BSides Buffalo 2024: From the table top, to Tabletop Exercises. Infosec games intro

BSides Buffalo · 2024 · 43:11 · 27 views · Published 2024-06
Category: Community
Style: Talk
About this talk
If you are interested in getting into information security, and have a background in video or tabletop games, this is the talk for you. There are a number of concepts that you can take from your background to apply to the industry. Come roll some D20s in Backdoors and Breaches, hack through some corporate firewalls in Netrunner, or communicate in secret via Cryptomancer.

About the speaker

Zack Glick, Founder and CTO, Zatik Security. Born in San Francisco, grown in Buffalo, educated in Syracuse, and living back in Buffalo after trips through Rhode Island, Northern Virginia, and Washington state. Work experience includes New Relic, AWS Security, Dell Secureworks, and the Syracuse City School District. Zack is a founding partner at Zatik Security, a security consultancy building security programs for SaaS companies. He also works as a Principal Security Engineer for New Relic on the Customer Trust Engineering team, developing new security features for customers and delivering complex organization-wide security initiatives. Previously he has worked in coordinated vulnerability disclosure, incident response, and threat modeling. He has been a CFP reviewer for the fwd:cloudsec conference in 2021 and 2022. He has been on the steering committee for Buffalo Startup Week 2022 and DevOpsDays Buffalo 2023.
Transcript (en)

Right, thanks for attending today, we really appreciate it. So I have the pleasure of introducing Zack Glick from Zatik Security. He's the founder and CTO of Zatik, and he's going to talk to us today about some tabletop games and exercises, and some really fun infosec games. So if you're interested in getting into information security and have a background of video or tabletop games, this is the talk for you. There are a number of concepts you can take from your background to apply to the industry. Come roll some d20s (you got those on), explore some Backdoors and Breaches, hack through some corporate firewalls in Netrunner, or communicate in secret via Cryptomancer. So let's give a warm welcome.

Thank you, thank you everybody, thanks for coming. So normally a security talk starts off with a disclaimer slide, right, that you know the opinions expressed here are just mine, they're just my opinion, yada yada. Let's get to the real disclaimers when we're talking about gaming. So most importantly: Xbox fan. I've had an Xbox since launch; I have a gamertag from when Ghost Recon, the first one, came out on the first Xbox. I've never owned a PlayStation. Your controller is too small, why do you have an X button instead of an A button, it makes no sense, get out of here. Thank you. This one's not going to be as helpful: I bought my last gaming PC fully assembled from Dell, so I'm losing some gamer credit already, but you know, look, it's all about disclosure and transparency. I am a recovering League of Legends player. I promise not to be toxic in this room. I'm still on a chat restriction, so that's why this is a verbal talk, not a written one. And like they mentioned in the intro, we started up a business, and so the last game that I've really put some time in on is Troll Patrol on iOS. It is a great match-three, Puzzle Quest style game with no in-app purchases, highly recommend it if you don't have a lot of time to play video games anymore. You might think it'll never happen to you. Don't worry, infosec will not turn you away from the gaming world; it's starting a business that will do it. So please still get into the security industry, you can still play your video games.

So what we're going to do is we're going to talk about five things today, and these are things that as somebody in the industry you're going to use on a daily basis, in any job that you take, regardless of offensive or defensive, and if you're already a video game player, or you like playing board games or tabletop games, you're already familiar with these and I'm going to walk you through them. The games that we're going to talk about today are League of Legends, because obviously better than DotA, sorry, better than Heroes of the Storm; I will dodge tomatoes as they're thrown at me. We're going to talk about an infosec-specific game called Backdoors and Breaches, which is an incident response simulator. We're going to talk about defense in depth with the living card game Netrunner, which is a super fun one. We're going to talk about two-factor authentication with Steam and Epic Games, and we're going to end hacking our way through the Shardnet in Cryptomancer, a hacking tabletop role-playing game. So if you've played D&D, let's talk about information security in them.

