TableTop Simulation Exercises

Maersk - Had IR Plan but Didn’t Test It. Ransomware = 10 Days Downtime

In 2017, NotPetya stopped global logistics giant Maersk. They had an incident response plan. Problem? They never tested it. During the real attack, chaos lasted 10 days - no one knew who should do what, how to communicate with customers, whether to pay ransom. Losses: $300 million.

Without testing IR plans:

• Plan in drawer isn’t the same as prepared team
• During stress (real incident) people don’t know what to do
• Communication chaos - IT vs management vs PR vs legal
• Procedure gaps emerge only during attack (too late)
• Ad-hoc decisions instead of proven process
• Non-compliance with NIS2 (plan testing requirement)

Incident Simulation with Your Team at the Table

TableTop Exercise is a workshop - team sits at a table (hence the name), we present incident scenario in stages, team discusses and makes decisions. No code, no servers - this is planning and communication exercise.

What you get:

• Incident scenario tailored to your company (ransomware, data breach, DDoS, sabotage, etc.)
• 2-4h workshop with your team (IT, OT, management, PR, legal)
• Facilitation - we lead exercise, ask questions, observe
• Staged simulation - incident escalates, team responds
• Procedure testing - do they work in practice?
• Communication testing - who reports to whom, who makes decisions
• Gap identification - what’s missing in the plan
• Report with observations and recommendations
• Remediation action plan

Who Is It For?

This service is for you if:

• You have incident response plan but never tested it
• You want to meet NIS2 (regular IR exercise requirement)
• Team or procedures changed - you want to check if they work
• You went through transformation (cloud, OT+IT) - new architecture = new risks
• You see attacks in industry and want to be prepared

Typical Scenarios

Ransomware

Phase 1: Detection

• “Monday 7:00 AM - monitoring reports file encryption on file server”
• Questions: Who gets alert? How fast do they escalate? Who makes decisions?

Phase 2: Scope Assessment

• “Ransomware spreading - 50 workstations encrypted”
• Questions: Do we cut network? How do we communicate with employees? Who informs management?

Phase 3: Containment

• “IT wants to shut down entire network. Production protests - downtime is €120K/day”
• Questions: Who has final say? Is OT safe? How do we protect backup?

Phase 4: Ransom Demand

• “Attackers demand €2 million in Bitcoin. You have 48h.”
• Questions: Do we pay? Who decides? Do we report to police? How do we communicate with customers?

Phase 5: Recovery

• “Backup works but recovery will take 72h”
• Questions: What to restore first? How to verify ransomware doesn’t return?

Phase 6: Post-incident

• “Media asking about incident. Regulator requires reporting”
• Questions: What to say publicly? How to report to regulator?

Data Breach

Scenario: Customer personal data leak

• Stage 1: Database anomaly detection
• Stage 2: Leak confirmation (100K records with PII)
• Stage 3: Reporting obligation (72h to regulator)
• Stage 4: Customer communication
• Stage 5: Forensics and root cause

DDoS Attack

Scenario: DDoS attack on online infrastructure

• Stage 1: Website/API not responding
• Stage 2: DDoS confirmation (volumetric attack)
• Stage 3: Mitigation (Cloudflare? DNS change?)
• Stage 4: Communication decision (tell customers?)
• Stage 5: Recovery and post-mortem

Insider Threat

Scenario: Fired admin sabotages systems

• Stage 1: Production change detection (deleted backups)
• Stage 2: Perpetrator identification (former employee?)
• Stage 3: Legal notification
• Stage 4: Recovery and access audit

Supply Chain Attack

Scenario: Software vendor got hacked

• Stage 1: Compromised vendor information
• Stage 2: Risk assessment (do we use that software?)
• Stage 3: Systems isolation with vendor software
• Stage 4: Patching and monitoring

How Exercise Works

Typical 3h TableTop

Preparation (before workshop):

• We gather info about your company (architecture, processes, team)
• We design scenario tailored to your risks
• We prepare materials (slide deck with incident stages)

Workshop Agenda:

0:00-0:15: Introduction

• Rules presentation
• IR plan reminder
• Participant roles

0:15-0:30: Phase 1 - Detection

• We present first incident stage
• Questions: What do you do? Who reports to whom?
• Team discussion
• Observation and notes

0:30-1:00: Phase 2-3 - Assessment and Containment

• Incident escalates
• New information (spreading, additional affected systems)
• Team makes decisions
• We test procedures

1:00-1:15: Break

1:15-2:00: Phase 4-5 - Eradication and Recovery

• Crisis decisions (pay ransom? shut down production?)
• External communication (customers, media, regulator)
• Recovery plan

2:00-2:30: Phase 6 - Post-incident

• Lessons learned
• What went well, what didn’t
• Procedure gaps

2:30-3:00: Summary

• Our observations
• Top 5 findings
• Quick win recommendations

What We Assess

Observation Criteria

Communication:

• Does everyone know who reports to whom?
• Is there clear command structure?
• Does information reach right people?
• Is external communication consistent?

Procedures:

• Does team know IR plan?
• Are procedures current and complete?
• Are roles clearly defined?
• Are there process gaps?

Decisions:

• Who makes key decisions?
• Are decisions fast vs thoughtful?
• Is business impact considered?
• Are legal/compliance included?

Technical:

• Does IT team know how to isolate incident?
• Are backups available and tested?
• Is forensics possible?
• Is monitoring sufficient for detection?

Culture:

• Does team collaborate vs blame?
• Are there IT vs OT vs business conflicts?
• Is it blame culture vs learn culture?

Report Format

What You Get After Exercise

Executive Summary (2-3 pages):

• Overall team readiness assessment
• Top 5 findings (what needs urgent improvement)
• Top 5 strong points (what works well)

Detailed Observations (10-15 pages):

• Analysis of each exercise phase
• Communication and decision observations
• Procedure gaps
• Dialogue and decision examples

Recommendations (5-7 pages):

• Concrete remediation actions
• Prioritization (quick wins vs long-term)
• Estimated effort for each recommendation

Action Plan:

• Implementation task list
• Owners and timeline
• Success metrics