WHO WOULD HAVE THOUGHT that someone would come up with an incident response card game? It’s an odd idea, but clearly organizations need more training when it comes to responding to a cybersecurity breach.
An April 2019 study from IBM Security and the Ponemon Institute found that 77% of respondents did not have a cybersecurity incident response plan applied consistently across the business. Of those who did have plans, more than half (54%) did not test their plans regularly. For SMBs in particular, almost half (48%) do not have a response plan for a cybersecurity incident, according to risk assessments conducted by ConnectWise in 2019.
Perhaps some gamification may help boost those numbers. Created by Black Hills Information Security and Active Countermeasures, Backdoors & Breaches costs just $10 and you can buy it on Amazon, at various Security BSides conferences, and several other venues. The full rules and description of the cards are available from the website. You’ll also need some 20-sided dice to go with it. That’s a hint that playing this game is going to be a bit like Dungeons & Dragons.
Spoiler alert: As a security training tool for your team, it’s pretty awesome.
How to Play
Backdoors & Breaches will test and train your team in how to respond to security incidents. In the style of Dungeons & Dragons, there is an Incident Master who comes up with the scenario and keeps the game moving. The other players (“”defenders””) live in the scenario that the Incident Master creates.
There are 52 unique cards in the deck, and six types: Initial Compromise, Pivot and Escalate, Persistence, C2 and Exfil, Procedures, and Injects. The Initial Compromise card represents how the team first finds out about the security incident. Example: “”The attackers use social engineering to trick a user into running malware.””
Each card contains a mini lesson under the headings of Detection and Tools. In the case of the social engineering Initial Compromise card, the detection methods are endpoint security and user awareness training. The tools used by the bad guys to create the incident are a phone, evil intentions, and trusting people. Each card contains links to YouTube videos to teach about the detection and tools items.
Since this is a learning game, this is where discussion should happen. The Incident Master should ask things like, “”If some evil person called up and convinced a trusting person at one of our clients to install malware, how would we find out? Is that sufficient? Should we be doing something more to prevent this type of incident?””
Injects cards provide twists in the game that modify the scenario. Example: “”The attackers not only convinced your trusting person to install a piece of malware, that malware has now turned into ransomware.””
The players can ask the Incident Master anything that they like, but when they decide to take an action the only tools they have to work with are contained in the Procedure cards that they’ve drawn. Whether those actions are successful or not is determined by a throw of the 20-sided die. There are a fixed number of moves that the team can make before either uncovering and shutting down the source of the infection or failing.
What You Will Learn
The level of fun and seriousness in the game play will largely be driven by the Incident Master. Either way, you will find that playing this game with your technical staff will expose the strengths and weaknesses of your team. These include:
- Who emerges as a leader?
- Who asks the best technical questions?
- Who is concerned about business continuity?
- Who is strong at troubleshooting?
- Who gets lost and doesn’t understand the jargon?
- Who gets quiet and doesn’t get involved in the game play?
- Who is a team player and who isn’t?
What I learned about my team the first time we played was that there were some glaring gaps in technical knowledge in some staff. Also, the team was easily distracted by putting out fires and would lose sight of the goal of determining the source and scale of the malware infection.
As IT people, we are service-first people pleasers. We want everyone to get back to work as quickly as possible and it’s hard to say no to someone on the phone who wants you to get them back to work right away. But there’s no point in doing that if the bad guys are still in there manipulating people and destroying data. Keeping your eyes on the prize while working through the scenario with the limited tools you have available requires great skill. Backdoors & Breaches, with its built-in educational videos and tips, can help you bring your team closer together, get them more focused, and identify training gaps.
The possible scenarios here are endless. Just make sure that your Incident Manager is a highly technical person because the team is going to pepper him or her with questions about the incident and they need to be prepared to respond to every bizarre query and understand the tools that they are going to throw at the situation.
Black Hills Information Security has done a great service to the IT community by producing this card deck, which keeps selling out. For $10 and a handful of 20-sided dice, you may just be able to up your incident response game.
AMY BABINCHAK is owner of Harbor Computer Services, an MSP in Royal Oak, Mich.; owner of Third Tier, which provides advanced IT support services to vendors, consultants, and IT departments; and managing partner of Sell My MSP, a listing service for people wanting to sell or purchase a small IT firm.
Images courtesy of Black Hills Information Security
