One week ago BBC posted an article about Co-op’s fast-acting yet thoughtful response to a ransomware cyber attack (Source: BBC via Birmingham Mail). Co-op, also known as The Co-operative Group, is a British consumer co-operative ranging from grocery retailers to legal services. In fact, Co-Op Food, being its largest division, covers the largest geographical spread of any grocery retailer in Britain. Needless to say, their impact on the country is wide and far-reaching.
Reports of barren shelves in major supermarkets began circulating this past Thursday. Customers noted that even the early days of COVID are not comparable to how “worrying” these empty stores have become (Source: The Guardian). This can have a huge impact not only on the company’s image with consumers, but in turn could cost the company millions of dollars in revenue. So we have to ask, “Was their response warranted?”
When we look at the other side of the aisle, Marks & Spencer (thought to have been targeted by the same cyber crime group, known as Scattered Spider) has struggled to recover as quickly as Co-op has (Source: Cyber Magazine). While Co-op was able to prevent being locked out of its computer systems, three weeks after the initial attack M&S was still unable to provide online ordering services. Co-op predicts its shelves will return to normal after the weekend. And the reason for Co-op’s success? Yanking their own plug.
Cyber experts agree that Co-op’s response was the best route. Yes, as Scattered Spider has noted, Co-op did tank their sales and “torch shareholder value” (Source: BBC via Birmingham Mail). I’m sure it is not lost on Co-op that rebuilding consumer trust will take time. But this was short-term pain for long-term gain. In this instance it was a good call.
This decision was made in a high-stakes, high-stress scenario where high-ranking officers need to act quickly. Co-op made this decision knowing exactly what the risks and costs were. For other companies, pulling the plug is not an option. For example, some smaller regional hospitals use telecommunications to contact neurologists at specialized stroke centers to provide services to patients requiring time-sensitive diagnoses. Internet access can quite literally be the difference between life and death. Surely the idea of ceasing Internet services would be out of the question for a healthcare company offering Telestroke.
Tabletop exercises (TTX) allow companies the opportunity to plan out exactly what they would do in a scenario just like Co-op and M&S found themselves in. So let’s imagine for a moment that we are the GRC Analyst that drafted the annual TTX (annual TT&Es are prescribed by NIST 800-53 for federal agencies) that prompted Co-op CISO Paul Love to make the snap decision to shut down Internet services during a ransomware attack (Source: NIST SP 800-53 Rev. 5). How does one prepare all the necessary technical, financial, and managerial factors to present to a team of executives so that when the time comes, absolutely no time is wasted floundering?
The cybersecurity community speculates that the likely initial access vector was an IT Help Desk agent that unknowingly assisted in “resetting a password” for a Scattered Spider actor impersonating a Co-op employee (Source: Specops Blog on RaaS). They then likely gained privileged access to the domain controller and were able to exfiltrate and encrypt the NTDS.dit file containing sensitive consumer and employee data. So this is the scenario we will use for our ransomware incident response (IR) TTX as an evidently clairvoyant GRC analyst.
NIST 800-84 describes TTX as a subset of a test, training, and exercise (TT&E) program and outlines how to design, conduct, and evaluate TT&E events in order to plan an IT emergency response. Before we proceed, let’s quickly review some terminology:
- Test: evaluation tools that focus on recovery and backup operations, conducted in as close to an operational environment as possible in order to quantify the operability of an IT system after it has been compromised
- Training: both the informational presentation to personnel of their roles and responsibilities, as well as the participation of personnel in exercises and tests to demonstrate their skills and understanding of the subject matter
- Exercise: a scenario-driven emergency simulation that validates the viability of the content of an IT plan through either discussion (TTX) or a simulated operational environment
- Tabletop Exercises (TTX): discussion-based exercises in which a facilitator presents a scenario that prompts personnel to break out into discussion about the participants’ roles and responsibilities in order to coordinate overall team decision-making
- Functional Exercises: personnel validate their operational readiness in simulated operational environments by performing the specific duties they are responsible for as a part of their unique role as they would in an actual emergency situation
Say it has already been 9 months since our last ransomware IR TTX here at Co-op. Given that TTXs usually follow training events within a reasonable timeframe, we’ve likely just completed annual training on processes and procedures. Designing the TT&E program this way makes personnel more likely to remember their roles and responsibilities, so that they can confidently participate in the discussion. For a complex TTX like this one, NIST recommends giving the design team up to 3 months to design it. Simpler TTXs need at least a month of preparation.
