Dungeons, Dragons, and Data Breaches

BSides Perth · 2023 · 21:33 · Published 2023-08

Hey everyone. Can you hear me? [Mic check.] OK, fantastic. All right, so this is Jesse's first conference talk, so be kind and welcoming.

Awesome. So our topic today is Dungeons and Dragons and data breaches, and we're exploring the synergy between security crisis response exercises and running a D&D campaign. Thank you, ChatGPT, for the title. We're just going to cover off what you see on the slides: quick introductions, a bit of an overview of what each of the activities are, the parallels between the two activities, some key lessons and takeaways, and if there are any questions afterwards, then you can ask.

All right, so my name is Jesse, for those of you that don't know me, and this is my first conference ever, not even first speaking, but first conference. I've been working in IT as a consultant for three years and, more importantly, been playing Dungeons and Dragons for eight. And yeah, I'm excited to be here. How about yourself?

Hi everyone, I'm George. A lot of you know me already. I've been lucky enough to talk at BSides before; I hijacked the last session at the last one, which was lots of fun. Unfortunately I couldn't do that this time, and I won't hold you up from getting your pizzas at lunch. I'm a cloud solution architect at Microsoft in the security area, so if you have any questions about that as well, you can come and ask me at lunchtime.

Nice. So to start with, who has played D&D? Wow, a decent amount. Good to hear. For those of you that don't know what D&D is, it's a tabletop role-playing game where there are broadly two roles. You'll have the dungeon master, the DM, who will craft the story and set the tone for the other players, and the other players, who play their characters, think about their intentions, their motivations and what drives them as characters, with the main objective of really embodying their character. Why would you play D&D? It's fun, for one, and for two, it's a really great way to socialise and exercise your creativity skills. D&D, realistically, at its core: you can do what you want, be who you want, and that's really fun to do. How about yourself?

So I'm talking about the less fun one, the security crisis response exercises. You would run them so you can actually see if your planning is worthwhile. It's all well and good to have a plan, and then if you get compromised or have an incident, your plan might be useless. So it's probably a good idea to run a tabletop of that plan in a simulated environment, so you can look for gaps and weaknesses, so when it does happen you're able to hit the road running.

Right, so we're going to talk about the parallels between Dungeons and Dragons and the exercises now.

Yep. So the first part of Dungeons and Dragons is all about planning and development. A lot of this comes from the DM side of things. The main thing they have to do first up is plan their adventure: what do they want to do, what's the setting, what challenges and threats do they want their players to face. The second part is really crafting those challenges and quests around the adventure that they've set. And then finally, for the player side of things, the planning and development is really focused on character creation and backstory. You want to know that your character has a good, strong core as a person and has the personality traits that you want to embody. How about security crisis response? How do you plan for that?

All right, so hopefully you've got an incident response plan. That might form the backbone of what you would actually follow. In order to use that, you would start off by creating a story arc for what you want to put your staff, or your team, through for your simulated exercise. So you would plan and create some story arcs for that activity. For each story arc you would look at developing some scenarios that would happen. You might follow the tried and true path of compromise: whether it starts off with business email compromise, and then getting access to a host, pivoting through your system, finding data or encrypting it. And then, once you've planned out what you want to be able to test your ability to respond to, you'll select people in your organisation to actually run the exercise. You may not be able to get everyone from your team to run the exercise, because they probably have to do work still. This is work, but it's not responding to real alerts or activities that are occurring in your environment. So you would select them, and then you'll conduct a briefing for these people so they know what they're actually up for.

Interesting to hear. The second part we're going to cover is about conducting the activity. In Dungeons and Dragons, the first thing you want to do is make sure that you've got appropriate equipment and resources. You wouldn't want to go into battle and then forget you have a sword waiting somewhere else, so realistically equipment and resource management is a really core part of playing Dungeons and Dragons. Beyond that, it's all about exploration, role-playing and combat. With exploration, you'd be meeting new characters, exploring different areas and genuinely having fun with other characters. With role-playing, it's all about being the character you wanted to be. And in terms of combat, there are times that your interactions don't go well and you've got to deal with it. Finally, with conducting the activity, there are dungeon master notes and player action collection. After a game, usually the dungeon master will write notes on what happened and talk to the players about what went wrong and what went right in the game. And then finally, it would be all about the plot twists and unexpected events. In any good D&D campaign you'll have a lot of plot twists. You wouldn't want to play a game that's entirely predictable, because that wouldn't be any fun for you, and with those plot twists and unexpected events you really need to know how you're going to react, or at least try to embody your character when you're reacting in that way.

