Incident Response Tabletop Idea

This is a scenario-based incident response tabletop that I worked on with a colleague. I wanted to share it with the world, as I have had immense success with this. It amazes me how a simple dice roll really draws people in to the event. It sounds silly, but the sense of chance adds so much to a tabletop. It really is just like life, in many ways.

I have done this with only one person acting as a “Complete Dungeon Master”, but it does work better if you have 2 people helping guide and referee things.  This way it is not the whole blue team against a single person, or 1 single person trying to manage the entire blue team during an incident.  I just think it makes game play smoother.

Let’s play a cyber incident response simulation game.

Person A will be the storyteller and incident manager for a virtual company facing a series of cyber security challenges.

Person B will take on the role of the company’s CISO in making strategic decisions to navigate through these challenges.

Here’s how we will structure the game:

  1. Setting the Scene:
    1. Start by describing the company, its industry, and the initial signs of a cyber security incident.
    2. For example:
      • The company is a global manufacturing company with >40,000 staff
      • A broad mix of technology (both legacy on-premise and various cloud-based infrastructure)
      • Most valuable information is intellectual property of their products.
  2. Injects: Present a series of 6 cybersecurity incidents (injects) in a sequential timeline manner, each an escalation making the overall cybersecurity situation worse. Each inject should pose a unique challenge, ranging from detecting unusual network activity to handling ransomware demands, data leaks, internal misinformation, insider threats, and regulatory compliance issues.
  3. Decision Points: After each inject, ask me, as the CISO, to make a decision on how to respond. Include considerations such as risk management, business continuity, public relations, legal implications, and internal communications. Provide at least 3 response options.
  4. Dice Roll: Once I make a decision, roll a die to determine the outcome. The die roll can range from 1 to 6, with varying degrees of success or challenge based on the roll. Adjust the outcome plus or minus 1 based on how well-thought-out any decision response is at the discretion of the storyteller.
  5. Points System: Assign points based on the effectiveness of each decision. Positive points for successful outcomes and negative points for less effective ones.
  6. Debrief: At the end of the game, provide a debriefing session to discuss the outcomes, lessons learned, and areas for improvement in cyber incident management, as well as an evaluation of performance. Remember to keep the scenarios realistic and relevant to the current cyber security challenges faced by your place of work.

Let’s begin with the first inject.

What is the first sign of trouble at the company?

 
