Looking for IR Tabletop tips:
What frustrates players that should be avoided?
What sorts of twists and turns work well to throw in challenges and keep things interesting without going into the realm of the implausible?
@JohnsNotHere @jerry Thanks for the tips. The event went better than expected for short-notice prep. Everyone had some fun, we learned a little about our IR plan, and a little about how to run one of these events. I was worried my scenario would be too short so I prepped two, and we didn’t need the second at all.
@nbering for the first go, I wouldn’t change people’s roles. To drive wider engagement, the scenario can start off with a call from Krebs, who is going to write a very public report about your incident.
@nbering Exercise design starts with objectives, not scenarios. The scenarios are not as important as the impacts that tie to objectives.
@lippard Sound advice.
I would say you need to figure out the end game. Is it to press the team till they break to identify shortcomings? Is it a check the box thing? Somewhere in between?
Tailor the scenario and confounding factors accordingly. Make them show they can produce a process document in a manner not impacted by the scenario.
@jerry @nbering 100% this. The show is a different realm where I purposely put people through their paces, but when I do these for an org I try to keep it more "reasonable". Sometimes there are no success criteria, and that's fine. Generally what I do is use a mind map to work out possible scenarios and go from there. Definitely a lot easier. If you want, and you're able, come find me at Cyber City and we can chat more in a few weeks' time.
@jerry @JohnsNotHere I think I’ve got a good start for ideas. I’ve been working from Bruce Potter’s Oh Noes! game framework, reviewing @JohnsNotHere’s D&D episodes, and I’ve got some choice incidents inspired by the Bad Things Daily Twitter feed, and adapted to our company.
Now I just have to try and predict what people will try, and come up with some story paths that won’t be completely avoided by whatever the players actually do.
@nbering @jerry Another tip would be to think on your feet. People will always make choices you didn't expect, but that's okay! Try to think of at least 2 paths, one good and one bad, and if you can, try to think of a "neutral" one. From there you can pick the die that will be used for probability, then make your call on the fly, i.e. 1-5 is bad, 6-12 is neutral, and 13-20 is good (assuming a 1D20 is rolled).
@JohnsNotHere Do you use supporting visuals for you scenarios, like screenshots of phishing emails or log snippets when working with more technical players?
@nbering Generally no. I haven't had to get to that phase yet, because I go from an "assumed breach" scenario, i.e. damage has been done. If people ask for the initial vector and it was an email, then I'll just play out the scenario by stating that certain fields were found, or that it was indeed phishing that got past the filters. Then I decide how many people fell for it, but that's usually immaterial.
@JohnsNotHere Ugh, typo. you = your
You'd be surprised how long one of these can take! For the show I purposely move them along, but trust me I would have kept @jerry and Andy a lot longer on their episode if only to hear those prophetic sighs of a man who's faced one too many AD infections. ;-) In reality I've run these for 90 minutes on a single scenario and not finished it. But the takeaways were outstanding.