Yeah, so like your crazy evil pyromaniac would respond to unexpected and crazy ... yeah. So when you're doing the security crisis response exercise, first of all you need to make sure you've got the resources to actually conduct the activity appropriately. If it's completely tabletop, those resources might be just time and pizza. If you've got enough resources available, maybe you'll be able to duplicate a portion of your environment that you want to see if you can defend, and stand all that up. So understanding what's available to you is important. Once you have everything set up, then you'd want to actually conduct the activity. You'd still have someone leading the activity, the equivalent of the dungeon master in a D&D campaign, who would push that simulation along. A person, or maybe a couple of people, should be observing the way that the response is conducted and collecting data: write notes. It's not enough just to go "I'll remember that." That's my style, and it's horrible, because I forget everything. So write notes around how the activity is going, pain points, where your processes and procedures fail, even if it's something simple like "we couldn't get in with domain creds, but we were able to get local access, but we couldn't get the local admin password for whatever reason." Write detailed notes so you've got ways that you can address them later. And just like Jesse said with the D&D campaign, the person running the crisis response exercise should inject unexpected things, because you can settle into a rhythm and really enjoy what you're doing, but if you don't have a little bit of stress in your simulation, then it's probably not going to replicate what could happen. I don't think you'd ever be able to get the real stress of an incident unless you've got a real sadist leading the exercise, and if you did, maybe that's good training, but probably you'd need to take the last slide from Guile's presentation, just in case. But have those injects, just to mix it up a little bit and make sure that the exercise is worthwhile.

Awesome. And then after we've conducted the exercise, it's all about wrapping up and the lessons learned. With D&D, like I talked about, there's the debriefing at the end of the game, where the players will talk to the DM and figure out what went wrong, what went right, and improvement points for next time. Secondly would be the campaign summary and recap. Right at the end of the campaign there'll be a recap of every single game leading up to the end, and in that time people have opportunities to ask questions of the DM and provide feedback to them as well, considering they're running the exercise. The third point is about adjusting the NPC encounters and story depending on the players. In D&D you really want to make sure that your NPC encounters are balanced if you're going to combat them, because otherwise you'll kill your whole party, quite frankly, and you don't want to end the game abruptly by accident. So you want to adjust the difficulty downwards if they're too hard, or upwards if the players are having too easy a time getting through. Finally, it's all about the continuing campaign and storylines. With some D&D campaigns, beyond the campaign you might have one-shots or further campaigns that spin off from them, and these typically involve players that have previously been created going on and doing different things in their story. So yeah, a nice continuing story. How about yourself?

Before that: so your longest campaign's eight years? Three years. Three years. So is that three-year campaign one campaign for that whole time? Were all the NPCs and encounters scrub level to start?

Yeah, so I definitely started from level one and went all the way up to level 20. So at the start, absolutely, because you only have about 10 hit points, so if they hit you, you're dead. It's not a fun combat experience when you're that weak. Towards the end of the campaign we were fighting gods, because we were all that powerful. So you really have to scale according to the level of your players.

That sounds awesome. I want to play some D&D and fight gods. With the crisis response exercise, I think you normally assume you're not going to be targeted by a script kiddie at that level one. You would want to try and plan straight away for an adversary with a little bit of skill, because if you can defend against that, then hopefully you can defend against the script kiddie, or the controls that you put in place should mitigate it completely. But anyway, once you've conducted that exercise, you'll do your evaluation and your analysis, including taking into account the notes that you've written down and feedback from the people conducting the activity. You'd probably write a report of some kind. If you're consuming company resources to run one of these things, you probably need to feed that report up the chain, and it's probably a good thing for a board to have, to understand the capability, especially if you're asking for more money to fix things or get more stuff, which I'm sure most teams always want. If you can, you should have a list of improvements, whether it's process, procedure, technology, training; there could be a lot of things that fall out from that. So hopefully you can create a plan or implement the improvements, and then have a series of follow-up exercises, whether it's an ongoing periodic security crisis response exercise, or maybe smaller parts of it that you recognised you were quite weak in. So it's just a part of iterative learning for your environment, so that you can continue to grow as a team. But, you know, time, people... it's still a nice thing. It feels a little bit like a fantasy, like D&D, sometimes, in some orgs. But yeah.