Speaking of the design team… who is on it? Design teams are typically made up of 3-5 people, each with a unique role to play. As the GRC analyst, we will be in charge of making sure the TTX aligns with policy, compliance, and documentation when creating TTX content. We will also need an IR or SOC Lead to lend us insight into the technical intricacies of how the scenario would likely play out: how would the ransomware enter the environment, and along what infection path? An IT infrastructure representative would then outline the services the ransomware would affect. The facilitator will most often be the CISO and will lead the tabletop discussion. Lastly, we would also act as the data collector during the discussion, taking notes on the decisions made, gaps in knowledge, and potential improvements to the plan.
NIST recommends that tabletop exercises last 2-8 hours, but given what I’ve found in real-world CISOs’ accounts online—depending of course on the topic at hand—ideally a TTX would be wrapped up in half an hour to an hour at most. Given this, in order to respect people’s time, we need to hit the key points as efficiently as possible. First, we must outline what the organization’s overall objectives for the TTX are and answer the following questions:
- Have the expected participants been previously trained on their roles? If not, complete training with them first before proceeding.
- How long ago was the last TTX for the subject matter?
- Given the date of the last TTX, have there been any organizational changes since then that would require an update to the plan?
- Has the TT&E guidance been updated recently? If so, another TTX should be performed in response.
We’ve already determined the topic at hand: an incident response plan for a ransomware attack. This means the next agenda item would be determining the scope in order to narrow down our participants.
Given that our incident response plan will involve the decision-making of senior-level personnel, NIST 800-84 recommends the tabletop exercise last anywhere from 2-4 hours. Operational-level personnel will conduct their own TTX separately (lasting up to 8 hours), and once both TTXs are completed, senior and operational personnel will participate together to validate coordination between them. Let us now identify our participants. Here is who we will be inviting to the table and what their responsibilities at Co-op are:
- Chief Information Security Officer (CISO) Paul Love
- Chief Executive Officer (CEO) Shirine Khoury-Haq
- Chief Information Officer (CIO) Rob Elsey
- Chief Risk Officer (CRO) Stephan Gibson
- General Counsel or Legal Director Dominic Kendal-Ward
- Chief Financial Officer (CFO) Rachel Izzard
- Chief Operating Officer (COO) Pippa Wicks
- Director of Public Relations Russ Brandy
- Chair of the Board Debbie White
- Data Protection Officer (DPO) not publicly listed
- Chief Compliance Officer (CCO) not publicly listed
| Role | Responsibility at Co-op |
| --- | --- |
| CISO | Manages cybersecurity strategy and overall incident response |
| CEO | Final decider regarding public statements and ransom decisions |
| CIO | Manages overall IT infrastructure and business continuity |
| CRO | Manages the enterprise risk portfolio |
| General Counsel | Manages legal exposure |
| CFO | Manages financial response and insurance coordination |
| COO | Manages day-to-day operational impact |
| Director of Public Relations | Manages messaging to the public, media, and employees |
| Chair of the Board | Represents the divisions impacted by the attack |
| DPO | Manages GDPR compliance and leads personal data breach response |
| CCO | Oversees compliance with regulations such as GDPR, PCI-DSS, etc. |
After we’ve determined the objectives, scope, and participants, we will need our CISO’s approval before spending any more time or resources on developing the TTX. We will propose our plan to conduct a TTX, our CISO will approve, and then we will *crack on* (British lingo felt appropriate here).