So, threat modeling. We're going to talk about this through the lens of one of the greatest games of all time, slash worst games of all time, slash most addicting thing of all time. They have this whole $500 skin scandal, it's really bad. League of Legends, if you haven't played it before, probably it's way too late, but what are we doing here? So this is the minimap of the game. It's pretty straightforward: you start at one of the corners, you're trying to get to the other corner, you're trying to get through these nine towers that are between you and the other side, and all you have to know to get to the other side is the 120-plus champions of the game, all their abilities, all their cooldowns, the itemization, the current metagame, map strategy, last hitting, jungle pathing, and of course you can't see anything. So this is really why we're talking about League of Legends: League of Legends is a game about information. So this is the overview of the entire map; when you're actually playing the game you can only see what your team can see, and very much like in information security, you can only make decisions about what you know based off of the information that you have. And so I'm going to zoom in on a specific part of the map, this bottom lane at the bottom right, and our goal as the blue team is we want to push our team's line forward and take out this first red tower.

Now when we talk about threat modeling and information security there are just a few words that I'm going to use, so I just want to run through them if folks aren't familiar with them. So a threat is a potential danger, a vulnerability is something that could allow that potential danger to happen, and the risk is the likelihood of those things coming together to make you have a bad day. And so what is our threat in this scenario? Well, we're playing a video game, so we could be attacked by the team on the other side of the map; we could piss off our own teammates and cause some discord on the team if we make a mistake. Now the vulnerability, what could actually go wrong? Well, we are alone. We're one of five players on the team, there are five players on the other team, and since we can only see ourself on the map currently, can't see any of the other opponents, there could be zero people hiding and waiting for us, there could be five people waiting for us; we just don't know. The likelihood is what's our probability that this is going to happen, and since we lack the information, since we're playing in this fog of war, we have to assume that the likelihood is pretty high.

And so what we're working through in threat modeling: there are a ton of different threat modeling options out there when you get into the industry, so there's things like the kill chain, which is more of an offensive way to talk about a specific intrusion; there's STRIDE, which is an application security modeling tool developed by Microsoft initially; there are data flow diagrams, there are attack trees. All these are valuable, but Adam Shostack came up with these four questions. If you're doing some generic threat modeling, if you're playing a game and you're like, I want to be a little more formal in my reasoning, you can just ask yourself: what are we working on, what can go wrong, what are we doing, and how did we know we did a good job? And so Adam Shostack, if you just Google for "Shostack four questions", it will not be about the Passover seder; these four will come up.

So let's return to our bottom lane example here. So what are we trying to do, right? We said we're trying to work forward and get through this tower. What can go wrong? So we overextend, we give up a kill, let the other team rotate and take this dragon, our team gets really mad at us, it's early in the game, now we've got 25 minutes of angry strangers on the internet. So what are we going to do to try to avoid that scenario? Obviously the answer is get good, scrub. That is clearly the answer. We're going to try and be a little more formal and use some information. So in League of Legends you can do a number of different things. You can wait and see if somebody else shows up, right, because time is a valuable resource in the game, so if you look at the minimap and all of a sudden there are three players on the other team up at the top of the map, now you know that at most there could only be two players on the other team. You could put a ward down, which is a little trinket that you can put out that can see on your behalf. You could send another member of your team to get killed, and then it won't be your fault if there's a mistake; I highly recommend that one. And then a very cool thing about video games is that they are easy to measure. So when you're in the information security industry you're like, did that work, did that not work, we don't know. When you're playing a video game, and League of Legends is one of these games that has a replay feature, you can actually watch your game back and see, all right, I was in this scenario, I made this decision, did I get lucky or did I make the right decision? And so that's a super useful part; it's why this fourth question of did we do a good job is super helpful.

And so when we talk about this third question of what did we do, again we work through these three terms that we use all the time in information security. So when you have a risk you have three choices: you can transfer it, you can mitigate it, or you can accept it, and if you don't pick one of the first two you've picked the third one by default, and picking the third one by default is your worst case scenario. So there are sometimes when risk acceptance is perfectly valid. So in League of Legends you can look at the scoreboard anytime and see who's alive and who's dead. So in this scenario there are four players dead on the other team, so at best it could be a one-on-one scenario, right? So we took that all-possible probability of there could be five people, we used one additional piece of information, and now we know at most it can be a one-on-one. Also we know that the one character that's still alive has died six times and only has two kills, so they are bad at the game, we're much better than them, we can take them one-on-one. Sometimes though it doesn't work, and for anyone who played this game, you can ping your teammates to let them know things, and this ping is supposed to mean hey, somebody's missing up here, pay attention. Culturally, what it means when it's this many right over your dead body is: you have made a mistake, you are bad, uninstall the game. In real information security we always just move on to the next one, right, we're a blameless retrospective culture, that's the type of team you want to build when you're building one. League of Legends does not have that methodology. And so let's move on from League of Legends, it is a silly place.