All right, now we're moving on to the lessons and takeaways.

All right, so for our key lessons, the first lesson is collaboration and diversity of strengths. In a D&D campaign, if you had the same character over and over again, it would get boring really quickly, and the weaker areas of your party wouldn't be addressed. It would be similar in a security crisis response: you wouldn't want a whole team of non-technical specialists participating in this response. You need balance between the different areas of the business, different perspectives, different levels of education, so that they're all on the same page. Lesson two is all about adaptability. Adaptability is absolutely essential in D&D and in security crisis response. Like my pyromaniac: if you can't adjust, you will have a lot of difficulties in the long run. In a D&D campaign you never know what's going to be thrown at you; neither would you in a security crisis response. The third lesson is about clear communication, and clear communication really is key in D&D. You need to know that everyone's on the same page about what's going on, you need to plan properly for your combat encounters, and you really want to make sure that the direction you're going in as a party is agreed upon by everyone involved. And with security crisis response, communication is absolutely key. You need to make sure everyone knows what they're doing, for one, and knows what the outcome is, whether it be good or bad, and talks about it from there.

Like an onion, because you've got communication between the people in the exercise, and then communicating outside of the exercise with the organisation, so there are multiple layers of communication. I think for all of us it's just a core skill that we need to have. Lesson four: empathy enhances understanding. We all have really bad days, we make dumb decisions, we respond poorly when we're stressed, everything is infinitely worse, and if you have no empathy for your teammates, then... I was about to say something not appropriate for YouTube. What's the rating on the stream, anyway? So you understand, you've all been stepped on by a dick before, right? There's no room for that, especially if you're in a stressful situation. You're supposed to be in a team, so empathy is key, because we're all teammates. And the last one is continuous learning leads to growth. The security crisis response exercise is primarily a learning activity, so learn from it, take it seriously, have fun with it, but like I said, take notes, test your processes, and understand where you need to improve.

Good stuff. Now we're on to the takeaways.

Yep, so the first takeaway: strategy and adaptation matter. Hopefully, build into the strategy for your organisation that these activities are important, and you might have key parts of the strategy that you can test through your response exercise. It might be that you're implementing some compliance frameworks or whatnot, and you want to test whether or not you're actually meeting them through that exercise. So that adaptation is also whether or not you can adapt what you're doing to meet these secondary considerations. Resilience is a common thread everywhere, not just in security, I think, but especially in security. And in a three-year campaign you'd need to be quite resilient, I imagine, just to get through it.

Yep. All right, the next takeaway is the power of teamwork. In incident response you need to be working as a team, you need to be working well as a team as well, and you need to know where your teammates' strengths and weaknesses lie to appropriately respond to an incident in the future. In D&D it's similar, but obviously not the same; in D&D the power of teamwork is important mostly for combat encounters, to make sure that someone's not just going to flake on you and walk away mid-combat, and to make sure that everyone really wants to be there and is doing things together. The final takeaway is imagination fuels innovation. That's the most important part of D&D, and I imagine that imagining what your attackers are going to do is probably a really important part of security crisis response as well.

Yep. All right, thank you for your time. Do you have any questions?

[Audience question] Do you have any interesting, novel exercises?

Not really. [Laughter] I mean, being serious about it, if they're your biggest risks, unfortunately you probably need to spend time trying to mitigate them, because that's where your business is likely to be impacted. But I suppose you could get a D20 and come up with an interesting scenario, like watch Swordfish and pretend. [Laughter]

[Audience question, partly inaudible] ...wanted to ask, in your opinion...

I know there's a wrong answer, and it's unbelievably controversial here. I really enjoy 5e; the majority of my games that I've played have been 5e. I've only played one Pathfinder. It was really enjoyable, I will do it again, but my experience has been predominantly in the 5e area. Obviously, like you're saying, Pathfinder definitely is the better system, but I enjoy 5e better. Shh. Yep, I know, right.

[Audience question, inaudible]

Funnily enough, yeah, I am. Honestly, we've been playing for the whole eight years together; it's the same table, but that one game has been three years. Honestly, sometimes there have been people that haven't shown up. It's hard to get everyone there every single time. I managed to get there every time bar one session, which is, yeah, in and of itself, but it's more about making sure that most people are there. More to the point, go team. Yeah.

Awesome. Ask us questions at lunch if you're curious. Thank you. Thank you.