
Good morning. Besides the crickets... there we go, good morning. Hi, hello. A round of applause. Okay, pull out your wallets. It's not working. All right, so this morning we're going to talk about facing the Kobayashi Maru. This is my guide to incident response tabletops, so without further ado, let's go. The right way. Me in a nutshell: my name is JC, I work for Snow Offensive, we're a local consultancy down here in South Jordan, Utah. I focus on social engineering, incident response, and forensics. One of my hobbies is being a maker, so if you guys have seen the cyber attribution dice that get passed around, that's me. Like a scumbag, I totally forgot to bring
some of those out to the audience, I'm sorry. I'm also a former Marine; I did four years down in Pendleton as a radio operator. A lot of the Marine Corps oddities in how I present will come through, and that will include me moving around and interacting with you. This will be a somewhat interactive talk. I get as much value out of it as you get, so I'll pick your brains; I'm curious what you guys do, while I try and impart some of my knowledge. So, Snow Offensive, real quick: we focus on offensive security style assessments, so phishing, those things. This falls under our training services. We use tabletop exercises to essentially get two things out of it. The first one is training: your staff gets more familiar with your incident response plan and procedures. And also testing: you actually learn (bless you) if your incident response plan works, or could survive the battlefield. So let's get into it. Incident response tabletops. How I'm going to break it down is essentially: we'll talk about what a tabletop is, how to design a tabletop, conducting the tabletop, and then reporting. The very first thing I want to do is clarify why I'm giving this talk. Throughout my eight years in information security I've noticed something, and it's what I call the Chupacabra effect.
Yeah, this guy knows the Chupacabra, the real one. So the Chupacabra is a funny story. Put your hands up if you know what the Chupacabra is. Put them up, I can't see. All right, so maybe a third of the room is raising their hands. The problem with the Chupacabra is exactly that: a handful of people will state they know what it is. However, of the people that raised their hands, who has actually seen one? I'm looking around the room and I'm not seeing any hands. Have you seen a picture of a dead one? I've got a pretty scientific Wikipedia diagram here that someone took the time to make. That's the first one; Sasquatch, they're practically related. So that's the first problem that I've identified with the Chupacabra effect: there's little to no first-hand experience. The second thing is multiple opinions on expectations. For the people that raised your hands, if I pulled you into a room, gave you a piece of paper and told you to write down what it is and what you think it looks like, I guarantee they would all be drastically different. That's a huge problem. And lastly, where is the single authoritative source on the Chupacabra? There is none, and that is the Chupacabra effect. Now, for those of you who have been around incident response, one Chupacabra that I've identified is the incident response plan. Everyone has an opinion. I've done probably just under a hundred incident response plan reviews, right: taking a company's incident response plan, reading over it, identifying problems, strengths, weaknesses, those things. I guarantee that none of them... some of them had some common elements, but they all went crazy with some of the ways they handle things. It was really weird. Tabletop exercises are a serious Chupacabra, in my opinion. Everyone and their mom will talk about them, but very few have conducted them, very few have conducted them successfully, and very few
know what they are. So before we get into it too much, who here knows what a tabletop exercise is? All right, you remember the whole analogy I just did? Remember before we started, I said I'm going to pick on you. Okay, so who raised their hand, who knows what a tabletop exercise is? I'm gonna go with you. You're loving it today. Yes, it is interactive, I'm going to come up and talk. Excellent. So what he said was essentially: we propose a scenario, and from the scenario we introduce details, and as the details are introduced we respond to them based on our incident response plan. I'm paraphrasing: describe the response. Excellent, that's a very good stab. Anyone have a different opinion? Here we go, a different one: a lot of people don't have incident response plans. It's a very true fact, and it's really fun to see them do an incident response tabletop when they've got no plan or documentation and they just kind of make it up on the fly. Any others? This is a very good point, this is what I was looking for. So on Michael's point, in the back, sir, your name? Darryl. Darryl, now you're on YouTube, say hi mom. They can only hear me: hi, Darryl's mom. So: there is an incident response plan, we're testing all the parts of our incident response plan, and we have an expectation that logs and collections are there, but no one really knows. This is where we start to get into different methodologies for incident response tabletops. Some schools of thought are that you go through and you say, okay, well, we're collecting Active Directory logs, let's spend the next hour making sure all of our AD servers are producing logs and they're all getting centralized. That is a tabletop method I've seen. I've also seen the tabletop method where they actually use the time to write their incident response plan, which was an absolutely horrible idea, because now the incident response plan is tailored around that one scenario, and that was it. And every once in a while I see what I'll call the golden child, where they're actually doing it to Darryl's definition, which is correct. That's the Chupacabra. I see the Chupacabra in a lot of things; I try and do my talks around where there's very little authoritative knowledge about what things are, and that's the impetus for this talk. We've talked about what a tabletop is, so I'm not going to quiz you there, but Darryl hit the nail on the head: it is a scenario, slowly presented, which your team members have a chance to descriptively respond to. Does that not make sense to anyone? It's interactive, this is here for you. This makes sense? Excellent. Any questions? All right. There's a handful of benefits to conducting a tabletop. The one which gets me a
paycheck nine out of ten times is compliance. The perfect framework is PCI. When I talked about getting two birds with one stone: the tabletop exercise takes care of the testing requirement of PCI and the training requirement of PCI for your incident response plan. Compliance is a huge reason to do it. It's not the best reason, but it's one that gets paid for. So the gentleman over here mentioned that compliance is good because it helps build a cadence, and I'll completely agree. My problem with that is PCI only requires it once a year. More mature... it's 100% better than zero. And my PCI soapbox: PCI is amazing, everybody makes fun of it, but if you imagine a world where those bare minimum requirements don't exist... there's been so many incidents that I've responded to where the root finding is you don't have a firewall. They're out there. More mature organizations that I see go past the compliance and they do about four a year, or they'll do it quarterly. The way they do it to save money is they do three internal and then a big one hosted by an external party. The next thing is to identify gaps. This is the real root and soul of why you want to do a tabletop, because it's better to identify the problems in your plan, in your team members, and in your technology... the gentleman over here, sorry, what's your name? Mister Logs, sorry, Devin. Like Devin pointed out, during an incident is the worst time to figure out that you're not collecting logs, and it's one of the most annoying things when you come on as part of incident response for a client. You're trying to get up to speed with the situation, you get about five minutes in and you say, okay, I'm gonna need the logs from this server, this server, and they cut you off at the table: we don't keep logs. Well, good luck. There's very little you can do. So identifying your gaps is one of the primary points of why you want to do a tabletop. The
next thing that's also important is it defines responsibilities. Who in the room has an incident response plan? I see a couple hands not up, which is cool if you're a student, I get that; if you're unemployed, that's cool, you don't work for a company, things are good. If you work for a company and you're on the IT team and you don't have an incident response plan, we've got problems. Of the people that raised your hands and know you have an incident response plan, how many of them include non-technical team members like your legal team, your HR team? How many of those people know that they're on the incident response plan? Good. There's a handful of times when I'm doing these plan reviews that a company will have their HR team, their legal team, and one of the first questions I ask is: okay, you list public communications as going to do these three tasks; who from public communications has this experience? And they look at me blankly and they say, well, we'll just hand it over to them and they'll figure it out, that's their job. During an incident is the worst time to figure out, one, that you're on the incident response team, and two, how to do a breach notification. Trial by fire is cool, but it's not the right way to do things. Any questions about responsibilities? This is very beneficial when you're conducting one of these tabletops: get everybody in the room, look at them, and say your expectations of their role. There's been a handful of tabletops that I've conducted where the tabletop screeches to a halt, and sometimes it's fun, other times it's just a bickering contest, but we get into who is actually going to do what, and the "that ain't my job" argument. Another benefit: the three that I listed first are kind of what I would call the primary ones; these three are your secondary ones. Assess performance. As we do more and more, we should start keeping metrics: how many gaps do we identify, what types of issues are we coming up with, and I'll go into the exercise maturity. But as Devin stated, there's other room for questions such as "what logs do we have"; that's not the point of a tabletop. We'll talk about where you can actually exercise things like that. But to assess the performance of your team: so here is a notional data breach that we have, here's the situation, here's how much data we lost. We hand that off to a team like our legal and communications team, and let's actually see them produce the breach notifications, let's see them make the publications, the internal statements, let's give them a random reporter calling in and requesting comment. These are things that they're probably not practicing a lot, especially if you're a much smaller or medium sized organization. If your organization has a lot of publicity
time, some of these things might be second nature to them. Some companies are in the news for more company related business; they might do something, or have access to some data, that gets them in the news. How would I say this... for example, one company was dealing with very sensitive services. A tragedy occurred, and when that tragedy occurred (and lots of tragedies like this occur) the media immediately bombarded this company with questions about what you're doing, when you're doing it, who you did it for. So this company was well versed in handling disasters, tragedies, very big issues, so when it came to things like a data breach this was actually second nature. Their issue was more with their business (and we'll get into some of the things that we talk about during a tabletop), the business decisions: if I have an incident, where do I make the decision to stop business processes because of an incident? So usually I get a lot of things out of the public relations team; that's usually a place that has a lot of benefit from tabletops, but in this case it was more the business operations. The next thing is educate. For those of you that raised your hand about having an incident response plan, how many of you have actually read it word by word? I didn't see as many hands, and I saw some hands that didn't raise before. So one of the problems with an incident response plan is it's supposed to be updated often, at least yearly in many cases, usually after there's been an incident. Sometimes it happens, sometimes it doesn't happen. When do you actually get everyone together and talk about the changes? Sir, what's your name? Talk about when Keith from IT has come over to networking: what's Keith's new role? Yeah, he had a role in the incident response plan back in IT, now he's in networking, so how do we educate him on his new roles? How many people in your organization move to different positions? How many of them get new responsibilities? So a tabletop is a great method to educate our members. And lastly, synergize. You don't have to raise your hand for this one, but who here has actually been through an incident that has been pretty gnarly? A handful of you. How stressful was it? Gnarly. This guy shrugged it off, ain't no thing,
this is every weekend. For some people it's the most stressful thing; jobs on the line because that guy forgot to install the firewall that we told them about, right? Others, you know, it's not too bad. But an incident is literally one of the most stressful things, aside from, I guess, downtime, depending on your company. An incident is going to be one of the most stressful things you do in an organization. This is something that could have legal ramifications, cost ramifications to your business brand, right? Think about Target, think about Home Depot. You have huge brand reputational damage, you have a lot of stress on the line. During an incident is not the time and place when you want to learn everybody's little idiosyncrasies about how to work with them. When you deal with an incident you're usually working with a large team of people, some you've never worked with before. I've seen in some incidents you have some lower-level IT guys, networking guys, that are now meeting with the board. If you guys have ever seen that happen, it's the most hilarious thing to watch. It's unfortunate, but if you watch a low-level technical person try and explain the situation to the CEO, there's two different worlds colliding. They're talking over each other, they don't know how to interact, they don't understand the issues from one person's world to the other's. We can help bridge that in the tabletop. There's a handful of times when we'll do a tabletop bringing the executive team in and the technical team, and we'll go through the full scenario top to bottom. When we do that you get the most amazing feedback ever. It's absolutely beautiful, it's like this come-to-Jesus moment, I get a tear in my eye, it's so much fun. What happens, especially for budget, if you guys need budget, is they'll sit there at the beginning of the tabletop and say, okay, well, here's the scenario, and go through piece by piece, and then as we get towards the end the C-level executive asks questions like: how come we didn't know this, where are these logs, or how do I find out this information? And you'll have that low-level technical person say, well, you didn't approve our budget to buy that syslog server that costs, what, ten grand. And then you just see this whitewash on your CEO's face: that we could have this huge issue, compounded by the fact that we're not able to do any type of analysis because I wanted to pinch pennies. It's the most amazing thing that you'll see actually come together when you start bringing teams from different worlds in on a tabletop. Now, I mentioned I'd talk about this a little later on: exercise maturity. Tabletops are great, but they have a place. They're not at the beginning and they're not at the end of what I would
call your testing framework. Your very first thing is planning. This is for the guys that don't have an incident response plan, that might not even have logs: you want to start planning, you want to build your incident response plan, you want to look at some of your capabilities. That's your initial procedural documents. The next thing you want to do, and this was spot-on to Devin's point, is you want to do these things right before you have a tabletop; you don't want to skip them or they're not going to be effective. And that's exercises, practical exercises. You want to say, all right, let's have a scenario where we need to pull these logs. Can we do it? Let's actually do it. Please do it, literally go do it. We think we can hold logs for a year? Go pull me a year ago, right. We think we can see the geographical location of an IP address from our VPN users? Go pull that data. Everything you think you can do, you should be exercising and confirming you can do it, because if not, when you get to a tabletop, this is where we get into a lot of bickering, where we'll say we can do things. And again, tabletops are very fast-paced, they're notional, like Darryl said, they're notional, so we're not actually going to have time to go in and dig out logs. There's going to be a lot of things moving on, so if you say we can get logs, I take your word for it. The tabletop isn't the place to find that out; you want to figure that out before. Figure that out before, so when we get to the tabletop you can stand up and say, well, we can't collect that: a huge gap. Tabletops aren't going to take you all the way either. After you conduct a few, they start losing value. They still have value maybe once a year, but where you want to move: who gets a pen test every year? Fewer people than have incident response plans, kind of fun. So from that, many people usually get penetration tests. Why there's not many in this room, I don't know, that's interesting. One of the things you want to do is leverage your penetration test to be a testing method for your incident response plan. What I mean by that: who here has heard the term purple team? Good, a lot more of you. You want to essentially conduct a purple team test. You want to make sure that you have, as a military word for you, a liaison between your red team and your blue team. So as you're performing your penetration test, and let's say they're doing recon and they find a box and now they're doing a full vulnerability scan on that one box, you guys should have some tool that might be lighting up. That liaison is there to look over the blue team's shoulder and say: you see anything weird with that box right there? No, you don't? Yeah, you're fired. And that's the idea: you want to make sure that you're leveraging a penetration test to give you more capability, specifically in testing. So you guys are getting attacked; test your incident response team to find it, to stop it, to prevent it. That's what you pay them to do, right? That's kind of the maturity model that I've come up with for incident response plan testing. Does that make sense? Are there any questions? None? Sure.
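A concrete version of the "go pull that data" practical exercise described above, as an added example that is not from the talk or from Snow Offensive: it loads constructed NetFlow-style records, measures how many days of flow history are actually present against the retention the team claims, and totals bytes sent from internal hosts to each external destination (the "eight gigs went to this IP" figure the speaker comes back to later). The record format, the internal address ranges and the 1 GiB reporting threshold are assumptions for the example.

```python
"""Practical-exercise check: can we really pull the data we say we can?

Added example, not from the talk. Uses constructed NetFlow-style records
(timestamp, src, dst, dst_port, bytes) to verify two claims a tabletop would
otherwise take on faith: how much history is really on disk, and how much
data left the network per external destination.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export. A real one would come from your flow collector
# (nfdump, an IPFIX collector, etc.), not be pasted inline.
SAMPLE_FLOWS = """\
2019-03-04T09:12:00Z,10.20.5.17,10.20.9.3,445,18203
2019-03-04T09:14:30Z,10.20.5.17,203.0.113.45,443,3221225472
2019-03-05T22:01:10Z,10.20.5.17,203.0.113.45,443,5368709120
2019-03-06T08:00:00Z,10.20.7.2,198.51.100.8,443,41873
2019-03-07T13:45:00Z,10.20.9.3,10.20.5.17,49152,90212
2019-03-08T17:05:00Z,10.20.7.2,203.0.113.45,443,12000
"""

# Constructed "today" so the retention check is reproducible offline.
DEFAULT_NOW = datetime(2019, 3, 10, tzinfo=timezone.utc)

# Assumed internal ranges; adjust to the environment under test.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes),
        })
    return flows


def retention_days(flows, now=DEFAULT_NOW):
    """Whole days between the oldest record present and now."""
    if not flows:
        return 0
    oldest = min(f["ts"] for f in flows)
    return (now - oldest).days


def check_retention_claim(flows, claimed_days, now=DEFAULT_NOW):
    """Compare the retention the team claims with what is really there."""
    actual = retention_days(flows, now)
    return {"claimed_days": claimed_days, "actual_days": actual,
            "ok": actual >= claimed_days}


def outbound_bytes_by_destination(flows):
    """Total bytes from internal hosts to each external destination."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["dst"]] += f["bytes"]
    return dict(totals)


def large_outbound_destinations(flows, threshold_bytes=1 << 30):
    """External destinations that received more than threshold_bytes (1 GiB)."""
    return {dst: n for dst, n in outbound_bytes_by_destination(flows).items()
            if n > threshold_bytes}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(check_retention_claim(flows, claimed_days=365))
    for dst, n in large_outbound_destinations(flows).items():
        print(f"{dst}: {n / (1 << 30):.1f} GiB sent out")
```

On the constructed data the "we keep a year" claim fails (about five days are present) and one external address shows roughly 8 GiB of outbound traffic, which is exactly the kind of finding to surface before the tabletop rather than during it.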
No, not for... so for an incident, right, you'll do as much as you can. That's... yeah, for a live one, if you really don't collect anything, we're very limited on the stuff we can do, right? No, that's fine, you bring up a valid point. So what I do when I develop it, and I'll kind of show you this, is I come up with multiple sources of information. Because I don't get enough time to really meet with the client and understand their infrastructure, I come up with things that they should normally be able to get if they have common tools in their environment. So one of my favorite ones is, oh my gosh, drawing a blank, what's the... it's like IPFIX, Cisco has their own proprietary thing, what is it? It's an aggregate count of all your data. NetFlow, that's it, NetFlow. So NetFlow, IPFIX, that's one of my favorite ones, because most people... who in here is doing full packet capture? Don't you lie to me. You've got this hand that's kind of half cocked, kind of doing it. It's partial packet capture, huh? Okay, okay. Oh, so you are doing it then. So you've got seven days? Excellent. So what's your name? Brandon. Brandon's the only person in this room that's kept seven days of full packet capture. Good work, Brandon. Oh, two, you guys have it too. Excellent. So full packet capture gives you a plethora of information; however, it comes at a ridiculous cost, especially the more days you keep. One of the most cost efficient things is NetFlow. It doesn't tell you as much information, really doesn't tell you much at all, but it does tell you how much data has gone from point A to point B. So it's a great thing from a board level perspective: if we're going through an incident and we're talking with the technical team, and I say, okay, do you guys have NetFlow or full packet capture? Yeah, we have NetFlow. Great, you saw eight gigs go to this IP address. Which is great, because when you do an incident you're not always going to have all the details. You'll know that your PHI server, that holds all your PHI, was compromised, and now you know that eight gigs left. In a lot of cases that's what you get in an incident. How do you respond? So let's talk about designing. This is kind of where we're going to get into the idea: who here's a Star Trek fan? Okay, good, all the people with incident response plans. Excellent. Let's talk about designing a tabletop. First, let's talk about roles. When I conduct the tabletop I have four primary roles. I have the facilitator, that's me. If you guys are doing it internally, that's whatever
brave person you decided to put at the firing line, because this is the person that's going to deal with making the exercise flow, dealing with the problem children, getting to them, coming up with information if somebody throws a curve ball. Then the next person you have is the participant. There's a big difference between participants and observers. A lot of times you'll get into these rooms and a person from the risk department wants to come in and observe, which is fine; however, that person will want to interject and want to act as if I'm conducting an audit. The most annoying thing in the world. Participants are there and they're designed to participate; observers are there to sit back and watch. When I build the room, I make sure, if there's a table, a conference table, what have you, participants are at it, observers are in the back. You're either standing against the wall or you're sitting against the wall, you're out of the way, you're not at the big-boy table. That's the idea. If not, for me it's very hard to figure out who's actually a participant and who's an observer. From an internal team it might be easier, but in an internal tabletop it's a lot harder to tell the risk guy to shut up and stay an observer; for me it's super easy. Next thing is your scribe. When you're going through this, things are fast paced. You're essentially role playing a full incident that could take between one and three weeks in two to four, maybe eight, hours. Having someone there to document and capture notes is a must. I cheat and I bring an audio recorder, which sucks, because has anybody ever done transcriptionist work? Oh my god, those people can't get paid enough. Transcribing audio is... what we're seeing in the world. Does anyone have any questions about the roles? Awesome. Don't worry about taking pictures of my slide deck; when it's creepy is when I don't know what you're taking a picture of. At the end I'll put up my contact information; shoot me an email and I'll send you the full deck, and that way you're not getting
really bad images. Yeah, take a picture of the contact information or swing by and pick up a card, one of the two. So as I was mentioning, you have two types of facilitators: you can have an internal facilitator or an external facilitator. There's benefits to both. The first one, for an internal, is they understand the company capabilities. It takes me a little bit of a learning curve as I get in and start moving to understand what you guys can and can't do. Next thing is you know where the skeletons are in the closet, you know where the weak spots are, you know what strings to pull. In some cases it could be politically dangerous in your company to pull on those weak spots. The next thing is it's less formal. Not having an external party come in is something very much less formal; you guys can just get together on a Friday at 5 o'clock before everyone goes home, because that's when incidents happen. If you didn't know, they always happen Friday at 5:00. That's when I get the call. I don't know why; stop doing it. You know it's right before... well, you guys figure it out at 4:30 and then decide to call me at 5:00, and the fact is you guys have been messing with this since Monday. You could've just called Monday and I can help out. The next thing is it costs less, right? You don't have to fly me in, you don't have to bring me in, you don't have to pay for me. It's really great if you need to do these multiple times, right; if you do them quarterly you probably want to get some internal capability. However, there's benefits to an external person like myself. One, I'm impervious to company politics. I'm the bad guy, you can't mess with me, I can piss everyone off in the room. What's going to happen? You have weak spots, I'll find them, I'll pull them, right. That's one of the benefits: people can't hide behind their title or their rank. The next thing is you get an outside perspective. So how many people have worked at their company for over ten years? Right on. 15? 20? And these gentlemen look like they're 14 years old and they've been at their organization almost 20 years. While I applaud that, one of the problems that I see... seventeen, seventy, eighty, oh my god. Is it your first shop? You get it. Nice. I hate that. Exactly, and that's the thing, at least in my opinion, right, and we can get on a soapbox and go back and forth. When I see things like that where it's a first job, right, and I applaud you guys, I'm not... I am picking on you, I hate you guys. But the thing is, it's like a
bumblebee: you don't get to pollinate. You don't get to go see how other shops are doing it. So things like conferences, going out networking, is probably the most important thing, because you don't get that experience that comes with job hopping every year like some people. Are you a yearly job hopper? What, 100 percent? I need to quit. You guys are probably right on the heels of retirement, so you've got to get that pension, hopefully. State? Right, state or federal. It helps to pollinate. Bringing in an external facilitator brings that outside perspective of: that's cool, this is the way you guys have been doing it for the past 20 years. And there's a lot of shops that have people that have been there for years. At one of them their badges had little indicators for every five years that they had been at the company, and that was like their badge of honor, right. So people got really hoity-toity if they had lots of little stickers and other people didn't have any stickers; they'd do a little dance. Really politically stupid, but that's the benefit of having someone else come in: I can say, hey, you know, I've seen other companies in your industry do things this way, it might not hurt to check it out. Turn on the Travel Channel, as the gentleman said. Another thing is, like I mentioned, I can easily pull on the strings for the weak spots. There's been situations where I've conducted a tabletop, it's been a technical team, and when you host these things people group together: the networking guys will be in the corner whispering, the IT guys will be in the corner whispering. They'll say something, and all the time you'll see the nudge: shut up. That's my cue to jump on them and start digging. When I see the nudge, the gloves come off. But that's one of the benefits of me, or any external facilitator, coming in: I can take on those problems, bring them to light, let your board see them, because it doesn't do you guys any good to hide those things. The other thing is it's more formal. There's just something inherently formal about having an external party come in that might be important for compliance, for the board, for investors to see, things like that. A handful of you raised your hands that you guys conduct tabletops. [audience comment, inaudible]
So, to Darryl's point: for some reason people like to keep it a secret. Darryl's pointing out that one of the benefits of having an external facilitator is you guys are going to get an external report. Finding those weaknesses can move on to the report, and that can find funding. Sometimes I see nudges because they say they did something they really haven't yet, or "we've done it, we said we've done it." That's an excellent point; that is beneficial, having that external report. A handful of you raised your hand and said you guys conduct tabletops, is that correct? How many of you have remote participants? How do you like it? Fine? Excellent. So, as this gentleman says, 40% of his workforce telecommutes. Excellent. And what I find is companies that have that telepresence capability have got, essentially, remote in their blood. They can do video conferences, they can do impromptu. Some people have Skype, they join up in a Skype room; some people Hangouts, what have you. It works well. A lot of organizations don't have that yet; they try and pull it off. If you're... yes, sir? [audience comment, inaudible]
Right, and that's where we get into my comment, "remote is in their blood." If you're used to working in a remote situation, if your technical team members are remote, then you probably have a method to work with them remotely, and that's fine. My slide here is essentially about companies that don't have that remote capability. It's very rare to see companies that actually believe in remote work. They'll try and bring people in remotely because the marketing guy doesn't want to come in and he'll take it via WebEx. You can't do it like that. So my comment here is... I guess I should really clean up the slide a little bit. My comment really isn't "if you have a remote workforce, abandon it," no. It's: don't allow people to participate remotely, or in a method that they normally wouldn't. So if I see people allowed to be remote for the convenience of the employee, for instance the marketing guy doesn't want to come in, or he's off-site due to a schedule change: change the date. If the guy's normally on site, let him be on site. If your technical teams are remote, or your employees are mostly remote, that's perfectly fine; you guys most likely have the capabilities to host those meetings and handle those communications, that's not an issue. Just don't try and have somebody just on a phone, especially if they are two doors over. I suppose the only thing: when I build a tabletop exercise, I build it based on what participants are going to show up, and I have three primary methods. The first one is technical. You can spend four to eight hours in a room talking about the technical aspects of an incident; you can really get into the weeds. For that reason some exercises are specifically designed for just those technical team members: your sysadmins, your network engineers, your helpdesk, and we work through all the intricacies of responding, where we get into some of the logs and some of the analysis. The next thing is just your executives. See here, just your executives, so focusing on your C-levels, right, the people that have what I call an external foot in the incident response plan, where they might not be involved in every incident, but for the really big ones they are. They're usually not well versed in incident response or in technical situations. One of the biggest findings that I usually have from your C-levels is they want some type of weekly or monthly catch-up meeting just to understand what's going on and be kept in the loop, because as we go through these things they feel really left out. So you get a lot of value from the executive side, where we talk about just responding to an incident from the
business impact point of view from the legal perspective how do we handle breach notifications as that talk a little bit about that earlier and then the really fun one is when we mix the teams there's two ways I mix a team I'll do the technical first in the morning and then I'll do the executives in the afternoon this is more of a traditional approach for me because usually it's the technical teams that figure out we have an incident they do some initial analysis they work through it and then they give the bad news at 4:30 I essentially designed the scenarios to work that way so we work through all the stuff and then after lunch I usually
take whoever my point of contact is and I let them brief your sea level teams that one's a lot easier because it's more hands-off what you have from that technical analysis from the first morning session is what you have there's no more data so your sea levels are completely free to run through the tabletop however you'll get the legal stall for those of you have done a tabletop internally how many of you have included your legal team how many of you okay so I got a handful of hands like three out of those three how many of you have had the legal stall where legal says I need more information or we'd have to figure out more before I could
answer that always a lot and that's the internal politics so I got I got one he's my boss other people agree the legal stall is is death and they're lying that's just what lawyers do lie but they do this stall technique it's not going to benefit you I've literally worked through all the analysis we have all the evidence with all the answers to any questions some of the answers might be no or we don't know caveated with we'll never know but what more do you need legal team and that's what they do they stall when you come in and you preface your executive table top that we have all the answers you'll have to make
decisions giving them that heads up changes the game a lot the other thing I do and I mentioned this earlier is I run the two teams simultaneously I make sure the c-level can watch the technical the technical can watch the sea level that's the whole coming to Jesus curing my eye it's an amazing moment because the sea levels can see what the technical team has to deal with how they're how they have their hands tied behind their back if they do and the technical team can see the impetus for why we do things from a sea-level perspective or why we need that information that make sense one of the most important things is selecting a date if you guys are
going to do this pick a date I usually aim for 30 days out just because trying to get on everybody's calendars is painful next thing is timing when I make table tops I usually do it following this metric if it's a single scenario with one team about two hours one scenario with a mixed team or two scenarios with the single team for hours and then two scenarios with both teams around 8 hours Logistics when I do one of these I have a handful of things first one I mentioned was a conference room kind of seating projector whiteboard I do my slides to work through these audio recording device that was my cheating way so I don't have
to scribe things and then snacks and drinks if you've ever been through some of these it gets annoying people get hungry munchies whatnot try and put out some candy for some reason candy puts a little bit more sugar in people's blood they get a little bit more responsive and then they crash and die so the whole point of this talk the Kobayashi Maru so where's my Star Trek fans at excellent Darrell what is the Kobayashi Maru the unwinnable exercise that is how I design all of my table tops as an unwinnable exercise who thinks that's fair yeah one big big smiling hand goes up right here it's perfectly fair there's a there's a reason well it's not fair to
Kirk right that was the whole point the idea behind it is if we get fifteen thirty minutes an hour into a tabletop and I let you guys win all right yeah that's in the laws okay you found it you shut it down great what value is that going to give you as a quote from one of my former clients these guys literally said walk that you're a mean man they literally called me a mean man and the reason is because I bring Hellfire and brimstone I bring it all at the end of every tabletop you have lost all of your data you've been reduced in terms of brand identity worse than Target worse than Home Depot that's the whole idea if I
don't drive essentially to the biggest data breach you guys could have as a company I'm not going to be able to focus on every bit of your incident response plan so the whole point of the Kobayashi Maru is I'm going to design this to failure to figure out how you guys fail figure out where all your vulnerable spots are and that's that's the idea when I do it I essentially start with some type of real-world attack what what's going on in the news what's famous then I add some practicality that's where I essentially map it to your industry and then lastly I top it with the risk you has a PCI shopper you guys a HIPAA shop guess what
data's going out the window I mentioned that I use a slide deck so essentially like Darrell mentioned earlier the talk now uh when I do this I essentially take that scenario that Darrell mentioned and I slice it up into little details and I slowly present that out one of my best scenarios is a lost laptop out of the people that do tabletops who does who has like their best scenario that work really well no one who here has done a lost laptop excellent lost laptop is the best because you can start from something so weak to again the biggest data breach of your company so I usually start with a laptop on a Friday employee going home
had it jacked out of this car but because he's a scumbag employee and doesn't do we work on the weekends you never noticed Monday comes around he's looking for his laptop can't find it check his office calls his wife so I can't find it Oh can't find it all right about noon I'll report it what happened over the weekend well it got stolen it got stolen now this is where you start dealing with the people because they'll say well we have use names and passwords right right well this guy isn't the best employee he tapes his username and password right or we have to factor guess what was in this laptop bag is token so as you do
analysis you find out the attacker connected over the weekend they've been in the network they siphoned data it's a great low risk to end of the world scenario conducting tabletops conducting what I've given tabletop training a handful of times to organizations to help them offer this as a capability this is the heart and soul of it when you conduct it you're essentially playing Dungeons & Dragons you have a handful of things you've got player knowledge versus character knowledge who works my D&D fans excellent right so you know what I'm talking about we're all in the room it's usually not always the case right so you have to take into account that this might start off with IT we're
ten minutes into the incident legal please don't comment yet you have to let the scenario grow a little bit let them show that they're involving legal one of the reasons I do that is because part of your incident response plan is communication procedures how do you bring in people how do you notify so I try and test that early and then just consider everybody in scope you provide information as needed you change the scenario as needed as people are clever when I get a room with some of the company's most clever people they're going to throw curve balls that I have to be able to adapt one of the other things is making sure people participate
getting in their face making sure people answer like I said one of the benefits is testing and training so making sure your participants are engaged in general harassment I think is the title for a mean guy for no reason you got to make sure the stress is there the issues are there the realism is there avoid groupthink this is one of the biggest problems as the tabletop goes on people will just start to Mass together and say yeah that's a good idea let's go this way or gentlemen over here mentioned that guys my boss you usually don't disagree or recommend other methods from that of your boss what I try and do is make sure that if I see that twinkle in
the eye like somebody's got an idea that's a little different make sure to call on them figure out what he or she wants to do how they want to drive and make sure that idea has a stage to be presented the problem child for those of you that have conducted your tabletops if you guys ever had a problem child juice is a networking guy I don't know why no it's the networking guys it's not operate in networking guy right here the problem child there's almost at least one there's always one in the tabletop this is the person that's going to sit there and poke holes in the scenario and say oh that can't happen oh we've got this
or no way so usually the networking guys like picking on sometimes sometimes but there is always a problem child I can guarantee it I don't know who it's going to be for you but there will be a problem child there will be someone that tries to shut you down the second you identify who that problem child is you have to do your damnedest to shut them down as fast as you can come up with some this is why you have to be quick on your feet come up with some alternative when I do the lost laptop once they said oh well there's no way he could have had it use a man password taped on it's like yeah yeah
there is a mate they worked with me some of them brought up um oh we we have full disk encryption like that's great and the username password is taped on it it's happened right so you have to just keep fighting and and really get them to stop you have to make an example you have to stand up to them if you don't this happened on the first one if you don't they will steamroll your exercise and reduce it to nothing question it is Captain Kirk you've got to watch out for Kirk you've got to watch out for the Kirk's so after action summary at the end of the tabletop I do a quick debrief I make sure everybody this is where I do
allow the observers to talk and to contribute I try and figure out what went wrong what went well what other gaps this is big because somebody might be sitting on something when we move past it we didn't get a chance to talk about it next thing is reporting handful of ways to report the easiest thing to do is a t-chart here's your strength here's your weaknesses next thing you can get a little bit more crafty with is some type of SWOT analysis who here is not familiar with the SWOT analysis handful of you guess what Google is your friend I've got five minutes left it's essentially a matrix of your strengths weaknesses opportunities threats that
when you hash it out looks a little something like this where your strengths and opportunities map to your natural priorities your threats and strengths map to some easy defenses and so forth now with five minutes left I'm going to impart on you the most important adage from the Marine Corps and that fight how you train and you train how you fight and it sounds a whole lot simpler than what this guy was saying so we change it up a little bit essentially when you get into a tabletop you work through it how you responded then is exactly how you're going to respond when an actual incident happens when I leave and that's my final words for that group there's just this
huge wave of realism that either we're rock solid or holy crap we're screwed this is again not the only way to prepare for an incident but it is one of the better ways and it's a method in which you can figure out where your gaps are before an actual incident happens so with that as I mentioned we've got five minutes left I can ask answer some quick questions here's the final slide that you actually do want to take a picture of or come up to me and grab a card shoot me an email I'll send you the slide deck I think that's it so questions comments concern save grounds alibis so the question was how real do I make them
whenever possible I be as descriptive as I can because you could say Oh a laptop and we've done that right we've had some organization where we don't want to name names but when you say a laptop right but when I actually say Oh Jim the account executive for the western region everybody all the sudden gets a solid look because they know exactly what Jim has on his laptop so whenever practical and available I make sure to use as much description as possible even if it means pointing the finger it's worth it because then we don't have to play this game up okay well it's also got this data and it's got that everyone knows what Jim
has so the question was so the question was on this scenario which laptop would you pick the the one was not as much juicy detail so the one with as much juicy details right but I get that right wellthank Kobayashi Maria right what's going to destroy the company at the end of the day shim with all the customer information and the largest accounts on his laptop sorry Jim question no this this this is an excellent comment so the gentleman a really good point one of the difficult parts in some of his tabletop Sigma training is when does a customer go from an event to an incident half of the customers I work with they'll actually
have a definition that's its own finding right there the way I do it is I essentially just keep compounding the problems and through every stage until we make that determination I'm asking so have we declared an incident and as I got to the communication lines and this is the last question we can chat afterwards I'll ask okay is this an incident no we're still an IT we're still analyzing here's more information is it an incident yet no we're still analyzing okay well here's some more information oh it isn't incident okay now I expect you guys to follow your communications involve other parties so with that hopefully I think we just had more of a discussion than a question
that's all I have I'll be around the back I got to clean up for the next speaker we can chat more thank you everyone for your time this has been fun thanks for being engaging [Applause]