Creating Fun Cybersecurity Tabletop Exercises

I have been a part of many boring cybersecurity tabletop exercises. The exercises are simple and lack a dynamic scenario an actual incident would produce. Unengaging tabletop exercises are a byproduct of compliance frameworks mandating them. So the tabletop exercises become just another check-box for annual audits. However, this does not have to be the case.

For this year’s tabletop exercises, I wanted to make them as engaging as possible. A tabletop exercise that engages the team will produce better feedback, security awareness, and improve cross-department communication. At the same time, I still need to check some boxes for compliance. So, I want to share what I put together to make fun, engaging, audit-compliant cybersecurity tabletop exercises.

Short on time? TLDR

What is a Cybersecurity Tabletop Exercise?

Cybersecurity tabletop exercises allow organizations to learn and recognize various risk scenarios and prepare for cyber attacks. It is a chance to assess how well your organization’s incident response plan performs and identify shortcomings. For that purpose, an exercise should consider several hypothetical situations that, if they came true, could have a significant adverse effect on your organization.

Participants in the exercise may include internal and external stakeholders, C-level executives, and a team from your internal security department. A knowledgeable facilitator or top management personnel oversees the entire exercise, analyzing an organization’s crisis management capabilities and ensuring that the reaction and recovery plans are effectively coordinated and disseminated.

Making Cybersecurity Tabletop Exercises Fun!

Backdoors and Breaches is an excellent tool for building fun tabletop exercises.

Backdoors and Breaches is a card game that crafts cyber-breach scenarios. A Team of Defenders, one or more players, will need to conduct an incident response to how the breach occurred. The Incident Master will build a narrative around attack cards he holds for the Defenders Team. The Incident Master is there to conduct the game, not defeat the Defenders Team.

The rules are pretty simple and explained in a simple-to-read PDF found here.

You will need to buy the game for only $10(I think it’s within budget).

Incident Master Tips and Guidance

The Incident Master’s role in the tabletop exercises is like being a Dungeon Master in D&D. You want to paint the scenario for the players and make it sound like something that could happen within the organization.

Scenario Building

Being able to come up with realistic and relatable incidents for your organization may take some practice. Take some time before the tabletop exercises to practice building scenarios. Draw a few cards and develop a scenario that fits the cards. Do this a few times until you have some stories built up in your head.

Building your scenario from the “initial compromise” and the “pivot and escalate” cards is recommended.

Make it Apply to Your Organization

The tabletop exercise is to prepare your team and identify shortcomings. To this end, we must align our exercise scenario with our organization’s threats and incident response capabilities.

The answers given by team members in the game should be specific to the company and its incident response capabilities. You may want to go a step further and remove procedure cards for software or tools you do not have within your organization. Maybe use this as a subtle way to hint to management for more budget.

Keep The Story Going

The goal is to keep the team engaged and working to uncover all the scenario cards. If the team is no longer talking and unsure what to do, add new parts to the incident story. Better yet, tell the team a quick story about a well-known breach related to a scenario card they have not uncovered yet. For example, for the “Credential Stuffing” card, I would tell the story of Dropbox being breached using the Linkedin password database breach. Darknet Diaries is a great source for interesting data breach stories!

Create Consequences for Failures

If a Defender rolls a low number, throw in some repercussions to the story for the failure. For example, say a 2 is rolled when attempting “Crisis Management”. Consequently, your customers are even more upset and file complaints with the Better Business Bureau(BBB). Now, who in the organization will be responding to the BBB complaint?

Incident Master Cheat Sheet

I put together an Incident Master cheat sheet. It is a collection of advice for Incident Masters given on the Black Hills Security Discord, YouTube, and website. A few house rules within the document improve some procedure cards for better gameplay. I did not create most of the content, but I put it all in one document to make it easier to find.

BackdoorAndBreachesIncidentMastersNotes Download

Compliance Paperwork

Let’s check those compliance audit boxes!

We must complete some paperwork to make our fun cybersecurity tabletop exercises count toward our annual audit. I have created a template for the Backdoors and Breaches game that can be filled out to document the exercise. This document should suffice for most auditors, but you must modify it to fit your organization and compliance framework. I have also included an example of a filled-out version of the document to reference.

Security_Incident_Response_Tabletop_Exercise_Example-v2 Download

Security_Incident_Response_Tabletop_Exercise_Generic-Template-v2 Download

Wrapping-Up: TLDR

Use the card game Backdoors and Breaches to build engaging tabletop exercises.
Treat the game like a Dungeons & Dragon session, build a story and be creative with the scenario.
Keep up to date on real-world breaches and how they occurred, then incorporate those stories into your game.
Fill out simple forms during the exercise to complete compliance framework requirements.