
Hey everybody, it's Guy McDoodfellow, co-chair of the BSides Las Vegas Proving Ground track. Our next talk is entitled "Gamification of Tabletop Exercises" by Kelly Ollert, who was mentored by Allan Friedman.

All right, hi, welcome to Gamification of Tabletop Exercises: Playing D&D for Fun and Security. I'm Kelly Ohler (at gw via on Twitter), and I'm going to talk to you today about how to use games in tabletop exercises. These exercises are scenarios meant to help clients test things like their incident response and business continuity plans, hopefully before disaster strikes. Why do I do this? Because I'm a long-time geek, tabletop role-player and scenario designer in my personal life. I specifically design independent tabletop RPGs, and that's kind of what I love to do, and I get to bring it into my work. I have been a lawyer (but not your lawyer) since 2005, so, you know, I'm used to speaking, I'm used to herding cats, and I'm used to knowing when people are just not paying attention, and that's a big deal with these things, as you'll see soon. You can find me on Twitter at quiddia.

So what is this talk about? We're going to talk about what a traditional tabletop exercise is, what a tabletop game is, how they compare, why games are more interesting, and how we can use games to improve information retention and thus security. So we're going to talk about the good, the bad and the boring.

Let's start with a little definition. The Department of Homeland Security defines a tabletop exercise as a discussion-based session where team members meet in an informal classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. Cool, I'm already half asleep and it's my own talk. All right, well, what's a tabletop game then? Well, a tabletop game is a group experience designed to get participants to solve problems by working together in an immersive setting, and as you'll see, the immersion is key. A tabletop exercise, as Homeland Security or FEMA or even a lot of regulatory bodies will tell you, is a more limited experience designed to test a specific scenario or situation in the quickest and most efficient way possible. Really, they're there to confirm the status quo, not to move forward. RPGs, games, they move, they evolve, they draw you in, they make you solve problems together, and as you've heard me say and I'm going to keep saying, they're a journey, and they make you take ownership of that journey so that you're not just dealing with the status quo, you're moving forward.

Tabletop exercises have serious flaws, and we're going to get to those, but maybe the biggest one is that they're boring. Tabletop role-playing games are fun. Why? Because they encourage storytelling, they're collaborative, they're often something you'd actually want to do with your time. Lots of us are gamers; those who aren't generally like to watch a good story on TV, read a good book, play a good game, something that draws you in. So why do we care about things we do in our leisure time, our copious free time that we all have? We care because we learn through play. We strengthen our ties when we take a journey together and solve problems. We make memories, and in the infosec sense of things, if we're making memories about what worked and what didn't on this tabletop journey, we're going to take that home and remember that before, during and after the actual incident happens.

So how are you going to be able to use this information to improve your existence? Well, I'm going to show you what a basic gamified scenario might look like and talk about how you might make scenarios you design or need to run a little more fun and a little more useful like that. And I'm also going to go into three common tabletop exercise problems that I hit all the time, and show you some gamified solutions and how they are better solutions than just check, check, check off the boxes of your plans.

That being said, exercises are a big deal. There's a reason people use them. They are designed to test people or processes before the worst happens. If done well, they're tightly designed; they're trying to just get you to practice with the trouble before it happens, and they're usually based on some sort of pre-existing scenario or documentation, and then it stays on target to make sure you hit all the high notes, to make sure you hit every point of your IR and disaster recovery plans. Great. They're also really great to help with regulatory requirements: SOC 2, FedRAMP, ISO, all of them require that you show that you've practiced and dealt with these plans, and as a rule they expect to see a tabletop. ISO, in fact, says that while it's possible to pass an ISO audit without a tabletop exercise, it's unlikely, because you'd need evidence of lessons learned to meet the requirements. The other thing is that these exercises can be a huge deal. They can be really, really detailed. CISA, every two years, does Operation Cyber Storm, which is basically a WarGames-the-movie LARP: millions of dollars, multiple agencies, scaring the crud out of people and doing their best to accurately simulate what the worst would look like. But generally speaking, ain't nobody got time or budget for that.

