Tabletop Exercise Case Studies
CrowdStrike’s Tabletop Exercise program is designed to give an organization’s executive and technical staff the experience of responding to a targeted attack without the risk of an actual attack. We begin by getting to know your organization, reviewing existing incident response plans and interviewing staff to become familiar with your capabilities, assets, and vulnerabilities.
Drawing upon experience as incident responders, our team develops tailored, realistic attack scenarios—with attack methods often pulled directly from CrowdStrike Falcon Intelligence feeds. Participants are challenged to respond to all aspects of a breach, including technical containment and remediation, addressing legal obligations, safeguarding corporate reputation, and managing employee morale.
The following are example tabletop exercises we’ve led for clients:
A BAD DAY ON WALL STREET
A major U.S. investment bank wanted to test its ability to respond to a sophisticated, targeted attack on its network. Through a simulated attack on the company’s trading infrastructure, CrowdStrike challenged the company’s executive leadership to confront an existential crisis with legal, regulatory, reputational, and technological dimensions. CrowdStrike led the organization through a series of events in which fraudulent transactions occurred without detection, amounting to millions in losses. Mimicking the tactics, techniques, and procedures of known threat groups, CrowdStrike challenged the company’s technical responders to identify, assess, and respond to a realistic attack scenario while also translating the technical implications into actionable information for business leaders.
The exercise exposed conflicting expectations over key decision-making authorities and gaps in the company’s ability to protect and restore critical systems. Following the exercise, the company revised its incident response plans and scheduled additional exercises to evaluate its progress.
UNCOVERING CORPORATE ESPIONAGE
A Fortune 100 manufacturing company, having expanded its IT security team and overhauled its incident response plans, wanted to test its ability to respond to a realistic attack. CrowdStrike simulated a targeted attack that compromised key executives’ email accounts, resulting in the theft of sensitive business plans that put the company at a disadvantage in M&A negotiations. The simulated attack mirrored the methods of an adversary CrowdStrike had observed targeting other companies in the sector. Afterwards, one participant confided the scenario was eerily similar to an episode the company had experienced several years earlier.
Participants took away a better understanding of the new incident response plan and their roles in it. They also identified a clear need to include additional stakeholders in the plan, define executive decision-making authority, and deploy additional technical controls.
STEALING THE CROWN JEWELS
An exercise at a major U.S. technology company exposed the challenges of responding to a cyber breach when only partial information was available. Simulating real-world attacker methods, CrowdStrike tested the Security Operations Center’s ability to gather more information about an intruder who was skilled at avoiding detection and likely monitoring the company’s internal communications. When the investigation turned up inconclusive evidence suggesting attackers may have taken new product designs, corporate executives faced a set of critical business decisions against a still-uncertain backdrop.
The exercise highlighted areas where additional technologies could improve visibility, as well as a need to better define the roles and responsibilities of technical and executive personnel. “We failed this test,” one of the participants commented, “but we learned what we need to do to pass the next one.”
RETAIL UNDER FIRE
A large U.S. retailer wanted to test its capacity to handle multiple incidents at once. CrowdStrike developed a plausible scenario in which the company’s IT staff received and had to prioritize multiple simultaneous security alerts while juggling information requests from business leaders. When a system outage proved to be the result of a programming error, investigators pivoted to an antivirus detection, discovering payment card theft and thrusting business leaders into a more active role in managing the risk to the overall business, addressing legal obligations, and responding to news media.
Most participants were unaccustomed to working with one another, and the simulation forced collaboration in a realistic, high-pressure environment. The company revised its incident response plans based upon the exercise, and planned additional tabletops at regular intervals to foster continued team building.