
Playing at Security: Building and Running Incident Response Tabletop Scenarios

BSides Newcastle · 2020 · 1:09:02 · 91 views · Published 2020-09
About this talk
James Bore explores how to design and facilitate effective tabletop incident response scenarios that allow participants to fail safely and learn from mistakes. Drawing on lessons from the OWASP Open Security Summit, the workshop covers scenario architecture, asymmetric information design, immersion techniques, and practical tools for creating realistic injects like fake tweets and headlines.
James '@coffee_fueled' Bore's workshop on building and running an effective and engaging incident response tabletop scenario. Delivered at BSidesNCL (Newcastle) 2020
Transcript [en]

Let me just get this recording and we'll get started. Welcome along to this experimental Playing at Security workshop / panelly discussion-y thing, and do interrupt at any time. If you have questions, if you want to debate, if you want to discuss anything, just drop it in chat, drop it in Q&A; if you're on Twitch, drop it in the Twitch chat. I can't guarantee that I'll keep an eye on Twitch, but I'll try to, and probably keep an eye on Slack and some other things if you throw it there, but I can't guarantee anything outside of this actual Zoom room. So yes, welcome along. This came out of an exercise that, well, came out of the OWASP Open Security Summit, where we ran through a few different scenarios and learned some lessons on how to run them and how to build them and what people can learn from them, and this is just sharing some of the tips and some of the basics that you can do to develop and run your own scenario, as well as some of my own personal experience in running these sorts of things and similar. So, Playing at Security. Oh yes, there is also a Slido up, you can always throw questions there as well; again, I'm only guaranteeing that I'll keep an eye on questions that come up in the Zoom, I can't promise anything anywhere else.

I want to make the point first of all that this isn't about gamification. These scenarios don't have some sort of point-scoring mechanic, there's no leaderboard involved, you're not applying game mechanics to building these scenarios; it's somewhat different than that. So don't worry about gamification, it's completely different. It's also not about fun. So while people have said that they've found the scenarios fun, that isn't the aim, it's really not the purpose of doing things this particular way, although as I said it is fun, it is enjoyable for people of a certain mindset, as some of the people in the attendee list can attest, having been through some of them. But that's not the goal. The whole purpose of running these tabletop scenarios and doing them in this particular way is to let people fail safely. So it's to allow things to go horribly wrong in a way that doesn't cause any actual damage, because you don't learn from success, you don't really learn that much from winning; what you learn from is things going wrong. If things go wrong in real life you've got real consequences. If they're going wrong in what is effectively a game, a tabletop scenario, the consequences don't exist, it's a completely different matter. You can fail safely, and you can fail in all sorts of new and interesting ways. You can run the same scenario 50 times and find a new way to fail utterly each time, and that's where it gets interesting.

It is also about play and games, and that's important, and I will be going into a bit about ludology and lusology and various other bits, and the philosophy of games and why they're important for this. But just bear in mind it's not gamification, it's games, and it's not about winning, it's about playing around and failing in a safe way so that you know how to deal with it when it happens in reality.

But first of all let's establish what we mean by play and what we mean by a game, because that's something that can cause some argument; there's whole philosophies around it, and it all kicked off with a guy named Bernard Suits. Ironically, I think his surname must have had something to do with it. So he defined a game as: to play a game is to attempt to achieve a specific state of affairs, which he called the prelusory goal (lusory, referring to playing games, so he liked the word lusory), using only means permitted by rules, where the rules prohibit use of more efficient in favor of less efficient means (so that's constitutive rules), and where the rules are accepted just because they make possible such activity. So in a very roundabout way, what he's really saying is the same thing a few other people have said. So Salen and Zimmerman: they said a game is a system in which players engage in an artificial conflict, defined by rules, that results in a quantifiable outcome. So you've got some form of conflict, and it's unnecessary, it's entirely artificial; you have rules that govern it; and you have an outcome where you can get some sort of numbers around it. That's one view; numbers are optional, but yeah. Costikyan said a game is a form of art in which participants, termed players, make decisions in order to manage resources through game tokens in the pursuit of a goal. So yes, that's a game; that's also project management if you follow it in particular ways, logistics, all sorts of other things. And McGonigal, not the teacher from Harry Potter, different McGonigal: when you strip away the genre differences and the technological complexities, all games share four defining traits: a goal, rules, a feedback system and voluntary participation.

So now you've got four of the main accepted definitions of games there to work with, and if anyone disagrees with them, they're not my definitions, these are ones which have been developed by philosophers (Bernard Suits was widely recognized as the first philosopher of ludology), so go and argue with their work. But what we're doing is trying to use these to let people learn about security, and one of the first things is all of those definitions said there was some sort of goal. Now if you do any game design courses, any learning about games, whether it's computer games or otherwise, you will generally have a set of goals. You might have a few extra ones, but these seven goals are seen as the main seven. So you can achieve your goal in the game, or you can win the game, by building something; you can win the game by gaining control of something; destroying something; negation is an interesting one, that's winning a game by preventing someone else from being able to do anything, so for example preventing someone else from being able to make a move in a game, in some games that means you've won; there's a race, where you're both trying to achieve a goal in a particular time; there's solving, so escape rooms, puzzles, riddles, they're all forms of games where you're trying to develop a solution; and there's spatial, Tetris is an example of a spatial game. And obviously these goals can be mixed and matched, and the reason I've highlighted six of them is because these six are the ones that are relevant if you want to do a scenario tabletop. You can potentially look at building out a system as part of it, you can look at gaining control as part of it, you can look at destroying a system, you can look at preventing someone from doing something, you can look at a race to achieve any of these or to achieve something else, and you've very much got the element of puzzles in.

And the way that we've done these scenarios is you've got multiple parties who may all have varying goals, so varying ways to win, for a given definition of win. Then you've got the rules of games, and this is a GNS model, so gamist, narrativist and simulationist. So the gamist model is very classical game: lots of points, lots of ways to achieve things, very clearly defined pathways. Narrativist model (this, by the way, refers more to role-playing games than board games, but there is crossover), narrativist, the important thing is the story in the whole thing and that you can engage people in it. And simulationist is accuracy to real life. So a gamist is about winning, a narrativist game is much more about exploration and discovery, and simulationist is about reenactment.

And then you've also obviously got the feedback system, and this is taken from the monomyth, the hero's journey. If, again, you are interested in literature it's worth reading up on the hero's journey; there's a complicated twelve-step pathway of it which boils down to: establish the story, a crisis occurs, and you arrive at a new equilibrium. And you can repeat that over and over through different turns of a game or a single episode of a game, all sorts of different ways you can use it, but fundamentally it comes down to something similar to the Deming cycle. The only difference is your plan and do tend to be merged together, because you're deliberately introducing a time constraint which doesn't allow you to plan too far ahead. And voluntary participation, so this is the bit I agree with, um, or disagree with: voluntary is a very interesting word. I'm a big fan of encouraging participation with the use of donuts, or with the use of promising an educational experience, or all sorts of other ways. So voluntary, you can take that bit out; I'd just say you want the participation. Voluntold is a good one, I like that. Donuts are probably the best way, unless you've got people who don't like sugar, but okay.

So, going with how do we actually play these games? So what's the goal when we are trying to do a scenario tabletop exercise? It might be a disaster recovery, it might be business continuity, it might be incident response, it might be a more classic war game if you're in physical security or certain other areas. So what's the actual goal, what is it we want to do? Well, we want to have a fail-safe; we want to be able to explore failure modes in a safe way so that we know how to avoid them in future, so that we've got that experience. Because theory is a wonderful thing; in theory we all know what to do, or most people probably know what to do, if they're driving a car and it starts getting out on ice: you have to relax, possibly pump the brakes depending on how your braking system goes, try to recover steering and get yourself pointed the right way. Lots of people know the theory of that; unless you've actually done it, even in a safe way on, say, a skid pan, it's not something you can apply immediately. So exploring things in a safe way, where failure does not have a massive negative consequence, gives us that opportunity to play around with ideas, find out what works, what doesn't, without getting hurt, and then when you're doing it for real hopefully you don't spin the car off the edge of a bridge.

And the next thing is, how do we want to build our rules? Now, we're probably not that concerned about the gamist part of it, because we really don't want to encourage people to be trying to win at all costs, because the moment you've got people trying to win a game they will find ways to do so. There was a lovely one recently about some students, quite a few students, who found out how to game the AI that's marking their assignments; a huge problem for the AI system. But the point is, if you start applying marks, if you start saying you did better, you won, you lost, then people will try to win, and we actually want to avoid that in these scenarios, because the aim shouldn't be to win and crush all opposition, it should be to explore different paths. So we can scrap the gamist concerns; what we really want is the narrativist and a degree of the simulationist. The problem with simulationist games is they tend to be very, very complex and rules-heavy. If you've done tabletop wargaming with miniatures you will have come across this, where there's huge numbers of rules to try and make it as realistic as possible. Great if you want to run a simulation, but far too clunky for the sort of thing we want, where we want to instead just get people immersed and get people to react realistically to different scenarios. So simulationist doesn't work well for that, so the big thing we want to go for is narrativist.

And then what's our feedback system? Well, we saw the monomyth, and this is where we get into the specifics of what we've been doing with Secure by Scenario. The feedback system we're using there is that you have teams; each team has a turn; turns are taken simultaneously; and then there's a break where everything everyone's done is synced back by a person who is Control, who just tells a story about where we are now, taking each team's input into account, and saying this has happened, right, go off, do your next moves. So it's very narrative, it's very open to interpretation.

And it gives a great way to explore that type of thing, but you do need to have some sort of feedback. Ideally, at the end of it you then go back again and look over the whole session and go: okay, where did it go wrong, what was interesting, what can we learn from it, do we want to run it again and try it slightly differently? Any questions on the whole philosophy piece before we crack on to building the scenarios and how we actually construct them for that type of play? Because I'm going to grab a sip of water as my throat's getting dry.

Okay, so building the scenario. We have got different approaches available. You may have done some of these if you've done incident response exercises in the past; there's the parties who run them, they're occasionally run by different groups for various reasons. A lot of the ones out there are what I might call a reenactment, so they're very simulationist, but the drawback of that is, because they're so complex at each stage and so fully fleshed out, you're essentially running through a script. You might have two or three choices you can take, but everything's pre-prepared; all of the injects that you're going to be dealing with are just ready to hand out depending on what players do. It's not a bad thing, it's definitely useful. It's also really good if you want to rerun a genuine one, so if you want to step through and say, okay, how did this materialize in this company, what steps did they go through, how would we deal with it? But it is a reenactment. It can be immersive, it can be all sorts of things, but it does take away choice.

Then you've got more of a simulation, where you've got more choice, partly scripted out. So you'll have key events that will happen, and generally you'll have the response team, or a blue team, who are the only players in it, and they are essentially playing against a system where things are just happening. So if they don't act, something will happen; if they do act, it won't happen. Again, limited choice; more open, more immersive, but strictly certain pathways available, because they're the ones that are prepared for. Now there are advantages to these two. So the reenactment and the simulation options are much, much easier to run, because you've got all of the materials prepared, you've got the scenario prepared, mapped out; anyone can really just pick up the script and run through it with a group, which is fantastic. I'm not knocking that approach at all; it's really useful if you can't do the last one, which is the lazy approach, and I'm a huge fan of lazy approaches.

So the lazy approach is that there is absolutely no script at all. So you're not saying, okay, well, we're planning out what the attackers will do; you're instead saying, this is the scenario at the start, we're then going to drop some people into the attack team, into the defense team, into various other teams, and say go nuts, have fun, play around, see what you discover. The problem with that is you then need to have certain things in place, and we will get to those, but one of the biggest things is all of that script that you would be using for the simulation or the reenactment has to be inside someone's head. So you've got to have a central person, and I do mean a person (you could potentially do it as a group), but they are the ones who define how the world reacts to what the different groups of players are doing. So there's a lot of work on that person, and I can vouch for it being quite a stressful role, and doing it for two hours is exhausting, so I highly recommend not doing more than three, maybe four turns of one of these exercises without a break, unless you've got some support for that person. But it does give almost complete freedom to everyone involved. So it gives you that chance to fail completely safely; it gives you the chance to, depending on how much your Control person knows, explore all sorts of paths, all sorts of different options

in complete safety, not just for one particular team as with, say, the simulation or reenactment, but for every group within that scenario.

And how do we build one of these scenarios? Well, first of all we plant a seed. Now yes, it's a bit of a naff image, a bit of a simple idea, but planting a seed in this case refers to just coming up with one sentence, and we'll go into the workshop soon so you'll have a chance to try this out for yourselves. But you come up with one sentence. An example of one that we've used was a SQL injection against a telco; we had that, that was the start of the scenario that was then much more fleshed out. Another one we've had was a ransomware attack, one sentence. Equally you could say an insider threat. The whole point is to just give it that first starting thing, that single line that lets you build off it.

The next step, once you've got that seed, is to design the main character. So the main character is usually going to be not a person but an organization. So your main character should be the organization you're simulating, playing around with, rather than anything else. There will be other characters, but this is the one you want to put the most effort into, and it's still not necessarily a huge amount of effort that you have to put into it, but it is worth doing, and any little extra bits you do will pay dividends later. So how many employees do they have? What sort of industry are they in? How long have they been around? Are there any major events coming up? Are there any major events that have happened recently? Are there any things going on that the people playing will need to know about? Basically, what's the state of the company? And that should be maybe a paragraph at absolute most. But other things you can do at this point, and that I would recommend, are things like just quickly designing a logo on a free logo designer somewhere, you know, get an idea of the corporate image, because that will help guide your thinking and, more importantly, that will guide the thinking of the people playing through the scenario, and that's really what you want to do.

So then design the stakeholders, and these are the smaller teams. So your main character is the organization; stakeholders will be the management team within that organization, the technical team; they might be an external activist group, or they might be an external cyber criminal gang, or they might be a single sole actor externally; they might be media, either generally media or a particular media company, because again, if you've done a little bit of work you can give them some personality, and you'll get very different reactions if you come up with a media company like the BBC versus a media company like the fictional one that we've used, which was Meme Feed. So you've got a much different query profile coming from them to the company during the exercises. So again, a little bit of work designing the flavor of them goes a long way. Equally, every time we have a red team in these scenarios we just give them a name, and the first one was The Devil's Hand; that's now morphed into The Devil's Ham for a different scenario, where they're much less ominous, much more, frankly, kids messing around and coming across a data breach and deciding to cause some chaos. So it guides the personality, and it's all about giving people some sort of thing to latch on to with their team.

And the point of designing these stakeholders, you don't need a huge amount, but it's so that when you assign people to the teams they know where they're starting, they know what they want to do. Because if you walk into an incident scenario and you say, okay, you're management, you know, you're the blue team, go off and defend, well, it doesn't actually give them any direction at all, whereas in any sort of real scenario you are going to have some sort of corporate or group culture that affects the way that you do things. So if you've got Meme Feed, they might go out and try to interview low-level employees first; if you've got the BBC,

they'll go straight to their public relations contact at the company. Just a media example there. If you've got an organized cyber criminal organization who are targeting a company, they will be doing a very different thing to something more like an Anonymous collective who've taken issue with some sort of political statement that the company has made. So give them some personality; it doesn't need to be much, a sentence or two is all you need to get an idea.

Then, for each of your stakeholders, just pick the incentives. Now this is another thing to help steer them, and the incentives can be very broad, they can be very non-specific. Examples are Meme Feed: they wanted the clicks on their news stories, that was it, their one and only priority was the clicks on news stories. On the other hand, The Devil's Ham, who were teenagers, skiddies sitting at home, they really just wanted to cause chaos, and they succeeded in doing that with very different approaches in the same scenario when we ran it a few different times. So one time they were much more professional because the personalities of the people running it fed in; I then changed the brief very slightly, not in actual informational content but in terms of flavor, so I did that just by throwing some leetspeak into their brief, which completely changed the way that group behaved. Now it might have been also the personalities involved, but there was definitely something about latching onto it.

So selecting the incentives: cause chaos. Management, well, your bonus might be riding on keeping some uptime, or making sure that, you know, the CEO doesn't get fired; it might be all sorts of things. Technical, it's probably going to be around uptime, it's going to be around SLAs and service numbers in some way. And it can be really interesting there, because if you've given them that as an explicit goal (and it's usually written into a contract, so it is quite explicit) then it makes decisions about "shall we take down the system" a lot harder, because even though the consequences are not real, they don't really exist, people get attached to the team that they're part of. So they've got an emotional investment in achieving that goal; they want the bonus at the end of the year. It doesn't matter that it's not real, but they want to achieve that. You just tell them in one sentence, you want to achieve this, and people believe it and run to it. And so saying, well, we want to take down the system because we're concerned, it just gives some weight to that decision, rather than being able to take the easy option and say, well, we're just going to concrete all of the computers 60 feet down so that no one can break into them, because that doesn't allow the team to achieve their goal.

Then constraints. So you've got your incentives and you want your constraints; again, they can be quite broad, they can be quite open, or they can be very specific. So constraints for Meme Feed might be: you don't really have any high-profile media contacts, you just don't have that sort of influence. A constraint for The Devil's Ham: well, you are script kiddies, you don't have the knowledge to do things, to really exploit the way that you're doing this. And during the last scenario the script kiddies ended up taking an offer for someone buying the data off them which was massively under market value. Now yes, they were inexperienced, but it's interesting to see how that plays out; if they had been given the constraint that, yep, or not given the constraint that you're inexperienced, then the person moderating that team might have given them a bit more information about marketplaces on the darknet and the sort of value you can get for data, instead of them just taking the first offer they got. Constraints might be technology, they might be about what you can use, they could be almost anything, but constraints are as important as incentives, because incentives tell you what you're trying to do, the constraints tell you how you can do it. And again, you don't need more than a sentence or two; a lot of it can be down to interpretation. So if I say: you are The Devil's Ham, you are a red team, you are the bad guys in this, you are a bunch of kids who are sat at home, prevented from going to school, not allowed out, you just want to sow a little chaos, have a little fun, make a mess, maybe make a name for yourselves in some way, but you're, you know, 12 to 16 years old, you have some awareness of computers, you know how to download scripts off GitHub, you've got some idea of how to use Metasploit because you can read the tutorials, but you're not criminals, you're not cyber criminals, you're not well established in that sort of world, you're more pranksters. That's just a few sentences, and hopefully gives you a really, really clear idea of what that team wants to do, how they can go about doing it, and that will tell you what they can do at each stage. Now, how you interpret that will be down to the players on the team, and this is why we bring moderators in, or assistants in, for the teams, because then they can help make sure everyone stays vaguely on track. But that interpretation doesn't matter; you're allowed to interpret the brief in different ways.

Then the next step is growing the seed out. So to grow the seed you just take all of the information and flesh it out; it really is that simple. You've got your initial seed, you've got your main character, the organization in most cases.

You have your stakeholders, all of the different bits and pieces. So here you want to flesh out the scenario into maybe a full paragraph about the situation, and then that paragraph should be something that can be shared with everyone involved, so every team should know that information. You'll then want to flesh out a bit for each team so that they've got some extra information, their own view on things. Examples are, the first time we ran this, when it was much cruder, much less developed than it is now, we still had the idea of asymmetric information. The management team knew about a particular attack that was going on because it was very visible; they were getting complaints from customers about it. The technical team didn't know about that because they weren't getting complaints from customers; the complaints were all going to account owner or account management people, and they were all very broad, they weren't raising tickets, they were just saying we've got something odd going on. The technical team were much more interested in the attack that they could see, which was a full denial of service attack. So just that very slight difference in information meant that the first turn really highlighted how important communication was between the management and technical teams involved, and it really did hurt the scenario; the consequences were quite nasty initially, because they were focusing on different things and simply didn't communicate effectively. So it can highlight that type of thing, and that's one of the main reasons you want to have asymmetric information across the different teams, because if they've all got perfect information you won't pull out processes, you won't pull out channels of communication or channels of approvals which simply don't work in reality.

Right, so next we do have the worksheet. So hopefully everyone looking, if you go to that, it should, and this is a test, it should take you to a Microsoft Form where you've got some stuff to work with. So if you jump over to that, it is just a case of six questions on there. I'll give everyone a minute or two to, just, let's do three minutes, to fill in the scenario seed, and then we can start talking through. Again, throw things in chat, throw things on the Q&A, throw up questions any way you want to, and I will respond as best I can. If you've got any particular questions about something to fill in, or want ideas or any guidance, go for it, but do that in about two minutes.

So yeah, the first thing is that scenario seed; it's just the one sentence: where am I starting? And what we'll be doing once you've got some sort of scenario planned out is we'll go through how you might use that. So hopefully, once we've been through the worksheet together, we can then pick one of the scenarios, or pick one or more of them, and use them as an example of how that might be run and what might happen at each stage. So we'll do a generic one first. And so yeah, once you've got your seed you go on, and the main character, again, a sentence is absolutely fine here: just the type of organization you're thinking of, maybe a bit about the size of it. Don't bother about designing the logo at this point; this is very high-level, very brief stuff to give you an idea. And I'm actually planning after this to take any scenarios that you come up with, or take a few of them at least, because there might be quite a few there, and put them into an actual pack, essentially, where there will be some supplementary materials, fake tweets and so on (and we'll get to that later) that someone could then use to take your scenario idea and run this type of exercise with it.

So for those in the room, in the Zoom room, if you could just click the raise hand button. Right, we've got one of them already, and I see it's a cat fan. If you click the raise hand button when you've done the main character. Stakeholders: a list is fine here; again, you don't need to go into too much detail. Example stakeholders we've had: obviously you've got red team, usually externals, not an authorized red team but essentially the attackers; you've got blue team, internal defensive, might be technical; management. Those are usually the core three. Other ones that you then throw in might be media, might be a regulator if you're talking about a data protection type scenario or financial conduct or anything else, could be a competitor, a competitive company if you want to play this out with a marketing campaign even and look at ways that that could be subverted, could be activists of some kind, all sorts of other things. So stakeholders can be anyone you want to get involved, but those first three, blue team, red team, management, are really the core you want for every scenario. Everyone else can effectively be optional, so you can usually drop them in or out depending on the number of people you've got to work with. So if you've got enough people you just start adding on extra stakeholders and, frankly, making life much worse for the blue team, or much more interesting for the blue team and the management team. But you just build them out as you need so you can absorb greater numbers. And then stakeholder incentives: what does that team actually want, what are they after? Constraints: what limits them, what methods, what tactics, what techniques, what tools do they have available, and what do they not have available? And flesh it out: just free text, filling out anything you can think of about the scenario.

Okay, so I'm going to pause blathering at you for a bit, so if we resume at two o'clock when you all have had chance to fill it in. And do throw any questions you've got at me in the meantime, and I'm happy to deal with them, but I'm just going to take pause from speaking so that I can catch my breath and possibly fetch one of the cats that's trying to eat a wire.

So someone mentioned on one of the scenarios we've had, "cat ate my homework". We're not sure whether it's this cat or this one; it's probably this one, she's the one who eats really odd things.

And there we go: threat model, cat stood on keyboard.

Good.

Just done the "flesh it out" about a cat. I do actually have a couple of headsets that have been chewed through, so yes.

I will say they're great for video conferences. If you need a minute on any sort of work call to just collect your thoughts, you just throw a kitten at the camera and people get distracted for a few minutes while you think things through. Wait, children: savage your ankles, chew through headsets, or can be thrown at cameras for distraction, which one? It's important to know that. Okay, all of the above. Right, yeah, I would use that; the only problem is they come with additional baggage compared to pets, and apparently you can't just put them in travel cages and things, people object to that. I do have a travel cage that would fit a child, but I'm told that I'm not allowed to.

I don't know why people just object to it. I've tried it with my niece and nephew, and their parents were very upset, something about never babysitting again, or they seemed to think that was some sort of punishment, which probably means they didn't quite get it.

Okay, I think we've got a few scenarios to work with now, and do carry on and fill one in if you want to, I highly recommend it, and like I said I will look at fleshing them out and turning them into an actual pack and putting it on the Secure by Scenario GitHub, which needs quite a lot of work but does exist. But next, what you do once you've got one of these scenarios. So we've been through how you want to build them, which is all well and good, and if you frankly play role-playing games, tabletop ones, LARP, anything similar, you're probably going to know most of what I'm about to tell you, but if you don't then hopefully this will be useful. So how do you actually run a session once you've built out your scenario, and how do you get people engaged, how do you get the right people in, etc. etc.

First thing is: control is key. So this was what I said about having one person who has to keep the whole scenario in their head, deal with all of the responses, deal with all of the thoughts about what's going on and sync everything up. They are your linchpin, they are vitally important. If you don't have someone doing that, the wheels will fly off. Even if you've got great moderators for each team, if you don't have someone sitting in the middle, hopefully not responsible for any particular team, then the wheels will fly off and you may as well just run different scenarios for each team. The whole point is having that person who knows enough to tie it all together, and that is the drawback of this method: that you do need someone who can understand enough about the different ways that the scenario could go that they can respond to questions, they can jump in, interpret and deal with things, and essentially they are being the computer, they're being the simulation of the world. So there's another part to it, which is then you have to, and this is also really important so you don't overload that person, limit the ban... yeah, exactly, like the GM. The reason I say "control" is apparently "gamesmaster" has negative connotations for people running these things and doesn't sound quite right, but yes, kind of like the GM, they're doing the same thing, you're just not using the same sort of rules as you would for a tabletop one.

The next thing is to limit the bandwidth between teams. So between the different parties involved you want to have very constrained communication, and the reason for that is if they can talk freely to each other, your GM, your control, needs to be involved in every line of communication that's going on in some way, shape or form, otherwise they can't respond appropriately. So the way that we're doing this with the scenario so far, and I am going to be trying something new for the next one, but the way we've been doing it so far is to say that there's a single channel in Slack, and each team has a moderator, controller, or a sub-controller or sub-GM, assistant GM, whatever you want to call it, who doesn't really take too much part but can handle smaller decisions. So they can respond to, say, just questions about technology and so on that don't really matter to the wider world, but if the players in that team want to go down a technology rabbit hole, absolutely fine, they can do that, that is a choice they can make and their assistant GM can just run with that and let them do it. It's only the actions and the communications to the outside world that that GM should filter through to central control in, as we said, the text channel. And as I said, the text channel is great because it does limit what they can do: if you can't write it, you can't do it. At this point you might have control hopping between different breakout rooms or wandering between offices, depending how you're doing it, and able to do more detailed interaction. You do almost certainly want to do that, because it gives you the option to then respond more accurately to people and to give them better information, and most importantly it takes some of the load off the assistants, because a lot of the time they will be new to it. They'll be perfectly capable, but they might just need that support of someone coming in and saying yeah, you're doing fine, yes, you're allowed to answer that question, you're allowed to improvise, you're allowed to work with them; it's only for big decisions that it needs to go through your central control. So yeah, limit the bandwidth.

And limit the time they've got. We normally say about 20 minutes per round, and that's because 20 minutes is enough time to make a few decisions, take a few actions, but not over-analyze what you're doing. It gives an artificial sense of time pressure, and when people are stressed, when people feel like they've got a deadline, they get more immersed, they react more emotionally and therefore they're reacting more realistically. If you said "oh, you've got as much time as you want", you'll find people take more of a step back and will respond in a more idealistic manner, and that's not what you're trying to do with these exercises. So you want to limit the bandwidth, limit the time that they have to decide things.

And next is delegation. So as the control, as the GM, you absolutely want to delegate as much as you can to a moderator for the different teams. Now it helps if the moderators have some experience, but it's not essential, and you can brief them in about 10-15 minutes, and I know a couple of you in the audience can vouch for that, having been through one of those briefs and then seeing how it plays out. So you do need some sort of briefing, but you can then delegate a lot to them. It's something where practice is incredibly valuable, so if you can have the same moderators from scenario to scenario that's absolutely perfect, even if they're working on different teams each time; it's just getting that idea of how you handle the communication, what level of stuff you can do without talking to control and where you need to talk to them, what sort of independent decisions you can take and so on.

And then you've got the session format. So this is an iterative process. You have the briefing, where everyone gets synced up on where you are in the scenario, so initially that's the initial briefing, and then break everyone out into different rooms or different teams, however you want to handle it, and give them their own individual slight brief if they've got a particular one, and then you rely on the back channel for updates, and during that time the person acting as control will be updating for the next synchronized briefing. Now there is a variant of this which I still want to try, and I think will be really interesting, which has been suggested, which is to allow time travel. So if you wanted to run a longer scenario without giving too many options, you can allow people to essentially jump back in time. You can say okay, you made this decision, that means that you as the blue team can't really take any other actions to change this, you've committed, so we'll talk about how that plays out and then we'll just rewind to before you made that decision and you can make a different one, you can see how it changes. So an example in the first one was the blue team decided to revoke all root certificates, so they no longer had access to the system. The attackers had done some stuff, they had limited access to other systems, but essentially took that blue team out of the game. It wasn't a bad decision, I don't want to pretend it was; it was a very drastic one to take, it was sensible at the time, it was understandable at the time, it wasn't a loss, but it meant that they could no longer really take part, and at that point you can say well, you've done this, this is how it would play out. Yeah, exactly, it's an example of failing safely. So you've failed, fine, that's not a problem, let's take a step back and let you try again. Maybe we'll mix the teams up this time, maybe we'll shuffle things around, maybe we'll just go back that one turn rather than all the way back to the beginning and you do it with the same teams but a different choice, and everyone's had a chance to learn. But allowing time travel is an interesting way to give you the option of branching out, and instead of having to re-run the same scenario 20 times to have 20 different consequences, run it maybe three, four times but each time have the iterative process where you can just take a step back, start over from there.

Right, next thing, and towards the end of the workshop, or when I say towards the end, after this it goes into more of a Q&A and discussion: creating impact. So this is about how to get people immersed and involved, because that really is what you want. There's various reasons: when people are stressed, when people are emotionally involved, they will learn the lessons much better and they will make mistakes that they would make in a real situation much more often, and you really want that, because if they make the mistakes then they're not going to make them so often outside it. If you think about almost any form of training, but martial arts in particular, now a good martial art, and I've missed the Bartitsu session, but a good martial arts training class will put you in safe scenarios which will get adrenaline pumping, which will give you that rush of fear, excitement, whatever you want to call it, where you will react in ways that are more realistic. You're more likely to flinch, for example, so they'll put you in that sort of situation. In one way you are completely safe, and if you had the time to pause and think it through you would be perfectly aware that yes, I'm safe, nothing's actually going to hurt me, but in the moment you forget that. So the more you can immerse people, the more you can draw people in, the more likely you are to get that sort of drive through them, to let them make those mistakes safely so that they don't make them unsafely.

And getting people involved can be really, really easy and minimum effort, and this is what I'm talking about with the scenario packs. So create fake headlines, there's tools out there to do that, create fake tweets, you can do a lot of these on the fly, include logos, include pictures of different people from the fictional company. You know, you have a picture of the CEO and someone makes a decision and you decide well, this means the CEO's going to come in. Great, just send them a picture of the CEO with an email attachment, or with an email attached rather. Anything you can do to just add a little bit of life to the scenario you're doing, and you really don't need to go overboard with this; a few small things will make much more of a difference than trying to do a full newspaper story. So I have seen ones, not of this sort but more game-like, where they've got live media broadcast throughout the game, throughout the scenario, giving updates on headlines. That's great, it requires a huge amount of resources, it requires a lot of planning, a lot of forethought, it usually needs something like a studio set up, and frankly having a breaking news headline that just pops up during the sync is plenty. People can fill in the gaps very easily, so where you go quite light on the detail, say you've got just a tweet up there from the attackers, where you've gone light people will fill in the story for you. If you try to make it more simulationist, if you try to make it more of a full "here is what's going on", people are more likely to spot errors and inconsistencies and will be drawn out by those. So sketch out the details, don't try and paint a full picture.

For creating injects, these are just a few resources. The term for something like a tweet or document or whatever you're throwing in is an "inject", because it gets injected into the scenario; use whatever terminology you want, that's just the one I'm going with. Breaking news headlines, that's the one I used earlier. You can do newspaper clippings. You can do safe profile pictures, so this is an interesting one: that site thispersondoesnotexist.com is usually quite good for... speaking of cats tangling headphones... usually quite good for generating... yeah, I know, I'm trying to train her so that I can do the full Dr Blofeld, she's got the fur and everything, it's brilliant, but she's still a kitten, she struggles too much to do that properly. I've even got a nice chair that I'll be able to sit in and lean back and stroke the cat, but we'll get there. Where was I? Yes, so thispersondoesnotexist.com is absolutely brilliant for generating pictures of people that aren't real pictures of people. There is some fun you can have by, say, including people from your actual company, but if you just want to play it safe, or if you're not doing it for a company and are doing it more open, something like that is perfect. Social media mockups, there's loads of tools out there to do those, tweet generators; Twitter's a great one for this. We're currently working on something where we can use actual Twitter accounts rather than having fake tweets, but that's a way off. There are loads of tools like this out there; when you're doing it online, absolutely brilliant, it takes five seconds to quickly throw together a fake tweet and you can just pop it up in the next synced Zoom session to show everyone: okay, well now the attacker is saying that they've got your credit card numbers as well, which is a genuine one we've had.

Right, that's it for the slides from the workshop. So what I'm hoping is that there's been something here that's generated something for discussion, something for questions, thoughts, anything you want to ask or talk about, either in chat, in the Q&A, or if you'd like I can add you to the panel and you can then talk about it more freely and we can have a conversation, whatever works best. So hopefully someone will ask something, because I am relying on you to continue and pad this out a bit, otherwise it's going to be quite a short workshop and quite embarrassing. It's awful sitting here in silence, so yes, questions, discussion points, anything else, now's the time.
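The session format and the "time travel" rewind described in the talk above, as an added example: this Python model of control's round log is not code from the talk, from the speaker, or from the Secure by Scenario repository. It enforces the limited-bandwidth rule (only actions flagged as touching another team or the outside world reach control, and control must rule on them before the next synced briefing; internal decisions stay with the team's assistant GM) and implements the rewind so that the abandoned branch is kept and still surfaces at the debrief. The scenario name, team names, actions and rulings in `demo()` are constructed for illustration, loosely modelled on the root-certificate example from the talk; `ROUND_MINUTES` is the 20-minute round the talk suggests.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

ROUND_MINUTES = 20  # round length the talk suggests: enough to act, not enough to over-analyse


@dataclass
class Action:
    """One thing a team tried to do during a round."""
    team: str
    text: str
    external: bool                # touches another team or the outside world
    ruling: Optional[str] = None  # control's adjudication; required for external actions


@dataclass
class Round:
    number: int
    briefing: str                                      # what every team heard at the synced briefing
    injects: List[str] = field(default_factory=list)   # fake tweet, headline, CEO email, ...
    actions: List[Action] = field(default_factory=list)


class ScenarioRun:
    """Control's record of a run: the rounds in play plus timelines abandoned by a rewind."""

    def __init__(self, name: str, teams: Iterable[str]) -> None:
        self.name = name
        self.teams = frozenset(teams)
        self.rounds: List[Round] = []
        self.abandoned: List[List[Round]] = []

    def pending(self) -> List[Action]:
        """External actions in the current round that control has not yet ruled on."""
        if not self.rounds:
            return []
        return [a for a in self.rounds[-1].actions if a.external and a.ruling is None]

    def start_round(self, briefing: str, injects: Iterable[str] = ()) -> Round:
        """The synced briefing: cannot happen while control still owes a ruling."""
        if self.pending():
            raise RuntimeError("control has not ruled on every external action from the last round")
        rnd = Round(len(self.rounds) + 1, briefing, list(injects))
        self.rounds.append(rnd)
        return rnd

    def submit(self, team: str, text: str, external: bool) -> Action:
        """Assistant GM records an action; only external ones are routed to control."""
        if team not in self.teams:
            raise ValueError(f"unknown team {team!r}")
        if not self.rounds:
            raise RuntimeError("no round in progress")
        act = Action(team, text, external)
        self.rounds[-1].actions.append(act)
        return act

    def rule(self, action: Action, ruling: str) -> None:
        """Control adjudicates an external action; internal ones never reach control."""
        if not action.external:
            raise ValueError("internal actions are handled by the team's assistant GM, not control")
        action.ruling = ruling

    def rewind(self, to_round: int) -> List[Round]:
        """Time travel: drop rounds numbered >= to_round but keep them for the debrief."""
        if not 1 <= to_round <= len(self.rounds):
            raise ValueError("rewind target out of range")
        branch = self.rounds[to_round - 1:]
        self.rounds = self.rounds[:to_round - 1]
        self.abandoned.append(branch)
        return branch

    def minutes_played(self) -> int:
        """Wall-clock estimate: abandoned rounds still cost real time."""
        return ROUND_MINUTES * (len(self.rounds) + sum(len(b) for b in self.abandoned))

    def debrief(self) -> List[str]:
        """Every external action and its consequence, from the live timeline and each abandoned branch."""
        timelines = [("played", self.rounds)]
        timelines += [(f"abandoned branch {i + 1}", b) for i, b in enumerate(self.abandoned)]
        lines = []
        for label, rounds in timelines:
            for rnd in rounds:
                for a in rnd.actions:
                    if a.external:
                        lines.append(f"[{label}] round {rnd.number} {a.team}: {a.text} -> {a.ruling}")
        return lines


def demo() -> ScenarioRun:
    """Constructed walkthrough (not from the talk), loosely based on its root-certificate example."""
    run = ScenarioRun("signed-malware-on-build-server", ["red", "blue", "management"])
    opening = "Monitoring shows an unknown process signing binaries on the build server."
    run.start_round(opening)
    run.submit("blue", "pull the build server logs and review certificate issuance", external=False)
    drastic = run.submit("blue", "revoke all root certificates", external=True)
    tweet = run.submit("red", "tweet that we also have the company's customer card numbers", external=True)
    run.rule(drastic, "nothing in the estate trusts anything else; blue locked out alongside red")
    run.rule(tweet, "inject: fake tweet shown at the next sync")
    run.start_round("Every internal service is failing TLS. Press are asking about the tweet.",
                    injects=["@anon_crew: we have your customers' card numbers too"])
    statement = run.submit("management", "authorise a public holding statement", external=True)
    run.rule(statement, "statement goes out; blue still cannot act")
    # Failing safely: step back to before the revocation and let blue choose again.
    run.rewind(to_round=1)
    run.start_round(opening)
    narrow = run.submit("blue", "revoke only the build signing certificate and isolate the host", external=True)
    run.rule(narrow, "signed malware stops validating; blue keeps access to everything else")
    return run


if __name__ == "__main__":
    for line in demo().debrief():
        print(line)
```

The two checks worth keeping in any tooling you build around this are the ones in `start_round` and `rule`: control cannot brief the next round while an action that touches the outside world is unadjudicated, and an internal action cannot be routed to control at all, which is the "if you can't write it, you can't do it" constraint in code. Keeping the abandoned branch rather than deleting it is what makes the rewind a learning step rather than an undo.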

Okay, actually, having said that, we have got your scenarios up, so let's go through that, let me get them open. And generally in a company... so one of the biggest problems I find with incident response scenarios is that they're almost always a single team, they're almost always just one part of the company. So it's usually, say, people in the SOC or the incident response teams, and that is a disaster, because you're working with people who already theoretically know what they're doing, and already think... they think they know what they're doing, let's say. The best thing to do is invite everyone, absolutely everyone, and mix up which team they're playing in. So we've had a brilliant scenario recently where someone very new to cyber security joined in the blue team sector, or blue team team, and found it a fantastic learning experience, did really well. The moderator was able to essentially translate for them, so they knew the processes they wanted to follow, didn't necessarily know the terminology or the details of the technology. And so anyone, anywhere, just getting people involved. And I agree it is very hard to get management engagement in some organizations. You can grow this out more easily, particularly if you can say okay, we want to open it up, have some donuts, we'll just have a few junior people, maybe a manager or two from any area that's willing to get involved, but make it open, make it available, and then you can start getting that senior management involvement. And the only other thing is, of course, I'm not sure how valuable it is in most cases to have senior management very engaged and very involved in it, because most of the time they won't be the ones doing the immediate incident response; they'll be more at the strategic, possibly public relations area, which is one reason it's useful to have the media team.

There has been some fear about people getting it wrong. That has usually been allayed quite quickly, because since you're doing it in a game, and since you are making it very clear people might be in roles that they don't normally work in, it helps people relax. Essentially you're saying no one's necessarily got experience, no one has any set expectations, you explicitly do not set a win or lose condition, so there is no "oh well, you lose, you're awful". It is narrative, it is explorative, rather than "you can get it wrong and fail". It's not "you get it wrong and fail", it's "you get it wrong and learn something new", whether it's about your role or someone else's role; you are learning something, you might understand then why they might take certain decisions as well, so the understanding there is really useful.

Having senior management involved could add to limiting bandwidth. The management team is generally what we've said is senior management, but you could have managers in each team, or just mixed in. My concern would be that if you have senior management before you've got the anarchic structure established, then you'll get much more of a hierarchy, because the last thing you want is a senior manager to come in and just dictate to their team what they're doing, because that takes away the learning. You don't want anyone dictated to, you want that freedom to explore. So if senior management are in, it's worth them understanding that they are just part of a team, no one is senior to anyone else except for where the teams are, so where you have a technical team and a management team and you explicitly say well, the technical team needs to get authorization from the management team for things, then the constrained communication can make that really interesting. So there's a lot you can do, but you have to keep the teams themselves quite egalitarian in outlook.

Yes, yeah, DD's very right there. We have had problems with some of these events getting them early enough to get teams formed early, so most of them have been run... we've had enough people to run the teams, but it's been "okay, you're going to be in this team today, you're going to be red team", wherever, rather than being able to plan it out more beforehand, which has worked absolutely fine, but running it as a more corporate company event you might want to plan it out further in advance and have people aware of where they're going to be beforehand.

Right, so let's take some of your scenario seeds, which I have here, and just do a quick sketch through of some of them. I will say the "cat ate my homework" one, I mean I've got a whole threat modeling workshop on cats, but the "cat ate my homework" one, yes, you could use... there's no reason this just has to be for cyber security incidents, it's any incident response you can run through this type of thing. And so you could say okay, well, a cat has eaten something that's dangerous to it, also I've no longer got my homework, so there you've got stakeholders: you've got a vet, you have possibly education team who are expecting the homework, you have student who is expected to produce the homework, and you have parent who is looking at a 500 pound vet bill because of the homework. You might say well, we've got the cat too, and you're the cat team and you really don't want to go to the vet. And I know that sounds silly, but the point is it's a framework and you can tie in anything you want to it quite happily.

Another one that's come in with the C... business email compromise. So yeah, that's a nice clear one. Main character would be the payments clerk, maybe the finance team, something like that; you might say it's the company, and then the stakeholder would be the finance team, obviously affected customers, someone's not being paid if you're doing it down the invoice fraud route, or depending on what type of BEC it is maybe you've lost customers' money because of it, that does happen. The ICO, there might be some personal data breach, there might be some data transferred. Stakeholder incentives, well yeah, fairly clear: you've got financial loss, reputational loss, you've got damage to, loss of, trust, you've got compliance. For customers, if you had them as stakeholder, you might have "well, I've lost my money, I can't make any transactions, I'm really annoyed about that". You might have media involved, and obviously their incentive is "I want to get a really good headline". Yep. Stakeholder constraints, so "key stakeholders on holiday". I always love this one, and I think it's an exercise every organization should really do when they're doing any sort of incident response: remove at least one key stakeholder and see how quickly things fail, because you've almost certainly got at least one key dependency, and it's one person who happens to know how the business works, and if you take that person out of the process it's amazing how quickly things can fall out.

"Unexpected log on on Office 365 from an unusual country." Yeah, a suspicious log on, that could be the seed of your scenario, and then you play it out and flesh it out and say okay, so where did that log on actually come from and what happened? So maybe it was fraud, maybe it was actually the CEO's on holiday and logged on from... We have had, I have had situations where a suspicious log on has been because a senior executive was meant to be on holiday and decided to log in, and so it was flagged up, locked them out, a bit of panic around the whole thing as you'd expect. But yeah, the stakeholders: senior management team, technical team, obviously your Office 365 admins. Incentives, well, senior management team, they want a quiet life, they want to know that there hasn't been a leak, and SMT, well yeah. Constraints: do we have enough budget for the licenses, do we have enough budget for the IT team, are the IT team actually capable of fully investigating this, have we given them the required permissions, do the admins exist, do we want to upgrade to the Microsoft E5 license which gives us some extra protections, how do we want to respond? Yeah, so that hopefully gives you an idea of how you can take some very simple scenario ideas and flesh them out, and I will be taking these and doing something with them and putting the packs up, which will take probably a few weeks, but keep an eye on my Twitter if you want to see what happens with those scenario ideas and if you want to be involved in the next exercise that we do. Okay, any other questions?

In that case, I am going to stop the live stream. Okay, and stop recording.