
All right, this is Quadling, Josh Marpette, on day two of our second virtual B-Sides Delaware, and I really should learn to pause Twitch when I do that. So we are in our second virtual B-Sides Delaware, 2021. We are hoping that this again will be the last virtual B-Sides Delaware; I'm telling you right now it is, and next year we're going to be back in person, bigger and better than ever. We're going to be back at a university, hopefully; we've still got to make negotiations with that. Look, this is a weird time, but we're having a good time here. We're enjoying ourselves, we're learning, we're meeting people, and we're having a great time.

We've got, oh my God, we've already got five or ten people in the classroom today. If you are not in the class right now, where are you at? Get in here, come on in here, let's have fun, because today, for the first time here at B-Sides Delaware, Gwydia is going to be doing, with FuzzButts, a game, isn't it? FuzzButts versus FuzzButts, a red team versus blue team tabletop exercise. So we've got three separate red teams, we've got all sorts of things going on, and you're able to participate and be part of the stream, and so we can totally profit. Okay, we're nonprofit, but whatever.

We can totally have fun with you at your expense, and we're going to watch you do a tabletop exercise. Now the good advantage of this is watching people actually do a tabletop exercise. Wow, how many of you have actually done it properly before? We're going to have our very own Gwydia from Leviathan doing a tabletop exercise. Thank you so much, and I'm going to turn it over and walk away. Have a nice day, guys.

All right, hey everybody. So yeah, I'm Gwed, I am from Leviathan, I'm our tabletop practice lead, so I get to play D&D for fun and profit. Anyhow, so we're going to go through a pretty fun, simple game, not too mentally taxing for stupid
o'clock in the morning, called FuzzButts v. FuzzButts. So with that, if our good friends at PowerPoint want to actually help me... there we go. All right, cheers. Everybody seeing everything? Cool.

All right, so this is the story so far. This is the red team versus blue team game. We're gonna get into the rules in a second, but I really like to start with the story to kind of bring you in. So fuzzbutts.com, one T, very important, is an up-and-coming cat picture aggregator site. They allow users to search for cat pictures by color, breed, size and sassiness. Their claim is that their deep-learning algorithm harnesses the ability of real cats to recognize and hate each other to allow for excellent feline sorting and discrimination. They have a security budget of yes, but they have a small dev team, and their corporate mandate is that everything they do and all their spending has to be done by consensus. Their CEO is Billy Couture, who's, yeah, I think Elon Musk with a much smaller footprint.

So once again, our good friends, here's the other players. So FuzzButts is the blue team in this game. The other players, the red teams, are: Minotaur. They're obviously intelligent; they're like, all right, we're worried about people getting into our data, and again, in a bit of good sense, they're like, cool, let's hire some white hats. So their goal: find the most likely attack vector or vectors and report back to FuzzButts. Their budget is moderate, like don't go crazy, but if there's something within the realm of possibility I'll allow it.

The second red team: Power Brokers, a bunch of script kitties, you can see what I did there. They're trying to make money, they'll do whatever they can, they kind of just want to start trouble. FuzzButts is coming up, getting a lot of buzz for being, you know, cat memes, and they think they might be a good target. They have no money, but they don't give a crap about the law.

Finally there's fuzzbutz.com, see the letter T. They have a different, maybe NSFW, business model, and they were trying for confusion. They lost in court; Billy Couture again, I think, Elon Musk, you know, pasted them on Twitter, and so FuzzButz wants to basically take out their competitor here. They're not doing quite as well, especially after having to spend all that money on that lawsuit, but they're pretty well-heeled. Again, reasonable things I'll let you get away with.

So here we go, red versus blue. What are the rules? Blue team: you guys are going to decide what teams you want to be on, so any number of people can be on any
team, that's fine; you're just going to split up and kind of do this on the honor system. Blue team gets a move. A move is a discrete step that FuzzButts is going to take to harden their systems before an attack. We're going to play this a little fast and loose; we'll accept any reasonable suggestion. I'm going to suggest that one person speaks for the group, or types for the group, either way. But they get three moves, and you get to do it first. So you're going to confer privately and tell me what you're going to do. Again, however, you've got to agree unanimously, and that's the problem, or solutions, depending on how many of you are awake.

Again, you've got up to one month to make these changes. So basically FuzzButts notes something's happening; they get an idea, they have a sense of the three kind of groups of threat actors, but they don't necessarily know what they're doing. So you're trying to basically get as much protection as you can; any reasonable changes to your system architecture, whatever the hell you do, will be allowed.

Red team: each of the red teams, and again you can self-select, all the red teams or one, two or three of the red teams can be in play, y'all can decide what you want to do there. Each of you is separate; each of the red teams gets one move. So again, a move is a discrete step that your team, that your character, thinks is going to get you towards your goal. Again, split into a separate Discord, or if it's just one of you, fine, you're going to DM me. Y'all can assume up to one year's planning: like Minotaur would, you know, know what we're doing; the Brokers have been working on it; FuzzButz has, you know, lawsuits aren't short, they've been planning their revenge. But it's got to be reasonable. Again, I'll be reasonable, or at least funny, and I'll allow it.

What's the end game? Both sides are going to present your moves publicly, first blue then red. I'm going to adjudicate them based on a combination of reasonability and appropriateness. I may ask you to say, okay, why are you doing this and how, and probably go to the dice. I'll usually approximate a percentage, usually on a d10, a percentage of how likely it is; if it's likely, that's fine, if it's not, it's not, and then I'll tell you what happens. You know, I ask in the end: don't fight the scenario, don't be a sore winner, don't be a sore loser, and let's enjoy the game.

Afterwards, if we have time, we can talk about what worked, what didn't, what would you want to see more of, less of; was two hours enough, you know, what do you think? Because not only do I like playing these games and running them, I'd like people to be able to take something away from them, because a lot of us have to play them, and some people have to run these. So let's think about what value this is to you. If we have the time, if the game's really cooking, then I'll take my answers offline. And would this be useful to clients, with clients being really broadly defined: you may not be a consultant, but there's somebody you're doing your thing for, even if it's just you. So maybe give a little thought to how this type of thinking about security, the sort of gamified thinking about security, is going to work for you, or whatever your concern is, and at the end my cat memes will tell you.

So that's it. Now that is it for the need for the slides, though I'm happy to go back to any of them if necessary to describe anything. This is where we are going to split up. Actually, I'm going to ask you guys to split up, but let's get a sense of how many people are here. Okay, cool, like we have, besides me, a total of nine, so there's eight of you. Feel free, I think you guys can unmute, right? And let's talk about who wants to be on what team and where we go from here. This is only going to be as fun as how interactive you all want to be.
Just testing to see if we can unmute. Yeah, everybody should be unmuted. Okay, cool. So yeah, now this is much more about talking back and forth, like any game would be. All right, so...

Oh, excuse me. All right, really, we're gonna do this now? Let's... we're gonna do this, apparently. Go back, go back. All right, let us go into this. Okay, so let's get a sense: who would like to be on the blue team? Who is interested in playing as FuzzButts?

I can be blue team. Okay, who do I have, who is that? Cool, all right, Peter Page, you're blue team. Anybody else want to be on blue team? I mean, if you're the only one, then that's going to really make conferring really easy. Anybody else want to be on blue team? I'll also assist with blue team. Okay, cool, all right, we got one more. All right, if I don't hear any blues, let's see who is interested, if at all, in being Minotaur. Hey, nobody wants to be an auditor, it's not as much fun, right? How about the Brokers, or FuzzButz?

