From cybersecurity-skills
Facilitates SOC tabletop exercises simulating security incidents to test IR procedures, train analysts, validate playbooks, and meet compliance without production impact.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
Use this skill when:
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Use this skill when:
Do not use as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities.
Create a realistic multi-phase scenario with escalating complexity:
tabletop_exercise:
title: "Operation Dark Harvest — Ransomware Attack Scenario"
exercise_id: TTX-2024-Q1
date: 2024-03-22
duration: 3 hours (09:00-12:00)
classification: TLP:AMBER (internal use only)
objectives:
1: "Test SOC team's ability to detect and triage ransomware indicators"
2: "Validate escalation procedures from Tier 1 to incident commander"
3: "Assess cross-functional communication with Legal, PR, and Executive leadership"
4: "Evaluate containment decision-making under time pressure"
5: "Test backup recovery procedures and business continuity activation"
participants:
- role: SOC Tier 1 Analyst (2 participants)
- role: SOC Tier 2 Analyst (2 participants)
- role: SOC Manager / Incident Commander
- role: IT Operations Lead
- role: CISO (or delegate)
- role: Legal Counsel
- role: Communications / PR
- role: Business Unit Leader (Finance)
scenario_background: >
Your organization is a mid-size financial services company with 2,500 employees.
The SOC operates 24/7 with 6 analysts per shift using Splunk ES and CrowdStrike Falcon.
It is Friday afternoon at 3:45 PM. The weekend IT skeleton crew starts at 5 PM.
Design scenario injects released at scheduled intervals:
injects:
inject_1:
time: "T+0 (3:45 PM)"
title: "Initial Alert"
content: >
Splunk ES generates a notable event: "Shadow Copy Deletion Detected"
on FILESERVER-03 (10.0.10.50, Finance Department file server).
The alert shows: vssadmin.exe delete shadows /all /quiet
Source user: svc_backup (service account)
This is the first alert from this host today.
questions:
- "What is your initial assessment of this alert?"
- "What additional data would you query in Splunk?"
- "Is this a Tier 1 triage item or immediate escalation?"
inject_2:
time: "T+10 minutes"
title: "Escalating Indicators"
content: >
While investigating the first alert, two more alerts fire:
1. "Mass File Modification Detected" — 2,847 files renamed with .locked extension
on FILESERVER-03 within 5 minutes
2. "Suspicious PowerShell Encoded Command" on WORKSTATION-118 (10.0.5.118)
— same svc_backup account used
CrowdStrike shows process tree: explorer.exe > cmd.exe > powershell.exe -enc [base64]
questions:
- "What is your updated assessment? What incident severity would you assign?"
- "What immediate containment actions would you take?"
- "Who needs to be notified at this point?"
- "How do you determine if this is confined to these two hosts?"
inject_3:
time: "T+25 minutes"
title: "Scope Expansion"
content: >
Enterprise-wide Splunk search reveals:
- 7 additional hosts showing .locked file extensions
- All affected hosts are in the Finance VLAN (10.0.10.0/24)
- svc_backup account was used to RDP to all affected hosts starting at 3:30 PM
- A ransom note "README_UNLOCK.txt" found on all affected hosts
- Ransom note demands 50 BTC, includes Tor payment portal link
- IT reports the svc_backup password was changed 2 days ago (not by IT team)
questions:
- "This is now a confirmed ransomware incident. What is your incident classification?"
- "Walk through your containment strategy — what do you isolate and in what order?"
- "Should you shut down the Finance VLAN entirely? What are the trade-offs?"
- "When and how do you notify executive leadership?"
inject_4:
time: "T+45 minutes"
title: "Business Impact and External Pressure"
content: >
The CFO calls the SOC Manager directly:
"We are closing the quarter-end books this weekend. Finance absolutely needs
access to FILESERVER-03 by Monday morning or we miss SEC filing deadlines."
Additionally:
- Legal asks if customer PII was on any affected servers
- PR reports a journalist called asking about "cybersecurity issues at [company]"
- The ransom note deadline is 48 hours
- IT reports last verified backup of FILESERVER-03 is from Wednesday (3 days old)
questions:
- "How do you balance containment security with business pressure from the CFO?"
