
CU Minute

Inside the Room: A Ransomware Tabletop Exercise Q&A

Author: Shawn Flaherty, Director of Business Development, Think|Stack

Think|Stack recently completed a ransomware tabletop exercise (ransomware TTX) for a four-billion-dollar credit union in the Southwestern U.S. Over the past 18 months, we have seen a steady increase in requests from credit unions that want us to help them simulate a ransomware event, evaluate their ability to respond to it, and deliver recommendations to strengthen their cybersecurity posture.

A ransomware TTX is a simulated, interactive exercise designed to test an organization's readiness and response strategies in the event of a ransomware attack. These exercises typically involve key stakeholders from within the organization. The goal is to create a realistic scenario where participants can practice their roles and responsibilities, identify gaps in the current response plan, and improve their ability to manage and mitigate the impact of a ransomware incident.

We feel the best way to share the value that these exercises provide is to answer the most common questions credit unions have asked about conducting a Think|Stack ransomware TTX.

What is the primary benefit to a credit union?

Regular ransomware exercises help prepare your credit union to effectively respond to ransomware attacks, minimize damage, and ensure a quicker recovery when an event occurs.

Who from the credit union should participate?

We will work with your staff to determine the ideal stakeholders. They typically include senior management, IT staff, a legal representative, marketing staff, and sometimes one or more board members.

How long does a ransomware TTX take?

Think|Stack typically spends several days gathering internal information and planning for an onsite tabletop. We generally suggest either a half or a single full day onsite at your credit union.

What type of information do you need from our credit union in advance?

If this is your first ransomware TTX, you may not have very much to prepare. The most important preparation is to determine your goals and objectives in advance of the exercise and decide who on the team should participate. Although some of these may not apply or may be dated, the additional items below are helpful:

  • Your current incident response plan
  • Network and system diagrams
  • Communications plans
  • Documented legal and regulatory considerations
  • Business continuity and disaster recovery plans
  • Any recent cybersecurity assessments and reports

Do you need access to our IT systems?

No, accessing your IT systems is not necessary to conduct a ransomware TTX. These exercises are simulated and discussion-based, focusing on planning, decision-making, and communication rather than actual system manipulation. Because nothing is executed against production systems, a TTX validates your people and process, not your technical controls; items such as backup restoration and offline recovery should still be tested separately.

How often should you conduct a ransomware TTX?

The most important ransomware TTX is the first one. It gives the organization a taste of what it is like to go through a ransomware event, and there is a huge difference between a credit union that has done even one ransomware TTX and one that has not. We strongly recommend an annual ransomware TTX to keep your team trained on how to respond, but you can usually make an informed decision on frequency based on your credit union's organizational changes, staff turnover, M&A activity, regulatory requirements, incident history, and risk profile.

What do we get after completing a ransomware TTX with Think|Stack?

At the conclusion of our engagement, you will receive all the documentation and recommendations you need to prepare for an actual ransomware attack. This will include detailed reporting, observations and findings, recommendations and an action plan, and lessons learned.

If I have an MSP or other current IT vendors, should they participate?

If you would like to conduct this exercise independently with just credit union staff, that is completely fine. If your MSP or other IT vendors will be actively involved in responding to a real ransomware incident, then you can and absolutely should include them.

If you are ready to engage the cyber team at Think|Stack to help you plan, administer, and deliver recommendations stemming from your own ransomware TTX, we would be happy to travel wherever you are in the U.S. and lead your team through this valuable exercise. Please contact us with any questions or to discuss next steps.

Learn more about Think|Stack and our cybersecurity advisory services at ThinkStack.co.
