Looking for IR Tabletop tips:

What frustrates players that should be avoided?

What sorts of twists and turns work well to throw in challenges and keep things interesting without going into the realm of the implausible?

Also, what sorts of things can I throw in to make sure all players are involved whether they would normally be part of the incident or not? Would you change their role in the game for the purposes of training, or try to rig the scenario to pull them in?

@JohnsNotHere @jerry Thanks for the tips. The event went better than expected for short-notice prep. Everyone had some fun, we learned a little about our IR plan, and a little about how to run one of these events. I was worried my scenario would be too short so I prepped two, and we didn’t need the second at all.

@nbering for the first go, I wouldn’t change peoples’ roles. To drive wider engagement, the scenario can start off with a call from Krebs, who is going to write a very public report about your incident.

@nbering Exercise design starts with objectives, not scenarios. The scenarios are not as important as the impacts that tie to objectives.

@nbering have you listened to @JohnsNotHere’s D&D role playing IR podcasts? Might be a bridge too far for such a short runway.

I would say you need to figure out the end game. Is it to press the team till they break to identify shortcomings? Is it a check the box thing? Somewhere in between?

Tailor the scenario and confounding factors accordingly. Make them show they can produce a process document in a manner not impacted by the scenario.

@jerry @JohnsNotHere I’ve been listening to them all afternoon. I’m not sure gasoline and matches is where I want it to go, but it’s been helpful to get the creativity going. 😉

@nbering @JohnsNotHere if you want to do it again, I wouldn’t make it a bloodbath scenario. Challenging, but achievable is a good place to start. Make them feel good about their performance, but make sure they leave with some action items.

@jerry @nbering 100% this. The show is a different realm where I purposely put people through their paces, but when I do these for an org I try to keep it more "reasonable". Sometimes there is no success criteria, and that's fine. Generally what I do is use a mind map to work out possible scenarios and go from there. Definitely a lot easier. If you want, and you're able, come find me at Cyber City and we can chat more in a few weeks time.

@jerry @JohnsNotHere I think I’ve got a good start for ideas. I’ve been working from Bruce Potter’s Oh Noes! game framework, reviewing @JohnsNotHere’s D&D episodes, and I’ve got some choice incidents inspired by the Bad Things Daily twitter feed, and adapted to our company.

Now I just have to try and predict what people will try and come up with some story paths that won’t be completely avoided by whatever the players actually do.

@nbering @jerry Another tip would be to think on your feet. People will always make choices you didn't expect, but that's okay! Try to think of at least 2 paths, one good and one bad, and if you can try to think of a "neutral" one. From there you can pick the die that will be used for probability, then make your call on the fly, i.e. 1-5 is bad, 6-12 is neutral, and 13-20 is good (assuming a 1D20 is rolled).

@JohnsNotHere Do you use supporting visuals for your scenarios, like screenshots of phishing emails or log snippets when working with more technical players?

@nbering Generally no. I haven't had to get to that phase yet, because I go from an "assumed breach" scenario, i.e. damage has been done. If people ask for the initial vector and it was an email, then I'll just play out the scenario by stating that certain fields were found, or that it was indeed phishing that got past the filters. Then I decide how many people fell for it, but that's usually immaterial.

@nbering @jerry Awesome! I'm glad it worked out for you!

You'd be surprised how long one of these can take! For the show I purposely move them along, but trust me I would have kept @jerry and Andy a lot longer on their episode if only to hear those prophetic sighs of a man who's faced one too many AD infections. ;-) In reality I've run these for 90 minutes on a single scenario and not finished it. But the takeaways were outstanding.

@JohnsNotHere @jerry Yeah, we went about 60 minutes on a scenario that was based on a combination of “security vendor demo reveals years-old breach”, mashed in with some details out of the company’s ticket archives.

@JohnsNotHere @jerry I threw in a twist right at the beginning by double-booking the CISO figure in the room during the vendor call, leaving the newest team member on the call for the vendor’s discovery of an IoC. The look on her face. 😱

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.