This is also the time when the CISO would help select the design team personnel. Enter stage left our IR Lead and IT infrastructure representative. As the GRC analyst on the team, we are likely to be delegated as the logistics coordinator. That means at least one month before the actual tabletop exercise we will coordinate the TTX event logistics. NIST provides a sample table of what these duties include:

Okay so we have our objective, scenario, scope, participants, design team delegations, and approval from our CISO. Now what? It’s time to design the exercise material. There are 4 types of documentation associated with tabletop exercises:
- Briefing: an agenda for the participants
- Facilitator Guide: outlines the purpose, scope, objectives, scenario, the IT plan, and a list of questions tailored to each of the participants
- Participant Guide: has the same info as the facilitator guide aside from the exact questions
- After Action Report (AAR): a summarization of the exercise’s evaluation criteria and how well it was met
When it comes time to finally conduct the TTX, to my amusement, NIST specifically suggests participants are given “name tents” in a classroom-like setting where personnel are all able to face the facilitator. Reading this came as a surprise to me, especially since the high school I went to routinely held Socratic sessions where all the students sat around a table. This would be my preference; nonetheless, I’m sure whichever setup is used will suffice.
Each of the participants will be given a guide, and the facilitator will start off the exercise with the briefing, scope, and scenario, then kick off the discussion with one of the discussion questions in their facilitator guide. Discussion is expected to occur naturally between the participants, and the facilitator will inject questions to make sure the group covers all of the objective points, or in case there is ever a lull. All the while, we, as the data collector, will be noting which objectives were met based on the pre-identified evaluation criteria. This data will be used to create the AAR.
A debrief—also known as a hotwash—is conducted with the participants after the tabletop exercise is completed. This is meant for the participants to identify the areas they felt they excelled in and areas they feel they could use improvement. This hotwash will also be included in the AAR.
From the AAR we’ve created, we are now able to assign action items to select personnel to update the IR plan, as well as updating it ourselves. We are also responsible for briefing managers on the results of the TTX and any updates that were made to the IR plan.
I’m really interested in simulating the GRC analyst’s role for creating a TTX like this. I plan on drawing from NIST documentation such as NIST IR 8374, NIST SP 800-61r3, and NIST SP 800-83r1 to draft an actual timeline and layout of what an incident plan would look like for a ransomware attack. From this I will be able to create relevant TTX material. More to come…
Sources:
Co-op Group. “Cyber Incident – FAQs.” Co-op.co.uk, 2025. https://www.coop.co.uk/cyber-incident-faqs
The Guardian. “Scattered Spider Hackers Blamed for UK Cyber Attacks.” The Guardian, May 16, 2025. https://www.theguardian.com/technology/2025/may/16/scattered-spider-hackers-uk-cyber-attacks-google-us-retailers
Birmingham Mail. “Co-op Cyber Hack Latest: Stores Affected and Customer Info.” Birmingham Mail, May 2025. https://www.birminghammail.co.uk/news/midlands-news/co-op-cyber-hack-latest-31657848.amp
Cyber Magazine. “Inside the Co-op’s Cyber Attack.” Cyber Magazine, 2025. https://cybermagazine.com/cyber-security/inside-the-co-ops-cyber-attack
Specops Software. “DragonForce Ransomware-as-a-Service: What You Need to Know.” Specopssoft.com, 2025. https://specopssoft.com/blog/dragonforce-ransomware-as-a-service
YouTube – Paul Love (CISO). “Cybersecurity: Protecting Retail in Real Time.” YouTube, 2025. https://youtu.be/2_FuwW_TSr8
YouTube – TTX Guidance (NIST). “Running Tabletop Exercises for Cybersecurity.” YouTube, 2025. https://youtu.be/7AdIxfsqlD8?si=FLaNzZrNaZ29DQuw
YouTube – Incident Response Training. “Simulating a Ransomware Breach.” YouTube, 2025. https://youtu.be/Qy8INpl0Al4?si=h6Rsxr8eiy9IrxyX
NIST Frameworks and Standards Referenced:
NIST Special Publication 800-84
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. National Institute of Standards and Technology (NIST), 2006.
https://csrc.nist.gov/publications/detail/sp/800-84/final
NIST Special Publication 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations. NIST, 2020.
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-61 Revision 2
Computer Security Incident Handling Guide. NIST, 2012.
https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
NIST Special Publication 800-83 Revision 1
Guide to Malware Incident Prevention and Handling for Desktops and Laptops. NIST, 2013.
https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final
NIST IR 8374
Guide for Cybersecurity Event Recovery: Ransomware Response. NIST Interagency Report, 2021.
https://csrc.nist.gov/publications/detail/nistir/8374/final