So while exercises are kind of a big deal, they're not that great, actually. As I've been saying, they're often more about checking off the regulatory boxes or making sure people have read the IR plan than exploring the possibilities of what could happen when things go wrong, or when things go right. Tabletop exercises can also be really stressful because of the fear of failing. If you're worrying you're going to look stupid in front of your boss or fail the audit, that inhibits creativity, makes them less fun, makes them more forgettable, makes them not something people want to do but rather something people just want to endure, or else. Or else whatever. And also, they rarely use dice, and dice are really shiny, so that's another way that tabletop exercises are just not as cool as tabletop games.

So let's talk about games. Tabletop games are pretty great, says I. They're designed to entertain by making people work together to solve problems, but just because you're entertaining someone, as we'll see later, doesn't mean you're not doing something useful. If you're doing a tabletop game, you're encouraging novel solutions, and failure's always an option. They're more suspenseful than stressful. Stress, in this context, is kind of defined as something you just want to get over with: you don't want to look stupid in front of your boss, you want to pass the audit, great. Suspense is making people want to know what happens next, having them take agency over their role, wanting to be Sam and Frodo trying to get the ring to Mount Doom. These are the kind of stories we remember. And tabletop games often use dice, which, as I have said before, are shiny.

And I'm not the only person doing these. Lesley Carhart here talks about running tabletop exercises and busting out a d20. This isn't something that just came out of thin air; people are doing this, but more people need to do it, because, TL;DR, these things can be pretty cool. Look, if you're listening to this talk, if you're at this conference, if you're in this community, you're probably a nerd or have the potential to be a nerd, and we all want to have a good time, and if we can learn something nerding out together, all the better. And if you're one of the people who are offended by dice, you're probably listening to the wrong talk anyway, so, you know, if they're really offending you, throw them at me. I'll catch them and I'll keep them.

I keep talking about this stuff being fun. That's for a reason: almost all creativity involves purposeful play. Quick bio of Abraham Maslow, a famous American psychologist. He's best known for the idea of the hierarchy of needs. You may have heard this. It says that in order to do something like learn, you first have to fulfill more basic needs like food, water, shelter, safety, and yes, joy and fun and interconnection. More recent science indicates that play is therapeutic and has been found to speed up learning, enhance productivity and increase job satisfaction. So playing isn't something we should just do while we're kids. So let's play.

Welcome to FuzzButts. This is not a typo, no matter how much you think it is. FuzzButts is an example of an overarching scenario I built for an internal tabletop to give people a jumping-off point for some of the other stuff I'm going to be doing later, where this world can be sort of summed up in like three sentences, three paragraphs maybe. FuzzButts.com is an up-and-coming cat picture aggregator site. Their application allows users to search for cat pictures by cat color, breed, size and sassiness. FuzzButts claims that their Deep Purring algorithm harnesses the ability of real cats to recognize and hate each other to allow for excellent feline sorting and discrimination that rivals a Google search. FuzzButts has a security budget of Yes, but a small dev team and a corporate mandate that all infosec spending must be done by consensus. Yeah. Their CEO is Billy Couture, a woman not known for her social graces, especially on social media. Bam, this is a scenario. It's a funny scenario; I think it's funny, it says butts. It has immersive elements that draw you in, and they're silly, but they're relatable. Here we have a startup with angel investors and a wacky CEO who probably just wants to pass their audit.

So why do we care? Well, for one thing, if you're doing something like this you can take a basic scenario with a company, a budget and characters, basically, and take it in any direction you want. Do it specifically tailored to your client: pull disasters off their risk register, or slash the budget, or make it not the CEO but an employee who's exfiltrating data, whatever. Tune it up, draw your people in. If you're a player, you're laughing at this, hopefully you're hooked, you want to see where this goes. Thus, in just a few minutes, we can put together a scenario and tailor it to a client's needs, but do it in an environment that grabs attention and gets people ready to go on a journey together. And this doesn't have to cost them a lot. This isn't Operation Cyber Storm here; this costs nothing but time and creativity, but it can save you a boatload of heartache down the road when you've got people who are invested in your setup and your scenario, who have practice at dealing with the [inaudible] that's going to come up.

