Dungeons & Dragons, Meet Cubicles & Compromises

Lately we’ve been running a very cool game with a few of our customers. There’s been some demand for incident response table top exercises. For the most part, these are not fun events. I’ve sat through more than a few stuffy meetings where people walk through an incident and then comb through polices, processes, and procedures. Gah!

Often, there are dry arguments about whether or not a procedure is sufficient or if X technology would really work the way it is should. More often than not people get angry and hurt, and very little changes.  When the whole event is over, most involved don’t ever want to do it again. It’s like slamming your hand in a car door… slightly interesting, but mostly just painful.

We didn’t want to do our table tops this way. (Cause we like to have fun, and not leave customers in tears.) Instead we started incorporating a little bit of randomness into the process with… you guessed it, a 20-sided dice, cause we’re cool like that.

 

 

“Finally! This shirt will be cool!”

The key is not to make it too complex. I understand there are going to be lots of people who insist there should be super duper complicated rules that require years of practice and memorization to get “right”.  These people also tend to be the people who love D&D but want to fight for hours over meaningless details instead of moving a narrative forward. Despite appearances, these people are not your friends and should be avoided at all costs.

“That is not how you roll for Magic Missile!!”

Growing up, the best D&D games were the ones where the dungeon master moved the story forward.  They were willing to simplify and bend the rules for the sake of the story. THAT is what we’re doing here.

UPDATE: The printable version can be found here:  www.blackhillsinfosec.com/cubicles-compromises-printable/

The Rules (dead simple)

For every action your IR team takes you roll the 20-sided dice. If the roll is 11-20, the action is successful. If it is ten or under it fails. Ka-pow.

You get a +5 modifier if your organization has documented procedures for the action.

You get a +2 modifier if your organization has someone trained to do that action.

At random intervals the IT Guru Master (Yes, this role might need a better name) gets to inject a random into the game. (It will help if the IGM has some pen testing experience.) Below are some examples:

-The attacker posts the incident data on Pastebin.
-Bobby the intern kills the system you are reviewing.
-It was a blackbox pen-test hired by the CEO… You can sleep well.
-Legal takes your only skilled handler into a meeting to explain the incident.
-Lead handler’s wife has a baby.
-An unrelated DDoS attack breaks out.
Feel free to add more.

If at any point the team tries to take an action and there are no policies or anyone trained, someone should note that as a gap to be addressed.

That’s it.

Quick Run Through

So, let’s take a starting incident and walk through a couple of action rounds.

IT Guru Master (IGM): Monday morning, the fog clears through the assistance of black coffee. You receive an email/ticket from the help desk that a user reported an AV alert pop up. The help desk technician failed to note the name of the malware. What do you do?
Tech #1: We would go and review that system to see if there are any strange processes

IGM: Do you have procedures for live systems forensics?
Tech #1: No.

IGM: Is anyone trained in live systems forensics?
Tech #1: No.

IGM: Please roll.

Tech #1 rolls a 3

IGM: The action fails. Please note the lack of procedures and training in live systems forensics.

IGM: The AV only caught the stager for the malware, it did not detect the memory injection stage. The malware is running on this workstation. The attacker then attempts to pivot from the infected workstation to another workstation. Does your team have host based firewalls enabled on workstations?

Tech #1: We do.

IGM: Do you have the alerts forwarded to a SIEM?

Tech #1: We do.

IGM: Are there procedures for reviewing and clearing alerts after they have been resolved? And are team members trained to do this?

Tech #1: We do. And, yes.

IGM: Please roll.

The Tech #1 rolls a 7 (the +5 for the procedures and the +2 for the training takes the roll to a 14).

IGM: You have detected the lateral movement. What is your next action?

Tech #1: We would isolate that system.

IGM: Do you have procedures for system isolation?

Tech #1: We do and we are trained

IGM: Please roll.

Tech #1 rolls a 13.

IGM: You have successfully isolated the system. However, it is now time for an inject. The attacker has posted some sensitive HR data from that system to Pastebin. A customer found it via Google. What is your next step?

Tech #1: We would immediately pass this information to management.

IGM: Management, what is your next action?

Manager #1: We would immediately contact the customer to get additional details and we would contact Pastebin to request the information be removed.

And on it goes. The goal is to work through as many incidents as possible to identify gaps in training and procedures.

If you want an added bit of fun, have the Red Team play the part of the attacker(s). The rules for them are simple, every action they take is a simple over ten roll to be successful. No modifiers. If you think this is mean, you’ve never been a pentester. This is more than generous.

The IGM can modify and add rolls for different actions being successful as they see fit. Let’s say the attacker dumps passwords. If the company still has LanMan the IGM will require a roll of two or greater to be successful. If the passwords are NT and a minimum of 20+ characters the IGM would require a roll over 18 to crack a password. (That’s just one example I like to use.) Please, feel free to change and add however you see fit to make the game more interesting, or applicable to your business.

We’ll schedule a webcast soon where we play a round or two to help everyone get a feel for this. It’s much more fun than slamming your hand in the car door.

Happy Holidays!

John