
Ransomware rehearsals offer stage for IT and execs to connect

A ransomware tabletop exercise defines response roles for the C-suite, communications team, and of course, IT.

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

A ransomware rehearsal gets crowded.

During what’s known as a “tabletop” exercise, a combination of legal counsel, security officers, C-suite execs, and more may take over every chair in the conference room as they create a response plan for a simulated cyberattack, sorting out answers to not-fun questions like:

Disclose or not disclose?

Shut down systems or keep them running?

And, of course: Pay or don’t pay?

According to incident-response pros who spoke with IT Brew, the tabletop offers a chance for a CISO, CIO, or IT staff member to get on the same playbook page as senior leaders, specifically regarding roles and priorities.

Don’t go IT alone. While a ransomware attack may begin with a phishing email and network intrusion, the response team includes more than just IT or security employees, given the cost of an attack, where the average price is just over $800K.

“They’re going to extort you for money. Nowadays, it’s not unusual for our clients to see six- or seven-figure numbers—in the millions or tens of millions for larger companies. That’s a pretty big decision that’s not going to be made by a CIO or security analysts alone,” said Dave Wong, VP at Mandiant, a threat-intelligence firm that conducts tabletop exercises and supports organizations in ransomware response and other incidents.

A question like “pay or don't pay?” is ultimately a business decision, according to a June 2022 report from Gartner: “It needs to be made at an executive or board level, with legal advice.”

A ransomware rehearsal is a chance for IT pros to communicate a plan with leadership, and there may be drastically different ideas on response, especially regarding ransom, said Jess Burn, senior analyst at Forrester.

“I remember speaking with a client who went through a very intense breach-crisis simulation exercise with the executives and the CEO said, ‘Of course, we’re going to pay. We’re not going to accept any downtime,’” Burn told IT Brew.

The IT executive, however, had a different idea. “The CISO thought they were never going to pay the bad guys,” said Burn.

What we have here is… A tabletop exercise finds communication gaps in an incident response plan, according to Drew Schmitt, managing security consultant at GuidePoint Security, a consultancy that also runs tabletop exercises and helps companies hit by ransomware.

“Because executives don’t get exposed to ransomware-type response scenarios every day, a lot of times they’re not really sure who the priority is in terms of communication, or even that some teams need to be engaged. So, a lot of what we find in gaps ends up being very procedural, and a lot of it’s based on communication,” said Schmitt.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