Anybody? And we have a blue team. I'll play, you know, I'll play the other side if we have to, but it's way more fun if you guys do. Let me know what you need; I'll play any player. All right, I think that FuzzButz, the competitor, is probably the most fun out of the three; if you only have one red team, that's probably the most fun. So we have two people as FuzzButts.com, as the blue team; we have one red, at least, playing as FuzzButz, their competitor. Anybody else want to jump on either the red or blue teams? I'll jump on the red team to even it out, I guess. Okay, you can either jump on the competitor or you can choose one of the other two, which would be Minotaur, which is basically the white hat group, or the competitor. Since I've not done one of these before, that sounds good.

Okay, so we've got two people playing as the competitors, we've got two people playing as blue team. Anybody interested in playing as either the outside security consultant, or basically, you know, the anonymous, the out-there group that you can kind of sculpt any way you want, who's just trying to wreck their crap and make some money? Anybody interested in this? Nobody wants to be the Hack the Planet people? Come on. Right, that's what I'm thinking, right? Those are the people that... like, let's be honest, nothing's that fun at 9:15. I think Rando should be Hack the Planet. As the person running this stuff, I wasn't really paying attention, but sure. Nice, I love it. Your job's just going to basically be to come up with some attack. I did... goddamn it, quietly, what I'm doing. Whisper quietly, or slightly angrily.
So for the blue team, how good can we assume their basic security posture is? Like, we have three moves, and do we have to, I don't want to say waste them, but do we have to spend them on basic things, like they have a SIEM, they have XDR, or they have endpoint protection on all their endpoints? Like, are those moves, or can we assume that really basic hygiene is covered? Let's, for the purposes of this, yeah, like your basics are covered. I know, Al Dragon, your idea of basics and everybody else's idea of basics is a little different, but I'm going to go with: be reasonable. If you come up with something ridiculous, I'm going to tell you that you have a 10% chance. But yeah, you don't have to waste one of your moves to be like, we would like this thing called this SIEM. No, that'd be cool.

And if we make our move, you make your first set of moves... oh, and feel free to be talking amongst yourselves on the moves while I'm talking. Ideally you'll be the folks that are on blue team; throw up or open up your own DMs, be talking about what moves you want to make. Red teams, think about it. And feel free to jump in too if you don't want to actually play one of the players but you want to make comments, it's fine. We're sitting around a virtual gaming table; this is chill. So yeah, give me anything reasonable. If we go around and it's going well, and I apparently don't buy my morning coffee, you may get a response round, so red teams may screw with your [ __ ] and you may get a chance to respond and go back and forth a little bit, because we've got a two-hour slot. If people are interested, we'll keep playing the game.
So I'm hoping at this point... actually, since you've got the classroom, you've got this class as long as you want. Well, there we go, so we can keep playing as long as this is fun, or, you know, talk about that, or talk about tabletops. The thing about doing these, and again I hope you guys are thinking and talking in the background, the thing about doing these is, just like a real regular, you know, D&D, or, you know, I play and design tabletops for fun, they go at the speed of the players to a certain extent. And this is true when you're doing them for real, when you're doing them for a client; sometimes it's pulling teeth, which is kind of why I try to design these.

And, you know, you have options there. You can get a little crazy, which, you know, you can run up cat memes. If you've got that one dude, that one old head who just knows all the answers and nobody's talking, you can, what I call, bad-clam them out: like, okay, great, y'all went to lunch and you had the bad clams, you're out for the rest of the scenario. You can put injects in, which is, you know, dropping bad [ __ ] in.

So my favorite is what I call the Arizona Bay scenario: like, okay, guess what, the entire West Coast has dropped into, you know, earthquake, dropped into the bay, or dropped into the Pacific Ocean; Arizona is now beachfront property, which also means that all of AWS West just drops, all of everything else just drops, and how do you deal with something that sounds ridiculous but could happen? Maybe not that much, but like, how do you deal with real catastrophe? So there's a lot of ways to go with this. Even if you have to do tabletops, or IR thoughts, or, you know, writing standards, you're trying to figure out the work. Thinking of this in these kind of ridiculous terms is often useful: like, are you really preparing for the West Coast to drop into the ocean? Probably not, but what sort of branching pathways does that get you thinking about? And it's a lot more fun to do it like that than it is to be like, okay, and then this backbone went down, and then this happened, and then this happened. You're going to get the same effect, but you're going to enjoy it a lot more. And, you know, even if you're not doing it formally, there's a lot of nice gamified tools you can use to be doing this stuff, like Backdoors & Breaches, Elevation of Privilege, yada yada.

All right, checking in with our actual players. Blue team, have you come up with three moves that you are ready to DM me, or, you know, let me know secretly, because obviously I don't want the red teams getting all sneaky and changing? We have two moves and a bad joke. Well, that is perfect. Okay, so I'm going to let you do those. Given the way we're doing it here, usually I'd have you send them to me and I would do a little adjudication on it, and then red would respond secretly, but in
this case, because we're going for a little back and forth, and because you promised me there was a joke, we're just going to go with it. So blue team, let's move on.

Okay, move one is a well-implemented DevSecOps workflow where all code is deployed through a CI/CD pipeline that automates vulnerability scanning, does stuff like SAST, DAST and SCA, and flags vulnerable upstream code that needs to be patched. All right, that sounds reasonable, absolutely reasonable given your finances. You've got a small team, and I didn't define small, so, and that's fine, I'm again playing this a little fast and loose because it's morning. Tell me a little bit more about how that is happening. Remember, you've got one month to be doing this, so how are you making that happen with a reasonably small team but a budget of yes? Are we bringing in an outside consulting firm that are experts at doing that sort of DevOps stuff with the security embedded in it, and they set it up and train our developers on how to push their code that way? Okay, you know what, I'm gonna say that's totally reasonable. I am gonna do a roll on it, but I'm gonna say that you've got an 80% chance of that going pretty smoothly given the parameters that I've set.

If I thought about it, I would have done my dice roller on the second screen, but nobody actually gives a chip. Yeah, 90, you got that; that works. That is reasonably in place now. We'll see what the red team has to say about all that, but I'm going to tell you that that's reasonably in place. So what's number two? Xenophage, you want to explain number two? Yep, as soon as I can find my mute button. Number two is, we have an internal threat hunting team that does their thing on a daily basis, so they're out there kind of trolling the network, looking for pretty much anything that's wrong or shouldn't be there, and tracking it down.

Okay, did they exist prior to this month, when you started getting some intel that these attacks were going to happen? Was this a pre-existing thing or did you spin it up? The company had a security department that had, you know, sort of a full-on... yeah, I mean, they're a little bit more advanced than your general yes/no security team, so they weren't doing threat hunting prior to that. This is something new that they started because they've been made aware of the threats, but they kind of gelled as a team and off they went.

Okay, all right, I'm gonna say, given that, and this time I'm actually going to do this, yeah, I'm going to say you've got like 60% on that one. So I think that's a reasonable thing that you had going on, so if I get six or below you're good. Two, two, two, five, eight. Great, that happened, so that's part of your security posture at this moment. All right, give me your third. Hold on, give me a moment. Why didn't I put Baileys in this? I mean,
I'm a professional. All right, hit me with your third.

So we're slightly concerned that you'll rule this unrealistic, but we have users who paid attention and took their security awareness training seriously. Hey, there's the joke. Yes, I swear to God, I was just getting undefeated. I mean, I'm going to give it a two, so that there's actually a chance that you make this [ __ ]. Now, in fact, it's so much fun. Okay, so the problem is I rolled a nine on it. So you give people this training, but you decide to do it live, you decide to do it in person as a mandatory, everybody-do-it-at-once, PowerPoint-slides-at-you thing, and you hand them out, you print out all the slides, you hand it to them, and it's at like 8 a.m., and half of your people are West Coast anyway, and you're doing it the day after Easter, and at least a couple of your people, all they see is the shiny things in here: oh, click on the shiny thing, if we email it to you. Because you say, all right, we'll follow up on this over the course of time, and at least two people get a really blatant phishing email and click on it.