So let's look at some of those things, some common tabletop problems, and how a tabletop RPG approach is going to improve them. Problem one: none of these people have ever been in the same room together. I've run a ton of games that include PII breaches, and in all of them, never, not once, has anyone ever suggested getting legal involved, even if they knew I was a lawyer, even when legal was on the call in the tabletop. What? I'm not just saying this because I'm a lawyer and I want to be involved in anything; I actually would like to take a break. But what I'm saying is people don't think that by having legal come in early you can perhaps privilege some of the cleanup, or make sure that the next steps you take are following the law, making things a lot easier down the road. But people don't understand what legal does, so they don't invite them in. So how do we get people to understand each other? Well, there's the classic idea of walking a mile in their shoes, or, in RPG terms, character classes. Why? By assigning each player a character class that isn't their work role, it makes them have to see things from a new perspective.

This is an example of what character classes might look like in the context of the FuzzButts scenario. So you've got Billy Couture, whose class is C-suite; Minotaur, security class, security team; FuzzButts.com's direct competitor, C2T's, not a typo, and that might be, you know, a red team playing in your scenario. And you'll see that I've given each of them abilities. For example, Billy Couture has the ability Budget of Yes, which meant in that game that at one time that player could have spent, just once, for something absolutely outrageous, but only once, to affect the scenario. Eager Pen Testers was one of my favorites: they had the License to Kill, which meant that just once in every game they had the permission to nuke somebody's stuff from orbit, like just take out a data center, take out a computer, do something, just once. And then FuzzButts has, another favorite, I Just Hate You So Much, meaning that once a game they were able to take a patently illegal action in order to get back at FuzzButts. Does it have to be this detailed? No. Could it be? Yes. Why do you care? Well, if you're a player, it's fun. It also helps you understand others' roles and allows you to feel agency and suspense in the story. From the company standpoint, character classes, or something like them, force your team to think laterally and start to understand what the other roles are. Practically speaking, having your people know who to go to for what in an incident response situation can be critical, both in terms of stopping the bleeding and in terms of the many thousands of dollars of cleanup consultants that you need to bring in if the incident isn't dealt with right the first time.

So let's talk about another common tabletop exercise issue: one person's doing all the talking. This happens in almost every exercise. One person, whether they're a jerk or just the person who has all the institutional knowledge, or is just doing all the talking, or both. This person probably has been there longer than anybody else, and they probably do have all this knowledge. They're also probably the most bored person, and they really just want to check off all those boxes and get out of there, and everyone else is smiling and nodding off. As the owner or the security lead or even a player, you're wasting time and money in this situation. No one's learning anything. While you might have checked off your box, you're going to be the first with your backs against the wall when the revolution comes, meaning an incident, meaning money out of your pockets. And as the person who's running it, you really have no idea if anybody else knows how to do the stuff Captain Obvious is talking about, which means it's really hard to write your report and to explain where the gaps are, or even write something honest to an auditor saying, no, these people have it down. So again, as a company, you could be paying for a marginally useless artifact.

So what do you do? Kill off their character. Well, I call this the bad clam scenario. This is, you know, you go, you identify that Sally is that person with that knowledge; take a break; Sally comes back from the break: oh geez, Sally, you had the bad clams when you guys all went for lunch, you're out for the rest of the game, and you get to observe. This can work really well for somebody that has a big ego, because you don't really want to insult the client or your co-worker by saying shut up, get out of here, but something like the bad clam scenario is a general way of sort of getting someone off stage. You know, I've taken questions in other formats about what that player does now. Well, the person could take a well-deserved break, or play what might be considered the least important role, coming back in and doing that. However, there's the danger you might have to kill him off again, which is actually going to take him off, and this is still a client service, this is still a team thing: you want to make people happy and get something done.

So why is this cool to do anyway? Why do you want to do it? Well, as a company head or a security lead, you're going to find that switching people off, getting rid of this one talker, is going to expose gaps in institutional knowledge and make people work together, or sometimes, more importantly, show that they can't, so you can identify that, which makes it more efficient. You're going to get better regulatory compliance because you know what you need, you know where those gaps are, you can close them. And again, cost savings; whether we like it or not, it's the bottom line. You know, in some ways, as a player, once someone's out, the stakes get higher and the game gets more interesting for you, and again you're buying in more. You're wondering, crap, what do we do if Jim's out? And if you want to do something that's not as dramatic as bad clams, you can say he's on a vacation in Bora Bora and has no access, whatever it is, but the stakes are higher because now you're thinking, what do I do if the co-worker I lean on, if my mentor, isn't there?