So, incident response. The information security industry is split into offense, defense, governance risk and compliance, and tooling and infrastructure, in my opinion. Incident response, if you're working on the blue team, the defensive side, it's a huge part of your day. I think it's one of the cooler PVP games that you can legally play, because it is one of the few times in your life that you are actively competing against another person. If there is a hostile person on your network it is not an AI, it is not a rogue something, it is somebody who has a goal. They could be criminal, they could be a government intruder, they could just be doing it for fun, whatever, but you are playing a PVP game when you're playing incident response. It is a reason why some people get hooked on that part of the industry. I did that job for four years as a frontline incident responder and then worked in a support role for two years. I worked at Amazon on the AWS side, and my first day on call was Heartbleed; my last week there was Log4j. So put me in your on-call rotation, I am a great good luck charm.

And so Backdoors and Breaches is a card game that's been designed to help you run what's called a tabletop exercise. So real incidents are (a) expensive, (b) scary, (c) risky, and (d) can put your company out of business, and a tabletop exercise lets you practice a real world scenario without having to worry about all those bad consequences. It's made by a company called Black Hills Information Security. This is a great company; they also do a ton of great work for the community, so if you're just getting started in the industry and you're interested, they run a lot of what are called pay-what-you-can trainings, and so if you can't pay anything they're available for free. They have a great blog, I think they have a podcast, highly recommended.

And so Backdoors and Breaches, your goal is like Clue. So if anybody played Clue the board game, right, you're trying to figure out who done it, where, and with what. In Backdoors and Breaches you're trying to figure out these four things of an incident, and just like in a real world scenario, these are really the four things that help you understand what's happening in an incident. So initial compromise: how'd they get in? Pivot and escalate: they got in somewhere but it's not a useful point, how did they get somewhere good and how did they get the privileges to do it? Persistence: how did they stick around, right, you might have found them once but how do they come back? And then C2 stands for command and control, and so C2 and exfiltration means how did they control their assets on your network and how did they get the stuff that they stole out of your network. And so you'll have a game master when you're playing Backdoors and Breaches. They assemble this four-card hand that comes from the deck. One of the things I really like about this as a game tool, as a training aid, is they list all of the URLs, they cite their sources at the bottom of the card. So if you're like, oh wow, that was a super useful procedure, we don't have that in our real world, how would we implement it, the sources are right on the card. And you'll see that each one of these cards has a detection listed, and since this is a game, right, we get into this sort of rock-paper-scissors scenario: if you're trying to figure this out, if I used X procedure and succeeded at it, the GM will reveal the card. Your goal is to reveal within 10 rounds what is this hand, and if you do, you win, and if you lose, you launch a retrospective.

As the defending team you get a hand of these procedure cards, and so these are procedures that you have as a team to help secure your assets, and so these are the counterpoints to those detection rules on the attacking cards. When you're at a company there are procedures that you use all the time, and so they're things that you're familiar with, you know how to do, all your staff are trained; it's not just one person who, you know, Jill's on vacation, so we actually don't know how to do this, uh-oh. And so these get a bonus in the game: you get a plus three to your roll when you use an established procedure, but you can still use a procedure. You roll a d20, and if you get a 10 or greater the procedure has succeeded, and if it maps to one of the controls that you figured, or one of the four parts of the attacking hand, the GM will reveal them. If you roll a natural one or a natural 20, bad things can happen. So when you're working on an incident, weird stuff can come up: one of your incident responders can have a baby, they can get sick, they can get COVID, a lawyer could want a briefing, the executives could want a briefing, which is even worse, another incident could happen. And so these injects are a way to throw some randomness into the game, and as a GM, if you're running it for your team, one of the best ones that you can do is if there's one person who's dominating the conversation and you want to pull more people in, you can just play an inject and say you have to go give the executives a briefing, and that person has to sit out for a few rounds, right, to let the rest of the team practice. And so injects are this great way of throwing a little bit of chaos into the process.