So now you've set up all of these great things, and now you're going to be at sort of a disadvantage before the red team gets in, because you've got a malware incident on your hands, because you all decided to get funny. I'll say at this point, 40 or 50% of your team is now investigating a malware incident. So good job; that went about as well as real life, right? You see, and now you know why we're sitting here.

All right, so red teams, and if you've been listening to this and you've just decided, like, okay, I've heard this and I want to get in on this, that's fine. I'll go through the red team players, or the red team groups, and if you're just like, oh yeah, if I were X I'd do this, do it. All right, let's start with... I think all we had staffed so far was the competition. So folks playing the competition, assuming you get one big splashy move against these guys, what are you doing?
My idea was that we leverage our very similar-looking domain name to do a phishing attack [Laughter], and since the training went really well, maybe I'll actually get a couple hits. All right, I'm giving you an 80% chance that that's going to work, because their training went horribly. Let's do it. That works; you absolutely get it. In fact, they can't, at least right now, prove it, but it seems like the malware might have come from y'all. However, that being said, the competitors, unlike the Power Brokers, do have to worry about the law. So I'm gonna say you guys have a pretty good budget, but I'm gonna say that... in real life I'd have you guys make a roll, but I'm gonna say that you're gonna have to survive whether or not it gets traced back to you. So I'm going to say there's, let's say, a 40% chance. So let's see what we got here on whether it gets traced back to you: it does not. So you have absolutely, through a brilliant FuzzButz-related phishing scam, hit them; they're dealing with some sort of malware, and we'll figure out what that is probably in a second. Because none of our accounts were, you know, hacked and used to attack our competitor accidentally? Just, no, accidentally, exactly. No, that's exactly right.

It doesn't come back to you. Obviously everybody thinks that it might be you, but nobody can really prove it, and you did well enough that, at least right now, I'm gonna say that there's no social media blowback against you, no reputational damage. The roll went well enough; had it been a little lower, I think people would be more suspicious, but right now it's just, like, it could have happened but didn't.

Does anyone want to make an attack on behalf of the outside security company? Not the ones that FuzzButts said they hired to harden, but, you know, pen testers. Does anybody want to make an attack from the point of view of some hired pen testers?
All right, then I'll do it. I'm going to say that they assign some fairly junior people to this, because after looking at it, after finding out how profoundly expert your staff is in listening to your training, they assign associates, they assign juniors, and so the juniors just decide, all right, we're going to just do a real basic port scan and see if we see anything open. Like, that's their first attack; not terribly sophisticated, but that's where they're going to start, based on putting the least effort in for this. So I'm going to say there's like a 50% chance they're going to find something, because you did actually take the time to harden your security posture; it's just that, you know, PEBKAC errors all the way down. They do not... somehow they did not find anything on a basic port scan, so so far doing well.

Does anybody have any ideas coming from the point of view of Hack the Planet? I think we had somebody that we got volunteered to do that. Okay, I was volunteered to do that. All right, remind me what I'm coming up with again; I really was concentrating on other things and then Quadling sold me out. Yeah, no, you're fine. You're coming up with an attack against... how would a Hack the Planet kind of group hit a startup that's decently well set up? And your goals are what you want them to be: ideally you'd like to make a little money, but you might just be going after their reputation. You're just kind of a loosely associated group who is trying to make trouble whatever way you want.

Sure. One of our operatives took a stroll to get some coffee past their office and dropped a few USB keys out in their parking lot, which have some things that are going to happen when they get stuck into the machines. Okay, given the wonderful training, I'm going to say that that's like 70% likely. Let's see what happens. Well, the magic will die... oh yeah, that works. So tell me what was on those keys; tell me exactly what, you know, tell them what's interesting, what they're coming up against now. Sure, they were... once they get plugged in and the autorun launches, the USB key, it now has popped a shell on... well, assuming, and I don't know, I suck at these games because they assume a lot. I'm going to do it. Okay, you
assume anything you want. If I think it's unreasonable or out there, I'll push back, or I'll let the dice decide it. So I'm going to assume a late-stage startup has employees with laptops that have administrator privileges on them, or that run as administrators, and once that pops up, that then opens a channel to a C2 callback server. That's totally reasonable; I'm not going to even make a roll on that. Especially, you know, I didn't say so, but especially if we're talking the last couple years, that's definitely going to have happened.

Okay, so this is where we're at. Blue team, do you have a sense, have you at all been talking about how you might respond to that? So can we get a roll for whether either the EDR or the sort of outbound traffic monitoring to the SIEM and the SOC picks up the evidence of this? Yeah, and I'll say you really did put effort into that, so I'm going to say that you've got a pretty high likelihood. Yeah, you catch it [Laughter]. Yeah, but catching it and doing something about it is its own issue. So we've got some stuff, so let's deal with it in line, blue team. I'll tell you right now, I'm going to go in terms... we'll discuss the ransomware, and then we'll discuss the malware, which, okay, guess what, ransomware, and then what you found next. So I think that covers the two major things, yes, because the port scans didn't come up with anything.

So let's start with blue team. How are you going to respond to the malware that definitely didn't come from your competitor? No way, no, hell no, no chance. And blue team, I'm going to say, let's just go from here and let's hear what you've got. Okay, so we detected it, and... let me be very clear, there's two things going on. First, we're going to resolve what happened from the other team, from your competitors; they got ransomware in there. And then there's what Hack the Planet got through the USB keys. So let's start, because you didn't ask at any point when and where you caught the first thing. So let's first deal with the malware, let's just call it ransomware, that your competitors managed to hit you with, because your employees listen to you so well. So first, we detected the ransomware, right? I mean, we're gonna say we detected both of these attacks. Yeah, well, I'm just handling them in sequence because it makes more sense, because they're going to have different effects on you. So you detected... actually, tell me how you feel like you would have detected the ransomware. How would you have found that? So hopefully our EDR system would have flagged the ransomware. I mean, ideally it would have flagged it before it executed and started encrypting things, but we could say that it... yeah, that's your hope. All right, I'm gonna give you a 50 on that to see
at what point you found it. Oh yeah, not so much. I mean, you learned about it; I wouldn't say you found it, but you learned about it when somebody reported they couldn't get into the customer... like the, oh my God, I'm too tired right now, the database of people who have signed up for customized cat memes. It's way too early for me. So basically, you know, that database, you can't access; you find out about it because somebody goes in and you get a splash screen saying... That's how we found out about it. That's how you found out about it. I rolled a one, where I rolled the zero percent, so yeah, that's awesome, that did not go well for you.

We launched our incident response plan that we absolutely have, from it being part of the basic cyber hygiene, to assess how damaging the ransomware has been, how many of our systems are inaccessible now. Okay, you have an IR plan. I'm going to say that you have a well-written policy; in fact, you have wonderful policies and procedures, you even have a playbook. It's beautifully written; your outside security consultants know what they're doing and will give you the finest documentation possible. How did you get that information to your employees? It was absolutely printed out, so when their computers became inaccessible, they still had it. All right, let's see, you've got a 30% chance that it actually happened. You had it printed out, that's amazing. Cool, so you have physical copies of this. I'm going to ask the question again, though: how did you get the information to your employees? How do they know how to use this? You mean other than the documentation? Yes. Or maybe a better question would be: this was written within the last month? I'll even say, like, somehow they handed it to you and it was beautiful and perfect on day two of the month, so you've had most of a month. How have you communicated this, besides handing out physical copies to your employees? Do they know about it before this thing happens? Yes, they were notified about it through email and we held a training about it. Oh wow, your employees are really good with training. So I'm going to say this was your security team, so you're going to get a better chance at this. I'm going to say that there was a 60% chance that most of your people read this. Yeah, okay, people have definitely read the playbook; they've read the policies and procedures. Given the short amount of time, they probably haven't had the time to drill it, they haven't had time to do a tabletop, but they've at least seen these things before.

