Business Resiliency
Workgroup
Mini TTX
Instructions
1. Break the scenario into meaningful learning points.
2. Read the scenario aloud to the group and ensure their
understanding.
3. Proceed to the discussion page to facilitate a conversation about
how your organization would handle the scenario, focusing on the
key learning points as you discuss.
These are intended to be brief exercises.
Take note of the questions being asked and the scope of the exercise.
Use the After Action Report along with these exercises to identify any potential gaps in
your Business Continuity Plan or your Security Policies.
DO:
• Designate a single individual to facilitate.
• Be sure to include applicable members of other business units.
• Follow the discussion guide on the final slide.
DON’T:
• Stray from the scope of the exercise. (You may want a designee to keep the group on track.)
• Forget to follow up on any gaps identified during the exercise. An After Action Report Template is available on HSIN.
February Exercise
Recent media reports of a fast-spreading human virus
have the public on edge. Members of your health
department are receiving emails from concerned
citizens looking to protect themselves and their
families.
Citizens report receiving an email from a typosquatted
domain asking for PII and “symptoms”. The vendor
who updates your publicly facing site is also affected
and is currently down due to a potential attack. This vendor
also runs sites for your police, fire, and EMS.
What do you do?
Discussion
• How would you have the typosquatted domain taken down?
– Do you have proof that the false domain is false?
– Have you contacted the DNS registrar?
• Do you have a communications plan in your IRP for the public?
– Do you have an educational resource for the public to teach them about phishing?
• How was the vendor information discovered?
– Ex. Public Meeting Minutes
• Has this affected any of your other communication systems?
– Phone, fax, etc.
• Is there a backup for communication if these are down?
• Has your legal team been briefed?
– Responsibility on the vendor v. the municipality
• Has this affected any of your other municipality systems?
– Do you have processes in place to check?
• Do you have forensics?
• Have you lost any data?
• Mutual Aid Incident Response?
– Has this been reported?
NIST Functions Addressed: ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources; ID.RA-3: Threats, both
internal and external, are identified and documented; PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident
Recovery and Disaster Recovery) are in place and managed; PR.IP-10: Response and recovery plans are tested; RS.RP-1: Response plan is executed during or
after an event; RC.CO-1: Public relations are managed.