Tabletop exercises, they take a little bit of planning, right, because you're playing pretend with your co-workers, which is always fun, but you're not doing your real job, right, because you're not actually stopping a real incident, you're not pushing tickets, you're not updating systems. If you've got a small team, time is a resource; just like in League of Legends, it's a resource in the real world, so maybe you're not going to get to do this every week. But if you're in an organization and you're not doing tabletops, grabbing a copy of Backdoors and Breaches, I think it's like 10 bucks; there's an online version if you're a distributed team so you can play it over Zoom. Take some time, think about how this could be useful for your team, and you can help make this justification to your leadership. The biggest one is that it helps you identify gaps before you actually have the problem. So if you realize, oh, we failed to detect persistence because they were in our cloud environment and we don't actually have a cloud posture management tool, and so we're not evaluating how many IAM users are in our cloud; all right, well, we failed with some cards, but like, doesn't matter, right? But now you can go to leadership and say, look, we've done an exercise, we understand we have this problem, we want to invest in the next six weeks and figure out a way to close this gap. So it gives you a little bit of data to go to your leadership and justify making these investments. It gives you a chance to try out new things: so if your team doesn't know that you rolled out a new endpoint tool, or doesn't know that there's a new log source, and you're playing the GM and you know that the new tool should have revealed that there was C2 via TLS, and you're like, well, now we've got a tool, we're cracking that stuff, or we should be detecting malicious domains because we just bought X vendor. It allows you as a manager to go, oh, my team's not familiar with the new thing that came out, we're not aware of our new capabilities. And it also helps you train your new staff, both from what does our team do, how do we operate, but bringing them in and letting them make calls.

My entrance to the information security world came because somebody replied to a Reddit direct message. I owe my entire career to the r/netsec Q3 hiring thread in 2013; thank you David Albernaz if you're out there. And he brought me into a team that let me make mistakes and had this blameless culture, helped me learn, helped me grow, and so when you're building that culture as a team you want your juniors in there, and tabletop is a great way for them to take the lead as an incident commander. Right, when you're commanding an incident, if you've all been on an airplane you've heard the pilot voice, right, that low monotone: everything's fine, you're 20,000 feet in the air and the ground is shaking, that could be bad, but this calm person comes over the line and says we're going to find some smooth air, folks, don't worry about it. Your job as an incident commander is to remain calm. You can do a lot of other stuff, but your job is to remain calm. This is another day at the farm. Everyone else, it could be their first time in an incident, they could be worried that the Russians are on the network, the Chinese are behind every router and Anonymous is in our network traffic; it's just another day at the office for you. And this lets you feel that adrenaline, clamp it down, and sort of really understand that what you bring to an incident as a commander is leadership. And it's a super fun way to practice.

The next topic I want to talk about is defense in depth, and so there's a model that you'll probably see in infosec called the Swiss cheese model. I'm seeing a couple of shaking heads yes, I'm seeing a couple shaking heads no. So this is a model that got introduced at the University of Manchester in the 90s, and it basically is a way of saying, well, no layer of protection or decision-making is going to be perfect; there's going to be ways things fall through the cracks, but if you have a second layer behind that and the holes don't line up directly, well, even if something gets through layer one it might get stopped at layer two, and even if it gets through a hole at layer one and layer two because they happen to line up together, you still have layer three behind you. And so in information security, this is an application security version of this. So we're building a web application and we want to make sure that it's not going to get hacked. This stuff comes from the OWASP AppSec cheat sheet. If you're not familiar with OWASP, it's a super great resource; they have a ton of these so-called cheat sheets that, as you're building apps, rolling out products, can help you secure different things, so highly recommend OWASP. And so the first thing they recommend is input sanitization, right, so this protects you from injection-style vulnerabilities, which are still plaguing web apps to this day. Look at any CVE from the last week; I don't know what they are, but I'm sure there was an injection vulnerability in there. And let's say you use libraries that have injection protections in them, but for whatever reason they fail, or a developer forgets to use them and uses an unsafe method. Well, if you build your product with a memory safe language (so memory safe languages handle memory management for you, they help mitigate against buffer overflows; CISA, which is a US government agency focused on cyber security defense, is recommending companies come up with a memory safe roadmap), and so if you're working in a memory safe language, yes, they have input sanitization, but they don't have the ability to buffer overflow you to get onto the device. So let's say you forgot to do input sanitization, you're still using an old-style C app, it was running as an administrator on the product, or it's running as a basic user on your server, but at least your operating system is patched, so that way they can't use a CVE from five years ago to go from basic user to root level. And so you stack these layers of defense because you're never quite sure that every control will be perfect; a zero day can always pop out and get you.