Okay, so give me a sense of what that might look like. What does it look like, what are you actually doing? And if there's another... Al Dragon, you rock; if there's somebody else on blue who wants to talk about this, or even somebody else just in the group who wants to give some opinions on what this thing should look like, feel free to help out blue, in the interest of having more interesting discussion about what a playbook for a ransomware incident should look like, what you would hope that these guys had in it.
all right um you know al dragon if you've got some ideas or you and your team member over there have some ideas hit me okay i don't want to monopolize the talking time um i mean if somebody else has ideas jump in at any time like don't worry about it but yeah so um i'm gonna say that um our our ir playbook is pulling machines offline um and you know quarantining them cleaning them and investigating what's um you know been infected and then restoring them from backups okay um who's the other member of your blue team is it xenophage yep that's me cool all right so you've heard what uh you've heard what el dragon just said
about that um how long do you think it's going to take for that to happen what's your goal well the goal would be to so we would prioritize um you know the different groups based on uh business need you know who's who's making the money who's protecting you know et cetera um so we would sort of prioritize the different departments and then work through them and it i mean time wise it's going to depend on how big the infection was i mean was every everybody hit or was it just a bunch of people in marketing or did do we have that sense of that um i mean from a from an ir playbook perspective it's it's
you know we it's a prioritization of the different departments making sure that everybody else is disconnected and bringing on bringing back online the most important bits first okay and yeah we're going to say that basically you what's what's locked is your is your customer list like everything internal is working in fact i'm even going to say because the rules were really good that for right now the only people who are noticing it are your customers who have signed up for your um for your special like um you know in your inbox get the finest cad memes tailored in your inbox so those are the only people you're hearing from right now so you're gonna say
that's your priority getting that up uh yeah and if we can i mean if if we can leverage the existing security like edr and everything that we have to make sure that there's a signature out there for um for all we got hit with okay um i'm gonna say technologically let's see that's gonna be seems reasonable uh you're gonna do it but it's going to start it's gonna take a while so you are starting to blue team you're starting to get customer complaints um you know it starts with a couple of emails but you're getting overloaded you're doing really well and it's not hard for people to you know you've got a really great like report a bug a vulnerability
disclosure thing on your private page so now you're starting to get some pressure from the outside um you're starting to risk reputational damage how are you going to handle that uh the way that all good companies do we're going to throw money at it and and hire some firms um so we we need we need some marketing firms to make sure that you know the right people crisis management firms to make sure that the the right message is going out there and we'll bring in uh an outside security vendor to help uh clean up okay and i'm gonna say you know al dragon do you have a sense of a vendor that you would want to use in
such a situation
leviathan oh you pander i love you i i i love this but we don't do reputation you know we don't do pr i was thinking specifically on pr um i know nothing about pr firms but um let's let's say whoever whoever our ceos brothers cousins you know whatever knows that that that heard about the situation and got on the phone really quickly to make the the sale that's kind of what i was hoping for all right and you're big enough that that philly culture really does know some decent firms so they say like there's a 60 chance that you get somebody that's 70 that's not and it's completely monstrous okay so you get so you hire an
outside firm that's really good at triaging the individual customers like they are they are definitely doing that they're somehow like putting enough person power on it that like everybody's getting a personal response they don't unfortunately they don't seem to know what twitter is so yeah your stock is starting to go down a bit and um and as a result let's just say that billy culture again elon musk in a skirt um is starting to scream at you so let's leave that as that point right there because you've got another red team issue to deal with that being um god damn it i've forgotten the other thing that you've caught as the heck the planet stuff the usb
stuff how do you know how do you figure out could you catch it how do you figure out that that's not the same as the ransomware
you don't yeah that's that's a tough one i mean it's it's a different tactic um and obviously we can assume a different strain of malware but i'm i'm not sure we could ever be 100 sure that it was it wasn't the same group so what do you do about that how do you respond to that attack at all like you caught yes you kept technologically you kept that from [ __ ] your [ __ ] up but would i allowed to say that on the stream oh well i did um oh hey um kelly i'm sorry by the way do you have like a running so so i put a scoreboard up on the screen do you have a running point
tally for this or no it's a scoreboard like not useful i am no that that absolutely works i've just kind of been mentally mentally going back and forth but i'll take a running tally all day like that's cool okay uh so i have it and i can just change whatever so if if you want to give a periodic score update i can always update on the stream for anybody who's coming in late nice what do you have what do you have nothing i have the scoreboard up okay um at this point wait i'm gonna think uh red zero right now no that's not true red one because they actually got the malware in um hack the planet did not
succeed so that's red red one blue deflected the yeah deflected that but is really up the creek so right now with the malware so it's 1-1 okay i will update the scoreboard in a couple of couple seconds and red's gonna get a chance to jump in again in just a second um you know there's just there's so much here um actually well i'm going to have you think about the idea of how you're going to respond you know how you're going to try to prevent the second the usb kind of stuff from happening again uh i'm we're going to go back to that but let's go to the red teams and anybody who you know again
i'm gonna go through the three the three teams uh three red teams and if as you've been sitting here you've been like oh no i want to get in on this or you have any ideas jump up you don't have to be the player that was there to begin with so whoever was playing people who are playing uh the competitor you have been watching you know that you you you know that the payload was deployed you don't know what's going on internally but you definitely see what's going on on twitter and you know their ceo so they you know like so that is what you know based on your original attack butts.com now what do you do i have one
good so we're all about chaos uh and we see we see they're taking hits we imagine that their team is busy so we want to make them a little bit busier they they they had mentioned that they have a uh bug bounty program correct oh yeah so there's nothing to say that during this bug bounty program that we have to tell them that we found anything so we go to their uh we do scans of their environment uh figure out where their web server is and we throw we we throw some scans at it and see what it has and it turns out that it has a vulnerability and we then deface their website because we're just not well i
don't say just because we're a hacktivist uh thing but we think that uh more more public the better so we deface their website and that to get some attention should be free yeah cat memes deserve to be free no caged cat memes free-range cats for everybody um and then we we po yeah so we do that because we know it'll be public and we know that it's gonna cause a little hopefully it causes a little bit more chaos and on on their uh on their reputation okay so yeah so this makes a lot of sense initially now you wouldn't have known that this you know your your red team wouldn't have known this but you know initially we
know that you didn't the the juniors over at minotaur didn't find anything uh when they did a fourth game but you're absolutely right it's freaking chaos and that's probably not priority one so i'm gonna give you i'm gonna give you like a 70 chance of finding something there so let's find out well magic magic not eight ball oh yeah that works the website is tell me tell me what the website reads right now um the what does it read right now um it uh it reads that all of all of the cat memes and pictures have been stolen from other creators uh we've we've created some uh other social media accounts to have those same things and
we've we've we've created some accounts complaining about it that point to it this is all of course completely false but um yeah okay so you're the site says that but you haven't you haven't set up like fake twitter accounts no no no no we have okay you have that's what i wanted yeah so because we wanted power along with the defacement we wanted whatever else was out there so we set up some fake social media accounts and things like that complaining about these very same things and that and hopefully that affects their stock nice um yeah no absolutely okay the player playing player players playing the competitors from the outside you see this like twitter was like their social media
presence was being hit their stock was starting to slip before that and then this displacement happened so at this point looking at this what is the direct competitor doing
like who did we have esthetrax who do we have is the direct competitor i don't remember um i was one of them i think yeah um i'm not sure um just a negative pr campaign um to point out you know all their deficiencies and try and you know lessen their value um smear campaign type stuff i don't know yeah no that's that's absolutely legit i mean one of the things i like to point out in these games and encourage is like it doesn't always have to be a technological attack you know um yeah a smear campaign at the right time matters you know social engineering matters you know there's lots of [ __ ] so yeah that seems
