How to Lead Effective Tabletops
written by Glen Sorenson || Guest Author

This article was originally published in the InfoSec Survival Guide: Green Book. Find it free online or order your $1 physical copy on the Spearphish General Store.
Learn More by Having Fun
Imagine herding your team of proverbial cats for what they expect to be another eye-rolling “preparedness exercise.” But instead of the standard fare, you introduce a tabletop exercise (TTX) that’s less about enduring another meeting and more about engaging in a collaborative challenge. It’s like suddenly finding yourselves as the key players in a thrilling plot to outsmart security incidents, bad actors, and other subglobal disasters.
Tabletop exercises have long been a staple of security and BCDR activities, designed to simulate real-world scenarios for team training and preparedness. These exercises typically unfold boringly — in a meeting-style setting where participants discuss sterile scenarios. With some will and some skill, these monotonous exercises can be made much more engaging and even… gasp… fun.
People do learn effectively (and arguably better) when they’re having a good time.
Make It a Game
You can build engaging TTXs by adding elements of gamification. This doesn’t have to be an all-or-nothing prospect. The benefits of a fun tabletop exercise are manifold: identifying gaps in plans, improving team cohesion, and enhancing decision-making skills, all while making the dreaded drill a source of laughter and inspiration. It becomes the perfect blend of necessity and engagement, turning a chore into an intriguing, strategy-driven quest.
But How?
How do we craft and run a fun and effective TTX experience?
Know Your Audience
Is your TTX for a group of highly technical IT and security folks or do you have a mix of IT and non-technical business leaders?
Understand Your Objective
Are you training your technical IR team or are you raising awareness with business leaders?
Play with Assumptions
Don’t be afraid to make assumptions about the scenario and to challenge assumptions made by the team. Yes, your EDR can be bypassed. No, your web app is not invulnerable behind a WAF. Yes, people will click links and cough up credentials and MFA codes.
Keep It Believable
Don’t feel bound by reality. You can invent a fictitious company and environment. It should be grounded in reality, but it doesn’t have to be real.
When there’s more fiction involved, egos and attachments to outcomes often become less involved.
This is a good thing.
Give players a character with a role that may be different than their normal daily self. Have someone play the company CFO bent on numbers, a Communications Manager more focused on their book deal, or the crazy Linux guy that has to use Microsoft technology against his will. Seriously, exaggerate roles and have fun with it. In doing so, you can greatly broaden worldviews.
Don’t Lose Sight of Reality
Bring in some realistic elements. Do a little homework.
Good sources of inspiration are the MITRE ATT&CK Framework and MITRE’s cyber threat intelligence, which contain a great deal of information about real-world campaigns, threat actors, and tooling. You should know the chain of events behind the scenes, but you don’t have to reveal every technical action.
Adapt and Be Flexible
You can shoot yourself in the foot if you plan too rigidly and the participants/players take it in a direction you didn’t think of. They always do.
Randomize
Roll dice. When someone wants to take an action, determine how difficult the task is (a simple high, medium, or low will suffice) and make them roll dice to determine success or failure based on that difficulty. How many times in a real investigation have you wanted to examine logs for something specific, only to find you weren’t logging what you thought you were? Or the flip side, by some sheer miracle, an employee recognized unusual behavior, shut down their computer, and called the help desk?
Different IR roles (and characters if you’re using them) may have different strengths and weaknesses. Your legal counsel is probably not going to sift through logs and your crazy Linux guy may not be the best person to craft messages to customers. Modify dice rolls appropriately.
Bring pizza. Have fun. Learn. Grow!
For help structuring a gamified incident response, check out:
HackBack Gaming: hackbackgaming.com
Backdoors & Breaches: backdoorsandbreaches.com

