Not If, But When: How Playing a Game Can Help

Joel Cabrera
Published in Hunter Strategy
Aug 26, 2022

As companies continue to expand their virtual landscapes, they present more exploitation opportunities in the realms of people, process, and technology. We at Hunter Strategy understand that no environment is impenetrable, and no out-of-the-box plan covers all of the bases.

Performing Cyber Tabletop Simulations (CTS) helps to tighten that gap one step further by placing the right people at the table to discuss and review sections of their Security Incident Response Plan (SIRP) to determine what works, and more importantly what doesn’t work when they are tested.

The required state of mind

To truly have a successful CTS there are two major items to understand:

1. This is not a blame game or gripe fest. This is time to work as a team to find what can and cannot be done without shaming; you are a team, act like it.

2. Lessons learned are equally important, because they are what guides your triage efforts afterwards.

How do I get started doing something like this?

First, you need to know who the stakeholders are. Of course, you have the IT teams there, but it cannot just be them. Your CSO, CTO, CFO, sometimes even the CEO — get as many decision makers as possible. That includes the front desk receptionist if your scenario has physical elements to it.

Second, you need a scenario. One possible example is that HR received a credential-harvesting phishing email and gave up their credentials. Another is that a company device was lost or stolen and was reported late to IT. One more is that the company website had a public-facing login page that was brute-forced into.

Third, there must be someone to run it. Think “Dungeon Master” for this role. This can be your CISO, someone in Governance, Risk, and Compliance (GRC), or anyone who is accountable for the application of your company’s Incident Response Plan. These working sessions should either be an all-day event or be split between two back-to-back days. This helps keep everyone in the same head space and engaged.

The Game

You now have stakeholders, your scenario, your Dungeon Master, and the times picked out when everyone will meet up and “play.” Next, you step through your scenario line-by-line with the understanding that security is all about layers; a single control does not work 100% of the time.

The following are two brief examples of a scenario playing out in discussion:

This is generally the idea. The scenario step is defined, the stakeholders identify what they believe are the answers, further questions are asked, notes are taken, and you move to the next one. No bickering, no blaming, just understanding.

To be successful, the team must be creative, and even have fun. Bringing items to the tabletop to make it interesting and random can make the experience more enjoyable and productive.

One example is rolling a 20-sided die against a sheet of predefined topics to pre-seed discussion. Example topic: the team lead called in with Covid and can’t help with any actions needed. Addressing this topic helps validate documentation and knowledge transfer.

Another example is to use a deck of cards where one color means a control succeeded and the other means it failed. This helps uncover redundancies, or other avenues of success that some may not have known existed.
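As an added illustration of the two mechanics above (not code from the original post or from Hunter Strategy), the following Python script drives a scenario step by step: each step carries the layered controls the team expects to catch it, a d20 roll against an inject table pre-seeds a discussion topic, and a shuffled deck decides whether each layer holds (red) or fails (black). The scenario, the inject table, and the control names are all constructed sample data; the seed makes a session replayable so the same “game” can be re-run after the plan is updated.

```python
import random
from dataclasses import dataclass


@dataclass
class Step:
    """One line of the scenario and the controls expected to catch it, in firing order."""
    description: str
    controls: list


# Constructed sample scenario (hypothetical): a credential-harvesting phish.
SCENARIO = [
    Step("HR user receives a credential-harvesting email",
         ["mail gateway filtering", "user reports the phish"]),
    Step("User enters credentials on the spoofed login page",
         ["URL reputation block", "password manager refuses to autofill"]),
    Step("Attacker signs in with the harvested credentials",
         ["MFA prompt", "impossible-travel alert", "SOC triage"]),
]

# Constructed d20 inject table; rolls not listed mean "no inject this step".
INJECT_TABLE = {
    1: "Team lead called in sick and cannot help with any actions needed.",
    5: "The ticketing system is down; track actions another way.",
    13: "Legal asks whether any customer data is in scope.",
    20: "A journalist emails the front desk asking about an incident.",
}


def build_deck(size=52):
    """Red cards mean the control held, black cards mean it failed."""
    return ["red"] * (size // 2) + ["black"] * (size - size // 2)


def run_exercise(steps, seed):
    """Walk the scenario once and return one record per step."""
    rng = random.Random(seed)            # seeded so a session can be replayed
    deck = build_deck()
    rng.shuffle(deck)
    log = []
    for step in steps:
        roll = rng.randint(1, 20)
        record = {"step": step.description, "roll": roll,
                  "inject": INJECT_TABLE.get(roll),
                  "failed": [], "held_by": None}
        for control in step.controls:
            if not deck:                 # reshuffle when the deck runs out
                deck = build_deck()
                rng.shuffle(deck)
            if deck.pop() == "red":
                record["held_by"] = control
                break                    # a layer held; later layers stay untested
            record["failed"].append(control)
        log.append(record)
    return log


def findings(log):
    """Steps where every layer failed: the gaps to carry into lessons learned."""
    return [r["step"] for r in log if r["held_by"] is None]


def control_stats(log):
    """How often each control was actually exercised and how often it held,
    which shows which layers the team leans on and which were never tested."""
    stats = {}
    for r in log:
        for control in r["failed"]:
            stats.setdefault(control, [0, 0])[0] += 1
        if r["held_by"] is not None:
            entry = stats.setdefault(r["held_by"], [0, 0])
            entry[0] += 1
            entry[1] += 1
    return {c: {"tested": t, "held": h} for c, (t, h) in stats.items()}


if __name__ == "__main__":
    session = run_exercise(SCENARIO, seed=7)
    for r in session:
        print(f"[d20={r['roll']:>2}] {r['step']}")
        if r["inject"]:
            print(f"    inject: {r['inject']}")
        print(f"    failed: {r['failed']}  held by: {r['held_by']}")
    print("Gaps:", findings(session))
    print("Control stats:", control_stats(session))
```

Running it several times with different seeds, and recording the Dungeon Master’s notes against each step, gives the team a list of controls that were never exercised at all, which is exactly the redundancy (or lack of it) the card draw is meant to surface.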

Conclusion

Whether you are a small business or a large corporation, performing a Cyber Tabletop Simulation can provide the insight needed to grow and improve in the spaces that matter, while empowering the teams involved.

If you’d like to learn more about Cyber Tabletop Simulations (CTS), please contact us. We’d be happy to discuss further or answer any questions!