totally legit just pile on the dish the danger for you guys is blowback right now about you know looking like bullies now rc you're the blue team ceo is known for looking being a bully anyway so even before this she was not you know beloved on the internet so i would just say there's a 30 chance that well there's two things let's see number one if it's successful i'm gonna you know in dragging their reputation more deeply through the mud dropping their uh share price and i'm going to say that's an 80 chance because they are screwed right now that totally happened however i'm gonna say in terms of blowback and looking you you guys looking at
bullies 50 chance of that happening because the internet is fickle and full of trolls that does not happen so blue team blue team you are you know i know your security people may not care about this but your ceo but billy kelter like definitely cares about this the stock is dropping and you know what you may care because you know that ipo is around the corner without supposed to be around the corner and your stock up you know like your your early retirement is definitely on the brink right now so i'm gonna say at this point at this point you billy kotor is like basically comes down from on high to wherever your it war
room is and it's just screaming while you're trying to deal with this issue and the issue you were dealing we left for you to deal with at this point so now we've got three issues for you there's how are you preventing the usb key type attacks from happening again what are you doing about we still don't know exactly how we're going you're going to resolve the ransomware and you um and you're getting screamed at at your website's defaced and you're getting screamed at so your life sucks right now so blue team how you prioritizing this what do you hit what are you going to deal with first and why
i think we'd probably continue with the the ransomware first since that's that's that's kind of a direct revenue piece that we need to to handle um yeah i mean we already said that we're we're we pulled in marketing firms for um a part of this so you know i would hope that they're handling the reputation part of of all this as well uh as far as the usb sticks go um that's a group policy no more no more usb on the computers that just that port doesn't work anymore for anybody okay um well let's let's resolve and okay so the pr firm let's say i'm gonna see if they're stopping the bleeding on on twitter it's gonna be hard but i'm gonna
say it gets better it gets a little better but it doesn't matter because your ceo is still losing her [ __ ] and there you you've got a human element here like you know everybody knows that it's getting a little better and you're communicating well but you've still got a ceo calling for people's heads functionally who how do you deal with that when you've got a screaming person that can can can you in your offices al dragon i have i know that this has never happened to you so why don't you practice how this would go so i'm we're we're a small team but somebody is in charge of the security team presumably so that person has to tank the ceo and
get them out of the i.t area and into a conference room where they can discuss the situation all right that sounds reasonable and with a group this small she probably hired that person so i'm going to say it's fairly likely yes this happens however that means your security lead is in a board room getting yelled at right now so this never gets better for you blue team sort of um so yeah okay you're clear um you're absolutely clear i'm also going to say that yes disabling the usb ports absolutely key so now you you have two big issues one is that you're you know one is that the you're you've still got and um locked up data and the others that you
have you you have your website is defaced which means it's a little more difficult for you to be communicating to the greater world what's going on you do have a security you do have a pr firm work in that so i'll say i'll say that part the talking to the customers we can at least put on the back burner um you know you've stopped the bleeding with reputation getting screamed at so all right let's go back to let's go back to the elephant in the room what are you going to do at this point in terms of the fact that you the in the ransomware rain hard morning what's your next step um i've already forgotten where we left
off with the ransomware so we we contained it we were restoring from backup um and i i think that's where we left off i think you did um al or or xeno when is when was your last backup
um i'm gonna say that that we have a a continuous backup system so the the point in time recovery is uh is an hour um let's say like an hour recovery point going back three days and then like a week recovery point going back from there and then eventually becomes a monthly recovery point okay also on the scoreboard um that's going to be uh hack the planet home them so that's definitely going to be one for them um the opposite the um their competitor did a great job at launching a campaign without getting blown back so that's the point however they did manage to calm down their ceo so right now i think it's red three blue one uh blue two
all right so where all right you're doing continuous backup are you on prem or in the cloud either one of you can answer or hybrid my my vote is both there's an on-prem backup that then gets back up backed up to the cloud sounds reasonable um all right uh yeah that's fine and i'm not going to ask like which switch cloud it doesn't really matter if you're in google azure aws for for right now um yeah fine all right let's see yeah that that mainly works um you're able to get it yeah you lose a little bit of time but yeah you're back up and running pretty well at that point so that's another point for blue um all
right so you've you've got that you're back up and running um you're back up and running you've found the damn thing um that's fine what do you do now customer facing stuff is up that you're back running with minimal loss what's the next step for the blue team forensics um find out the initial attack vector for the malware and also the website defacement okay let's start with the website defacement uh you're pretty sure it was hack the planet and so i'm going to i'm going to say that i would say that's about 90 certain that you can trace that back to them you've you've also thrown so much damn money at this all right so
you know pretty much without beyond a shadow of a doubt it was hack the planet um who defaced your website what do you do with this information turn it over to the fbi and rpr firm and let them work out the best way to deal with it that's fair hack the planet you know you you know you know they've you've been nailed you're pretty sure you've got enough you've got enough you know tentacles and enough things that you would hear and have and be pretty sure that they know it's you do you care no and what steps if any are you going to take about you know regarding law enforcement or anything like that i don't know we'll probably just sit
back and watch and laugh like they're not gonna find they're not gonna find us um however that's assuming that everybody had really good opsec and that it was that people are using you know nobody has like that little program that they wrote didn't get traced back to a certain person that left their github open or some [ __ ] uh yes you know so so as i step back i'm like i'm actively i'm actively like picturing myself in this situation going oh [ __ ] uh so and that's exactly why these games are important yeah so i'm i'm going to begin uh i'm going to check my my hubris and go back and uh see what we have
facing i'm going to go look at our at our code that was generous see if i could trace back anything do we have any githubs that are traced back to us i'm gonna start scrubbing um because as as funny as this was now that we know LEO is coming um we're gonna start scrubbing yeah and i'm gonna say like you've got experts you yo you know how to do it but you are pretty distributed so that's gonna you know that's a lot of that's a lot of surface area to scrub and you know when something like this happens a lot of people are going to go to ground so i'm going to say it's like it's a half
and half that you're able to successfully do this you are you're fine you somehow managed to cover your tracks like LEO knows there's something but they can't you know they can't really nail anybody they can't do much of anything so you definitely do it um so yeah you you covered your ass and you're okay um you hit you got out and you're happy you seem to have met your objective so .4 extra point for red team one of the red teams absolutely met their objective i got i got like actively anxious when i thought about that that one guy that got drunk and forgot to use Tor it's that one [ __ ] who like was just like let me use code that
i've used in my public dissertation [ __ ] huh and that right there like if if if i could have snapshotted two minutes of any game you know i've or of a game i've run and explain like why this is important that's it right there i can create a highlight of it for you like it's not being recorded that's perfect because like like you you go through these if you go you know if at work or whatever you have to go through tabletops like those i've noticed those moments don't happen like every once in a while you're like oh i should have done this but like that oh [ __ ] moment i've only ever had happen in
the game of five months um and i think it's because you i mean my theory is that people are thinking out of the box they're chilling they're thinking about things that seem that at first blush like you exactly as you just did you're like well this could happen this go wait a second as i'm thinking about this this could be bad because you're going you're going down that route um awesome so there's where we are there um competitor competitor you you know they you hit them they still you know they're dealing with things forensically um we haven't quite resolved the rent somewhere forensics yet so right now i would say you're doing pretty well you asked you
absolutely hit them you did right you did actual damage probably financial damage reputational damage you managed not to get blown back from your own kind of whispering campaign kicking them when they were down if you you get let's see you can take one more shot you are seeing that they're coming up you can see from the outside or from you know whoever you your information tentacles um that they're working against they haven't lost a lot of data they're slowly rebuilding their reputation um their ipo is definitely now an extra year away because they're going to have to go through a mountain of paperwork and just to rebuild for value um that's their posture right now
