Tabletop Incident Training
Incident response training does not have to be a boring waste of time. Tabletop exercises at PayNearMe became an annual event that the incident response team came to look forward to. There are three key aspects to making it successful:
Give the audience a mystery to solve.
Keep the prompt relevant to the company and current events.
Involve as much of the audience as possible.
Whodunnit?
By giving your audience something to solve, you make them invested in the training from start to finish. I’ve had great fun with insider threat training by getting coworkers to play the villain. Take for example this prompt given to two employees ahead of the training:
Infrastructure Engineer - You are working with your coworker Sally to exfiltrate critical data to sell it on the black market. She will write up a script for you to run on the production systems. You covertly open up a port on the servers for an external server to fetch the data.
Software Engineer - You are working with your coworker Bob to exfiltrate critical data. You write up a script to dump the data into a file. Bob will open up a port for your external server to fetch the data.
This will give those two team members something fun to do during the training while also throwing in a wildcard for the rest of the team. Bob and Sally will have a chance to throw people off the scent and I guarantee it will be a training they never forget.
For the rest of the team the initial prompt could be as simple as “the security scanners noticed a new open port on the servers that was not approved.” That simple sentence can lead people down a deep rabbit hole. It will be up to you as the facilitator to fill in the knowledge gaps. Think of this as if you are the Dungeon Master in a game of D&D. You know everything and the players are there to ask questions and follow wherever the evidence leads them.
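The "unapproved open port" prompt maps onto a check a real team would have in place before the exercise: compare what the scanner sees listening against an approved baseline and alert on the difference. The following is an added example written for this post, not code from the original article or from PayNearMe; the baseline structure, the scanner output format and every host and port value are assumptions constructed for the illustration.

```python
"""Baseline-vs-observed listening-port check for the tabletop prompt
"the security scanners noticed a new open port that was not approved".

Added example, not from the original post. The baseline format, the
scan-output format and all sample values below are constructed assumptions.
"""
from collections import defaultdict

# Constructed approved-port baseline: host -> set of (proto, port) allowed to listen.
APPROVED = {
    "web-01": {("tcp", 22), ("tcp", 443)},
    "db-01": {("tcp", 22), ("tcp", 5432)},
}

# Constructed scanner output, one observed listener per line:
# "<host> <proto>/<port> <state>". Lines beginning with '#' are comments.
SCAN_OUTPUT = """\
# constructed sample scan
web-01 tcp/22 open
web-01 tcp/443 open
web-01 tcp/8443 open
db-01 tcp/22 open
db-01 tcp/5432 open
db-01 tcp/9001 open
db-01 udp/123 closed
"""


def parse_scan(text):
    """Parse scanner lines into {host: {(proto, port), ...}} keeping open listeners only."""
    observed = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, endpoint, state = line.split()
        if state != "open":
            continue  # closed/filtered ports are not listeners
        proto, port = endpoint.split("/")
        observed[host].add((proto, int(port)))
    return dict(observed)


def find_unapproved(observed, approved):
    """Return {host: sorted [(proto, port), ...]} of open listeners absent from the baseline.

    A host missing from the baseline has no approved ports, so everything it
    exposes is reported; that is the safe default for an unknown machine.
    """
    findings = {}
    for host, listeners in observed.items():
        extra = listeners - approved.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def format_alerts(findings):
    """Render findings as one alert line per unapproved listener, sorted by host."""
    return [
        f"{host}: unapproved {proto}/{port} open"
        for host, items in sorted(findings.items())
        for proto, port in items
    ]


if __name__ == "__main__":
    for alert in format_alerts(find_unapproved(parse_scan(SCAN_OUTPUT), APPROVED)):
        print(alert)
```

Running the block as-is reports tcp/8443 on web-01 and tcp/9001 on db-01 and ignores the closed udp/123 entry. In the exercise, these two alerts are the facilitator's opening evidence; in production, the same diff is what should page the on-call responder, and the baseline is the artifact the team needs to keep current so that the alert stays meaningful.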
Keep It Relevant
If you use generic topics for your exercises, you will be doing a disservice to your team and will end up with a disengaged audience. If you are working in the online services space, why would you want to do an industrial control systems related prompt? There are plenty of generic topics that can still be relevant to any company, such as insider threats or ransomware. The key to those generic scenarios is to keep them relevant. For example, if you are in a financial company, make that insider threat someone trying to illicitly move money. If you’re in a legal firm, make that ransomware prompt about them blocking access to client documents relevant to a current case.
Relevant can also mean timely. This is a great way to bring home the impact of the headlines that everyone reads about some other company getting breached. It’s easy for non-security minded people to think “that could never happen to me.” You need to take every opportunity to open their eyes to the fact that it could be them. Take for example the multiple Okta breaches related to their customer support ticket system. Nearly every company has some form of customer support. Think about how that could be exploited by someone. Could they gain access to data or systems? The scenario doesn’t have to be 100% plausible; it just has to open their minds to the possibilities.
Audience Participation
Who is playing an active role in the exercise, and who is not, can both be important. I always make sure that at least some primary IRT members are in observer-only mode each year. This forces the alternates to step up and take charge. Watch for who has the loudest presence in each training. Make sure that they rotate through observer-only mode some years so that others have a greater chance of participating.
The other half of audience participation is in crafting a prompt that involves everyone. As someone coming from a technical background, it is really easy for me to craft a prompt that heavily involves engineering, but you’ll quickly find the non-technical folks checking out. An example could be malware hitting production servers. That could quickly spiral into a technical firefight, so ask leading questions of the other participants. “Hey legal, if this malware has access to customer PII, are there external parties who need to be notified?” “Hey customer support team, if this results in a disruption of service, do you have a plan ready to notify customers of the disruption?”