
Ransomware TTX: Seven scenarios to include in your next TTX
Gerard Johansen, Principal Security Solutions Specialist, Red Canary
Tabletop Exercises (TTX) are an excellent way for organizations to find gaps in their overall incident response processes and procedures. As part of a ransomware TTX, there are several considerations that should be included to ensure that the organization is prepared to address not only the technical challenges, but also key decisions.
In this presentation, we will look at seven different key scenarios that should be included as part of a ransomware TTX. For each of these, we will examine how to structure scenarios into a TTX, either as discussion points or scenario injects. Next, we will examine key points to address and what some of the potential outcomes might be. From here, we will discuss how to incorporate the responses into process improvements to enhance the overall organizational ransomware readiness.
The presentation will cover the following seven scenarios.
1. “Call it an incident?”: In the past few years, there has been a lot of discussion concerning the legal ramifications of calling an incident an incident. Legal teams are now advising incident response teams to avoid the loaded word 'incident' as it may incur legal and compliance obligations. Part of a Tabletop Exercise (TTX) should address proper terminology and classification of security violations to ensure alignment with legal and compliance requirements.
2. “While you wait”: Many organizations engage third-party digital forensics teams, either independently or through their cyber insurer. These teams may take some time to get organized after the call is made. A TTX should include steps the internal security personnel can take to either maintain or gather evidence, or to organize resources so that outside help can hit the ground running.
3. “The Cloud Pivot”: Many organizations have taken at least partial advantage of cloud-based infrastructure. Ransomware TTXs should include potential impacts to cloud-based infrastructure, or how critical services may be moved to cloud infrastructure in the event of a prolonged outage.
4. “Moving your investigation off the network”: A ransomware attack that impacts the entire enterprise may force the incident response team off the network. This may include leveraging cloud resources (which may incur costs) or using alternate tools and techniques to conduct their investigation. It is not advisable to attempt to build out an investigation environment during an incident. This inject, as part of a TTX, forces the team to come up with a plan of action if the worst-case scenario is realized.
5. “Containment Strategies”: Every containment strategy comes with its own problems. Cutting off communications between the cloud infrastructure and the enterprise may make certain applications or credentials useless. Removing the ability for key servers to talk to applications or systems may delay products shipping. There are a host of scenarios that can play out. A well-thought-out TTX should include a healthy discussion of several containment strategies, what impact each strategy will have on the organization, and under what circumstances they need to be executed.
6. “Managing Credential Compromise”: This scenario is related to the overall containment strategies and deals directly with how credential compromise is addressed. Going beyond the simple case of one or two compromised administrator accounts, a TTX should address how to handle wide-ranging compromises originating from a pilfered password store or the dreaded NTDS.dit file compromise. This inject should look at the impact a wide-ranging password change may have and how well the organization understands these impacts.
7. “Health and Welfare Concerns”: Ransomware attacks may take several days to weeks to fully get back to normal operations. During this time, the various responding teams will start to feel the effects of sleep deprivation and stress. To keep the team performing at a consistent level, health and welfare measures such as rotating teams, off-site accommodations and even employee assistance engagement should be considered. A ransomware TTX should include a discussion of how teams will be rotated in and out and what measures leadership takes to ensure their team's health is considered.
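The "While you wait" scenario above asks what internal staff can do to preserve evidence before the external forensics team arrives. The following is an added example, not part of the presentation or of any Red Canary tooling: a PowerShell triage script that snapshots volatile state on a Windows host (processes, network connections, services, scheduled tasks, local users, sessions) to a per-host folder and hashes every artifact so the hand-over to the outside team is verifiable. The output path under `IR-Triage` is a hypothetical choice; it assumes an elevated session and only reads system state.

```powershell
# Added example (not from the presentation): preserve volatile evidence on a Windows
# host while waiting for the external forensics team. Run elevated; the script only
# reads system state and writes to the triage folder. Output location is hypothetical;
# point it at whatever evidence share the exercise designates.
$Out = Join-Path $env:SystemDrive ("IR-Triage\{0}-{1:yyyyMMdd-HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Each collector is a scriptblock, so one failure does not stop the rest of the collection.
$collectors = @{
    'system.txt'     = { Get-ComputerInfo | Format-List | Out-String }
    'processes.csv'  = { Get-CimInstance Win32_Process |
                         Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
                         ConvertTo-Csv -NoTypeInformation }
    'netconn.csv'    = { Get-NetTCPConnection |
                         Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
                         ConvertTo-Csv -NoTypeInformation }
    'services.csv'   = { Get-CimInstance Win32_Service |
                         Select-Object Name, State, StartMode, PathName, StartName |
                         ConvertTo-Csv -NoTypeInformation }
    'schtasks.csv'   = { Get-ScheduledTask |
                         Select-Object TaskName, TaskPath, State,
                             @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';' } } |
                         ConvertTo-Csv -NoTypeInformation }
    'localusers.csv' = { Get-LocalUser |
                         Select-Object Name, Enabled, LastLogon, PasswordLastSet |
                         ConvertTo-Csv -NoTypeInformation }
    'sessions.txt'   = { query user 2>&1 | Out-String }   # logged-on sessions (built-in query.exe)
}

foreach ($name in $collectors.Keys) {
    $path = Join-Path $Out $name
    try   { & $collectors[$name] | Set-Content -Path $path -Encoding UTF8 }
    catch { "COLLECTION FAILED: $($_.Exception.Message)" | Set-Content -Path $path -Encoding UTF8 }
}

# Enumerate the artifacts first, then hash them, so the manifest does not include itself.
$artifacts = Get-ChildItem -Path $Out -File
$artifacts | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -NoTypeInformation -Path (Join-Path $Out 'manifest.csv')

Write-Host "Triage written to $Out; copy it to write-once media before leaving the host."
```

The collectors are deliberately read-only and ordered so that the most volatile data (processes and connections) is captured first; the manifest gives the external team a way to confirm nothing changed between collection and hand-over.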
The overall intent is for attendees to return to their organization with these seven scenarios and either take them as a stand-alone discussion or include them in their own exercises to better align their processes and procedures to address a ransomware incident. This forces the organization to pre-plan for specific scenarios, thereby reducing the time necessary to make key decisions which may limit the impact of a ransomware incident.
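The "Managing Credential Compromise" inject hinges on understanding the blast radius of a domain-wide password reset after an NTDS.dit compromise. As an added example (not part of the presentation or of any Red Canary tooling), the following PowerShell script uses the RSAT ActiveDirectory module to sort every domain user into a reset class, so a TTX facilitator can put concrete numbers on the discussion: how many privileged accounts, how many service accounts whose reset could break applications, and how large the standard-user reset wave would be. The list of privileged groups and the report path are assumptions to be adjusted per organization.

```powershell
# Added example (not from the presentation): scope a domain-wide credential reset after a
# suspected NTDS.dit compromise. Read-only; requires the RSAT ActiveDirectory module and
# read access to the domain. Run from a clean admin workstation, not a domain controller.
Import-Module ActiveDirectory

$Report = '.\credential-reset-scope.csv'   # hypothetical output path

# Privileged groups whose members should be reset first. The list is an assumption;
# extend it with the organisation's own tiered admin groups.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$privSet = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $privGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { [void]$privSet.Add($_.DistinguishedName) }
    } catch {
        Write-Warning "Could not expand group '$g': $($_.Exception.Message)"
    }
}

$users = Get-ADUser -Filter * -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled

$rows = foreach ($u in $users) {
    # Classify each account by what a reset implies for the organisation.
    $class =
        if     ($u.SamAccountName -eq 'krbtgt')           { 'krbtgt (reset twice; allow AD replication between resets)' }
        elseif ($privSet.Contains($u.DistinguishedName))  { 'Privileged (reset first, from a clean admin host)' }
        elseif ($u.ServicePrincipalName.Count -gt 0)      { 'Service account with SPN (reset may break dependent applications)' }
        elseif (-not $u.Enabled)                          { 'Disabled (low priority, still reset)' }
        elseif ($u.PasswordNeverExpires)                  { 'PasswordNeverExpires (likely embedded in scripts or applications)' }
        else                                              { 'Standard user (bulk reset; plan for a helpdesk surge)' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Class           = $class
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        SPNs            = ($u.ServicePrincipalName -join ';')
    }
}

$rows | Export-Csv -NoTypeInformation -Path $Report

# Summary for the TTX facilitator: how many accounts fall into each reset class.
$rows | Group-Object Class | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The per-class counts are the discussion material for the inject: each class maps to a different impact (application outages for SPN accounts, helpdesk load for standard users, Kerberos ticket invalidation for krbtgt), and the exercise should decide in advance who owns each wave and in what order they run.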
#RansomwareSummit #Ransomware #IncidentResponse