Tabletop Exercise Playbooks
Classification: CONFIDENTIAL — Internal Use Only
Document: security/redblue/tabletop-playbooks.md · v1.0 · 2026-03-16 · GPUS-IT
Scenario 1 — Ransomware attack on WDC infrastructure
Type: Tabletop · Planned: Q2 2026 · Duration: 3 hours · Owner: Director of Cyber Security
Participants
IT Admin, Director of Cyber Security, Network Operations, (optional) Legal/Communications
Scenario
A staff member opens a malicious email attachment. Ransomware executes on their workstation, moves laterally into the WDC network via SMB, and begins encrypting file shares on vmstorage.wdc.us.gl3. SKY and RAIN continue operating, but the NAS backup destination is inaccessible.
Discussion injects
T+0 min: Staff member reports their workstation is "acting strange" and files are being renamed.
T+15 min: IT Admin confirms ransomware process visible on workstation. Network IOCs detected.
T+30 min: vmstorage NAS shows encrypted files. Backup cron at 02:00 may have backed up encrypted data.
T+60 min: Decision point — isolate network or maintain operations?
T+90 min: Restoration from GCS — which backup date is clean?
Key discussion questions
- How is the attack first noticed — Prometheus alert, Fail2ban, staff report?
- Who has authority to authorize network isolation? What is the escalation path?
- Are GCS backups intact? How do we verify before restoring?
- What is the restoration order? SKY → RAIN → SUN → WIND.
- What external notification obligations exist (donors, board, regulators)?
- How do we confirm the ransomware is fully eradicated before bringing systems back online?
Success criteria
- Escalation path followed correctly
- Backup integrity verified before restore decision
- Restoration order executed: SKY → RAIN → SUN → WIND
- Post-incident AIDE baseline update completed on all servers
- Lessons learned documented within 5 business days
Scenario 2 — Insider data exfiltration
Type: Tabletop · Planned: Q3 2026 · Duration: 2 hours · Owner: Director of Cyber Security + HR + Legal
Participants
IT Admin, Director of Cyber Security, HR, Legal
Scenario
A departing contractor with dnsadmin access on SKY/RAIN copies zone files and DHCP leases to an external USB drive during their final week. The action is detected by auditd 48 hours later during a routine log review.
Discussion injects
T+0 min: auditd log shows cp commands copying /var/named/ to /media/usb*.
T+15 min: Contractor has already left the building. SSH keys not yet revoked.
T+30 min: IT Admin revokes SSH keys. What else needs to change?
T+45 min: Legal asks: was any PII in the DHCP leases (hostnames → usernames)?
T+60 min: HR asks: what is the notification requirement to staff?
Key discussion questions
- What data was accessible with dnsadmin privilege? Was DNSSEC key material exposed?
- Was the offboarding procedure followed? When should SSH keys have been revoked?
- Does the DHCP lease data constitute PII requiring breach notification?
- What controls would have prevented or detected this sooner?
- Should we rotate DNSSEC keys following any potential key compromise?
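An added example, not part of the playbook or GPUS-IT's own tooling, of the detection this scenario relies on: correlating auditd SYSCALL and EXECVE records by serial and flagging copy commands that read /var/named or the DHCP lease file and write to removable media. The sample records, the `/var/lib/dhcpd` lease path and the audit key names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not from the page). The serial after the
# colon in msg=audit(...) links the SYSCALL and EXECVE records of one event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1710000000.101:4401): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="cp" exe="/usr/bin/cp" key="dns_zone_access"
type=EXECVE msg=audit(1710000000.101:4401): argc=4 a0="cp" a1="-r" a2="/var/named/" a3="/media/usb0/zones/"
type=SYSCALL msg=audit(1710000000.202:4402): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="cp" exe="/usr/bin/cp" key="dns_zone_access"
type=EXECVE msg=audit(1710000000.202:4402): argc=3 a0="cp" a1="/var/named/db.wdc" a2="/tmp/db.wdc.bak"
type=SYSCALL msg=audit(1710000000.303:4403): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="rsync" exe="/usr/bin/rsync" key="dhcp_lease_access"
type=EXECVE msg=audit(1710000000.303:4403): argc=4 a0="rsync" a1="-a" a2="/var/lib/dhcpd/dhcpd.leases" a3="/media/usb1/"
"""

COPY_TOOLS = {"cp", "rsync", "tar", "scp", "dd"}
SENSITIVE_PREFIXES = ("/var/named", "/var/lib/dhcpd")  # lease path is assumed, not from the page
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb", "/run/media/")

SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group records by audit serial into {serial: {field: value, "argv": [...]}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", 0))  # rebuild argv from a0..aN
            events[serial]["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
        else:
            events[serial].update(fields)  # uid, auid, comm, exe, key, ...
    return events


def find_removable_media_copies(log_text):
    """Flag copy-tool executions that read a sensitive path and write to removable media."""
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        argv = ev.get("argv", [])
        if not argv or argv[0] not in COPY_TOOLS:
            continue
        srcs = [a for a in argv[1:] if a.startswith(SENSITIVE_PREFIXES)]
        dsts = [a for a in argv[1:] if a.startswith(REMOVABLE_PREFIXES)]
        if srcs and dsts:
            hits.append({"serial": serial, "auid": ev.get("auid"), "tool": argv[0],
                         "sources": srcs, "destinations": dsts})
    return hits
```

Run against the sample, the copy of /var/named/ to /tmp is ignored while the two writes to /media/usb* are reported with the login user (auid) that ran them, which is the attribution the 48-hour log review in this scenario needs.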
Success criteria
- SSH key revocation procedure documented and tested
- Offboarding checklist updated with immediate key revocation step
- PII assessment completed for DHCP lease data
- DNSSEC key rotation procedure documented
Scenario 3 — DDoS against DNS infrastructure
Type: Tabletop · Duration: 1.5 hours · Owner: IT Admin + Network Operations
Scenario
A hacktivist group launches a volumetric UDP flood against the WDC public IP targeting port 53. SKY becomes unresponsive. Internal clients lose DNS resolution. RAIN continues to operate but is also experiencing elevated traffic.
Discussion injects
T+0 min: Meraki MX100 shows 95% WAN utilization. SKY BIND stops responding.
T+15 min: RAIN is still up but also seeing elevated DNS query rates.
T+30 min: Decision — apply BIND rate limiting or rely on Meraki to filter?
T+45 min: Clients on 192.168.120.0/23 are losing DHCP renewal because SKY's DHCP is also unresponsive.
Key discussion questions
- What is the failover time from SKY to RAIN for DNS and DHCP?
- Can Meraki apply upstream rate limiting or geo-blocking?
- How do we verify DNSSEC signatures are still valid during the incident?
- What is the communication plan to office staff experiencing connectivity issues?