and unpredictability you'd find in a cyberattack in real life. But little of this theater is completely made-up.

"We try to leverage the experience that we've gained over the years of actually dealing with these attacks in the wild," Durrin notes, "so we have elements that are in line with what a modern ransomware attack would look like."

For RSAC 2023, they chose to model their simulation after a classic LockBit attack. "First thing in the morning on a Monday morning you walk in and your network is completely offline," Durrin explains. "There are ransom notes on your desktop. They're telling you that your files have been encrypted. They might have broken into your printer and exhausted every piece of paper that you have, printing off copies of the ransom note."

All local data is encrypted and internal systems unrecoverable. The price to recover is $2.5 million, which will double after 48 hours.

Source: Trend Micro

Panic sets in. "How do we identify where we need to look for additional malware?" Durrin continues. "How do we figure out how long they've been in the network? And then what kind of changes do we need to make to our plan?" Participants perform triage, distribute tasks among group members, and gather evidence, in a scramble to contain the damage.

Any sense of control is erased, though, when more bad news arrives: The hackers have already exfiltrated data. A double extortion, one of a few curveballs the hackers will lob over the fence by the end of the campaign.

"This is where things get kind of scary, especially for the more executive audiences," Durrin says. "When we start talking about public exposure and reputational damage, that really gets them on the hook, and it leads to a good discussion between the technical and nontechnical people. There's so much interplay between those two groups during an attack."

Do Tabletop Exercises Actually Help IRL Security?

Multiple extortions may be a lot to fit into a two-hour event. But Davidoff and Durrin emphasize how a full 80% of ransomware victims experience double dipping, 68% within a month of their first breach.

Remarkably, 40% of ransomware victims pay two times, 10% pay three times, and 1% actually pay four ransoms to their attackers.

"That's part of why a tabletop is so important," Davidoff says. "You're actually walking through these issues, and everyone from frontline responders to executives are learning. Because a lot of times your frontline responders will be getting pressure from executives to restore as soon as possible, so they skip steps, and then the attackers get back in, and you have a worse problem. And they usually charge a higher amount the second time."

Enterprises that run these kinds of simulations tend to avoid those mistakes. "We've actually been able to see how those changes that we've made and tested inside of an incident response plan have benefited organizations in a very tangible and real sense," Durrin says, "in the speed of recovery, the quality of recovery and how the organization is actually able to get back on their feet after suffering from an incident."

The difference can be found in the bottom line. According to the IBM Cost of a Data Breach Report 2022, organizations with rigorously tested incident response plans save an average of more than $2.5 million over those without plans. So tabletop exercises aren't just a fun team-building activity.

"Those first few minutes and hours after an incident are absolutely critical," Davidoff says. "Everyone should make sure they're prepared."