And so again what we're going to do is we're going to talk about this through the realm of Netrunner. So Netrunner, it's a super fun game, it's called a living card game. So if you've heard of games like Magic, right, where you buy boosters and hope that the cards you want are there, a living card game is the opposite of that: you buy a set, you're guaranteed to have three of every copy, and so you can just build decks, super fun. It was originally released by Fantasy Flight Games; they no longer print it, but there is a community-supported version from Null Signal Games that you can still buy, so you don't have to pay, you know, inflated out-of-print prices. It's super fun. It is an asymmetric card game, which is super fun, right, it's what we play for. You play either as the runner, a hacker trying to break into various large corporations; there are three hacker factions that you can play, the Criminals, the Anarchs and the Shapers. There are four giant megacorps that you can play: NBN, which is your information-controlling people; Jinteki, which are your cool biohackers that have traps; Haas-Bioroid, which are cool androids; and then Weyland, which is just the Weyland-Yutani Corporation from Aliens, but they don't include the word Yutani so they can't be sued. In the game the Corp are trying to score agendas, and the runners are also trying to score agendas, but the hilarious thing is the runner does not get to bring any agendas to the game; the only way that they can get agendas is by breaking into the corporation and stealing them from them. And so the corporation has to set up their board like this, so they have four different ways that they can be attacked: the discard pile, their deck, or their hand, and then they have to deploy their agendas into these remote servers and leave them out for a certain number of turns, right, so if you leave something out it's worth more points, but it gives more chance for the runner to score. They protect these servers and their hand and their discard pile and their deck by ice. And so ice, if you've never read any of like Neuromancer or anything like William Gibson, cyberpunk era, it sort of imagines, before metaverse was a headset that you bought from a company called Meta that used to be called Facebook, the metaverse was just this sort of concept of cyber security you're flying through as a person, you're seeing 3D walls of firewalls shooting up in front of you, and so William Gibson calls them ice, and so you'll see that term in a lot of cyberpunk stuff. It's super cool, highly recommend Neuromancer; it's a book, on paper or ebook or audiobook depending on your preference. You might be like, wow, this seems really derivative, and that's because everything that you're thinking of stole it from Netrunner or from Neuromancer in the first place.

Unlike in real life, in Netrunner the runner's brain is directly connected to their computer, so there's a second way for the Corp to win, which is they can just kill the runner. So instead of scoring agendas, they can put something out in a remote server and leave it there, and the runner goes for a run, but it turns out it's a gigantic brain virus that's going to melt the runner's brain. And so if you can flatline the runner, meaning force them to discard a card from their hand that they cannot, you have won as the Corp. Both are equally valid; one is cooler than the other. And so the game breaks down ice into these three different categories, right, this is where we get into a little bit of it's more of a game than real life. There are three types of ice, barrier, sentry and code gate, and there are three types of breakers. So the runner deck, it doesn't have any agendas, it's full of programs, so they are building their cyberdeck to play this game, so they're looking for their programs, they're looking for cool underworld contacts, they're dumpster diving to go and grab different documents to learn information from the Corp, and they play this rock-paper-scissors game: the Corp's ice is face down, they don't know what they're going to go find, and so they have to prepare their cyberdeck and their economy to be able to succeed on a run. If they run into a barrier they need a fracter to break it, if they run into a sentry ice they need a killer, and if they run into a code gate they need a decoder. It's a super fun game. I've got decks with me, so if people want to come out and play a game, I wore a red shirt so I'm easy to find, not so that I will die on an away mission in Star Trek; it has checks on it, it's not solid red, I'm safe. But if you want to play a game I've got a copy of it, super fun. There are a ton of expansions, there's people that play online, but super fun game, highly recommend it. And unlike the real world, you get to kill the hackers that are attacking your network if you're a blue teamer, which is kind of cool.

