CYBER INCIDENT TABLETOP EXERCISE
Facilitated by: <insert name here>
FACILITATOR
• Tell us about yourself
• Credentials
• Experiences
• Knowledge
• Notable achievements
• Something interesting about you
EXERCISE OBJECTIVES
• Increase senior officials' awareness of cyber risk management, cyber-related planning, and other
issues related to cyber incident prevention, protection, response, and recovery of critical systems.
• Assess cybersecurity integration into an organization’s all hazards preparedness.
• Examine cybersecurity incident information sharing, escalation criteria, and related courses of
action.
• Examine cybersecurity incident management structures.
• Review cyber resource request and management processes.
• The primary goal is to identify gaps in cybersecurity.
ASSUMPTIONS AND ARTIFICIALITIES
• This exercise will be conducted in a no-fault environment and will evaluate the existing plans,
policies, and procedures as if players were responding to a real-world emergency.
• Earnest effort has been made to create a plausible and realistic scenario to evaluate and validate
identified objectives.
• The exercise is not to be viewed as a test or inspection of individual performance.
• There is no hidden agenda and there are no trick questions.
• The timeline here does not reflect actual times. Ransomware is known to start extremely quickly,
in as little as three seconds after the file has been executed.
• Realistically, by the time the IT department has been notified, the majority of the data has
already been encrypted.
ANATOMY OF A RANSOMWARE ATTACK
Send email → Bypass spam filter → Hit user's inbox → User clicks link → AV fails → Malware delivered →
Connects with C&C → Encrypts files → Ransom note delivered → Attempts to move laterally across the enterprise
• Malware delivered: launches processes (cmd.exe), copies the malware to disk, adds a registry entry
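Every box in that chain is also an observable endpoint event, which is what "alerting and analysis" has to key on: a document viewer or browser spawning a shell, an executable written to a user-writable folder, a Run key pointing at it, that executable talking out to an address you do not own, a burst of files changing extension, a note appearing, and then the same binary reaching for SMB on neighbouring hosts. The following is an added example, not part of the original exercise deck, that correlates constructed Sysmon-style events into those stages per host and raises an alert once several line up. The JSON field names, host names, paths and IP addresses are all made up for the example; the internal address ranges, the list of "user apps", and the three-renames threshold are assumed tuning values.

```python
"""Correlate endpoint events into the ransomware chain above (added example).

The log is constructed; its schema (ts, host, user, event, image, parent,
path, new_path, key, dest, port) is an assumption, not any vendor's format.
"""
import ipaddress
import json
import ntpath
from collections import defaultdict

# Assumed tuning values for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RENAME_THRESHOLD = 3           # renames to a new extension before we call it encryption
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "acrord32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
NOTE_HINTS = ("restore", "decrypt", "recover", "how_to", "ransom")
LATERAL_PORTS = {445, 3389, 135, 5985}

# Constructed sample events, one JSON object per line (raw string: the JSON
# backslash escapes are passed through to json.loads untouched).
SAMPLE_LOG = r"""
{"ts": "11:02:13", "host": "WS-0417", "user": "jdoe", "event": "process", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "11:02:20", "host": "WS-0417", "user": "jdoe", "event": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"ts": "11:02:21", "host": "WS-0417", "user": "jdoe", "event": "file_create", "path": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"}
{"ts": "11:02:22", "host": "WS-0417", "user": "jdoe", "event": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"}
{"ts": "11:02:30", "host": "WS-0417", "user": "jdoe", "event": "network", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "dest": "203.0.113.45", "port": 443}
{"ts": "11:03:01", "host": "WS-0417", "user": "jdoe", "event": "file_rename", "path": "\\\\FS01\\shared\\budget.xlsx", "new_path": "\\\\FS01\\shared\\budget.xlsx.locked"}
{"ts": "11:03:01", "host": "WS-0417", "user": "jdoe", "event": "file_rename", "path": "\\\\FS01\\shared\\plan.docx", "new_path": "\\\\FS01\\shared\\plan.docx.locked"}
{"ts": "11:03:02", "host": "WS-0417", "user": "jdoe", "event": "file_rename", "path": "\\\\FS01\\shared\\notes.txt", "new_path": "\\\\FS01\\shared\\notes.txt.locked"}
{"ts": "11:03:05", "host": "WS-0417", "user": "jdoe", "event": "file_create", "path": "\\\\FS01\\shared\\HOW_TO_RESTORE_FILES.txt"}
{"ts": "11:03:40", "host": "WS-0417", "user": "jdoe", "event": "network", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "dest": "10.20.5.12", "port": 445}
{"ts": "11:05:00", "host": "WS-0901", "user": "asmith", "event": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe"}
"""


def _name(path):
    return ntpath.basename(path).lower()


def _in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev, state):
    """Map one event to a chain stage (or None), updating the host's state."""
    kind = ev["event"]
    if kind == "process":
        if _name(ev["image"]) in SHELLS and _name(ev["parent"]) in USER_APPS:
            return "user_app_spawned_shell"
    elif kind == "file_create":
        path = ev["path"]
        if path.lower().endswith(".exe") and _in_user_writable(path):
            state["dropped"].add(path.lower())      # remember the dropped binary
            return "dropped_executable"
        if any(h in _name(path) for h in NOTE_HINTS):
            return "ransom_note"
    elif kind == "registry":
        if "\\currentversion\\run\\" in ev["key"].lower():
            return "run_key_persistence"
    elif kind == "network" and ev["image"].lower() in state["dropped"]:
        if not _internal(ev["dest"]):
            return "c2_beacon"
        if ev["port"] in LATERAL_PORTS:
            return "lateral_movement"
    elif kind == "file_rename":
        old_ext = ntpath.splitext(ev["path"])[1].lower()
        new_ext = ntpath.splitext(ev["new_path"])[1].lower()
        if new_ext and new_ext != old_ext:
            state["renames"] += 1
            if state["renames"] >= RENAME_THRESHOLD:
                return "mass_rename_encryption"
    return None


def analyze(log_text):
    """Return {host: {"stages": [...], "first_seen": ts}} for hosts with any stage hit."""
    hosts = defaultdict(lambda: {"dropped": set(), "renames": 0, "stages": [], "first_seen": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        state = hosts[ev["host"]]
        stage = classify(ev, state)
        if stage and stage not in state["stages"]:
            state["first_seen"] = state["first_seen"] or ev["ts"]
            state["stages"].append(stage)
    return {h: {"stages": s["stages"], "first_seen": s["first_seen"]}
            for h, s in hosts.items() if s["stages"]}


def alerts(log_text, min_stages=3):
    """Hosts that hit at least min_stages distinct stages, with a severity label."""
    out = {}
    for host, info in analyze(log_text).items():
        if len(info["stages"]) >= min_stages:
            sev = "critical" if "mass_rename_encryption" in info["stages"] else "high"
            out[host] = {"severity": sev, "since": info["first_seen"], "stages": info["stages"]}
    return out


if __name__ == "__main__":
    for host, a in alerts(SAMPLE_LOG).items():
        print(f"{host}: {a['severity']} since {a['since']}: {' -> '.join(a['stages'])}")
```

The point of requiring several stages before alerting is the "three seconds" artificiality above: a single cmd.exe under explorer.exe (WS-0901 in the sample) is noise, but a shell under WINWORD followed by a drop and a Run key is worth paging on before the renames start, which is the only window in which isolating the host still saves the share.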
IOC 1: GONE PHISHING
• 11:00 AM – A <insert organization here> employee reports to the IT department that he received an
email from HR directing all employees to update their timesheets in the Employee Timesheet Portal.
The employee clicked a link in the email that opened what looked like the portal. However, after
entering his credentials, the employee received an unfamiliar error page.
INCIDENT DISCUSSION QUESTIONS
• Do employees know what constitutes
suspicious cybersecurity activities or
incidents?
• Do they know what actions to take
when one arises?
• What established processes exist for
employees to report cybersecurity
incidents?
• Would any additional reports or
notifications be made? If so, are designated
points of contact identified?
• What incident severity level or tier is a
suspicious email?
ADDITIONAL QUESTIONS
• What training do you provide in support of your cybersecurity incident response plan, business
continuity plan, disaster recovery plan, emergency operations plan incident annex, or other
related plans?
• Does your organization provide basic cybersecurity and/or IT security awareness training to all IT
users (including managers and senior executives)?
• How often is training provided?
• Does it cover:
• General jurisdiction, department, and/or agency policy review
• Roles and responsibilities
• Password procedures
• Whom to contact and how to report suspected or suspicious activities?
…CONTINUED
• What security-related training does your organization provide to, or contractually require of:
• IT Managers
• System and Network Admins
• Vendors
• Other IT personnel having access to system-level software
• Discuss your organization's reporting mechanism.
• Discuss your organization’s intrusion detection capabilities and analytics that alert you to a cyber
incident.
THINGS TO CONSIDER
• User training – do users know what suspicious emails look like? Are you sure?
• User reporting – do users know how to report an email? Are you sure?
• Alerting and analysis – are there systems in place to alert IT while an attack is still in progress?
• Know your network – do you know what is accessible from each device?
• Asset inventory and behavioral heuristics
• ADKAR – five tangible and concrete outcomes that people need to achieve for lasting change
• AWARENESS of the need for change
• DESIRE to support the change
• KNOWLEDGE of how to change
• ABILITY to demonstrate skills and behaviors
• REINFORCEMENT to make the change stick
IOC 2: NOTICEABLE MASS MAILINGS
• 3:00 PM – <insert organization here> IT Service Desk receives five reports of emails similar to the
one reported earlier. Further investigation reveals that phishing emails were sent to 42 employees
across all <insert organization here> departments over a two-day period. The emails directed users
to a spoofed website designed to capture usernames and passwords and deliver a payload.
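Getting from "five reports" to "42 employees over two days" is a log pivot: start from the indicators in the first reported message (sender, link host), find every message sharing them, pick up any new sender or link host those messages reveal, and repeat until nothing new appears; then join the link hosts against web-proxy logs to separate who only received the email from who clicked and who submitted a form. The following is an added example that is not part of the original exercise; the mail-gateway and proxy logs are constructed, and their column layout, domains and user names are assumptions rather than any product's export format.

```python
"""Scope a phishing campaign from mail-gateway and proxy logs (added example).

Both logs below are constructed for the exercise; columns, domains and
user names are assumptions.
"""
import csv
import io
from urllib.parse import urlsplit

MAIL_LOG = """\
ts,sender,recipient,subject,url
2024-03-04T08:12:00,hr@payroll-timesheets.example,jdoe@org.example,Action required: update your timesheet,https://payroll-timesheets.example/portal/login
2024-03-04T08:12:04,hr@payroll-timesheets.example,asmith@org.example,Action required: update your timesheet,https://payroll-timesheets.example/portal/login
2024-03-04T16:40:10,notices@hr-updates.example,bkhan@org.example,Timesheet portal reminder,https://payroll-timesheets.example/portal/
2024-03-05T09:02:51,notices@hr-updates.example,clee@org.example,Timesheet portal reminder,https://hr-updates.example/timesheet/
2024-03-05T09:30:00,hr@org.example,dfox@org.example,Q1 timesheet deadline,https://timesheet.org.example/
"""

PROXY_LOG = """\
ts,user,method,host,path,status
2024-03-04T08:15:22,jdoe,GET,payroll-timesheets.example,/portal/login,200
2024-03-04T08:15:49,jdoe,POST,payroll-timesheets.example,/portal/login,302
2024-03-04T08:20:03,asmith,GET,payroll-timesheets.example,/portal/login,200
2024-03-05T09:05:17,clee,GET,hr-updates.example,/timesheet/,200
2024-03-05T09:05:40,clee,POST,hr-updates.example,/timesheet/,200
2024-03-05T09:31:10,dfox,GET,timesheet.org.example,/,200
"""


def _user(addr):
    """Proxy logs carry the account name; mail logs carry the address."""
    return addr.split("@")[0].lower()


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def scope_campaign(mail_csv, proxy_csv, seed_senders=(), seed_hosts=(), max_pivots=10):
    """Expand seed indicators across the mail log, then join on proxy hits."""
    senders = {s.lower() for s in seed_senders}
    hosts = {h.lower() for h in seed_hosts}
    messages = list(csv.DictReader(io.StringIO(mail_csv)))
    matched = []
    for _ in range(max_pivots):               # bounded so a noisy indicator cannot run away
        new = [m for m in messages if m not in matched
               and (m["sender"].lower() in senders or _host(m["url"]) in hosts)]
        if not new:
            break
        matched.extend(new)
        senders.update(m["sender"].lower() for m in new)
        hosts.update(_host(m["url"]) for m in new if m["url"])

    recipients = {_user(m["recipient"]) for m in matched}
    clicked, submitted = set(), set()
    for row in csv.DictReader(io.StringIO(proxy_csv)):
        if row["host"].lower() in hosts:
            clicked.add(row["user"].lower())
            if row["method"].upper() == "POST":  # a form went back to the spoofed site
                submitted.add(row["user"].lower())

    times = sorted(m["ts"] for m in matched)
    return {
        "senders": sorted(senders),
        "hosts": sorted(hosts),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "recipients": sorted(recipients),
        "clicked": sorted(clicked),
        "credentials_submitted": sorted(submitted),
        "notify_only": sorted(recipients - clicked),
    }


if __name__ == "__main__":
    result = scope_campaign(MAIL_LOG, PROXY_LOG, seed_senders=["hr@payroll-timesheets.example"])
    for key, value in result.items():
        print(f"{key:22} {value}")
```

The three output lists map directly onto the "immediate remediation and protective actions" question: credentials_submitted gets a forced password reset and session revocation, clicked gets the endpoint checked for the delivered payload, notify_only gets the message pulled from the mailbox and a warning, and the expanded hosts and senders go to the mail gateway and proxy as blocks.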
INCIDENT DISCUSSION QUESTIONS
• What is the incident severity level or tier of
this incident once multiple spoofed emails
are reported? What would prompt a
change in tiers?
• What immediate remediation and
protective actions would be taken at your
organization?
• Who is responsible for those actions?
• Have these options been documented
in plans?
• How are they activated?
• Would any additional reports or
notifications be made? If so, are the
primary, secondary, and tertiary points of
contact identified?
ADDITIONAL QUESTIONS
• What are the requirements and/or processes to notify organization leadership of a cyber incident
at each severity tier?
• Are these criteria the same across the organization?
• What resources and capabilities are available to analyze the intrusions?
• Internally?
• Externally through government partners?
• Through the private sector?
…CONTINUED
• What is the role of cybersecurity in contracts with third-party support vendors and crucial
suppliers?
• Have you discussed these types of concerns and risks with them?
• What mechanisms and products are used to share cyber threat information within your
organization and external to your organization (e.g. distribution lists, information sharing portals,
broadcast messaging)?
THINGS TO CONSIDER
• Does your IT team have an offline disaster recovery plan?
• Do you have a cybersecurity strategic plan?
• Do you have documented cybersecurity policies?
• Do you conduct regular internal security meetings?
• Do you conduct regular cybersecurity awareness trainings?
• Do you have an incident response plan?
IOC 3: USER COMPLAINTS
• 3:25 PM – <insert organization here> IT Service Desk receives calls and emails that the file shares
are not opening and users are receiving an error when attempting to “open a Word doc I have always
been able to open.”
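Shares that stop opening and documents that error on open are what in-progress encryption looks like from the help desk. Before anyone reboots or "fixes" the file server, the quickest triage is to look at the files themselves: a .docx that no longer begins with the ZIP magic bytes, files carrying an unfamiliar added extension, text files whose bytes are near-random, and a note telling you how to pay. The following is an added example (not from the original deck) that builds a small constructed share in a temporary directory and classifies each file; the file names, the magic-byte table, the known-extension list and the entropy threshold are assumptions chosen for the example.

```python
"""Triage a file share for signs of encryption in progress (added example).

The share is constructed in a temporary directory; the magic-byte table,
extension list and entropy threshold are assumed values.
"""
import math
import random
import tempfile
from pathlib import Path

MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".pdf": b"%PDF-", ".png": b"\x89PNG"}
KNOWN_EXTS = set(MAGIC) | {".txt", ".csv", ".log", ".doc", ".xls"}
NOTE_HINTS = ("restore", "decrypt", "recover", "how_to", "ransom")
TEXT_ENTROPY_LIMIT = 6.5   # plain text sits around 4-5 bits/byte; ciphertext close to 8


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect(path):
    """Classify one file by name, header bytes and (for text) entropy."""
    p = Path(path)
    name, ext = p.name.lower(), p.suffix.lower()
    head = p.read_bytes()[:4096]
    if ext in (".txt", ".html", ".hta") and any(h in name for h in NOTE_HINTS):
        return "ransom_note"
    if ext not in KNOWN_EXTS:
        return "unknown_extension"          # e.g. budget.xlsx.locked
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "magic_mismatch"             # the "Word doc that will not open"
    if ext in (".txt", ".csv", ".log") and entropy(head) > TEXT_ENTROPY_LIMIT:
        return "high_entropy_text"          # encrypted in place, name kept
    return "ok"


def scan_share(root):
    """Return ({relative_path: verdict} for suspicious files, total file count)."""
    root = Path(root)
    findings, total = {}, 0
    for p in sorted(root.rglob("*")):
        if p.is_file():
            total += 1
            verdict = inspect(p)
            if verdict != "ok":
                findings[str(p.relative_to(root)).replace("\\", "/")] = verdict
    return findings, total


def summarize(findings, total):
    kinds = {}
    for v in findings.values():
        kinds[v] = kinds.get(v, 0) + 1
    damaged = (len(findings) - kinds.get("ransom_note", 0)) / total if total else 0.0
    return {"total_files": total, "by_kind": kinds, "damaged_ratio": round(damaged, 2),
            "likely_ransomware": "ransom_note" in kinds or damaged >= 0.25}


def _noise(n, seed):
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_share(root):
    """Write a constructed share: two intact files, three damaged ones, one note."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    files = {
        "good.docx": b"PK\x03\x04" + b"\x00" * 64 + b"[Content_Types].xml",
        "notes.txt": b"Meeting notes: review Q1 timesheets and approve.\n" * 40,
        "encrypted.docx": _noise(2048, 1),
        "finance/budget.xlsx.locked": _noise(512, 2),
        "finance/ledger.csv": _noise(1024, 3),
        "HOW_TO_RECOVER_FILES.txt": b"Your files have been encrypted. Contact ...\n",
    }
    for name, data in files.items():
        (root / name).write_bytes(data)
    return root


def demo():
    share = build_sample_share(tempfile.mkdtemp())
    findings, total = scan_share(share)
    return findings, total, summarize(findings, total)


if __name__ == "__main__":
    findings, total, summary = demo()
    for name, verdict in findings.items():
        print(f"{verdict:18} {name}")
    print(summary)
```

The summary feeds the first decision in the discussion questions above: if it says likely_ransomware, the immediate action is to stop the writes (take the share offline or disable the account that owns the new files) and preserve the note plus a sample of damaged files as evidence, before anything is restored from backup.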
INCIDENT DISCUSSION QUESTIONS
• What immediate remediation actions
would be taken?
• Who is responsible for those actions?
• Are redundant systems in place if the
impacted system is compromised?
• What is the incident severity tier of this
event?
ADDITIONAL QUESTIONS
• Do you have defined cybersecurity incident escalation criteria, notifications, activations, and/or
courses of action?
• If so, what actions would be taken at this point? By whom?
• Who would this incident be reported to?
• Would any additional reports or notifications be made (e.g., to law enforcement for reasons
related to public safety)?
• Are points of contact identified?
• Would leadership be notified?
• Does the organization report cybersecurity incidents to outside organizations? If so, to
whom?
• What, if any, mandatory reporting requirements do you have?
• Are these criteria the same across the organization?
…CONTINUED
• What immediate protection and mitigation actions would be taken? Who is responsible for those
actions?
• What, if any, mandatory reporting requirements do you have? Are additional reporting
requirements in place for the loss of personally identifiable information (PII)?
• At what point in the scenario would you contact law enforcement?
• Law enforcement relationships
• What are your expectations of state and federal government?
• Are processes and resources in place for evidence preservation and collection?
THINGS TO CONSIDER
• Be prepared, an incident can happen at any time.
• Test your backups
• Test your response plan – being ready for the event and knowing the actions you need to take are key
to restoration efforts
• Do a simulation event
• There is no surefire way to prevent an incident, only ways to mitigate its impact
• Assess your vulnerabilities
• Know your risks
• Risks can be taken, have a plan for each risk you accept.
• Business continuity plan
• How will you sustain while systems are being restored?
• What is your mean time to repair?
• Identify CRITICAL systems
HOT WASH REPORT
• List the top three organizational strengths.
• List the top three organizational items requiring improvement.
• Set a plan to meet to discuss improvement strategies
• Prioritize the highest needs
• Create an achievable list of all improvements needed.
• Assign tasks and set expectations, goals, and timelines.
• Consider funding needed, funding sources
• Hot wash remarks/comments.
cyber security incident exercises TTX .ppt