Last month, we facilitated a ransomware incident response tabletop exercise for a client with approximately 2,000 employees. The organization had invested significantly in security tooling — EDR, SIEM, network segmentation, offline backups. On paper, they were well-prepared. The exercise revealed a different story.
The Scenario
We simulated a ransomware event that began with a compromised VPN credential (purchased from an initial access broker), followed by lateral movement through Active Directory, and culminating in domain-wide encryption with a 48-hour extortion deadline. Data exfiltration occurred before encryption.
What Went Wrong
1. Nobody Knew Who Was in Charge
The incident response plan named a “Security Incident Commander,” but when we asked who that person was and what their authority looked like in practice, the room went silent. The CISO assumed IT operations would lead. IT operations assumed the security team would lead. Legal assumed someone technical would make the call on whether to pay.
2. Communication Channels Were Down
The organization’s primary communication tools — email and Teams — both ran on the infrastructure that was “encrypted” in our scenario. There was no pre-established out-of-band communication channel. Fifteen minutes of the exercise were spent debating whether to use personal phones or a WhatsApp group.
3. Backup Restoration Was Untested
The team confirmed they had offline backups, but no one could answer how long a full restoration would take. Estimates ranged from “a few hours” to “maybe a week.” The actual answer, discovered during a follow-up technical exercise, was 11 days.
4. The Legal and Regulatory Response Was Unknown
When we introduced the data exfiltration component, the legal team was unsure about notification timelines. Applicable regulations required notification within 72 hours, but the team hadn’t identified which datasets triggered which regulatory requirements.
Key Takeaways
- Run the exercise, not just the plan. A written IR plan is necessary but insufficient. Tabletop exercises reveal the gap between documented procedures and organizational reality.
- Establish out-of-band communications in advance. Have a pre-configured channel (Signal group, satellite phone tree, physical call list) that doesn't depend on your primary infrastructure or on the identity provider behind it. An attacker holding domain credentials can sign in to any channel those accounts use, so the fallback needs separate accounts and devices, and the roster of who is on it has to exist before the incident, not be assembled during it.
- Test backup restoration regularly. Measure actual RTO, not theoretical RTO: time a full restore of a representative system, not a single file. Include the time needed to verify backup integrity (checksums compared against a manifest recorded at backup time and stored with the offline copy, so a backup the attacker altered or encrypted is caught before it is trusted) and to rebuild supporting infrastructure such as Active Directory, DNS and hypervisors. Restore points also have to be dated against the intrusion timeline: a domain controller restored from a backup taken after the initial access restores the attacker's foothold along with it.
- Include legal, communications, and executive leadership. Ransomware is not just a technical incident. The decision to pay or not, public communications, regulatory notifications, and insurance claims all require non-technical stakeholders.
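The restoration takeaway above is easy to state and rarely practised, so here is an added example of what a timed restore drill can look like in code. It is not the client's tooling or anything from the original post: it builds a constructed sample data set in a temporary directory, records a SHA-256 manifest at backup time, restores the archive while timing the restore and verification phases separately, and then shows that a backup altered after the manifest was taken (a hypothetical file overwritten by the intruder) fails verification against the offline manifest. All file names, sizes and contents are assumptions for the drill.

```python
"""Timed restore drill: restore a backup, verify it against a manifest taken
at backup time, and report how long each phase actually took."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256. Store the result
    separately from the archive (with the offline copy) so that a backup
    altered after the fact cannot carry a matching manifest with it."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, manifest_path: Path) -> None:
    """Write the manifest first, then the archive, so both describe the same state."""
    manifest_path.write_text(json.dumps(make_manifest(source), indent=1))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def verify_restore(manifest_path: Path, dest: Path) -> dict:
    """Compare the restored tree to the manifest: missing or altered files fail,
    and files that were never backed up are reported as unexpected."""
    expected = json.loads(manifest_path.read_text())
    failures = [rel for rel, digest in expected.items()
                if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]
    unexpected = [p.relative_to(dest).as_posix() for p in sorted(dest.rglob("*"))
                  if p.is_file() and p.relative_to(dest).as_posix() not in expected]
    return {"failures": failures, "unexpected": unexpected,
            "ok": not failures and not unexpected}


def restore_and_verify(archive: Path, manifest_path: Path, dest: Path) -> dict:
    """Restore, then verify, timing each phase separately. These measured
    numbers, not estimates, are what an RTO answer should rest on."""
    dest.mkdir(parents=True, exist_ok=True)
    # The 'data' extraction filter (Python 3.12+, backported to maintenance
    # releases) refuses absolute paths, '..' traversal and device files.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    t0 = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **extract_opts)
    restore_seconds = time.monotonic() - t0

    t1 = time.monotonic()
    result = verify_restore(manifest_path, dest)
    result["restore_seconds"] = restore_seconds
    result["verify_seconds"] = time.monotonic() - t1
    return result


def run_drill() -> dict:
    """Constructed end-to-end drill on sample data (assumed, not a real backup set):
    a clean restore passes; a backup altered after the manifest was taken fails."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "sub").mkdir(parents=True)
        (source / "a.txt").write_bytes(b"payroll export line\n" * 1000)
        (source / "sub" / "b.txt").write_bytes(os.urandom(4096))
        archive, manifest = base / "backup.tgz", base / "manifest.json"
        create_backup(source, archive, manifest)
        clean = restore_and_verify(archive, manifest, base / "restore_clean")

        # Simulate a backup written after the intruder touched the data: the
        # offline manifest still describes the good state, so the drill catches it.
        (source / "sub" / "b.txt").write_bytes(b"encrypted by the intruder")
        tampered_archive = base / "backup_tampered.tgz"
        with tarfile.open(tampered_archive, "w:gz") as tar:
            tar.add(source, arcname=".")
        tampered = restore_and_verify(tampered_archive, manifest, base / "restore_tampered")
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, res in run_drill().items():
        print(f"{name}: ok={res['ok']} restore={res['restore_seconds']:.3f}s "
              f"verify={res['verify_seconds']:.3f}s failures={res['failures']}")
```

In a real drill the source tree is a representative server image rather than two sample files, the archive is pulled from the offline copy, and the restore target is a rebuilt host, so the measured restore time includes the rebuild. The point of keeping the manifest apart from the archive is that integrity is checked against a record the attacker could not reach, which is the only kind of check that answers "can we trust this backup" rather than "does this backup match itself".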
The best time to discover these gaps is during a tabletop exercise, not during an actual incident.