How to Gamify Your Incident Response Planning (And Make It Fun)

Published on 7th May 2020 Author: Samantha Rutledge

Zombies are attacking the perimeter.

They’ve made it past the outer defense wall and are trying to breach the inner wall. You’ve bolstered your gateway defenses, but the flood of zombies found a weakness. Their attack breaks through. What do you do?

Roll for initiative.

No, this isn’t one of those Dungeons and Dragons articles or some Walking Dead game.

I’m talking about how to inject some fun into your incident response planning with gamification.

A necessary evil

In theory, we all recognize the importance of practicing incident response. Practice makes perfect, am I right? But when a real security incident is happening, it’s probably not the ideal time to discover the effectiveness of an incident response plan.

Many cybersecurity frameworks — as well as cybersecurity industry certifications —recommend at least one incident response plan tabletop exercise per year.

In reality, however, we know how dreadfully boring that practice can be. Reading through a bunch of policies, procedures, and playbooks in a conference room for hours is hardly anybody’s idea of a good time.

It’s a necessary task we grin and bear.

It doesn’t have to be this way.

It’s time to D&D the IRP

While listening to a security podcast recently, I heard an intriguing idea about turning an incident response tabletop exercise into a tabletop game — which made perfect sense to me.

I mean, let’s be real, many of us in cybersecurity are self-aware enough to know we are a bunch of nerds. How many of us can say we haven’t geeked out on Dungeons and Dragons or other fantasy tabletop games at some point in our lives? (Definitely not me).

Incident response practice in the form of a “Knights of the Round Tabletop exercise” adds a randomness factor simulating real-life scenarios that don’t always play out according to plan. This strategy could be a great way to cut down on the monotony of those incident response exercises.

For anyone unfamiliar with the game Dungeons and Dragons, D&D is a tabletop role-playing game much like a choose-your-own-adventure book. It features players who make up fictional characters for their desired roles in the game, a main storyteller (the dungeon master) and an assortment of dice. The dungeon master is in charge of setting the stage and progressing the storyline of the game. The players choose their own actions within the story, but the success or failure of those actions is determined by the outcome of various dice rolls.

In a gamified incident response scenario, here’s what it might look like:

Incident Master (IM): An employee reports a phishing email. How do you respond?

Incident Responder(IR): Investigate the email.

IM: Are there procedures in place for handling reported phishing emails?

IR: No.

IM: Note lack of procedures. How do you investigate the email?

IR: Check to see if there are any links in the email.

IM: Please roll.

IM: Yes, there was a link in the email.

IR: Ok, then I put the link URL into VirusTotal to see if it is a known malicious link.

IM: Please roll.

IM: The link is reported as known malware.

IR: Did the employee click the link?

IM: Do employees take security training?

IR: Yes.

IM: Add modifier for employee security training. Roll for outcome.

IM: No, the employee did not click the link. What do you do next?

IR: Find out if any other employees received the same email.

IM: Please roll.

…and the scenario continues.

Knights of The Round Tabletop for your company

For the seasoned D&D player, it probably isn’t a big stretch to formulate a D&D style game around an incident response tabletop exercise.

For those who haven’t played or are mere novices in the dungeons and dragons realm like myself, here are two resources I found to help with the process.

The first, “Cubicles and Compromises,” has a one-page, reasonably simple set of rules and gameplay. It makes use of a single d20 (20-sided die) as opposed to the traditional set of seven dice used in D&D. In this game format, it’s up to the dungeon master to come up with the storyline or incidents. This is a simple version of a tabletop game, making it easy for everyone to follow. As such, not every participant requires experience playing a tabletop game, but the facilitator should have solid D&D skills for this to run smoothly.

The other resource I found is called “Oh Noes! An adventure through cyberz and $#*!”

This game provides a free out-of-the-box downloadable starter kit. The kit comes with a guidebook, guide sheet, character sheets, and slide decks. Making use of character sheets means the rules become more like traditional D&D gameplay and a bit more complicated, so there is a bit of a higher learning curve. The guidebook provides detailed instructions for the facilitator along with the gameplay rules. The slide decks provide a structured walk-through to guide the flow of the exercise, as well as numerous pre-written incidents.

The pre-written incidents are a great resource, but probably not applicable out of the box for most organizations, so they’ll need to be customized to fit the organization’s environment. While it does help to have an “Incident Master” with D&D experience, it isn’t entirely necessary due to the amount of content and structure included.

Here at Fractional CISO, the team will be rolling out our own Knights of the Round Tabletop exercise for our next client’s annual tabletop in the upcoming months. And for the first time ever, I can actually say I’m looking forward to participating in an incident response tabletop exercise!

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Samantha Rutledge, SSCP

Samantha is a Senior Cybersecurity Analyst - she helps clients with cybersecurity evaluations, risk management, and policy and compliance initiatives. Samantha has a background in incident response, digital forensics and cybersecurity investigations. She has worked at Hewlett Packard Enterprise’s Global Security department and Centene Corporation’s Cybersecurity Incident Response Team (CSIRT). Samantha is a Systems Security Certified Practitioner (SSCP). Samantha has a bachelor’s degree from Western Governor’s University in Cybersecurity and Information Assurance.