
But anyway, I really appreciate the BSides Knoxville team for reviewing and accepting my presentation. I've really wanted to give this talk for a little while. It is going to cover how to take your company cyber security, physical security, and operational exercises and make them more fun. So I'm trying to work on adapting tabletop gaming logic and gamification techniques to your would-be normal, boring tabletop exercise, where everybody gets around the conference room and just always goes down the magical happy path and everything works out and everybody always wins, which we know is not always the case. But let me get right into this.

There we go. So I work for a federal power company. I am on the Twitters; you can find me at tn ballsfan29. I am currently working on a book covering these concepts that I hope to publish around the end of October on Amazon. I have a lot of experience with exercise planning, development, and conducting them. I've been our agency lead planner for at least six different agency-level exercises, participated in the E-ISAC GridEx exercise, participated in Cyber Storm, which is a DHS exercise, and participated in some agency-level ones covering both the cyber components as well as your natural disaster and physical security types of attacks.

I've also been a member on the GridEx working group. I've been the co-cyber team lead, helping create the national-level cyber injects for all of the electric sector. So needless to say, I've been doing this for about 10 years in various capacities, and prior to that served in the US Army for five years. While there I conducted the field exercises where I learned a lot from members down in Fort Polk, Louisiana and out there at NTC on how to be the opposition force and how to conduct those types of exercises, so I have that background as well. But what we're going to look at is kind of the core elements of a game.

We've all played games since we were kids, whether it was board games, card games, video games, now games on your phone or tablet or computer or whatever. We all have a lot of experience playing games, but if you haven't really ever looked at kind of what makes a game fun or what a game really needs: Mark Rosewater, who was a member of Wizards of the Coast, wrote an article covering the 10 things, which I thought was a very good article. I'm a big Magic: The Gathering player and a Dungeons and Dragons player, so it was right up my alley. But the 10 things that he pulled out were: number one, you have to have a goal or goals. There has to be a reason that you want to play the game; there has to be a way to win. You have to understand what that is up front, otherwise you're just going through an endless world doing quests, doing missions, or doing an endless battle that doesn't really get you to anything. So if you're not driving to a purpose, then nobody really wants to play that game and they're not going to be excited about it.

The other core element that all games have are rules. Without rules the game isn't fun. There has to be a way to keep the players within the limits and the bounds of what's capable in that game, and the same applies to exercises, which we're going to talk about here in a minute. But even when you get into, you know, things like combat, there's rules of engagement. It's not really to make it fun, but to keep everybody within the limits and bounds of what's allowable by the law or what's allowable by your regulations. So we're always working in these environments now. Today we have to do our business following a certain set of rules, whether that's compliance-based, policy-based, government regulation, or law. So the way that we run the games is the same way.

Your players have to have a way to interact. There has to be some sort of either dice or cards or characters or some component that drives your players to be immersed into that game, to get some sort of build-up to that story. It's not just all revealed to them; otherwise you're kind of missing some of the fun of exploring and learning and diving into the different areas. The other most popular thing that you run into a lot is a catch-up feature. So in a lot of games, you know, if you have that player that just gets way ahead, then, you know, it's not much fun; oh, they're automatically going to win. But if you've ever played the game Chutes and Ladders, it just takes one faulty dice roll and they come crashing back, and then everybody else is back in the game. This is something that's often missed with exercises. So in exercises you'll constantly just hit the players over and over and over again with injects, and they just get beat down and there's no way for them to catch up, because the designers and developers of the exercise really didn't build that in. We'll talk about ways to do that here in a second. Inertia is really just kind of keeping the game pace going. A lot of your video games are set, we'll put like distance between where you have to go on the quest to get to the reward or to complete
the mission. It's something that has to push you, but it's not just automatically giving everything away. Games also include a lot of surprises. They cover a lot of strategy options, so it's ways for your players to think about how to beat it. Also fun: if you go through the game and it's no fun, especially even starting out of the gate, then nobody's gonna want to play. It's something that has to be focused on and incorporated throughout the whole life cycle of the game. Flavor: flavor is making your game and your exercise something different. It's something that attracts players to want to come and do it, and it has to be something that's exciting and gets their attention, which also feeds right into your hook. The hook is the marketing of the game. Why do we want to play Super Mario Bros.? Because we went over to Johnny or Janie's house, who had Super Mario Bros., and they were playing it because it came with the system, but it was a really cool game. We sat down, we watched it, and then we fell in love with Super Mario and then all of the other Super Marios and everything else Mario-related. We automatically kind of had that hook where, hey, Mario 1 was fun, let's try Mario 2.

We'll look at the elements of what's required for an exercise, but I'm going to go ahead and skip into how we combine these. These are the main core elements that the Department of Homeland Security's Homeland Security Exercise and Evaluation Program, HSEEP, is gonna point out as the key elements that are required for all exercises. You have to have a goal, it's the same as a game; you have to have objectives; you have to have a scenario; you have to have the Master Scenario Events List, the exercise evaluation criteria, and the remediation plan of action and milestones. So when we combine all of the things from a game and an exercise development, we end up with these 15 areas that, once they're put together, you should be able to structure your exercise in a way that's not only a learning opportunity for all your players but also a way to identify gaps in your policy, practices, and procedures, because that's what exercises are testing. They are not testing your players' knowledge; they are testing your documentation, your tools, your training, and the policies and work instructions and things that are available to all of the members of your company to go and actually conduct the business should any of these events actually happen. So if you're running an exercise and your players don't know something, then either it wasn't written down, they weren't taught it, or there's not some sort of practice of using that process on a frequent basis that they were familiar enough to go back and redo or carry out that incident response program, or carry out that incident action plan, or communicate information wherever it needs to be.

So when we set our goals for exercises, what we're really looking at is what do we want the players to learn. At the end of the day, what are my learning objectives for each group? Generally it's going to be activating and initiating all of your incident response action plans, process and procedures, communication, interaction with other organizations within your business, etc., etc. Your objectives, I'm going to talk a little bit more about them here in a minute on how to create SMART ones. I'll talk more about the scenario, the Master Scenario Events List. Then I'm going to talk about how to create kind of the key elements of it; that's your list of badness. So that is everything that has been planned as far as your injects to test your players. It's what your players are going to see, in your time-based order, for whatever time frame of an exercise that you're running, whether that's a couple hours, a day, multi-day, etc. (Good thing I don't put my video on; my cats are wanting to visit.) Anyway, again, rules: exercises have rules just like games, just like our day-to-day lives, that must be followed. They must be communicated to your players. Playing in an exercise isn't like normal business; you have to go into the fantasy world that you've created based on all of your given elements, and you have to bring your players in and let them know how to work within that world. They're not actually performing a lot of the functions unless you're doing a functional exercise, and even then those functions are performed in a very controlled manner, not the high-stress, high-risk environment they might be done in in the real world. So it's just something that you need to work ahead of time, in the game planning of your schedule, to set your training time for your players, let them understand how the game is going to work, what they're going to see, how they play the game. And we'll talk about the golden rule here in a second.

Your interaction: this is something that you really want to drive your game. So if you have multiple business units and multiple different players, you really want to push them to communicate amongst each other like they would do in a normal course of operation. This is generally the number one lesson learned that you're always going to run into with any exercise you ever conduct: they don't talk. For some reason your players will hesitate from communicating between business units; they'll hesitate from communicating within groups. It's
something that has to be encouraged, has to be forced almost, based on the events that they're given. The only way they're going to solve that problem, like in a game where you would have to go find that one NPC that had the answer, in the exercise you have to go find that one business unit or member that might have that piece of information, and it might require them calling multiple people. But it drives that improvement opportunity, so that later they're able to understand better what each other group does, what they bring to the table, what, you know, area of fire they're gonna cover whenever the battle is being waged. You get a better understanding of who does what and who to talk to, so that if an event really does happen, I know I need to call this person to do this action, or they need to know about this because they have all of these other downstream things that are going to happen if something really does go bad.

So the other thing that I learned recently is how to build the catch-up feature into an exercise. Not something that I had ever really considered, but it's a very valuable part. So generally in an exercise, when you kick it off, you're gonna have all of your players sitting around a conference room going, okay, well, we're just waiting for all the bad things to happen, because we know in an exercise bad things are gonna happen. And then bad things start happening and they get beat down and get behind, because those, you know, get wrapped around the axle on varying levels of nitpicky details or other things that you will experience, which is always a lot of fun to try and work through. But you have to build in something that can push them on past that. So the catch-up feature that I've figured out for our exercises is giving them additional resources. So in an exercise you only have the players that are at the table generally playing the game, but everybody in your company who would be part of that response is available, or could be available, given a real-life event. So that's something where you keep in mind that you have all of these resources that are available that aren't in the game. You can simulate, you know, if they get stuck on, well, we need to go do forensics on this box, or we need to send people to this site, and, you know, we need to do this or that or whatever that's going to take up their time and change their focus off of that learning objective. It's, well, we'll send Team X-ray or whatever that we have over here on the side; we'll send them to go do those functions, and you guys get focused back on this other event that's happened. And that will generally kick them into gear on focusing on what you're trying to get them to learn and not get wrapped around the axle on the little nitpicky stuff.

Inertia: generally in an exercise what I've found is that you'll have lots of players who are sitting around the table waiting to play. They didn't get the inject, or they're not involved in the inject. That's stuff where you don't really have to throw them, like, new injects, but it's something where the pace of play needs to keep everybody going at the same kind of rate. So a lot of times what I'll do with exercise planning is I'll list out all of the injects that I have across the time spectrum that I'm using, and then I'll time-box all of them, and then also figure out which groups will be affected, and almost, if I have to, which players will be affected. So I know that if I'm only affecting a group with a 10-minute inject and it's going to be another two hours for them, or maybe that's the only inject that they're going to be involved with, maybe I bring them in for just that one- to two-hour time frame, let them play, let them see everything, and then say, okay, well, you can be released and, you know, we'll bring you back for the after actions, but we think we got it from here; go back to your normal day-to-day world.

Surprise: you know, it's easy to kind of, you know, build all of your injects around, well, we got this phishing email and it got clicked and the user got hacked and they were able to get admin and then they bounced here, and, you know, you go through the same kind of yadda yadda. It's easy to build; it doesn't require a lot of thought; you don't have to go analyze your policy and procedures and your working environment to figure out what the gaps are. But it's not a lot of fun and it's not exciting for your players if it's the same types of injects year after year after year, exercise after exercise. They're going to lose interest and they're going to stop playing. So really look for those areas of opportunity where maybe instead of phishing you go to vishing, or you go to an insider threat, or you go to a supply-chain-based compromise, or you go to another avenue that hasn't been explored. You vary it up and you give them, you know, a different way of looking at it. Maybe that's an entirely different response. I know for some, phishing is always handled by the IT group or the cyber security group; vishing may or may not be handled by
them; it might be handled by your physical security group. Has your physical security group even had a discussion about what vishing is and how that works? Maybe, maybe not.

Strategy: so your players will often get into either the top level, we want to talk about all of the high-level response, or they'll get into the detail weeds, ones-and-zeros level, as far as the response. You really have to try and push them to have both. So designing your players around those emergency operation control centers as well as having the technical, physical responding incident response teams at that lower level, you get both out of that, and they're able to figure out and build a strategy on how they're going to manage not only the incidents that they're having but also the incidents that might be coming later on in the exercise. It gives them an opportunity to get a plan together. This is a great opportunity to really test all of your emergency operation procedures and your incident response team procedures, see what type of plan and strategy they can come up with, and then after the exercise is over really sit down and talk about that. I've talked about fun, flavor, and hook.

The exercise evaluation criteria: the main difference between an exercise and a game is that you're wanting to make things better from an exercise. A game, you always want to play it better, and you always want to try and be that top high score, but you're really not critiquing yourself on a lot of games to be a better player or to learn more on how to play. In exercises that's exactly what you're trying to do: you're trying to find the improvement opportunities in your tools, training, techniques, practices, policies, and procedures that will make you ready for when those actual events and bad days happen, so that it's either not as impactful or hopefully you'll be able to prevent it. And the ultimate goal out of your exercise is to come up with a comprehensive, effective, and implementable remediation plan of action and milestones. This is the list that you send to your leadership and management and say, hey, if this event happened today, this is what would hurt; this is where we need to invest money to make it not hurt as much or to hopefully prevent it. And that's where you take that remediation plan of action and milestones and you fit that into your project life cycle. You go get the money and the support and the time to go make those corrections, and then you tie it back when those are closed out, hopefully, and you say, hey, we were able to implement this; let's go exercise it again and show how much better we are, or we fixed this gap that could have hurt us that was a direct result of us conducting this exercise. So the next time you're trying to go out there and sell the next exercise, you have that hook of we've made X amount of remediations from the previous exercises. It's an easier way to gain support for your training program resources.

So when I first started designing and developing and supporting exercises, there weren't a lot of great resources that I could find, until I found HSEEP. So thankfully FEMA has dealt with pretty much every natural disaster, a lot of physical disasters, some cyber disasters, and they have a whole exercise training program that can be adapted and picked up, and they have all of the resource toolkits that you could ever possibly want to go and customize or tailor to whatever you want to do with them. Guess what, they're free, because your tax dollars paid for them, so congratulations. But there are training courses that will go into a lot of depth on all of the varying levels and ways to develop exercises, to evaluate them, to conduct them, to do that improvement planning. The only thing they don't cover is how to make them fun, and that's where I'm trying to adapt the tabletop gaming logic elements.

So we had talked about objectives. This is just like your performance objectives: you want to make them SMART. You want to make them specific, covering the who, what, when, where, and why. You want to make them measurable, so there needs to be a player-did-good category, a player-did-okay, a player-did-mediocre, a player-needs-improvement, whatever. You have to have some way, for each objective that you list, what is that criteria, what is your expected player action based on the policy and procedures and training. They have to be achievable. So if you've made the Kobayashi Maru scenario and your players are just gonna lose, then probably not the best exercise and you want to go back and look at that one. Or you've given them the kitchen-sink exercise where there's 100 objectives and there's no way that they're going to meet them in a one-hour exercise. Really the planners are responsible for making SMART objectives that will engage the players, will work within the exercise scenario, and will deliver those learning objectives that you're really after. They have to be relevant to the mission and organization, and they have to be time-bound. So there should be specific criteria, and going back to that time box: how long is this event going to last, how long are we going to work on this specific objective, what are we going to do as far as getting this information in front of the players, giving them enough time to process it, giving them enough time to act on it, and then respond and close.
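As an added example (not from the talk), the time-boxing pass the speaker describes for the inertia problem (list the injects across the timeline, time-box each one, work out which groups it touches, release groups that only play a short window) together with the time-bound and achievable checks on the objective list just described, written as a small Python planning script. The exercise window, inject ids, group names and objective ids are constructed sample data, not from any real MSEL.

```python
"""Time-box a Master Scenario Events List (MSEL) and check it against the
objectives and the groups it is meant to engage.
Added example, not from the talk; all times, groups and ids are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


def t(hh, mm):
    """Clock time on the (constructed) exercise day."""
    return datetime(2024, 1, 1, hh, mm)


@dataclass(frozen=True)
class Inject:
    inject_id: str
    start: datetime        # when the observer-controller delivers it
    duration: timedelta    # the time box the players get to work it
    groups: frozenset      # business units expected to act on it
    objective: str         # exercise objective it is meant to test

    @property
    def end(self):
        return self.start + self.duration


EXERCISE_START, EXERCISE_END = t(9, 0), t(12, 0)
OBJECTIVES = ["OBJ-1", "OBJ-2", "OBJ-3", "OBJ-4"]  # OBJ-4 has no inject behind it
MSEL = [
    Inject("INJ-01", t(9, 10), timedelta(minutes=20), frozenset({"SOC", "IT-Ops"}), "OBJ-1"),
    Inject("INJ-02", t(9, 40), timedelta(minutes=30), frozenset({"SOC", "Physical-Security"}), "OBJ-2"),
    Inject("INJ-03", t(10, 15), timedelta(minutes=15), frozenset({"Legal", "Comms"}), "OBJ-3"),
    Inject("INJ-04", t(10, 30), timedelta(minutes=30), frozenset({"SOC", "IT-Ops"}), "OBJ-1"),
    Inject("INJ-05", t(11, 30), timedelta(minutes=20), frozenset({"SOC", "Comms"}), "OBJ-3"),
]


def group_windows(msel):
    """Per group, the merged (start, end) spans during which it has an inject to play."""
    spans = {}
    for inj in msel:
        for g in inj.groups:
            spans.setdefault(g, []).append((inj.start, inj.end))
    merged = {}
    for g, lst in spans.items():
        lst.sort()
        out = [lst[0]]
        for s, e in lst[1:]:
            last_s, last_e = out[-1]
            if s <= last_e:                  # overlapping or back-to-back: extend
                out[-1] = (last_s, max(last_e, e))
            else:
                out.append((s, e))
        merged[g] = out
    return merged


def idle_gaps(windows, start, end, threshold):
    """Stretches of at least `threshold` where a group sits at the table with nothing to play."""
    gaps = {}
    for g, spans in windows.items():
        cursor, found = start, []
        for s, e in spans:
            if s - cursor >= threshold:
                found.append((cursor, s))
            cursor = max(cursor, e)
        if end - cursor >= threshold:
            found.append((cursor, end))
        if found:
            gaps[g] = found
    return gaps


def attendance_plan(windows):
    """First start and last end per group: the only stretch they need to be in the room."""
    return {g: (spans[0][0], spans[-1][1]) for g, spans in windows.items()}


def objective_check(msel, objectives, start, end):
    """Achievable/time-bound checks: every objective has an inject, every inject fits the window."""
    tested = {inj.objective for inj in msel}
    return {
        "untested": sorted(set(objectives) - tested),
        "unplanned": sorted(tested - set(objectives)),
        "outside_window": [i.inject_id for i in msel if i.start < start or i.end > end],
    }


def plan_report(msel=MSEL, objectives=OBJECTIVES, start=EXERCISE_START,
                end=EXERCISE_END, idle_threshold=timedelta(minutes=45)):
    """Everything a planner wants to see before locking the MSEL."""
    windows = group_windows(msel)
    return {
        "idle_gaps": idle_gaps(windows, start, end, idle_threshold),
        "attendance": attendance_plan(windows),
        "objectives": objective_check(msel, objectives, start, end),
    }


if __name__ == "__main__":
    rep = plan_report()
    for g, gaps in rep["idle_gaps"].items():
        print(f"{g}: idle " + ", ".join(f"{s:%H:%M}-{e:%H:%M}" for s, e in gaps))
    for g, (s, e) in rep["attendance"].items():
        print(f"{g}: needed {s:%H:%M}-{e:%H:%M}")
    print("objectives:", rep["objectives"])
```

With the sample data, Legal only needs to be in the room from 10:15 to 10:30 and IT-Ops has two idle hours, while OBJ-4 shows up as an objective with no inject behind it.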
So your scenario. This is just like your Dungeons and Dragons campaign book that gives you the world. It sets the limits and bounds of the exercise; it sets the ground truth for the exercise environment, giving you all of your conditions of your systems, what your network looks like, what your environment looks like, what resources you have available to you, who is where, what is the state of the world overall. You know, if you're building the super Black Sky end-of-days exercise that we've had run before, you know, what are the events that led us up to that, what is the state of government relations and geopolitical tensions and activity based on our APTs and adversaries. You have to kind of come up with all of that, because your world is what the game is going to be played in. It has to be plausible and relevant to the exercise. So if there's an area or element that will totally throw off your exercise, like, in a lot of the electric exercises they will rule out any sort of EMP, solar flare, that sort of stuff, because it's just not plausible and it's not generally relevant to the exercise scenario. We'll generally rule out a lot of nuclear stuff because it will throw off and totally skew the entire exercise. We have exercises for those, but usually not relevant to the larger overall exercise construct. So really look at those elements in your exercise: what is going to matter to your players, and what is going to make them kind of just switch gears and go in an entirely different direction than what you intended. I've run into that a lot. It's not fun; it's generally hard to bring the players back to the table for the next exercise, and it's also hard to fix the exercise that you're running then.

You want to go through identifying threats and hazards; we'll talk about that here in a second. But also weather conditions. Weather conditions are very important. So if we're running an exercise and we're doing it, you know, when we're in the upper Midwest and it's December, then obviously you have to deal with snow, which they're more built to deal with, or the Northeast, etc. You get down in the South and we have a foot of snow on the ground, we shut down, and it's a bread-and-milk, bread-and-egg emergency, which I've yet to figure out how that fixes anything, but we go get our bread and eggs and maybe a bottle of wine and a case of beer and we go stay in our houses because we don't like snow. But that then changes what resources you would have available to you in that exercise, who would be able to move. You've now also increased how long it takes to get from point A to point B, because we stopped driving and we start driving 20 miles an hour; that's just how it is.

The last element is your modeling and simulation. So if you're running that cyber range, the technical elements, as part of the game; if you're running the physical elements, like if you're trying to get a downed patient out of a restricted environment, or if you're trying to do the physical response to a fire alarm or fire drill or something like that; or if you're running that mock interview for your leadership to go and test them on how they would respond to media-based questions: take some time and really plan those out. They're great to incorporate to get you to that functional level of an exercise, which is generally the ultimate goal, because then you just have the actual muscle memory of responding to the events. But they shouldn't be the focus. They're nice-to-haves, but what you're really trying to drive after is that communication, interaction, intergroup play, group lessons-learned development environment. So when those elements get added, if you're not careful it can skew the exercise. Just something to consider.

So the tabletop exercise 101 golden rule. Your observer-controller, which is the person that's sitting there with your groups (generally you'll want to have more than one), is essentially your Dungeon Master from Dungeons and Dragons, or the guide out of the escape room, that will set the stage and provide the environment. So they will either help deliver or deliver the injects to the players, saying here's the event that's happened, here's what went boom, here's the information that you have about it, go. The players should then talk through and go through the actions that they would perform if that event was real, obviously simulating a lot of events or actions that they would do, but then they tell the OC what they're going to want to do. So, hey, we want to get network logs off of this system, or we need to get a network map because we don't even know where that system is, or we, you know, want to go communicate to the physical security team, get them involved, get them spun up; we need to go spin up our incident response team. And the OC will say cool, make that call, or here's the resolution to the network logs: okay, tell me what command you ran, and they'll explain whatever command they ran, and the OC will be like, okay, here's the information that you found, or here's the packet capture that we've prepared as part of the inject. The players don't answer or provide the resolution to what they're wanting to do.
If they try and do that, you then have superhero players who will try and win the game by basically going around what you've developed. I've run into that a lot. It is not fun. I've tried to explain this to the players: that is not how these games work. And that's really where, if you find people that have that tabletop gaming experience, they understand that. You basically tell them, hey, we're going to run a company exercise, it's Dungeons and Dragons for the corporate world, and they're going to be, cool, I'm ready to play. But anyway, so, golden rule, always remember.

When we talked about identifying threats and hazards, this is kind of my methodology for how I go about it. I try and figure out what the learning objective is that I'm after. So these are a couple that I'm working on for GridEx VI. So: coordinated response to a substation physical attack. There are lots of ways that that can happen, but what I'm after is, if area X was attacked by some physical means, what does that mean for us? How do we coordinate between our business units on responding to and remediating that event? How do we work with local law enforcement? How do we work with local EMS, fire department, etc.? How do we work with our local power companies who might have shared that site? That's the learning objective that will relay up to one of our overall exercise objectives. But then I can go through the other means of how do I want to blow it up, what physical attack do I want to do, what is the difference between those, what is the difference in our response, and I can communicate with all of our other groups that I've incorporated into a planning team to have those levels of discussion, talking through these scenarios. So, ways to cause the impact: you're looking at all of the means and methods, either on a physical side, an operational side, natural disaster. So if God wants to get in the exercise and start, you know, throwing tomatoes down, how does that change things? You're looking for all the ways that that impact can happen.

You then have to go and do your gap assessment. So what are the existing policies, procedures, practices, tools, technology, etc. that apply to that event? What are we going to do with it? How is it going to be communicated? How is it going to be detected? How is it going to be responded to? Do we have a policy for this? Do we have a practice for this? In some cases you don't. I found lots of them where we just didn't have anything written down. There's a lot of tribal knowledge that the players had just built up over time, a lot of chair-side training that happens all the time, but we never actually sit down and write: this is how you do these functions. So that's where you get into, you know, identifying your lessons learned even before the exercise starts. And just because you don't have a policy or practice or procedure about something isn't always a bad thing. That can be an opportunity when you go into the exercise and say, all right, we already know there's nothing that's going to tell them how to do this; let's see what they do and how they respond to it, and maybe we make that the starting grounds for how we write the policy after this. But this is what I would go through as far as attack mapping. I would lay out all the learning objectives, I would come up with all the impacts, and this is my kind of starting ground for how I'm making my injects.

The other thing that I would do: this is an example of a drawing for an insider threat attack. So it's either vendor-based or employee-based or supplier-based, but generally you have some actual person who's wanting to do bad things, or recruited people to do bad things, or they just didn't know that they were asked to do bad things and did bad things anyway. So as I'm laying out this attack map, I'm laying out all of my events that will be the injects. So the little explosion things is where things start, and then you see who all's involved with that response. At the bottom you have whatever insider threat response team or method you have about going about it, but generally these are the areas that it's composed of, and the data and what they're bringing to the table to help respond to that. Maybe you just turn over any sort of investigation like that to local law enforcement; cool, but what information do you have to give local law enforcement so that they can go and investigate and prosecute, or potentially prosecute, those individuals performing these functions? Just good discussion to have. But what your players are going to be responding
to are all those events so as part of developing all of those events that i've laid out in that attack map i need to build in the breadcrumbs that point them to what i'm the learning goal that i'm after and i want them to go and exercise the insider threat response process that's the main goal we can have a lot of other things that are attached or associated with the exercise but at the end of the day that's what i'm after on them testing so in each one of those events we would build in breadcrumbs that pointed back to a person or a time or some little nugget of information that would say hey this wasn't just a
random event this was caused by this or caused during this time okay well how do we know that was or what happened or who did something then well let me see what other data i have maybe the physical security team has some badge records maybe we got some camera logs maybe we got some system data maybe we got you know a check-in sheet or whatever a visitor sign-in sheet um there or process to check people in or maybe we have a time card you know of who was on shift at that time that's where you start you know building your game and you give the players more than just here's a bad thing that happened go fix it
it's let's see let's choose my own adventure and see which page they turn to next and figure out how to make how to make that a little bit more exciting the other thing that i'm looking at is how do we put points to this so people like winning things they like knowing that they did good taking it out of the you know correction needs improvement whatever let me give you some points for it um let me give you some gold stars or some sort of scoring mechanism that makes you feel like you did good because our players and players generally in every exercise that i've seen will do some pretty awesome stuff you know just kind of out of the box
like crazy activities that you never would expect them to do but they did let's give them a chance to win and let's make their action meaningful because a lot of times what you'll see is exercises have been been designed around nothing but badness and the planners have spent a lot of time developing badness but when a player comes in and does something good they don't want to change the badness because they might have another learning objective or they might have something tied to it or maybe they just want to throw more badness at them if a player wins or you know puts in a defense there that should prevent that function you have to be able to quickly
change that exercise direction otherwise your players are going to say well i just shut down all the firewalls and you know it doesn't matter we we would never be attacked now but oh we got the super malware lots of things i've run into over doing this for 10 years um so anyway so you have the main quest this is just like your table top games um the events that will lead and drive that part of the scenario through and then all of the side quests that your players can go and do additional skills and get additional information or do it something interesting like your leadership communications if you're doing that mock interview if you're doing if you're wanting to see
what information is being collected and disseminated to your employees, the public, government, local law enforcement, federal law enforcement, whatever the case may be, if your company has been attacked. What are we doing out of that side quest? What are the specific points that we want them to focus on or learn from, and then how are we going to evaluate that? So what's our point structure? It doesn't really matter which method you use as far as scoring them, as long as it's consistent game to game, or exercise to exercise, they understand it, and you let them know what's good and what's not so good. So, building your planning team. A very core element of any exercise I've ever run is: I can't do this alone. I have learned more about my company's operations from planning exercises than from anything else I've ever done in my career. You learn where all the holes are, you learn how everything's going to work when bad things happen, but you generally have a lot of experts across your organization that have a lot of skills and experience with, and have thought through, a lot of these things already on their own, who are good to go bring in and get together for a couple of months ahead of time, because exercises take a lot of planning time. The rule of thumb that I had was: for every 10 injects, a month; if you were going with five or more business units, you need three to four months. The larger the exercise gets, the more people that are playing, the more events that you're trying to run, the more planning time that you're going to need to put it all together and find that thread that'll weave the story. So these are a lot of the groups that I'll generally reach out to. HR and finance: not always everybody's first thought, but they have a lot of information and engagement when bad things happen. If people unfortunately would ever be killed or injured at your company, HR is very much involved with that, so they get to make a lot of the notifications; death notifications, that's their area. When employees get mad that they're not going to get paid, that's HR and finance, but really HR, so they're very involved. COVID, I'm sure your HR group was heavily involved with communicating and trying to uncluster that. But anyway, look around your company, figure out which groups are there, try and get them all tested, because bad days happen in some way, shape or form. If the group is going to be involved in that response, they should plan an exercise. Another thing that I have is the patient zero method. So a lot of exercises will start with everybody sitting in a conference room. Like I said, that's really boring, and you feel the urge to rush through, throwing a sink at them, or punching them, giving them that haymaker uppercut to get all of the bad things going. That's generally not how events would go day to day. So my go-to is: let me start with that one call to the help desk, let me start with that one call to the physical security response line, let me start with one player and say, "This is the bad thing that happened, here's the information that you have, you need to go and activate your response plan." Or you don't even tell them that, but just, "Here's the bad thing that's happened, go." And then they have to go through their activation, communication, notification process to get all the other players engaged. It's really interesting when you get to lunch and you look around the table: who's not there, and they were never called, they were never told. It wasn't because they weren't written into the procedure; it's because it generally gets overlooked, or they didn't go line by line through a checklist or procedure, or have some sort of automated notification process. Lots of things. But it's happened a lot in the exercises where I've run this method: somebody's not there, and then they're really mad that they're not there, but you pull them in after lunch, and
you're saying, "Hey, we never called cyber security about this thing. Why?" In that exercise pause, that hot wash where you're just talking with the players about what's happened, there's always a good lessons-learned opportunity. The other area that I've run into is: how do you know what your players are good at? We can get a lot of people into a room, but I don't know what they do, I don't know what their day-to-day job is, I don't know what their skills, abilities and resources are. So what I'm working on to try and cover that is character sheets. In tabletop land, all your characters who are participating in your party come into it with a sheet telling you what their job is, what their class is, what their background is, what their alignment is, which is always an interesting one. I plan to keep the alignment one on the individual person's character sheet, but I'm going to model that after what D&D uses, and what I'm going to look at is having the discussion with management and the people that they're supervising: what is their college background, what courses did they actually take, what training and certifications have they done, and for the people that haven't gone to college, what has your 10 years of experience been, what has been your experience outside of it? So you might be super awesome at writing reports and communicating and looking at things from a non-technical, not-ones-and-zeros perspective all the time, but you've picked that up along the way because you're just awesome. I'm not really good at adapting all that; that's why I went straight ones and zeros. But you have skills and feats and features that make you a unique snowflake to that response team, otherwise you wouldn't be there. How do we capture that and communicate that, so when you come into the incident response exercise: here's what I'm good at. I'm really good at forensics, I'm really good at incident response, I'm really good at investigating packets, but hey, I'm also really good at incident management, I can go run an emergency operations center because I've completed all of these courses. How do we break that out and understand what our abilities and skills really are? So that's everything in a nutshell. I can talk about this stuff for days. Exercise planning and running exercises is one of my favorite things to do. I've learned a lot, I hope you learn a lot, and take the opportunity to step up and say, "Hey, I'll build out the next exercise," or "I'll run the next exercise for the group or company," or whatever. You will learn so much from conducting an exercise and getting that internal network of people who know how bad things really happen and what the response really will be, if you've been fortunate enough to avoid that. And the unfortunate thing is, when we look at exercises, it is fun to play, but it is a bad day if it actually happens, whether on the physical side or the cyber side. Really bad things will happen. It's never fun, but we have to train like we fight, we fight like we train, and unfortunately, until bad people want to stop doing bad things, we have to be ready to defend and respond to those. So hopefully at some point we will be done fighting cyber wars, and we will choose not to play. But that's all I have. Thank you for your time, and I will
accept any questions.

I was making a joke about the haymaker comment. I said, I'm sure you're not advocating for throwing literal haymakers at co-workers, only metaphorical ones.

Oh yes, yeah. So that's part of the joy of running exercises. It's a big stress reliever. So it's like, oh, my company made me mad, how would I destroy it?

Yeah, no, I've had those conversations, like, man, imagine if... I remember when we were pen testers, you'd run into those companies that are just not going to take security seriously or fund it until they have a breach, so we used to joke about "breaches of service": how could we just hurry up and make the failure happen so they can just get on with taking this seriously.

But yeah, it's very eye-opening when you can show them actual images of it happening in other places, give them relevant data and threat intelligence to say the likelihood of this event happening here is really high. If it did, here's what would happen, here's what it would cost the company to not only respond but to recover, as well as our loss of revenue and operations. When they start seeing multi-million dollar signs, it generally catches some attention.

Yeah, hopefully. So we do have some questions coming in. I think the first thing that came in was more of a comment. Somebody liked your approach here. They said exercise and evaluation could absolutely be distilled into some kind of a high score that players in the org can use as a visualization of how they perform. That's a great idea. And let's see: as an MTG and D&D player, have you considered making the leap into the Warhammer universe? Why or why not? That's literally your first question.

I've played Warhammer as well, when I was in the Army, but painting an army, yeah, it was very time-consuming, and I already had my cardboard addiction.

Okay, so the level of effort painting figurines was a factor. Yeah, which, I paint D&D minis, so it's weird.

All right, any suggestions for designing exercises for SMBs, smaller companies?

Yeah, so really, your scale. I mean, you can still do cool stuff. When you have fewer people available, you generally have them for less time, so if you can scale it back and do probably more exercises versus one long exercise, and just kind of carry the game along through multiple campaigns like you would in a tabletop type of game. You're not running through a full dungeon every time you sit down to play a D&D session; it's generally week to week or month to month or whatever you can get in. Hey, let me get an hour, let's talk about this next phase, or I would like to get some time and talk about this one event, and then build the complexity over time, or run more smaller exercises, and then, if you can get the time, run the one big one with all of the pieces put together and all your lessons learned already kind of figured out from the smaller ones. That's how I would try and do it. And sorry, there's lots of companies out there that will come in and help and build you an exercise based on whatever you want to do, lots of good security companies. I won't nominate them, but if you talk to any of your security providers, they generally have this. Also, if you have an incident response retainer, a lot of times they'll use that retainer, if you didn't have an actual incident, to come in and do an exercise for you.

Nice. Yeah, definitely. Back when I used to train folks, when I talk about this, I liken it to a sport. You're only going to be as good as your practice, and if you practice once a year, well, imagine it's a sport and you practice once a year, what are you really expecting to happen? Yeah, when you practice that infrequently. Right. Let's see: how do you really get buy-in from all parties involved?

It takes a lot of time. Generally you want to look and start from the top. You want to go get you that senior leader sponsor, whether it's the director or leader of your physical security team, or your CISO, or your chief operating officer. You want to go get you an executive that's going to support your efforts to go and recruit others. So getting their letterhead, or a message from them communicating out to their directs or whatever, and trickling that down, is a great way, and then just building up exercise participation over time. So the first exercise I ran, I think I had 30 people, it was two business units, it lasted about six hours, but it was done really well, and they were then very supportive and helped communicate that to other business units. Also bringing in those groups that aren't playing and letting them observe what the exercise was; that's how a lot of your national-level exercises have grown over time, is they let the smaller companies, or the companies that were like, "Well, do we really want to invest time to develop this?", well, come watch, or let's walk you through the lessons learned, here's everything that resulted out of it, and they get excited about it, and then they want to come and play the next one.

So it's really just, what is that piece that gets them excited about it, though? Like, how important is it for it to be fun and entertaining versus, I don't know, I guess, very tightly run and effective?

Yeah, so I mean, if you go sit in a room for four hours and you're just having a dry conversation, it's not very exciting, right? But if you're getting calls from your CEO, simulated, so I do a lot of character voices, a lot of different character attitudes, try and vary that up to give them a little bit of a different experience. But I've played literally like a DM. Like you're doing different voices? That's great. So I mean, if you can make it exciting, then they're excited to talk about it, and then they're excited to talk about what they learned. If it's just, well, we went in there, we went through the policy, everything on the policy stays the same, all right, we might not do the next one. I mean, they're not going to be excited, they're not going to want to learn anything, and they're going to be disgruntled about the training program. So I think it's a little bit of both. You really got to figure out those learning objectives, spend a lot of time focusing on how we're going to do things better, what do we want them to do, what do we think our risks are. I mean, we've gone through every risk matrix assessment process under the sun, but I can go take all of that risk and build it into an exercise and show you what would actually happen if it happened today.

Cool. There's a podcast I used to listen to, I think he quit doing it, but Purple Squad Security used to do this podcast where he'd invite, I don't know if you've heard of it, but he'd invite other podcast hosts onto his show, and whenever they came on his show they would do a tabletop, like a quick 30-40 minute tabletop, and they were hysterically funny. Like, you know you're doing a good job when somebody can listen to a recording of it purely for entertainment purposes.

Yeah, I've listened to a couple of those and they are really funny, just on the crazy responses in a lot of cases.

All right, yeah, I mean we've got a few other comments. I don't think we have any more questions though, so I think the timing is perfect here. I think that about wraps it for us. I appreciate the time, and I'm glad everybody came, and I'll be in the Discord for a little bit if anybody wants to chat. Yeah, definitely check out some of the discussion that was going on there during your talk. Cool deal, thank you.