um is there another hit you want to take yeah but i would say like when they started having to do pr and you know they're you know you know noticeably in the public that they're that they're hurt and they're paying security firms to you know repair damage done and stuff like that you know they're putting out a lot of money um for ads on cat memes so now it's like a really good time to appeal that court decision and take them back to court and hit them with more lawyers and and legal fees you know maybe the money won't work out yeah yeah that's a good point the copyright thing yeah the copyright thing was probably
settled or rather the trademark of fuzz versus fudzbuzz is probably settled absolutely but there's as a former litigator um i can say you know there's always something there's always something and you know even if the court even if the case gets dismissed there's there's good stuff there um with teams that gives you another wrinkle because um because i'm going to let i'm definitely going to let the competitors file lawsuits like there's no question that they've got enough money and lawyers to file some new at least nuisance suits where they go is its own thing but ah blue team especially al dragon you should freaking know better here at no point did any of you did either of you say i'm
gonna get in touch with legal or compliance so you yeah so you're on the back foot um i'm gonna roll i'm gonna say it's about 80 chance you get blindsided by this you do you do so you are now you're you've been your company has been hit with a shitload of claims by your competitor um and maybe they're it doesn't matter whether they're frivolous or not uh at the very least you're looking at a couple of years of litigation because legal is not involved your ceo is picked um so what are you doing with this because incident response was more than technology so we're going to update our incident response plan and make sure that legal
is involved yeah yeah we might as well learn some lessons there yes um are we still dealing we're still dealing with the reputation uh issues right absolutely and this ain't helping um this is not helping um this is i i don't condone this at all but uh it may be time to replace the cso and and start clean cleaning house a bit make it look like we're doing something um to kick that reputation up yeah okay so all right i'm going to say that i'm going to make a roll i'm going to say that's 70 successful and actually you do that and your reputation starts to you know and people the infosec community at the very least
loses their [ __ ] and like you're scapegoating this that and the other your ceo is happy because she doesn't know [ __ ] about [ __ ] she's just like we've made you know she's out on twitter saying we've taken decisive action but like the infosec community is not happy the cat meme like lovers are like peaceful um so yeah you're you're really taking more reputational hits while this case grinds through let's hop back to the forensic on the malware so you know we do know you're not going to trace it back to the other side they did pretty well with that oh red team another point for you because you you lawyered up successfully um
so maximum malware forensics you're not going to have traced it back to the other team because they they cover their asses pretty well but you know you still have this issue uh this is a thing that happened um you know you you might have unders i'm going to say you understand how it got in you know a combination of you know vulnerabilities and your idiot employees um but what are we what are your steps to keep this from happening again so that was the important part is the understanding how it got in so now we can we can improve our processes fix the the vulnerability on the website um yeah that was that was the main concern
of the of the forensics finding out all the pathways in and then being able to either patch them or add security controls for them or find some other way to account for them um excluding the idiot users because you know that's that's perpetual yeah but that's exactly it you know it's never worth saying it's not you know it's not if you have your next incident it's when like it's going to happen no matter what you do um in this case you didn't one thing you didn't have to deal with was somebody actually i shouldn't have even called it well probably shouldn't have called it ransomware because nobody was actually asking for a ransom because things went
a little differently um but yeah you know that's that's something you would would have had to deal with which hopefully would have triggered legal all right so i'm going to say that yeah you've you've cleaned up your your you know you're in good shape for what's coming next you're looking um you're still however i think the last sort of leftover tendril here for you guys is reputational damage and um the ceo is quiet but yeah you're still taking the reputational and uh legal pick damage is there anything that you think that you can do to help that you know to soothe that because really what's at stake now is your early retirement yeah yeah those of you who are still
with the company um you know congratulations person who has uh who has just been promoted to CISO um whether or not they want to um what are you gonna do like that's the last thing that's the sort of the last uh loose end that's there for you guys
i i i don't know a whole lot about restoring reputation um on a scale like that um i mean from the from the security team side um i think we'd probably you know maybe the new cso is is more of an open person and um decides to start you know being a bit more transparent about both to the public and internally about what's going on in the security team and what we do and how we do things so you know start blog entries and and talks and etc with with sort of uh recapping of what happened how we dealt with it you know lessons learned type stuff yeah all right yeah i mean i think that's a
reasonable answer how did i see you unmute for a second so i i also have no idea about about pr reputation improvements at all so i'm i'm just gonna go off the rails completely and say you know we we partner with a cat shelter um to bring kittens into the into the office and we set up webcams all over to just live stream it um as a as a pr campaign does anybody remember asana's uh the point thing about deploying office kittens their proposal to the boy office kittens which somehow is scrubbed from the damn internet and i can't even find it on the wayback machine um yes that i'm there's no roll for that you
just you just deployed kittens in your office you are that blue team i want to give you two points for that um but i won't for fair but blue team definitely gets a point they they they involve kittens like that's if there's an i win button on the internet it can um yeah so that that's a very quick run of fuzz but the fuzz but i think you can see if the game you know with larger teams with more people how this game i love this game because it can scale like you know we had a two-hour slot but knowing it was early you know we can definitely do you know do some wrap-up and and stuff like that but
this is a game that scales this is so much fun really well isn't it and my and i will put this up this deck this deck and its materials and a couple of other scenarios i've done are up on my slideshare so i will i'll definitely throw those up or throw a link in uh so and they are free to use like guys those are mine uh one thing i love about my company is all of our ip stays rip so when i create these things and i put them up you know i'll scrub them of client data and y'all can use them um what are some like does that did anybody have any ideas of like hearing
other people like oh i would have done that differently like one thing i was thinking towards the end with the um with the reputational thing is maybe leverage the board you know if you've got one you know leverage the board to get the [ __ ] ceo out of there because she's toxic yeah i was uh i was kind of like internally screaming about why didn't you go to legal why didn't you do that i'm dead but that's me like i'm i'm very much i'm i've always been very much like okay nerds let's get the adults involved first and say like here's what's going on and but that you know i've also you know
your everybody's life experience varies and stuff but i've been in a lot of situations where it's like yes we have to address this but there is now pr and marketing and they are very much often the people who are who are loudest first and um like you need to you need to do something with them um but yeah that's i mean that's a really important part that we often forget about is as you know security people and nerds yep i will say so one of the ways i'll do these is role based like i'll do character classes and like you're legal you're this you're that um and i'll usually make people play whoever is you know like
make people play the thing that is farthest from what they are to get like security to understand legal the set in the other in games where i do not do class-based stuff seventy-five percent of the time nobody thinks about calling legal and compliance i think let's see do you know why did i see you on mute yeah i was just going to say it booting the ceo never even surfaced as an option i mean it's i guess it's one of those ingrained things where you're like that person's untouchable i i think to say like you know maybe the the board steps in and does something about the ceo yeah i mean yeah because like at least to me
like my in my head this is playing out over a very short period of time so if that happens like got the politics and that i wouldn't have even thought of that either yeah i think from like the competitor's standpoint you would have probably more above the board you know actions taken like targeting board or ceo or or hostile takeover type weird stuff businessy things and just you know not getting in the way if it just happens that their site gets hacked and their pr goes down the tubes because that would you know further their gains but i generally think about ceo or board specifically in this no um yeah can i throw something in the mix
always so not specifically about this scenario but every time i run a tabletop like every bloody time i try to run multiple iterations and when i start going hey guys have you cooperated with the other teams and they start looking at me funny like what what are you talking about and just have you consulted have you cooperated have you determined who's responsible and accountable for the various pieces of this these problems these whatevers like i had one where i had i.t security and compliance and i told it and security you know have you talked about which tools you could buy and use and they could use your tools and save their budget and they went we don't do that