- "What is your recommendation on ransom payment? Who makes this decision?"
- "What information does Legal need to assess breach notification obligations?"
- "How do you handle the media inquiry?"
- "Can you recover from the 3-day-old backup? What data is lost?"
inject_5:
time: "T+70 minutes"
title: "Forensic Discovery"
content: >
Tier 3 forensic analysis reveals:
- Initial access was via compromised VPN credentials (svc_backup)
- Credentials were found in a dark web dump from a third-party vendor breach
- Attacker had access for 5 days before deploying ransomware
- Evidence of data exfiltration: 15GB uploaded to Mega.nz over 3 days
- Exfiltrated data includes customer PII (SSN, account numbers) for 12,000 clients
- The ransomware variant is identified as LockBit 3.0
questions:
- "How does confirmed data exfiltration change your response?"
- "What are the regulatory notification requirements? (SEC, state breach laws)"
- "What is the timeline for customer notification?"
- "Should you engage external IR firm? Law enforcement?"
- "How do you handle the vendor who was the source of the credential compromise?"
inject_6:
time: "T+90 minutes"
title: "Recovery Decision Point"
content: >
You are now 6 hours into the incident. Status:
- All 9 affected hosts isolated
- Finance VLAN segmented from corporate network
- LockBit C2 domain blocked at firewall and DNS
- No decryptor available for LockBit 3.0
- Wednesday backup verified clean but 3 days of data missing
- CEO asks for a full situation briefing in 30 minutes
questions:
- "Prepare a 5-minute executive briefing. What do you include?"
- "What is your recovery plan and estimated timeline?"
- "What monitoring will you put in place during and after recovery?"
- "What immediate security improvements would you recommend?"
Facilitator Guide:
EXERCISE FACILITATION PROTOCOL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. OPENING (10 min)
- State exercise objectives and ground rules
- Emphasize: "No wrong answers — this is about testing process, not individuals"
- Remind participants this is a simulation — no actual systems are affected
- Identify the exercise observer/scribe
2. INJECT DELIVERY (110 min)
- Present each inject on screen, allow 2 min reading time
- Ask guided questions to each role group
- Allow discussion but keep on timeline
- Inject additional pressure/complications as needed
- Record decisions, rationale, and gaps identified
3. DISCUSSION RULES
- Participants respond in-character (their actual role)
- Reference actual playbooks and procedures when available
- If participants are unsure, that IS the finding
- Facilitator may add "hot injects" if discussion stalls
4. CLOSING (40 min)
- Hot wash: Each participant shares one thing that went well, one gap
- Facilitator summarizes key findings
- Identify top 5 action items with owners and due dates
Score responses against expected outcomes:
evaluation_criteria:
detection_and_triage:
expected: "Immediately recognize shadow copy deletion as ransomware precursor"
scoring:
excellent: "Correctly identified within 2 minutes, initiated proper escalation"
adequate: "Identified after discussion, correct escalation path"
needs_improvement: "Did not recognize significance, delayed escalation"
containment_decision:
expected: "Isolate affected hosts via EDR, segment Finance VLAN, preserve evidence"
scoring:
excellent: "Immediate isolation, correct priority order, evidence preservation"
adequate: "Isolation performed but delayed or incomplete prioritization"
needs_improvement: "Considered powering off hosts (destroys evidence) or delayed isolation"
communication:
expected: "Timely notification chain: SOC Manager -> CISO -> Legal -> Executive"
scoring:
excellent: "Proper notification within defined SLAs, clear and concise briefings"
adequate: "Notifications made but slightly delayed or incomplete"
needs_improvement: "Key stakeholders not notified, unclear communication"
business_continuity:
expected: "Balance security containment with business recovery needs"
scoring:
excellent: "Realistic recovery timeline communicated, alternative workarounds proposed"
adequate: "Recovery discussed but timeline unclear"
needs_improvement: "Overcommitted on timeline or ignored business impact"
after_action_report:
exercise: TTX-2024-Q1 "Operation Dark Harvest"
date: 2024-03-22
participants: 10
duration: 3 hours
executive_summary: >
The tabletop exercise tested the organization's ransomware response capabilities
across detection, containment, communication, and recovery phases. The SOC team
demonstrated strong technical triage skills but gaps were identified in cross-
functional communication and backup recovery procedures.
