Tabletop Exercises

Gamified Incident Response Training

Backdoors and Breaches is a card-based game made and distributed by Black Hills Information Security and Active Countermeasures. Together they have built a tool that can provide practical training in, and awareness of, incident response procedures to employees at every level of an organization. This matters because breaches and other information security incidents need to be identified and mitigated swiftly to avoid catastrophic damage to an organization, and all employees need to be a part of security to prevent them.

The game is led by an Incident Master (similar to a Dungeon Master in D&D), and the players work together to discover and piece together the incident that has taken place across Initial Compromise, Pivot, Persistence, and C2 & Exfiltration. The players have 10 moves to complete this using the procedure cards available. Each procedure card lists a procedure or tool with a short description and further information for additional research; all of them can be used in actual incident response procedures. Each incident card describes an attack technique that can be found in the real world, along with additional relevant information for further understanding. Play progresses by the roll of a D20 die, and other inserts such as a starting condition, consultants, and inject cards add an interesting twist of events to the scenario.

The Incident Master is responsible for making up the scenario based on the cards that are selected. That is just the surface; the real training comes from what follows. Each time there is a move, there should be discussion and collaboration on the appropriate procedure to use to discover the malicious technique that was used in the incident. This gives everyone a chance to get involved and learn together. After the technique is discovered, you can follow up with possible ways to prevent it, or with what to do when it is discovered. Who do you contact? How do you shut it down? What might it indicate? There are a number of ways to use this game as an opportunity to learn further.

I played this with student organizations like Girls Who Code, WiCyS, and ACM; IT security teams; and both undergrad and graduate students. There was never a dull moment and always a way to push forward as a team. The Incident Master is the key figure to unlock the most learning out of the game. The participants also play a key role by communicating their ideas and thought processes to share with the team and evaluate them together. This game teaches not only incident response, but also communication, teamwork, critical thinking, and general security concepts.

Use this online gameboard to play virtually and set up a custom game scenario focused on the audience you are training!
Online Game Board - Play Here

Please don't hesitate to reach out if you have questions, need ideas, or just want to get some interaction about the game!