
SIMULATION TABLETOP EXERCISE FOR INCIDENT RESPONSE

BY IZZMIER IZZUDDIN
@AdSecVN FB: AdSecVN @QuantriBaomat
TABLE OF CONTENTS
EXERCISES ............................................................................................................. 3
TABLETOP EXERCISE 1: RANSOMWARE ATTACK SIMULATION ............................................. 3
ANSWERS TO TABLETOP EXERCISE 1 ................................................................................ 6
TABLETOP EXERCISE 2: DATA EXFILTRATION DETECTION...................................................10
ANSWERS TO TABLETOP EXERCISE 2 ...............................................................................12
TABLETOP EXERCISE 3: RANSOMWARE ATTACK ON CRITICAL SYSTEMS ............................16
ANSWERS TO TABLETOP EXERCISE 3 ...............................................................................18

EXTRA EXERCISES .................................................................................................. 24


TABLETOP EXERCISE 4: INSIDER THREAT BREACH ............................................................24
Phase 1: Detection and Initial Triage .............................................................................................. 24
Phase 2: Investigation and Containment ........................................................................................ 24
Phase 3: Root Cause Analysis ........................................................................................................ 25
Phase 4: Business Impact Assessment .......................................................................................... 25
Phase 5: Recovery and Post-Incident Measures............................................................................. 26

TABLETOP EXERCISE 5: ADVANCED PERSISTENT THREAT (APT) CAMPAIGN ........................27


Phase 1: Early Indicators and Detection......................................................................................... 27
Phase 2: Network Reconnaissance and Privilege Escalation ......................................................... 27
Phase 3: Lateral Movement and Critical System Targeting ............................................................. 28
Phase 4: Exfiltration and Potential Disruption ................................................................................ 28
Phase 5: Post-Incident Recovery .................................................................................................... 29

TABLETOP EXERCISE 6: SUPPLY CHAIN ATTACK ................................................................30


Phase 1: Initial Awareness ............................................................................................................. 30
Phase 2: Malware Investigation and Containment ......................................................................... 30
Phase 3: Threat Actor Objectives and Impact Assessment ............................................................ 31
Phase 4: External Coordination and Mitigation .............................................................................. 31
Phase 5: Recovery and Lessons Learned........................................................................................ 32

EXERCISES
TABLETOP EXERCISE 1: RANSOMWARE ATTACK SIMULATION

Objective: To simulate a ransomware attack and evaluate the SOC team's ability to
respond across all roles (L1, L2, L3 and SOC Manager).

Scenario: During routine monitoring, the SOC observes unusual activity on the company’s
network. Several files appear to be encrypted and a ransom note is discovered demanding
payment in Bitcoin. The exercise begins with this discovery and proceeds through the
incident response lifecycle.

Network Alert (SIEM)

• Alert ID: 3029
• Severity: High
• Source IP: 192.168.1.24
• Destination IP: 45.77.89.120
• Description: Large outbound data transfer detected.

Endpoint Activity Logs (EDR)

Time         Event                       User      Action
10:02:34 AM  Suspicious file downloaded  user_123  File: "invoice_0321.exe"
10:04:56 AM  File encryption detected    user_123  Encrypted files: *.docx, *.xls
10:06:12 AM  Ransom note created         user_123  Note: "Pay 5 BTC to recover your data."

Phase 1: Initial Detection and Triage

Inject 1: Suspicious Activity Discovered

1. A SIEM alert reports unusual outbound traffic to an unrecognised IP.
2. EDR logs reveal a suspicious file download followed by rapid file encryption.

Questions for L1 Analyst:

1. What initial actions should you take upon receiving the SIEM alert?
2. How do you validate if this activity is malicious?
3. When should you escalate this to L2?

Questions for L2 Analyst:

1. How do you confirm if ransomware is active?
2. What additional logs or tools would you examine to understand the scope?

Questions for L3 Analyst:

1. What advanced forensic techniques can you apply to analyse the ransomware?
2. How would you identify the attack vector and prevent further compromise?

Questions for SOC Manager:

1. How do you prioritise the next steps while ensuring minimal operational disruption?
2. What communication strategies would you implement for internal and external
stakeholders?

Phase 2: Containment

Inject 2: Spread of Infection

• IT reports that three servers in the Finance department are inaccessible.
• Network traffic analysis shows ongoing connections to the external IP (45.77.89.120).

Questions for L1 Analyst:

1. What steps should you take to isolate affected systems?
2. How do you document the incident for further analysis?

Questions for L2 Analyst:

1. How do you use network traffic data to contain the threat?
2. What mitigation techniques should be applied to prevent lateral movement?

Questions for L3 Analyst:

1. How do you analyse the malware to create actionable IoCs (Indicators of Compromise)?
2. What advanced tools can be used to assess the full scope of affected assets?

Questions for SOC Manager:

1. How do you ensure containment actions align with business priorities?
2. What resources are required for immediate recovery?

Phase 3: Root Cause Analysis

Inject 3: Attack Vector Discovered

• Email gateway logs reveal that the ransomware originated from a phishing email
sent to user_123, with a malicious attachment named "invoice_0321.exe."

Questions for L1 Analyst:

1. How do you trace the phishing email to its origin?
2. What indicators would you search for in other users’ emails?

Questions for L2 Analyst:

1. How do you correlate the phishing email with endpoint activity?
2. What recommendations would you make to strengthen email security?

Questions for L3 Analyst:

1. How do you use threat intelligence to assess the risk of similar attacks?
2. What additional measures can be taken to harden endpoints?

Questions for SOC Manager:

1. How do you present findings to executive leadership?
2. How do you allocate resources for long-term improvements?

ANSWERS TO TABLETOP EXERCISE 1

Phase 1: Detection and Triage

L1 Analyst: Initial Actions Upon Receiving the Alert

1. Review the SIEM alert details:
o Note the source IP, destination IP and alert description.
o Check if the external IP (45.77.89.120) is recognised or flagged in threat intelligence databases.
2. Validate if the activity is malicious:
o Query endpoint detection and response (EDR) logs for the source system (192.168.1.24).
o Confirm the presence of file encryption activity and identify associated processes.
o Check for ransom notes or suspicious executable files (invoice_0321.exe).
3. Escalate to L2 if:
o The encryption activity is verified.
o The external IP is found in threat intelligence reports.
o The ransom note is present.

L2 Analyst: Validating Ransomware Activity and Investigating the Scope

1. Confirm ransomware presence:
o Hash the suspicious executable (invoice_0321.exe) and check it against VirusTotal and internal threat intelligence. Hashing the encrypted files themselves is not useful: their content is unique to this victim and will never match a known signature.
o Analyse processes on the infected endpoint for ransomware executables and their parent process chain.
2. Investigate the scope:
o Review firewall and proxy logs for connections to the external IP (45.77.89.120).
o Query logs for similar activity across other endpoints to identify lateral movement.

L3 Analyst: Advanced Analysis

1. Forensic Techniques:
o Collect the malware sample (invoice_0321.exe) from the endpoint.
o Use static analysis tools (IDA Pro) and dynamic sandbox tools (Cuckoo
Sandbox) to dissect the malware.
o Identify encryption algorithms used and potential decryption methods.
2. Prevent Further Compromise:
o Analyse phishing email headers to pinpoint origin and delivery mechanism.
o Develop Indicators of Compromise (IoCs) for rapid detection across the
network.
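The triage logic the L1 and L2 steps above describe can be expressed as a small correlation rule. The following is an added example, not part of the original exercise and not any vendor's EDR code: it groups EDR events per host and user and looks for the download -> encryption -> ransom-note chain inside a time window, so that a lone suspicious download stays a low-priority ticket while the full chain is an immediate escalation. The event schema, the dropper extension list and the 15-minute window are assumptions; the records are constructed to mirror the EDR excerpt in the scenario.

```python
"""Sequence-based ransomware triage over EDR events (added example, not from the exercise)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR events (timestamp, host, user, event_type, detail). Field names are
# assumptions for this example, not any vendor's schema; the first three rows mirror
# the EDR excerpt in the scenario.
EDR_EVENTS = [
    ("2024-03-21 10:02:34", "192.168.1.24", "user_123", "file_download", "invoice_0321.exe"),
    ("2024-03-21 10:04:56", "192.168.1.24", "user_123", "file_encrypted", "*.docx, *.xls"),
    ("2024-03-21 10:06:12", "192.168.1.24", "user_123", "ransom_note", "Pay 5 BTC to recover your data."),
    # Benign noise: an installer download on another host with nothing following it.
    ("2024-03-21 09:15:00", "192.168.1.31", "user_456", "file_download", "setup.exe"),
]

SUSPICIOUS_EXT = (".exe", ".scr", ".js", ".hta", ".vbs")   # assumed dropper extensions
CHAIN_WINDOW = timedelta(minutes=15)                        # assumed download -> encryption window


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def triage(events):
    """Return one finding per (host, user) whose events form the
    download -> encryption (-> ransom note) chain inside CHAIN_WINDOW.

    A download with no follow-on encryption produces no finding; encryption
    alone is 'high'; encryption plus a ransom note is 'critical', which is the
    point at which L1 escalates to L2.
    """
    by_key = defaultdict(list)
    for ts, host, user, etype, detail in events:
        by_key[(host, user)].append((_parse(ts), etype, detail))

    findings = []
    for (host, user), evs in by_key.items():
        evs.sort()
        for t0, etype, detail in evs:
            if etype != "file_download" or not detail.lower().endswith(SUSPICIOUS_EXT):
                continue
            later = [e for e in evs if t0 < e[0] <= t0 + CHAIN_WINDOW]
            if not any(e[1] == "file_encrypted" for e in later):
                continue
            note = any(e[1] == "ransom_note" for e in later)
            findings.append({
                "host": host,
                "user": user,
                "dropper": detail,
                "first_seen": t0.strftime("%H:%M:%S"),
                "severity": "critical" if note else "high",
                "escalate_to_l2": True,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(EDR_EVENTS):
        print(finding)
```

The window matters: the scenario's encryption starts about two minutes after the download, and in practice the gap is usually minutes, not hours, so a short window keeps unrelated installer downloads from being chained to later, unrelated file activity.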

SOC Manager: Incident Prioritisation and Communication

1. Prioritise next steps:
o Declare a major incident and initiate the incident response playbook.
o Assign resources to containment, eradication and recovery efforts.
2. Communicate with stakeholders:
o Notify executives of the potential business impact.
o Prepare an external communication strategy for affected customers or regulatory bodies, if necessary.

Phase 2: Containment

L1 Analyst: Isolating Systems

1. Isolate affected systems from the network immediately (EDR network containment, or pulling the cable) to prevent further spread. Do not power them off: memory may still hold the running ransomware process and, for some strains, key material that helps recovery.
2. Use EDR tools to terminate processes associated with ransomware on infected endpoints.
3. Log all actions and observations, with timestamps, for further analysis.

L2 Analyst: Mitigation Techniques

1. Block external connections:
o Configure firewalls to block outbound traffic to the malicious IP (45.77.89.120).
o Use network segmentation to isolate potentially compromised segments.
2. Prevent lateral movement:
o Reset passwords for affected accounts.
o Disable administrative shares and enforce least privilege access.

L3 Analyst: In-Depth Analysis and Recommendations

1. Create actionable IoCs:
o File hashes, IPs, domains and email identifiers should be shared across SIEM, firewalls and EDR.
2. Advanced tools:
o Use packet capture tools (Wireshark) to analyse the command-and-control traffic. The payload is encrypted, so the useful signals are metadata: TLS SNI and certificate details, JA3 fingerprints, beacon timing and transfer volumes.
o Deploy YARA rules to detect similar ransomware strains in the environment.

SOC Manager: Containment Strategy

1. Align actions with business continuity:
o Work with IT to identify critical systems that require immediate recovery.
o Evaluate the need for third-party incident response teams or law enforcement involvement.
2. Resource allocation:
o Allocate technical resources to containment and recovery teams.
o Assign communication specialists to handle internal and external updates.

Phase 3: Root Cause Analysis

L1 Analyst: Investigating Phishing Email

1. Analyse email headers:
o Extract the sender’s IP, domain and email path to trace the origin.
o Cross-check against known phishing campaigns in threat intelligence databases.
2. Search other emails:
o Search the email gateway for the attachment naming pattern, for example the regex invoice_\d+\.exe (the glob form is "invoice_*.exe").
o Identify whether other users received similar emails or opened the attachment.

L2 Analyst: Correlating Phishing Email and Endpoint Activity

1. Correlation:
o Match the email timestamp with endpoint logs to confirm execution of the
malicious file.
o Check DNS logs for domain resolution linked to the phishing email.
2. Recommendations:
o Implement stronger email filtering with sandboxing for attachments.
o Train employees to recognise phishing attempts.
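The L1 gateway search and the L2 correlation above are one workflow: find every recipient of the lure, then check whether the attachment was executed on that user's endpoint within a plausible window after delivery. The following is an added example, not part of the original exercise; the pipe-delimited gateway and EDR log formats, the corp.example domain, the one-hour execution window and the mapping from EDR username to mailbox are all assumptions, and the log lines are constructed.

```python
"""Phishing-to-execution correlation over constructed gateway and EDR logs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed email gateway log: time | sender | recipient | attachment name.
GATEWAY_LOG = """\
2024-03-21 09:58:10|billing@invoices-secure.example|user_123@corp.example|invoice_0321.exe
2024-03-21 09:58:12|billing@invoices-secure.example|user_207@corp.example|invoice_0322.exe
2024-03-21 10:01:45|hr@corp.example|user_301@corp.example|payroll_march.pdf
"""

# Constructed EDR process-start events: time | host | user | image path.
EDR_LOG = """\
2024-03-21 10:02:34|192.168.1.24|user_123|C:\\Users\\user_123\\Downloads\\invoice_0321.exe
2024-03-21 10:03:01|192.168.1.31|user_207|C:\\Windows\\System32\\notepad.exe
"""

# The lure pattern from the scenario; the capture group keeps the campaign numbering.
LURE_RE = re.compile(r"^invoice_(\d+)\.exe$", re.IGNORECASE)
EXEC_WINDOW = timedelta(hours=1)        # assumed: execution within an hour of delivery
MAIL_DOMAIN = "corp.example"            # assumed mapping from EDR username to mailbox


def parse_log(text):
    """Yield (timestamp, field, field, ...) for each non-empty pipe-delimited line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = line.split("|")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), *rest)


def find_lure_recipients(gateway_text):
    """L1 step: regex search of the gateway log.
    Returns {recipient: (delivered_at, attachment, sender)}."""
    hits = {}
    for ts, sender, recipient, attachment in parse_log(gateway_text):
        if LURE_RE.match(attachment):
            hits[recipient] = (ts, attachment, sender)
    return hits


def correlate(gateway_text, edr_text):
    """L2 step: for each lure recipient, did the attachment run on an endpoint
    within EXEC_WINDOW of delivery, and on which host?"""
    hits = find_lure_recipients(gateway_text)
    report = {r: {"executed": False, "host": None} for r in hits}
    for ts, host, user, image in parse_log(edr_text):
        recipient = f"{user}@{MAIL_DOMAIN}"
        if recipient not in hits:
            continue
        delivered, attachment, _sender = hits[recipient]
        if image.lower().endswith(attachment.lower()) and delivered <= ts <= delivered + EXEC_WINDOW:
            report[recipient] = {"executed": True, "host": host}
    return report


if __name__ == "__main__":
    for recipient, status in correlate(GATEWAY_LOG, EDR_LOG).items():
        print(recipient, status)
```

Recipients who received the lure but show no execution (user_207 here) are still in scope: the attachment should be pulled from their mailboxes and the endpoints checked, since the EDR window only covers what has already run.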

L3 Analyst: Threat Intelligence and Hardening

1. Threat Intelligence:
o Use platforms like MISP or Recorded Future to research the attacker’s
tactics and tools.
o Confirm if the ransomware variant is linked to an active APT group.
2. Hardening Measures:
o Enforce application whitelisting and disable macros.
o Regularly update endpoint protections and vulnerability patches.

SOC Manager: Leadership and Reporting

1. Present findings:
o Create a detailed report summarising the attack timeline, root cause and containment actions.
o Highlight gaps in security posture and propose actionable improvements.
2. Resource allocation:
o Request additional resources for vulnerability management and advanced threat detection.
o Propose budgets for employee training and security technology upgrades.

TABLETOP EXERCISE 2: DATA EXFILTRATION DETECTION

Objective: To evaluate and improve the SOC team's ability to detect, analyse and mitigate
a data exfiltration attempt through an unauthorised channel.

Scenario: Your organisation, a multinational healthcare firm, detects unusual outbound traffic originating from a user endpoint. The traffic is directed to a cloud storage service (Dropbox). Sensitive medical data may have been exfiltrated, putting the company at risk of regulatory non-compliance and reputational harm.

Phase 1: Initial Detection and Triage

Inject 1:

• A SIEM alert indicates a large volume of outbound HTTPS traffic from a single
endpoint (192.168.2.45) to a suspicious domain (Dropbox subdomain).
• EDR logs show unusual processes initiated by an unauthorised PowerShell script
on the same endpoint.

Questions:

1. What are the immediate actions to validate the alert and triage the incident?
2. Which tools and techniques can L1 and L2 analysts use to confirm if data
exfiltration occurred?

Phase 2: Containment

Inject 2:

• The user ([email protected]) whose endpoint initiated the traffic denies accessing Dropbox recently.
• Network analysis reveals encrypted payloads being uploaded to the destination.

Questions:

1. How should the SOC team contain the suspected exfiltration activity?
2. What measures can be implemented to prevent further data leakage?

Phase 3: Root Cause Analysis

Inject 3:

• Investigation uncovers the endpoint was compromised via a malicious macro in an Excel file (Project_Finance_Report.xlsm) received through email.
• Analysis of logs shows the compromised endpoint connected to other systems within the internal network.

Questions:

1. What steps should be taken to confirm the attack vector?
2. How can the SOC team determine the extent of the lateral movement?

Phase 4: Business Impact Assessment

Inject 4:

• The exfiltrated data includes patient records and internal financial projections,
violating GDPR and HIPAA.
• Senior leadership demands an estimate of operational and reputational damage.

Questions:

1. How should the SOC assess the impact of the breach?
2. What actions should be taken to comply with legal and regulatory obligations?

Phase 5: Post-Incident Actions

Inject 5:

• The attacker maintained persistence by installing a backdoor on the compromised endpoint.
• The incident revealed gaps in DLP (Data Loss Prevention) policies and endpoint security monitoring.

Questions:

1. What steps should the SOC take to eradicate persistence mechanisms?
2. What long-term improvements should be implemented to prevent recurrence?

ANSWERS TO TABLETOP EXERCISE 2

Phase 1: Initial Detection and Triage

Q1: What are the immediate actions to validate the alert and triage the incident?
Answer:

• Log Analysis: L1 SOC analysts should immediately review SIEM logs to verify the
alert's authenticity. Look for the volume and frequency of outbound traffic to the
Dropbox subdomain and match it against typical baseline activity.
• Endpoint Review: EDR logs from the affected endpoint (192.168.2.45) should be
scrutinised for abnormal processes or PowerShell activity, specifically identifying
any unauthorised file access or execution of unusual scripts.
• Confirm Suspicious Activity: L2 analysts should corroborate findings by cross-
referencing network traffic with known Indicators of Compromise (IoCs) from threat
intelligence feeds, focusing on payload size, frequency and destination IP
reputation.
• Isolation Recommendation: If the activity is confirmed as suspicious, the endpoint
should be isolated to prevent further data leakage. Notify the incident response
team immediately for escalation.

Q2: Which tools and techniques can L1 and L2 analysts use to confirm if data exfiltration
occurred?
Answer:

• SIEM and Network Traffic Analysis: Use tools like Splunk or QRadar to query
network logs for large outbound HTTPS traffic and connections to external domains.
Examine TLS handshake metadata and timestamps.
• File Integrity Monitoring (FIM): Review file access patterns on the endpoint to
determine if sensitive files were accessed and modified.
• Hash Analysis: Compare suspicious file hashes (those
of Project_Finance_Report.xlsm) with known malicious signatures from threat
intelligence databases.
• DLP Solutions: Check Data Loss Prevention tools for any alerts triggered by
attempts to upload sensitive files to cloud storage.
• User Activity Correlation: Correlate user activity logs ([email protected]) with
endpoint behavior to identify discrepancies, such as login anomalies or
unauthorised application use.
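The "match it against typical baseline activity" step in Q1 and the user-activity correlation in Q2 are the part of this triage most worth automating, because a raw "large HTTPS upload to Dropbox" alert fires constantly on hosts that legitimately sync files. The following is an added example, not part of the original exercise: it baselines each endpoint's daily upload volume to cloud-storage domains against that host's own history and flags a day that is both far above the median and above an absolute floor, recording whether a scripted client produced the traffic. The proxy records, the domain watch list, the ratio and floor values and the user-agent heuristic are all constructed assumptions.

```python
"""Outbound-volume baselining for exfiltration triage (added example, not from the exercise)."""
import statistics
from collections import defaultdict

# Assumed watch list of monitored cloud-storage domains.
CLOUD_STORAGE = ("dropbox.com", "dropboxusercontent.com")

# Constructed proxy log records: (day, src_ip, dst_host, bytes_out, user_agent).
PROXY_LOG = [
    # Seven quiet days of desktop-client sync from the suspect host.
    *[(f"2024-03-{d:02d}", "192.168.2.45", "www.dropbox.com", 4_000_000, "Dropbox-Desktop/190.4")
      for d in range(11, 18)],
    # The alert day: about 2 GB pushed by a scripted client.
    ("2024-03-18", "192.168.2.45", "dl.dropboxusercontent.com", 2_100_000_000,
     "Mozilla/5.0 (Windows NT 10.0) PowerShell/7.4"),
    # A second host with steady, larger traffic and no anomaly.
    *[(f"2024-03-{d:02d}", "192.168.2.77", "www.dropbox.com", 9_000_000, "Dropbox-Desktop/190.4")
      for d in range(11, 19)],
]


def is_cloud_storage(host):
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)


def daily_volumes(log):
    """{src_ip: {day: bytes_out}} counting only cloud-storage destinations."""
    vols = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes, _ua in log:
        if is_cloud_storage(dst):
            vols[src][day] += nbytes
    return vols


def flag_exfil(log, ratio=10.0, min_bytes=500_000_000, min_history=3):
    """Flag (src, day) pairs whose cloud-storage upload volume is at least `ratio`
    times the host's own median over prior days AND above `min_bytes`, so that
    neither a tiny host nor a large steady one trips the rule. Each finding also
    records whether a scripted (PowerShell) client produced the traffic, which is
    the EDR-side signal in the scenario."""
    scripted = {(day, src) for day, src, dst, _, ua in log
                if is_cloud_storage(dst) and "powershell" in ua.lower()}
    findings = []
    for src, days in daily_volumes(log).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]
            if len(prior) < min_history:
                continue                      # not enough history to baseline
            baseline = statistics.median(prior)
            if days[day] >= min_bytes and days[day] >= ratio * baseline:
                findings.append({"src": src, "day": day, "bytes": days[day],
                                 "baseline": baseline,
                                 "scripted_client": (day, src) in scripted})
    return findings


if __name__ == "__main__":
    for f in flag_exfil(PROXY_LOG):
        print(f)
```

Baselining per host rather than fleet-wide is deliberate: a finance server that uploads gigabytes nightly must not mask a workstation that normally uploads a few megabytes. The user-agent check is a weak signal on its own (it is trivially spoofed) and is only recorded to support the EDR finding, not to decide the verdict.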

Phase 2: Containment

Q1: How should the SOC team contain the suspected exfiltration activity?
Answer:

• Endpoint Isolation: Disconnect the affected endpoint (192.168.2.45) from the network to immediately stop the unauthorised traffic.
• Network Blocking: Update firewalls and web proxies to block traffic to the Dropbox subdomain and other suspicious IP addresses.
• Account Suspension: Temporarily disable the account [email protected] to prevent further misuse by attackers.
• Quarantine Devices: Any devices or systems that communicated with the compromised endpoint should be identified and quarantined to prevent lateral spread.

Q2: What measures can be implemented to prevent further data leakage?
Answer:

• DLP Policy Enforcement: Enhance data loss prevention (DLP) policies to detect and
block sensitive data uploads to unauthorised cloud services.
• Advanced EDR Features: Enable endpoint detection capabilities to prevent
unauthorised script execution (PowerShell lockdown or script blocking).
• User Awareness: Communicate with employees about the incident and reinforce
the need to avoid suspicious emails and report unusual activity immediately.

Phase 3: Root Cause Analysis

Q1: What steps should be taken to confirm the attack vector?
Answer:

• Email Header Analysis: Inspect email headers and metadata for the phishing email
containing Project_Finance_Report.xlsm. Identify the sender domain and assess its
legitimacy.
• Attachment Forensics: Analyse the malicious Excel file for embedded macros or
scripts. Extract and execute the macro in a sandbox environment to understand its
behavior.
• Endpoint Process Audit: Use endpoint security tools to trace the origin of the
malicious process, pinpointing when and how it was executed.

Q2: How can the SOC team determine the extent of lateral movement?
Answer:

• Lateral Movement Analysis: Examine internal network logs for unusual connections originating from 192.168.2.45. Look for unauthorised access attempts on file servers, databases or other endpoints.
• Credential Dump Detection: Check for evidence of credential theft using tools like
Mimikatz or abnormal privilege escalation events.
• SIEM Correlation: Use the SIEM to correlate logs across the network for anomalies
tied to the same attacker TTPs (Tactics, Techniques and Procedures).

Phase 4: Business Impact Assessment

Q1: How should the SOC assess the impact of the breach?
Answer:

• Data Sensitivity Analysis: Identify the type of data exfiltrated, such as patient
medical records and financial projections, to determine regulatory implications
under GDPR and HIPAA.
• Operational Impact: Evaluate the criticality of affected systems and assess
downtime or operational delays caused by the incident.
• Reputational Analysis: Work with PR and legal teams to gauge the potential
reputational impact among customers and partners.

Q2: What actions should be taken to comply with legal and regulatory obligations?
Answer:

• Incident Reporting: Notify relevant regulatory bodies within the required timeframes. Under GDPR (Article 33) the supervisory authority must be notified within 72 hours of becoming aware of the breach; under the HIPAA Breach Notification Rule affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and HHS within the same period for breaches affecting 500 or more individuals.
• Customer Communication: Inform impacted customers transparently, outlining
steps being taken to address the breach and prevent recurrence.
• Legal Review: Work with legal counsel to assess liabilities and prepare for potential
fines or lawsuits.

Phase 5: Post-Incident Actions

Q1: What steps should the SOC take to eradicate persistence mechanisms?
Answer:

• Credential Reset: Reset all credentials associated with the compromised account
and endpoint, enforcing stronger passwords and MFA.
• Backdoor Removal: Conduct a thorough forensic scan to identify and remove
backdoors or malicious scripts.

• System Rebuild: Reimage the affected endpoint to eliminate any residual malware.

Q2: What long-term improvements should be implemented to prevent recurrence?
Answer:

• Enhanced DLP Policies: Implement stricter DLP controls to monitor and block
unauthorised data uploads.
• Regular Phishing Simulations: Conduct ongoing phishing awareness training and
simulations to reduce susceptibility to email-based attacks.
• Proactive Threat Intelligence: Integrate updated threat intelligence feeds into
security tools to detect similar attacks earlier.
• Network Segmentation: Improve segmentation to limit access and reduce the
impact of potential lateral movement.

TABLETOP EXERCISE 3: RANSOMWARE ATTACK ON CRITICAL SYSTEMS

Scenario: At 10:30 AM, an alert is triggered in the SIEM indicating multiple endpoints (IP
range: 10.1.20.50-10.1.20.60) are exhibiting unusual file encryption activity. Employees
report seeing ransom notes on their screens stating, “Your files have been encrypted. Pay 5
BTC within 72 hours to retrieve them.” The ransomware has encrypted critical files on a
shared network drive used by the finance and HR departments.

• Affected Systems:
o Endpoints: 10.1.20.50-10.1.20.60.
o Network Drive: \\company-finance-share01 (UNC path).
• Key Indicator: Suspicious file extension .locked replacing original extensions on encrypted files.
• Ransom Note Path: C:\Users\<username>\Desktop\README_ENCRYPTED.txt.

Phase 1: Detection and Triage

1. What immediate steps should the SOC team take to validate the ransomware
attack and initiate triage?
2. What indicators in the SIEM logs or endpoint behavior can confirm ransomware
activity?
3. Which tools should be used by L1 and L2 analysts to identify the ransomware
strain?

Phase 2: Containment

4. How can the SOC team prevent the ransomware from spreading to unaffected
systems?
5. What containment measures should be taken at the endpoint, network and server
levels?
6. What steps should the SOC take to secure backups during containment?

Phase 3: Eradication and Recovery

7. How should the SOC determine the root cause of the ransomware infection?
8. What measures are necessary to safely decrypt files or restore from backups?
9. How should the SOC team ensure that all remnants of the ransomware are
removed?

Phase 4: Communication and Legal Obligations

10. What communication strategy should the SOC adopt for internal and external
stakeholders?
11. What are the legal and regulatory considerations for reporting this ransomware
attack?
12. How should the SOC team coordinate with law enforcement agencies?

Phase 5: Post-Incident Actions

13. What steps should be taken to improve defenses against future ransomware
attacks?
14. How can the SOC ensure continuous monitoring for similar attack vectors?
15. What lessons learned should be documented and shared across the organisation?

ANSWERS TO TABLETOP EXERCISE 3

Phase 1: Detection and Triage

1. What immediate steps should the SOC team take to validate the ransomware
attack and initiate triage?

Answer:

o Verify the initial incident report: The first step is to confirm the accuracy of
the alert and identify the nature of the attack. The SOC should examine SIEM
alerts and correlate them with user-reported issues. L1 analysts should
cross-reference the IP addresses of affected systems and investigate the
specific file modifications.
o Isolate affected systems: Disconnect affected systems from the network
immediately to prevent the ransomware from spreading. This is a critical
action to limit further encryption of files.
o Escalate to L2: Once confirmation of ransomware is established, escalate
the issue to L2 analysts for further analysis and response.
2. What indicators in the SIEM logs or endpoint behavior can confirm ransomware
activity?

Answer:

o SIEM Logs:
§ Spike in failed login attempts: This may indicate an attempt by the
ransomware to escalate privileges using brute-force methods.
§ Suspicious file changes: Logs showing rapid modifications to files
across multiple endpoints, especially unusual file extensions
(.locked), indicate that encryption is happening.
§ Network Traffic Analysis: Outbound traffic to unusual or external IP
addresses (often associated with ransomware communications)
should be flagged.
o Endpoint Behavior:
§ Files changing from their original format to an encrypted file extension
(.locked).
§ Presence of ransom notes, such as README_ENCRYPTED.txt, on the
user desktop.
§ Slow system performance due to the encryption process consuming
significant resources.
3. Which tools should be used by L1 and L2 analysts to identify the ransomware
strain?

Answer:

o Endpoint Detection and Response (EDR): Tools such as CrowdStrike,
SentinelOne or Carbon Black should be used to examine endpoint activity
and identify the specific behavior of the ransomware, including the files it
encrypts and any associated processes.
o SIEM and Threat Intelligence Integration: The SIEM (Splunk, QRadar) should
be used to correlate logs and check for known Indicators of Compromise
(IoCs) or attack patterns associated with ransomware variants.
o VirusTotal: Use VirusTotal to hash suspicious files and check them against
its extensive database of known threats.
o Threat Intelligence Feeds: These can be cross-referenced to see if the
ransomware variant is associated with known IoCs (such as command-and-
control server IP addresses).

Phase 2: Containment

4. How can the SOC team prevent the ransomware from spreading to unaffected
systems?

Answer:

o Network Segmentation: Quarantine the affected network segments to isolate the encrypted systems and prevent lateral movement. This can be done by blocking communication between the affected and unaffected segments using firewalls or network access control lists (ACLs).
o Block External Connections: If the ransomware is contacting external
servers, block all known malicious IPs/domains to sever the connection. Use
threat intelligence feeds to block IPs associated with the ransomware strain.
o Endpoint Isolation: Use the EDR tool to remotely isolate the affected
endpoints from the network, preventing further communication and
encryption activity.
5. What containment measures should be taken at the endpoint, network and server
levels?

Answer:

o Endpoint Level:
§ Isolate affected systems using EDR tools. Block any suspicious
processes or services.
§ Disable network shares on affected systems to prevent further file
encryption on the network.
o Network Level:
§ Block inbound and outbound traffic to suspicious IP addresses and domains that are likely part of the ransomware infrastructure.
§ Disable SMB and file-sharing services if the ransomware uses these protocols for lateral movement.
o Server Level:
§ Quarantine the affected servers from the rest of the network to
prevent the ransomware from propagating further.
§ If possible, disconnect critical servers, such as domain controllers, to
limit access to important credentials.
6. What steps should the SOC take to secure backups during containment?

Answer:

o Verify Backup Integrity: Immediately verify that backups are intact and
unaffected by the ransomware. Check that backups have not been
encrypted by comparing file hashes and file extensions.
o Disconnect Backup Systems: Ensure that backup systems (both on-
premises and cloud-based) are disconnected from the network or isolated to
prevent ransomware from targeting them.
o Backup Authentication: Verify the integrity of backup authentication and
make sure backup credentials are secure.
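"Check that backups have not been encrypted by comparing file hashes and file extensions" is only possible if a trusted manifest of hashes exists from before the incident. The following is an added example, not part of the original exercise: it builds a SHA-256 manifest of a backup tree, then verifies the tree against it, reporting files that were modified, files that disappeared, and ransomware artifacts such as the .locked extension and README_ENCRYPTED.txt note from this scenario. The backup tree is constructed in a temporary directory; the file names and the two marker sets are assumptions.

```python
"""Backup integrity verification against a hash manifest (added example, not from the exercise)."""
import hashlib
import os
import tempfile
from pathlib import Path

RANSOM_EXTENSIONS = {".locked"}                 # key indicator from the scenario
RANSOM_NOTES = {"README_ENCRYPTED.txt"}         # ransom note name from the scenario


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative_path: sha256} for every file under root (taken when the backup is known good)."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the tree under root with a trusted manifest.
    Returns modified/missing files plus any ransomware artifacts present now."""
    current = build_manifest(root)
    result = {"modified": [], "missing": [], "ransom_artifacts": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
    for rel in current:
        name = Path(rel)
        if name.suffix in RANSOM_EXTENSIONS or name.name in RANSOM_NOTES:
            result["ransom_artifacts"].append(rel)
    result["clean"] = not (result["modified"] or result["missing"] or result["ransom_artifacts"])
    return result


def demo():
    """Constructed scenario: snapshot a clean backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        fin = Path(tmp, "finance")
        fin.mkdir()
        (fin / "q1_ledger.xlsx").write_bytes(b"ledger data")
        (fin / "payroll.docx").write_bytes(b"payroll data")
        manifest = build_manifest(tmp)
        before = verify_backup(tmp, manifest)

        # Ransomware-style damage: encrypt-and-rename one file and drop a note.
        (fin / "q1_ledger.xlsx").rename(fin / "q1_ledger.xlsx.locked")
        (fin / "README_ENCRYPTED.txt").write_text("Pay 5 BTC within 72 hours")
        after = verify_backup(tmp, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The manifest must be stored somewhere the backup host cannot write (offline or on immutable storage): ransomware that can reach the backups can just as easily rewrite a manifest kept beside them, and then the check proves nothing.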

Phase 3: Eradication and Recovery

7. How should the SOC determine the root cause of the ransomware infection?

Answer:

o Email Gateway and SIEM Correlation: Investigate the email gateway logs to
identify any malicious emails with attachments or links that might have
triggered the attack. SIEM logs can help trace the attack's entry point.
o Endpoint Forensics: Examine the endpoint that first received the
ransomware. Look for evidence of phishing emails, malicious attachments
or suspicious executable files.
o User Activity Analysis: Review the affected user’s activity and logs to see if
they interacted with any suspicious links or attachments that could have
delivered the ransomware.
8. What measures are necessary to safely decrypt files or restore from backups?

Answer:

o Verify the Decryption Key: If a decryption key or tool is obtained (from the attackers, from law enforcement, or from a public decryptor such as those published by the No More Ransom project), test it first on copies of a small set of encrypted files, never on the only remaining copies. Attacker-supplied decryptors are unreliable and can corrupt data, and paying a ransom may be restricted by sanctions law, so treat decryption as a fallback to restoring from backup rather than a substitute for it.
o Restore from Backup:
§ Prioritise restoring files from a known clean backup before the attack
occurred.
§ Perform a full restoration for critical systems (HR, Finance) to
minimise downtime.
o Test Restored Systems: Validate the integrity of restored files and systems to
ensure no traces of ransomware remain.
9. How should the SOC team ensure that all remnants of the ransomware are
removed?

Answer:

o Complete System Scan: Use anti-malware tools to perform a full system scan on all affected and potentially compromised systems to identify any leftover malicious files or processes.
o Memory Analysis: Analyse system memory using forensic tools like Volatility or Memoryze to check for any active ransomware processes or payloads.
o Remove Persistence Mechanisms: Ensure that any persistence mechanisms (registry Run keys, scheduled tasks, services, WMI event subscriptions) used by the ransomware are removed. Check system startup configurations and scheduled tasks for any unauthorised entries.

Phase 4: Communication and Legal Obligations

10. What communication strategy should the SOC adopt for internal and external
stakeholders?

Answer:

• Internal Communication: Immediately notify key internal stakeholders (IT, Legal, HR, Executive team) about the ransomware attack’s scope. Provide a clear update on the incident status, actions being taken and any impact on business operations.
• External Communication: Prepare a public statement for customers, partners and regulators. Ensure the message is transparent about the situation, the steps being taken to resolve the issue and any potential impact on services.

11. What are the legal and regulatory considerations for reporting this ransomware
attack?

Answer:

• Data Protection Laws: Check if any sensitive personal or financial data was
affected, as this may trigger reporting requirements under laws like GDPR, HIPAA or
CCPA.
• Notification Obligations: Depending on the jurisdiction, the organisation may be
required to notify regulatory bodies about the breach (data protection authorities).
• Forensic Investigation and Chain of Custody: Ensure that all evidence is properly
documented for any potential legal action, including preserving the chain of
custody for digital evidence.

12. How should the SOC team coordinate with law enforcement agencies?

Answer:

• Incident Reporting: Contact local or international law enforcement, such as the FBI
or national CERT, to report the ransomware attack, especially if it involves critical
infrastructure or large-scale data loss.
• Provide Evidence: Provide relevant data, including ransom notes, affected systems
and IoCs, to assist law enforcement in tracking down the ransomware operators.
• Follow Legal Advice: Coordinate with legal teams to ensure compliance with laws
related to ransomware attacks, particularly when interacting with law enforcement.

Phase 5: Post-Incident Actions

13. What steps should be taken to improve defenses against future ransomware
attacks?

Answer:

• Security Awareness Training: Conduct regular training for employees, particularly
around phishing attacks and safe email practices.
• Endpoint Protection: Implement stronger endpoint protection with behavior-based
detection to prevent ransomware from executing.
• Backup Strategy: Ensure that backups are automated, regularly tested and kept
offline to prevent them from being encrypted during an attack.
• Vulnerability Management: Regularly patch all software and systems to minimise
the attack surface and address known vulnerabilities.

14. How can the SOC ensure continuous monitoring for similar attack vectors?

Answer:

• Real-Time Monitoring: Implement continuous monitoring for signs of lateral
movement, suspicious file activity and unusual outbound network traffic.
• IoC Integration: Integrate threat intelligence feeds into the SIEM to automatically
detect and block known ransomware IoCs.
• Anomaly Detection: Set up anomaly detection to flag unusual behavior, such as
mass file modification or high-volume outbound traffic, which could indicate a
ransomware attack.
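The two anomaly signals named above, mass file modification and high-volume outbound traffic, as an added example that is not part of the exercise document: a small sliding-window detector run over constructed endpoint and network events. The event schema, thresholds and hostnames are assumptions.

```python
# Added example, not from the exercise document: a minimal detector for the two
# ransomware signals named above (mass file modification, high-volume outbound
# traffic). Event schema, thresholds and hostnames are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

FILE_MOD_THRESHOLD = 50                       # file writes per host per window
OUTBOUND_BYTES_THRESHOLD = 500 * 1024 * 1024  # bytes per host per window
WINDOW = timedelta(minutes=5)

def build_sample_events():
    """Constructed sample data: (host, timestamp, kind, detail). For 'file'
    events detail is the path written; for 'net' events it is outbound bytes."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i in range(120):  # HR-PC-07 rewrites 120 documents in two minutes
        events.append(("HR-PC-07", base + timedelta(seconds=i), "file",
                       f"C:/Users/a/Documents/doc{i}.docx.locked"))
    events.append(("FIN-SRV-01", base + timedelta(minutes=1), "net", 900 * 1024 * 1024))
    for i in range(5):    # DEV-PC-03 behaves normally
        events.append(("DEV-PC-03", base + timedelta(minutes=i), "file", f"/home/b/src/f{i}.py"))
        events.append(("DEV-PC-03", base + timedelta(minutes=i), "net", 2 * 1024 * 1024))
    return events

def detect(events, window=WINDOW):
    """Return {host: [reasons]} for hosts that exceed a threshold inside any
    sliding window of length `window`, evaluated per host and per signal."""
    per_host = defaultdict(lambda: {"file": [], "net": []})
    for host, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        per_host[host][kind].append((ts, detail))
    alerts = defaultdict(set)
    for host, streams in per_host.items():
        # Count file writes in a sliding window.
        writes = [ts for ts, _ in streams["file"]]
        start = 0
        for end in range(len(writes)):
            while writes[end] - writes[start] > window:
                start += 1
            if end - start + 1 >= FILE_MOD_THRESHOLD:
                alerts[host].add("mass file modification")
                break
        # Sum outbound bytes in a sliding window.
        net = streams["net"]
        start, total = 0, 0
        for end in range(len(net)):
            total += net[end][1]
            while net[end][0] - net[start][0] > window:
                total -= net[start][1]
                start += 1
            if total >= OUTBOUND_BYTES_THRESHOLD:
                alerts[host].add("high-volume outbound traffic")
                break
    return {host: sorted(reasons) for host, reasons in alerts.items()}
```

In a SIEM the same logic is expressed as a count or sum over a time bucket grouped by host; the thresholds here are illustrative and should be tuned per environment.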

15. What lessons learned should be documented and shared across the organisation?

Answer:

• Incident Documentation: Document all actions taken during the incident, including
detection, containment and recovery steps.
• Root Cause Analysis: Share the root cause of the attack (phishing, unpatched
vulnerability) and recommend measures to prevent future incidents.
• Post-Incident Review: Conduct a debriefing session with all teams involved in the
response. Review the incident handling process and identify areas for
improvement.
• Policy and Procedure Update: Based on the lessons learned, update incident
response plans and security policies, particularly regarding ransomware.

EXTRA EXERCISES
TABLETOP EXERCISE 4: INSIDER THREAT BREACH

Objective: To evaluate the SOC team’s ability to detect, investigate and mitigate an insider
threat incident while balancing operational and reputational concerns.

Scenario: Your organisation, a healthcare provider, has discovered that sensitive patient
records have been accessed and exported without authorisation. The data breach has
triggered alarms indicating potential insider involvement.

Phase 1: Detection and Initial Triage

Inject 1:

• A SOC analyst receives an alert from the DLP (Data Loss Prevention) system
indicating the export of sensitive files to an external USB device by an employee in
the IT department.
• Endpoint logs show anomalous access to files unrelated to the employee's role.

Discussion Points:

1. What immediate actions should the SOC take to validate this alert?
Expected Response:
o Review DLP logs to confirm the file exfiltration attempt.
o Cross-reference with employee activity logs (badge access, login times).
o Alert the Incident Response (IR) team for further investigation.
2. How should the SOC ensure that this is an insider threat and not an external
compromise?
Expected Response:
o Examine endpoint logs for unauthorised access by the employee.
o Investigate any potential misuse of credentials by third parties.
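Discussion points 1 and 2 above (validate the DLP alert, then separate insider activity from credential misuse by a third party), as an added example that is not part of the exercise document: the DLP export event is correlated with badge and logon logs. All log schemas, users, hosts and IP addresses are constructed.

```python
# Added example, not from the exercise document: correlating a DLP USB-export
# alert with badge and logon logs to tell insider activity from credential
# misuse by an outsider. All log schemas, users, hosts and IPs are constructed.
from datetime import datetime, timedelta

USER_DIRECTORY = {"jdoe": {"dept": "IT"}, "asmith": {"dept": "IT"}}
DLP_EVENTS = [  # USB exports flagged by DLP, with the file's data-owner tag
    {"user": "jdoe", "host": "IT-WS-12", "time": "2024-06-03T22:41:10",
     "action": "usb_export", "file": "patients/records_2023.csv", "dept_tag": "Clinical"},
    {"user": "asmith", "host": "IT-WS-04", "time": "2024-06-04T03:15:42",
     "action": "usb_export", "file": "patients/billing_2024.csv", "dept_tag": "Clinical"},
]
BADGE_LOG = [  # physical access control events
    {"user": "jdoe", "time": "2024-06-03T20:50:00", "event": "entry"},
    {"user": "asmith", "time": "2024-06-03T18:00:00", "event": "exit"},
]
AUTH_LOG = [  # workstation logons; 203.0.113.0/24 is a documentation range
    {"user": "jdoe", "host": "IT-WS-12", "time": "2024-06-03T20:58:12", "logon_type": "local", "source_ip": "10.20.1.12"},
    {"user": "asmith", "host": "IT-WS-04", "time": "2024-06-04T03:12:05", "logon_type": "remote", "source_ip": "203.0.113.44"},
]

def _t(s):
    return datetime.fromisoformat(s)

def badged_in(badge_log, user, when):
    """True if the user's most recent badge event at or before `when` is an entry."""
    prior = [e for e in badge_log if e["user"] == user and _t(e["time"]) <= when]
    return bool(prior) and max(prior, key=lambda e: _t(e["time"]))["event"] == "entry"

def session_for(auth_log, user, host, when, lookback=timedelta(hours=12)):
    """Most recent logon of user on host within `lookback` before `when`, else None."""
    cands = [a for a in auth_log if a["user"] == user and a["host"] == host
             and when - lookback <= _t(a["time"]) <= when]
    return max(cands, key=lambda a: _t(a["time"])) if cands else None

def triage(dlp_event, badge_log=BADGE_LOG, auth_log=AUTH_LOG, directory=USER_DIRECTORY):
    """Classify one DLP alert using physical presence and logon origin."""
    when, user = _t(dlp_event["time"]), dlp_event["user"]
    findings = []
    if dlp_event["dept_tag"] != directory[user]["dept"]:
        findings.append("file outside the user's role: %s" % dlp_event["file"])
    present = badged_in(badge_log, user, when)
    session = session_for(auth_log, user, dlp_event["host"], when)
    logon = session["logon_type"] if session else "unknown"
    if present and logon == "local":
        assessment = "consistent with insider activity"
    elif not present and logon == "remote":
        assessment = "credential misuse by a third party suspected"
        findings.append(f"remote logon from {session['source_ip']} while not on site")
    else:
        assessment = "inconclusive, escalate to IR"
    return {"user": user, "assessment": assessment, "findings": findings}
```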

Phase 2: Investigation and Containment

Inject 2:

• The IT security team finds that the employee used admin-level access to bypass
restrictions.
• The employee’s recent activity shows a pattern of downloading and encrypting large
files.

Discussion Points:

1. What steps should the SOC take to contain the insider threat?
Expected Response:
o Disable the employee’s access to all systems immediately.
o Secure the affected systems and preserve forensic evidence.
o Initiate enhanced monitoring on sensitive systems.
2. What additional evidence should the SOC collect to understand the breach’s
scope?
Expected Response:
o Review historical logs for prior suspicious activities by the employee.
o Examine email and messaging activity for indications of intent or collusion.

Phase 3: Root Cause Analysis

Inject 3:

• Forensic analysis reveals the employee used a backdoor they installed months ago
to access systems unnoticed.
• The backdoor was hidden in a benign-looking software update pushed to the
company’s servers.

Discussion Points:

1. How should the SOC team investigate and remediate the backdoor?
Expected Response:
o Perform a full system scan for IoCs related to the backdoor.
o Remove the malicious code and replace the compromised update package.
2. How can the SOC identify if the insider had external accomplices?
Expected Response:
o Review communications logs for external IPs or suspicious domains.
o Cross-check financial records for unexplained transactions.

Phase 4: Business Impact Assessment

Inject 4:

• The HR department reports that several affected patients have already contacted
the media, causing reputational damage.
• A local regulator has issued a notice requesting details of the breach.

Discussion Points:

1. What steps should be taken to manage the regulatory and public response?
Expected Response:
o Coordinate with legal and PR teams to draft a public statement.
o Notify regulators of the breach, outlining steps taken to mitigate impact.
2. What operational risks need immediate attention?
Expected Response:
o Ensure ongoing patient data security.
o Prioritise patching any remaining vulnerabilities in the IT environment.

Phase 5: Recovery and Post-Incident Measures

Inject 5:

• The insider threat has been neutralised, but operational disruptions persist due to
increased scrutiny on data access processes.

Discussion Points:

1. What long-term strategies can prevent future insider threats?
Expected Response:
o Implement role-based access control (RBAC) and limit admin privileges.
o Conduct regular employee background checks and security awareness
training.
2. How should the organisation improve its insider threat detection capabilities?
Expected Response:
o Deploy user behavior analytics (UBA) tools to monitor unusual activities.
o Enhance DLP policies to detect and block unauthorised data transfers.

TABLETOP EXERCISE 5: ADVANCED PERSISTENT THREAT (APT) CAMPAIGN

Objective: To assess the SOC team’s ability to detect, analyse and mitigate a multi-stage
Advanced Persistent Threat (APT) targeting a critical infrastructure organisation.

Scenario: Your organisation, a major energy provider, has experienced unusual network
activity over the past month. Threat intelligence indicates that an APT group is actively
targeting critical infrastructure in the region. The SOC must investigate and respond to
mitigate the threat.

Phase 1: Early Indicators and Detection

Inject 1:

• SOC receives alerts of repeated login attempts on multiple accounts originating
from foreign IP addresses.
• Threat intelligence correlates these IPs with known APT group infrastructure.

Discussion Points:

1. What are the immediate steps to validate and respond to these login attempts?
Expected Response:
o Analyse logs from Identity and Access Management (IAM) systems to
confirm brute force attempts.
o Block the suspicious IPs at the firewall and initiate user account lockdowns.
2. What other indicators of compromise (IoCs) should the SOC search for?
Expected Response:
o Look for unusual logins, access attempts outside business hours or new
admin accounts created.
o Check for unusual data exfiltration patterns and correlated endpoint activity.

Phase 2: Network Reconnaissance and Privilege Escalation

Inject 2:

• SOC identifies anomalous traffic to a command-and-control (C2) server.
• Forensic analysis reveals that an unpatched application server was exploited via a
zero-day vulnerability.

Discussion Points:

1. What steps should the SOC take to contain the exploited server?
Expected Response:
o Isolate the compromised server from the network immediately.
o Apply a virtual patch using a Web Application Firewall (WAF) or similar
solutions.
2. How should the SOC identify the extent of privilege escalation attempts?
Expected Response:
o Analyse system logs for unauthorised privilege changes or the addition of
new credentials.
o Monitor Active Directory for unusual activity, such as privilege escalation or
lateral movement.

Phase 3: Lateral Movement and Critical System Targeting

Inject 3:

• Internal logs show the attacker has successfully moved laterally to SCADA systems
controlling critical infrastructure.
• Anomalies are observed in the configuration of energy grid load balancers.

Discussion Points:

1. How should the SOC respond to the compromise of SCADA systems?
Expected Response:
o Segregate SCADA systems from the broader IT network.
o Engage OT (Operational Technology) specialists to validate and secure
affected systems.
2. What tools or techniques can detect further lateral movement?
Expected Response:
o Use network segmentation and micro-segmentation monitoring.
o Deploy endpoint detection and response (EDR) tools to identify malicious
behavior.

Phase 4: Exfiltration and Potential Disruption

Inject 4:

• SOC detects a large volume of data being exfiltrated to a known malicious domain.
• Attackers threaten to disrupt energy supply if ransom demands are not met.

Discussion Points:

1. What actions should be taken to stop the data exfiltration?
Expected Response:
o Block the malicious domain in DNS and firewall rules.
o Monitor outgoing traffic for any alternate exfiltration paths.

2. How should the organisation address the ransom demand?
Expected Response:
o Notify law enforcement and legal teams about the ransom.
o Communicate with leadership and follow internal policies on ransom
demands.

Phase 5: Post-Incident Recovery

Inject 5:

• The APT group’s access has been eradicated, but system outages persist and
customers demand accountability.

Discussion Points:

1. What steps should the SOC take to restore normal operations?
Expected Response:
o Validate the integrity of all critical systems before bringing them back online.
o Conduct thorough system scans to ensure no backdoors or hidden malware
remain.
2. What measures should be taken to reassure customers and stakeholders?
Expected Response:
o Issue a public statement explaining the incident and steps taken to resolve
it.
o Offer enhanced monitoring and customer support services as goodwill.

TABLETOP EXERCISE 6: SUPPLY CHAIN ATTACK

Objective: Evaluate the SOC team’s ability to detect, investigate and respond to a
compromise originating from a trusted third-party vendor.

Scenario: Your organisation relies on a widely-used software solution provided by
IzzmierTech Solutions. A recent update from IzzmierTech inadvertently delivered malware
as part of a supply chain compromise. Unusual activity has been detected within your
network, raising concerns of a larger compromise.

Phase 1: Initial Awareness

Inject 1:

• Threat intelligence reports indicate that IzzmierTech’s update server has been
compromised, distributing malware-laden updates to all clients.
• SOC detects outbound traffic from multiple endpoints to suspicious domains
linked to malware C2 servers.

Discussion Points:

1. What are the SOC's immediate priorities upon receiving this information?
Expected Response:
o Validate whether your organisation has applied the compromised update.
o Identify affected systems and isolate them from the network.
2. What sources of information should the SOC analyse to confirm the extent of the
compromise?
Expected Response:
o Examine endpoint logs, DNS logs and proxy logs for indicators of
compromise (IoCs).
o Review system update logs to identify machines that received the update.
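Discussion points 1 and 2 above (confirm whether the compromised update was applied, then find affected machines from update, DNS and proxy logs), as an added example that is not part of the exercise document or of any IzzmierTech tooling: update-log records are matched against the vendor's published installer hash and DNS queries against its C2 domains. The log formats, package name, hashes and domains are constructed placeholders.

```python
# Added example, not from the exercise document: identify which hosts received
# the compromised vendor update and which already talk to its C2 domains. The
# log formats, package name, hashes and domains are constructed placeholders.
import re
from collections import defaultdict

AFFECTED_VERSION = "4.2.1"
MALICIOUS_SHA256 = {"deadbeef" * 8}  # constructed hash of the trojanised installer
C2_DOMAINS = {"cdn-update.example.invalid", "stats.example.invalid"}

UPDATE_LOG = """\
2024-07-02T01:10:03 host=FIN-SRV-02 package=izzmiertech-agent version=4.2.1 sha256={bad} status=installed
2024-07-02T01:12:41 host=HR-PC-05 package=izzmiertech-agent version=4.2.1 sha256={good} status=installed
2024-07-02T01:15:09 host=DEV-PC-03 package=izzmiertech-agent version=4.1.9 sha256={good} status=installed
2024-07-02T01:20:30 host=WEB-01 package=izzmiertech-agent version=4.2.1 sha256={bad} status=failed
""".format(bad="deadbeef" * 8, good="cafef00d" * 8)
DNS_LOG = """\
2024-07-02T02:00:11 host=FIN-SRV-02 qname=cdn-update.example.invalid
2024-07-02T02:03:27 host=HR-PC-05 qname=portal.internal.example
2024-07-02T02:05:02 host=OPS-PC-09 qname=stats.example.invalid
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_kv(text):
    """Turn 'k=v k=v' log lines into dicts (the leading timestamp is dropped)."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def classify(update_log=UPDATE_LOG, dns_log=DNS_LOG):
    """Return {host: {"verdict": ..., "reasons": [...]}}. isolate = malicious hash
    installed or C2 lookup seen; review = affected version but hash not listed."""
    out = defaultdict(lambda: {"verdict": "clean", "reasons": []})
    for rec in parse_kv(update_log):
        if rec.get("status") != "installed":
            continue  # a failed install did not land the payload
        h = out[rec["host"]]
        if rec["sha256"] in MALICIOUS_SHA256:
            h["verdict"] = "isolate"
            h["reasons"].append(f"installed trojanised {rec['package']} {rec['version']}")
        elif rec["version"] == AFFECTED_VERSION and h["verdict"] != "isolate":
            h["verdict"] = "review"
            h["reasons"].append("affected version installed but hash not on the IoC list")
    for rec in parse_kv(dns_log):
        if rec["qname"] in C2_DOMAINS:
            h = out[rec["host"]]
            h["verdict"] = "isolate"
            h["reasons"].append(f"DNS lookup of C2 domain {rec['qname']}")
    return dict(out)
```

A host in the "review" bucket still needs its installer hash verified on disk, since the vendor may have shipped both clean and trojanised builds under the same version number.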

Phase 2: Malware Investigation and Containment

Inject 2:

• SOC finds that the malware installs a backdoor, allowing attackers to execute
commands remotely.
• Internal systems show signs of data reconnaissance, including scans for sensitive
file shares.

Discussion Points:

1. How should SOC analysts contain the backdoor malware?
Expected Response:
o Deploy endpoint detection and response (EDR) solutions to quarantine
affected systems.
o Block communication to known C2 domains at the firewall and DNS levels.
2. What steps should be taken to identify how the malware spread within the
network?
Expected Response:
o Analyse lateral movement patterns using network traffic analysis tools.
o Investigate shared credentials or misconfigured permissions used by the
malware.

Phase 3: Threat Actor Objectives and Impact Assessment

Inject 3:

• The attackers use the malware to exfiltrate sensitive financial data to an external
server.
• Some compromised accounts belong to high-privilege users, raising concerns
about further access.

Discussion Points:

1. What strategies should the SOC adopt to detect and prevent further data
exfiltration?
Expected Response:
o Monitor outbound traffic for unusual patterns, especially large data
transfers.
o Deploy DLP solutions to enforce restrictions on sensitive data access.
2. How should the SOC secure high-privilege accounts to mitigate potential risks?
Expected Response:
o Force password resets for all privileged accounts.
o Implement multi-factor authentication (MFA) for all critical accounts
immediately.

Phase 4: External Coordination and Mitigation

Inject 4:

• IzzmierTech confirms their software update server has been fully compromised and
urges all clients to uninstall the affected update.
• Regulatory authorities contact the organisation, requesting an incident report and
assurance of future security measures.

Discussion Points:

1. What is the SOC’s role in ensuring compliance with regulatory demands?
Expected Response:
o Collaborate with legal and compliance teams to prepare a detailed incident
report.
o Provide evidence of steps taken to secure systems and mitigate further risks.
2. What communication strategies should the organisation use with IzzmierTech?
Expected Response:
o Request detailed IoCs and technical support to aid in investigation and
cleanup.
o Negotiate for future assurances of supply chain security measures from
IzzmierTech.

Phase 5: Recovery and Lessons Learned

Inject 5:

• All affected systems have been restored, but the incident highlights gaps in vendor
risk management and patch testing.

Discussion Points:

1. What long-term measures should be implemented to improve vendor
management?
Expected Response:
o Enforce stricter vendor assessments, including regular security audits.
o Require third-party vendors to follow secure software development lifecycle
(SDLC) practices.
2. How can SOC processes be improved to detect supply chain compromises
faster?
Expected Response:
o Incorporate behavioral analytics to detect unusual system and network
activity.
o Create a robust patch testing and validation procedure before deployment.