The third scenario is the common issue of everyone being asleep, like I was when I was reading the definition from Homeland Security of what a tabletop exercise looks like. Everyone is half asleep and expecting to go through a boring scenario with no impact. Hopefully you're not there now, but if you are, well, let me suggest that we should take a trip to Arizona Bay. Congratulations, I just dropped everything west of the Colorado River into the ocean. Phoenix is now oceanfront real estate. Sorry, Las Vegas people. Why? By opening with a truly catastrophic scenario, the players are going to be wide awake and out of their comfort zone. And I know that testing your business continuity plan probably wouldn't be your first concern in this scenario, but look, right now, right now, listening to me, you're awake, you're alive, I've got your attention, and we've come so far together before I nuked you from orbit. Why do we care? You know what, we care because these things absolutely can happen. Infrastructure is absolutely critical in an information society, and depending on what you do and where you are, your cog in the wheel may be necessary to get things back on track. If you weren't nuked, you need to know what happens when others are. You're going to see traffic spikes, you're going to see customer inquiry overload, you're going to see dogs and cats living together, mass hysteria. And this could be your moment in the sun, or you could end up being a vault dweller. It's up to you. But big things lead to big ideas.

But you know what, earlier I said that tabletop RPGs are less stressful. This doesn't sound stressful, does it? Well, I'm going to tell you, it's not. It's suspenseful. You want to know what happens in the Arizona Bay scenario. You want to know what happens to Sam and Frodo. You want to know what happens in your journey, because learning needs to have taken place at the conclusion of a learning journey. Tabletop exercises are just that: exercises, static moments in time that are intended to confirm the status quo, not to move forward. Tabletop exercises are a journey: they evolve, they move, they make you solve problems, they make you take ownership of a journey, and they let you take what you've learned home, and maybe the next journey will be a little more interesting.

So if you like this stuff, what can you do? Well, if you're in charge of running these things or designing them yourself, you can steal a few ideas from me or from some of the folks I'm going to talk about briefly in the next slide, and spice it up. You know, you don't have to go full Arizona Bay, but you could say that, you know, AWS us-east-1 is down, or you could say that, you know, so-and-so didn't die of bad clams but, you know, is out to lunch and can't be reached, or whatever. You can tailor these things to what you need, but you don't have to have them all be "we were sitting in the office one day and we saw malware." Spice it up. If you actually have to do these things as a player, and you can, if you have the freedom, rock the boat during the exercise. Be the clam eater, be the maker of the bay, or find something a little more low-key that works for you, that makes it so that you're doing something that helps you understand what someone else is doing, even if it's just asking a question of someone from the C-suite: well, what would you do in this situation? Even if what you think that person would do is completely useless, just asking a question breaks you out of this exercise and makes you go on a journey with that person's character.

But as I said, I'm not the only person doing this. Lots of people have been doing this sort of thing way longer than I have, and there's a lot of good stuff out there for you to look at if you want to try some of this. Some examples: there's Backdoors & Breaches, which many of you probably have heard of, from Black Hills. It's like the seminal incident response card game. It's a lot of fun, hits on a lot of these topics, and, you know, it's kind of like a tabletop exercise in and of itself but with shiny cards. There's Oh Noes. Oh Noes is kind of like a DM's module of a few cindy IR scenarios. It's very class and character based; it's a lot of fun, very readable, very free. You might also want to check out Adam Shostack. He's a former Microsoft engineer, he's the author of Threat Modeling: Designing for Security, and he's a gamification-of-security deity. And then there's me, a little of me on Twitter. If you check me out on Twitter you're going to see lots of cats, lots of complaining and some infosec, and you can always DM me or get in touch if you have any questions. The point is that there's a lot out there, and there's a lot in tabletop gaming that can help anyone in our industry who wants to practice what's coming ahead, to either prepare for techy doomsday or just for fun and profit. Thanks everyone, I'll be here all week.