strengths:
- SOC analysts correctly identified ransomware indicators within first inject
- Containment decision-making was swift and technically sound
- Legal team was well-prepared on breach notification requirements
- IT operations had clear understanding of backup recovery procedures
gaps_identified:
- gap_1:
finding: "No documented procedure for notifying CISO after-hours"
risk: High
action: "Update escalation contacts with personal phone numbers and backup contacts"
owner: SOC Manager
due_date: 2024-04-05
- gap_2:
finding: "Backup recovery testing has not been performed in 6 months"
risk: Critical
action: "Schedule quarterly backup restoration drill"
owner: IT Operations Lead
due_date: 2024-04-15
- gap_3:
finding: "No pre-approved media holding statement for cyber incidents"
risk: Medium
action: "Draft and approve 3 holding statement templates with Legal"
owner: Communications Lead
due_date: 2024-04-10
- gap_4:
finding: "Service account (svc_backup) had Domain Admin privileges unnecessarily"
risk: Critical
action: "Audit all service accounts, implement least privilege"
owner: IT Security
due_date: 2024-04-01
- gap_5:
finding: "Unclear decision authority for ransom payment"
risk: High
action: "Document ransom payment decision tree with CEO/Board approval requirement"
owner: CISO
due_date: 2024-04-15
metrics:
overall_score: "72/100 (Adequate)"
detection: "85/100 (Excellent)"
containment: "80/100 (Good)"
communication: "60/100 (Needs Improvement)"
recovery: "65/100 (Needs Improvement)"
next_exercise: "TTX-2024-Q2 — Data Breach / Insider Threat Scenario (June 2024)"
--- Track action items from tabletop exercise
| inputlookup ttx_action_items.csv
| eval days_remaining = round((strptime(due_date, "%Y-%m-%d") - now()) / 86400)
| eval status_flag = case(
status="Completed", "GREEN",
days_remaining < 0, "RED — OVERDUE",
days_remaining < 7, "YELLOW — DUE SOON",
1=1, "GREEN"
)
| sort - status_flag, days_remaining
| table gap_id, finding, owner, due_date, days_remaining, status, status_flag
| Term | Definition |
|---|---|
| Tabletop Exercise | Discussion-based simulation where participants walk through incident scenarios without executing technical actions |
| Inject | Scenario update introducing new information, complications, or decisions for participants to address |
| Hot Wash | Immediate post-exercise debrief where participants share observations and initial lessons learned |
| After-Action Report (AAR) | Formal document capturing exercise findings, gaps, strengths, and remediation action items |
| Facilitator | Exercise leader who presents injects, guides discussion, and ensures objectives are met |
| Decision Point | Moment in the scenario requiring participants to choose between options with trade-offs |
TABLETOP EXERCISE SUMMARY — TTX-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scenario: Operation Dark Harvest (Ransomware)
Date: 2024-03-22 (09:00-12:00 UTC)
Participants: 10 (SOC: 5, IT: 1, Legal: 1, Comms: 1, Exec: 2)
Duration: 3 hours (6 injects delivered)
SCORES:
Detection & Triage: 85/100 Excellent
Containment: 80/100 Good
Communication: 60/100 Needs Improvement
Recovery Planning: 65/100 Needs Improvement
Overall: 72/100 Adequate
KEY FINDINGS:
[+] Strong: Ransomware indicators correctly identified immediately
[+] Strong: EDR isolation procedure well understood
[-] Gap: No after-hours CISO notification procedure
[-] Gap: Backup recovery untested for 6 months
[-] Gap: No pre-approved media statement templates
[-] Gap: Service account over-privileged (Domain Admin)
[-] Gap: Ransom payment decision authority undefined
ACTION ITEMS: 5 (Critical: 2, High: 2, Medium: 1)
NEXT EXERCISE: TTX-2024-Q2 (June 2024) — Insider Threat Scenario