well you'd save half the money because you're duplicating everything yeah like even in the commercial space not even the governmental space where it's legendary but cooperation is so foreign consultation cooperation you know what i mean oh yeah no that's that's absolutely true and you know whenever i give a talk or something on like you know like uh september i i did a thing in colorado where they wanted us to run an 18-person game um and then do a little wanted me to do a little talk on like what are the buzzfeed five most important things to get through a malware incident and i was like communication communication communication communication communication and they left and they was
like no really because you're right and one of the things you can do really well in a tabletop game is exactly make that point um i didn't hear because it seemed i was you know we had a smaller group but yeah that's freaking key it really is one of the ways i love to deal with that which sometimes works and sometimes doesn't if i'm doing it virtually um something i got to do a lot this year was i will just tell everybody okay here's a two-hour block and everybody has to be on call during that block and i'll start out you know like yeah everybody has to be on call on teams or god anyway you're in that two-hour block and
i just pull people in as they're requested so i'll start with all right customer service you know you're the first person head of customer service you start getting reports of and let them pull people in all right and i'll do this and this okay cool you know who do you talk to next and let them pull people in and it's fascinating to see when you act when not everybody is sitting around the table and you actually have to think of who you're pulling in and what you're doing how that fosters communication and i've definitely had a lot of people say like oh well i'm i'm nev i've never been in the room really with legal or with
something so you know an interesting way to make that happen and make people understand that the problems are solved more easily and efficiently when you have the right people in the room is make them put those people in the room because you know once customer service is there saying like yeah and i got this complaint cool what are you going to do about next i i don't i don't know that's security's problem well all right call security security i think security and security does this and then security doesn't call legal and you know and doesn't call c-suite or whatever but making people sit in that moment of pure freaking terror when they when they're like
i don't know what to do drives that point home really well um so this ransomware didn't go full ransom because just the way the dice rolls you know if i was doing this for if i were doing this for compliance like a soc 2 or an iso or something like that i would probably push it into somebody called you and ransom uh you know actually calls up with a ransom to force them to get legal in so that like we could test that process um so just throwing it out there uh and blue or red can you know anybody can answer how do you think this would have changed if like would have changed what you did if
there was a demand um either somebody put a demand on twitter or you know or directly contacted you how do you think this might have played out differently well then it gets into convincing people not to pay and discovering whether they um stole anything that could be used to extort us if it got released publicly because i think i think we at least succeeded with the backups so we didn't need to pay the ransom to get our operation back up and running but there's always the the extortion threat of releasing confidential data publicly i think your ceo is going to be a wild card there too i mean if they're based on how the ceo was i i can imagine
they're just gonna do whatever they can to pay that ransom to get it out of the way um you know throw money at it and then probably at the same time start going crazy internally to uh screaming and yelling at people to make sure it never happens again what are some good reasons not to pay the ransom you don't negotiate with terrorists um paying the ransom doesn't mean that the ransomware people have deleted the data i mean it's there's no there's no way to prove that they've actually gone through and and got rid of whatever damning evidence that they have so so i mean for me it's you know you pay and the the ransomware guy goes oh cool they
paid well we'll come back next week and do it again and just use the same data and then you know or you pay and they release it anyway because you know it's just for the lulz yeah i think it was true and then you brought up something that blue team y'all didn't address and i decided you guys had taken enough hits so i didn't go down that route but yeah you restored from backup but who knows you don't know if that data got exfiltrated um and if it did yeah that's its own problem that could be released or whatever um another dimension another direction we didn't take with this one was this is sign up stuff people sign up
which means you almost certainly had pii um you know not calling legal could have been catastrophic there because you're doing you're doing pretty well your cat memes you almost certainly have more than the 500 or a thousand or whatever you know each ag you know attorney general in each state requires um and you know and god help you if you have any gdpr exposure there because you would have on top of that had the i think it's 48.72 i don't know i look it up every damn time because the place where that should be in my brain is filled with mid 90s song lyrics but yeah i mean that's another thing you know something as stupid as a cat
aggregator like a cat meme site you don't think about it but as soon as i said cool what's locked down is the customer you know like your customer mailing list information that could have should have triggered checking out you know evaluating for uh making it not just an issue but a breach so i'll throw that out too had it been more of a you know had it been more of a breach situation how if at all does that change the way you go about this
i mean on the technical side i'm not sure that it's going to change a whole lot because i mean you still have to clean it up and restore um i mean it's mostly going to be on the legal pr side um i mean that happened and and we just have to own up to it um or you know depending on the ceo try to hide it okay al i al dragon i think i saw you on mute yeah but that that's what i was gonna say i i don't think it does change it the technical side it just adds legal and and pr complications and reporting requirements and this is actually where getting people in the room who don't talk
is important right because a lot of you and reasonably so don't get me wrong reasonably so are like i don't know what legal and pr do and that's totally fine um you know i'm i'm kind of the rare duck that straddles them a little bit though i'll say i'm much more you know compliance than tech when i in fact when i design these if they're crunchier i almost always you know i almost always consult like what does this what should the tech stack look at um but it's important right like you don't have to know the law or you don't have to know exactly what forensic tools but having a sense that you know of what
the process is for the other person and the other people is important um just having a bunch of people who've never been in the same room together play one of these or swapping roles in character classes is fun um you'll see somebody if you check out my slideshares you'll see a game at least one game where i've done that and i like to give them the power you know because obviously everybody should have a power um yeah it's that's why this stuff is fun and that's why you know the game way of it doing it is fun so let me open it up more generally um what worked for you guys as we played this what worked
i i thought all of it was awesome like i don't i nothing comes to my mind where i'm like damn that sucked don't do that again i like well then you know i like the most is like the fact that you threw multiple red teams at them because i yeah the fact that like there's just these little these little [ __ ] running around just creating chaos is i i like that one yeah i'm glad well and that it's all different goals right so i was able to say like all right you know hack the planet you've met your particular goal because your goals are different than like the pen testers they just they want to do a
good job and also enjoy the job the competitor wants to see the company think for their own reason so yeah it gives it makes the blue team especially have to think about it it's fun for multiple red teams and it also makes the blue team think like [ __ ] it's not just we don't have to think of hardening in some like weird amorphous way we got to think about like who wants to [ __ ] with us and why al i i like the dice mechanic as sort of an adjudicator because it cuts down on the tendency to argue about whether something would be successful or not like you know there there were a couple times where
i'm like well that wouldn't have succeeded because we said we you know did x but any any control can fail and there's always the you know did the person who implemented do a good job so i i like the idea of well you you know the dice didn't roll in your favor so you know that control failed and now you're screwed in that in that particular aspect and you have to deal with it yeah the key with doing that while running these um is be reasonable about it you know you know if i was an [ __ ] and be like no you think it's 30 no you know you you don't have to you know especially in something like
this is a more casual game you know i don't have to get super granular but yeah a reasonable random you know reasonable randomization to deal with the fact that yeah any control can fail um you know these get crunchier if i'm doing them for uh you know a compliance thing yeah i like it i like a little bit of randomness um you know i i'm actually working on a book on this that will take forever but one of the things i'm that i explain is why randomness is important and then deal with randomness and what i call like um crunchy crispy chewy rule sets and uh and needs and this would be a be like a chewy like a little little
