When to Use

Workflow

Step 1: Design the Exercise Scenario

Build a realistic scenario based on current threat actor TTPs:

Scenario Structure:

Phase 1: Initial Detection (30 min)
  - SOC receives alert for suspicious process execution on file server
  - EDR detects Cobalt Strike beacon on 3 workstations
  - Inject: External threat intel report links C2 IP to LockBit affiliate

Phase 2: Escalation (30 min)
  - Ransomware executes on 40% of servers during overnight hours
  - Ransom note demands $2M in Bitcoin with 72-hour deadline
  - Inject: Attackers contact media claiming data theft of customer PII

Phase 3: Decision Points (45 min)
  - Backup assessment reveals immutable copies are intact but primary backups encrypted
  - Legal advises on breach notification timeline (72 hours GDPR, varies by US state)
  - Inject: Threat actor publishes sample of stolen data on leak site

Phase 4: Recovery and Communication (45 min)
  - Recovery time estimate: 5-7 days from immutable backups
  - Insurance carrier engages negotiation firm
  - Inject: Major customer threatens contract termination without update within 24 hours

Scenario Variables to Customize:

• Threat actor group and known TTPs
• Percentage of infrastructure encrypted
• Whether backups are intact, partially compromised, or fully destroyed
• Type of data exfiltrated (PII, PHI, financial, trade secrets)
• Applicable regulatory frameworks (GDPR, HIPAA, PCI DSS, SEC rules)
• Ransom amount and payment deadline

Step 2: Prepare Exercise Materials

Create the following documents for participants:

1. Exercise Overview Briefing - Ground rules, objectives, scope, and participants
2. Situation Reports (SITREPs) - One per phase, distributed as the exercise progresses
3. Inject Cards - New information introduced at specific times to force decision-making
4. Decision Point Worksheets - Structured forms for documenting group decisions
5. Evaluation Scorecard - Criteria for assessing response quality

Key Decision Points to Include:

• When to activate the incident response team
• Whether to shut down systems or contain selectively
• Whether to engage law enforcement (FBI IC3, CISA)
• Whether to pay the ransom and under what conditions
• When and how to notify regulators, customers, and the public
• How to prioritize system recovery order

Step 3: Facilitate the Exercise

Facilitator Responsibilities:

• Present each phase scenario and distribute SITREPs
• Introduce injects at predetermined times to increase pressure
• Ask probing questions to test decision-making reasoning
• Ensure all participant groups contribute (prevent IT from dominating)
• Document all decisions, rationales, and action items
• Track time management (many teams lose time on early phases)

Probing Questions by Phase:

Phase 1 - Detection:

• Who makes the call to declare an incident? What criteria trigger it?
• How do we determine the scope of compromise from initial alerts?
• Do we have the forensic capability to investigate or do we need external help?

Phase 2 - Escalation:

• What is our communication plan for employees? Do they know not to turn on affected machines?
• Have we isolated the network to prevent further encryption?
• Who authorizes system shutdowns that impact business operations?

Phase 3 - Decision:

• Under what conditions would we consider paying the ransom?
• What are the legal obligations for notification at this point?
• How do we handle the public leak of customer data?

Phase 4 - Recovery:

• What is the recovery priority order? Is it documented or decided ad hoc?
• How long until critical business operations resume?
• What evidence preservation is required for law enforcement and insurance?

Step 4: Evaluate and Score Responses

Score each functional area against defined criteria:

Step 5: Document Findings and Remediation Plan

Produce an after-action report (AAR) within 5 business days:

AAR Contents:

1. Exercise overview and objectives
2. Scenario summary and injects
3. Key decisions made and rationale
4. Strengths observed
5. Gaps identified with severity rating
6. Remediation actions with owners and deadlines
7. Comparison to previous exercise results (if applicable)

Key Concepts

Tools & Systems

• CISA Tabletop Exercise Packages (CTEPs): Free scenario packages from CISA designed for critical infrastructure sectors
• FEMA Homeland Security Exercise and Evaluation Program (HSEEP): Methodology for designing, conducting, and evaluating exercises
• Immersive Labs: Platform providing interactive cyber crisis simulations with real-time scoring
• Tabletop Scenarios (from NCSC UK): Exercise in a Box tool providing free guided tabletop exercises
• Ransomware Readiness Assessment (CISA): Self-assessment tool for evaluating ransomware preparedness

Common Scenarios

Scenario: Healthcare System Double Extortion Exercise

Context: A 5-hospital healthcare system conducts an annual ransomware tabletop. Previous exercise revealed gaps in HIPAA breach notification and clinical system recovery priority. This year's scenario simulates a double extortion attack targeting the EMR system.

Approach:

1. Design scenario based on Cl0p MOO (Managed Operations Operator) TTPs: exploitation of MOVEit vulnerability for initial access, data exfiltration of 500,000 patient records, followed by encryption of EMR database servers
2. Participants: CISO, CIO, CMO (Chief Medical Officer), General Counsel, VP Communications, Director of Clinical Operations, Privacy Officer, External IR firm representative
3. Phase 1 inject: EMR system down, emergency department diverting patients to neighboring hospital
4. Phase 2 inject: HHS OCR (Office for Civil Rights) contacts organization about reports of patient data on dark web
5. Phase 3 inject: Attacker provides decryption key sample for $3.5M, 48-hour deadline
6. Key finding: Organization lacks documented criteria for ransom payment decision and had not pre-identified an OFAC-compliant payment mechanism
7. Remediation: Establish payment decision framework, pre-engage ransomware negotiation firm, update HIPAA breach notification procedures with specific timelines

Pitfalls:

• Designing unrealistic scenarios that do not reflect actual ransomware TTPs, reducing exercise credibility
• Allowing technical teams to dominate the exercise while business and legal participants remain passive
• Not testing the communication plan (many organizations discover their notification list is outdated during the actual incident)
• Failing to follow up on remediation actions identified in the AAR, negating the exercise value

Output Format

## Ransomware Tabletop Exercise - After Action Report

**Exercise Date**: [Date]
**Facilitator**: [Name]
**Scenario**: [Brief description]
**Duration**: [Hours]
**Participants**: [Count by department]

### Exercise Objectives
1. [Objective] - Met / Partially Met / Not Met
2. [Objective] - Met / Partially Met / Not Met

### Key Decisions Log
| Time | Decision Point | Decision Made | Rationale | Assessment |
|------|---------------|--------------|-----------|------------|

### Strengths Observed
1. [Strength]

### Gaps Identified
| Gap | Severity | Affected Area | Current State | Desired State |
|-----|----------|--------------|---------------|---------------|

### Remediation Actions
| Action | Owner | Deadline | Priority | Status |
|--------|-------|----------|----------|--------|

### Comparison to Previous Exercise
| Area | Previous Score | Current Score | Trend |
|------|---------------|--------------|-------|