randomization i'm glad that worked so i know some people i i've heard do these table tops some of y'all have been in these tabletops and some not at all but what do you what do people think they can take out of this for themselves or their clients or whoever well it really and i've seen this like up like up close at a lot of different places of the most one of the most important things is like involving other people outside of a technical space because there's there's so many silos in different places not every culture is the same i've been in startups that were like an enterprise and i've been in enterprises that were like startups and
it's it's getting all the relevant players together and realizing now is not the time to be the first time to do that like that that should have been the corporate culture from a long time ago and if it wasn't why wasn't it who who wasn't advocating who who didn't have the foresight to do that so that's the most important thing for me is when that comes out and even still you'll go back a year later and they didn't learn their lesson and say hey didn't we talk about this you know or some people really take it to heart so yeah getting getting all the stakeholders far before the [ __ ] hits the fan yeah yeah this is the annual thing too
is really interesting if you're doing it for compliance you're doing something that's got to be on an annual cadence it's like we did the thing to get you ready you know for you like we did i do this you know i we did the thing to get you ready for your audit here's our findings you know here's the deliverable okay you know my part of this is done i'll see you next year and come back i'm like really are you kidding me like really same [ __ ] anybody else find any particular value in doing you know tabletops or especially tabletops that are more fun than your average bear well in general it promotes just like
the conversation and you know if you if you make it fun enough i mean you can it can be part of the culture too so i mean just blowing off steam and doing something like this at work um you know there's there's not necessarily any major consequences to to what happens at the table top um everybody kind of learns a little bit about each other and and you know you know just the overall fun of it and do you this do you feel does anybody feel like by doing this in a more gamey way it takes some of the pressure off as opposed to like a regular tabletop where you're looking around absolutely like yeah
100 percent this is so much better than like here's all your binders and like no 100 percent i like i talk all the time and when quadling was like hey you could be one of these people i was like oh no and then it got to be fun immediately and like yeah that's so much better than the stuffier other ways i've seen it done one of the things i talk about is stress versus suspense like tabletop regular tabletops can be really stressful not so much because of the scenario but because your boss is sitting there half the time like if you're on the security team and your security lead's there like hopefully your relationship with that
person's cool but if it's not you're like i want to you know i don't want to be the person who looks like they never read the information because binders suck um so yeah like i've gotten feedback saying like by doing this everybody gets to step out of like they're like everybody gets to step out of reality a little bit especially if it's silly like cat memes like but you know i've taken these silly scenarios and depending on the client like all right i'll run it completely straight-laced the same damn scenario but if you put a couple of cats or dogs or something in it all of a sudden people want to know what happens next as
opposed to like looking over their shoulder so that's pretty cool i think using something that's not the company that you're at it makes it easier for people to make decisions and then call things up because then you're not at the end of it there's no there's really no way to point fingers and say you know you should have done your job better yeah absolutely and like people will innately be can just be stressed like that's just some people's natures but if you throw in fun things it's like an automatic diffuser when it comes to it because somebody just has to remind like hey look cat meme and you're like cool and then like that little stress
level goes down a little bit so but yeah like like you know like if you're tied to the actual company and this is all these things now you have all these like institutional uh like grudges and [ __ ] that start coming up but if you just throw it in it's like a cat meme thing it definitely diffuses that yeah yeah like and and that's the idea like the process was the same i mean we had like we had that rando had that you know light bulb moment that is very real right but you know you know like very real like a useful thing that you're going to take but yeah without it being without pointing fingers and stuff like
that so like you know to the extent that i i've definitely people who have heard my feel about this but not yet played in one of these games like well nobody's going to take it seriously like you don't have to take it seriously as long as the messages are there like that moment of oh crap did i get could we get everybody to scrub is the [ __ ] point um and people are gonna remember it too that's the other thing if you're having fun like you're going to remember it you're not going to just say well we got through our we after all the binders you're going to just like with any like you
know any tabletop game you're going to remember that time that somebody did something crazy like y'all are going to remember that blue team in the first round decided to try to rely on their on training and how horribly that went um and that's going to you know next time somebody's doing a training you're going to that you might think about that like oh yeah there was there was that time whereas i find you know you don't retain i don't retain stuff even when i'm running them i don't retain stuff from the straight lace game like oh right i i'll go for like the next year to do again security cadence i'll do the next years of one of my clients that
really like wants it to be straight-laced and i won't remember about their findings from last year i'll look at my deliverable and be like oh you did that but the people who do that i get to do this with i think it's just they it works out really well any other questions comments concerns things you thought worked didn't um anything like i'm happy to answer anything about this these games anything or to give you 15 minutes of your life back i just want to say thank you for doing this especially this early yeah i i appreciate it uh i appreciate the opportunity um and i know i you know i answered the cfp super late
because this last couple of months has been insane with going around the country doing these and getting used to traveling for the first time in two years so what's yours i totally space what's your you know what that actually brings up and yeah we do have we have a good five more minutes until i gotta transition everything um what's been your so you're playing this now with a bunch of like hackers and nerds and stuff on a actual hacker con uh what's been the reaction the way that you do this in the actual enterprise and in with companies how do they respond have you gotten companies that are like this is too fluffy and this should be more blah blah blah or do
you have do you get positive responses doing this i have gotten everybody who has ever played in one of these i've gotten a positive response i've had a couple of times when i've done you know like the presentation to the client like okay you want a tabletop yeah okay well we can do it straight-laced or we could do it like this and there's a continuum between like straight-laced and all cat memes and i've had some clients shy away from doing that um just a couple days ago i had the weird experience of i was pitching the idea to a group of cisos like do you want you know let's run a tabletop and they were like and as soon as they
and they're like well what do you mean oh it's like d and d like they jump back as if it was like they were on fire like what nerds do so but anytime i've gotten people into a game playing it always it's so far always been a really positive experience but sometimes it's just selling people on this idea that you can be you can do this get this done and have fun which is part of the reason that i'm writing this book like it's kind of like a game going to be seriously a game master's manual on how to do this trying to make it look more make the steps of designing one of these more formal to kind of
um to kind of maybe educate and have people who might shy away from it because it sounds too nerdy be more into it but yeah as soon as i get somebody into a game and you know you saw it as we got started like everybody's feeling out their space once that happens they always sing and it's nice it's a lot of fun and um have you done it like across different verticals like do you find like finance or retail or you know blah blah and do you find they react similarly to it so the one i did in colorado was um it was an investment firm that was doing a retreat and they wanted they got their
technology partners which was everything they were like csos accountants um yeah lots of different verticals and they got it too and this was one of the ones where i switched roles where they had character classes and it was cool because what everybody said was they were uncomfortable they didn't know what they were doing and but they left with a deep understanding of what people on another vertical did so that's super cool um i'm actually in the process of planning one for december for 40 accountants who you know who they're they're so uh no their ceo sorry wants to scare the crap out of them because they don't want them to be the employees from the that the blue
team dealt with so that's going to be fascinating um i think it's going to i think with a mixed group it's really interesting because people can inform themselves i'm really interested to see what it's going to be like to do it for a you know a smartphone level tech group yeah well you're awesome you just this was this was so good and you were you were an amazing game master this was a lot of fun thanks well i'm i'm here in philly for you know running things for fun and profit um like i said i'll put up my slideshare and every once in a while i'll you know poke people saying hey i'm testing out a new game anybody want in
so i'm happy to run things sweet okay well then we are right at the time we need to be at uh kelly thank you so much and for everybody who else is watching on stream uh all of these videos will be cut up later this entire game will be available for for uh playing again and um up next we have was it why is cyber security like soccer but uh yeah about 10 minutes and uh we will be right back