I want to talk about two-factor auth. If you take one thing away, if you're not in the security industry and you're interested in getting into it: this is a quote that a US senator said to a CEO two weeks ago. If you've heard of the Change Healthcare breach, this was about two-thirds of the ability to service electronic prescriptions in the US that were impacted by the Change Healthcare breach, and they did not build for defense in depth. They had a box on the edge of their network with a password, with no multifactor auth, that allowed a ransomware actor to get in and take down this entire healthcare company. Multifactor auth is becoming table stakes. If you're building an application, if you're building a company, if you're currently a defender at a company and you don't have a multifactor strategy, we'll talk after this, but like, it is becoming table stakes. Password stealers, reused passwords, password sprays, all these things are becoming super common from attackers. And one thing that we're seeing is kids learning this through video games. So if you have Steam, Epic Games, an Xbox account because you're cool, a PlayStation account because you have weird-shaped hands, I don't know, all these accounts can have MFA on them; put them on there. If you have kids who are buying digital goods like skins, digital games, make sure that they have MFA on their account. This does not mean you need to buy them a cell phone so they can have MFA; you can use your phone, because that's a whole lot of catfish. But these digital app accounts are being stolen, being resold, bullying at school, all that stuff; two-factor auth, if you've got a gaming account, super important.

A couple of infosec things. So some MFA is better than no MFA; not all types of multifactor authentication are the same, right? So you'll see some sites use what they call magic login. So if you use, not Squarespace, Substack, they don't really want you to log in with a password; they want you to give them an email address and then they're going to email you a link, and they're saying, well, they have access to this email account, so therefore we're letting them in. Is it technically multifactor authentication? Not really, right, because you just need to know your own email address and have the login; there could be no password on there. But the theory there is like, well, people care a lot more about their email account than their Substack account, so if we let people put a password they're going to use a bad one, password spraying, yada yada. Are magic links great? No, but they're better than nothing. SMS, right, so various banks will text you codes and ask you to never share them with anyone, but please type them into this website. SIM swapping, which is the ability for an attacker to steal your phone number, is becoming very common; it's built into a lot of common phishing kits, and there's the ability for, well, people will just sit outside cell phone stores in cars, wait for a manager to pick up one of the tablets, run into the store, yank the tablet out of the manager's hands, and now they have a logged-in tablet on the network. They'll just bribe minimum wage employees at cell phone stores or call centers to say, hey, I totally own that phone number. It's reduced the value of SMS as a second factor, but it's still worth it. This is Zack's opinion, but it's still better than nothing. If you can use an app, so TOTP, which is like Google Authenticator, Microsoft Authenticator, typing in codes is sometimes annoying but it's a stronger level. And then U2F, universal second factor, which are like YubiKeys or passkeys, are super valuable. If you're at a company and you don't have an MFA strategy, go play some video games because tomorrow is Sunday, then when you go to work on Monday, have this discussion with your leadership; it's something you can really focus on.

The last thing that we're going to talk about is cryptography, and so because this is 2024 this is another disclaimer slide: we are talking about cryptography, not money in crypto. My co-founder is a cryptographer; he'd be mad if I didn't include this disclosure slide. A cryptographic system gives you a couple of different properties: it can allow for secret communications and it can allow for verified communications. So in security we talk about Alice, Bob and Eve. Alice and Bob want to talk, Eve is evil and wants to talk; don't ask what happened to C and D, they did not complete their TPS reports and they were fired. Alice wants to send Bob a message, and they agree on a secret passphrase ahead of time, and so they send the message; Eve, even if she possesses the message, can't read it. And so this is powered through a symmetric cryptography system, meaning that there's a single secret key that's used for both encryption and decryption. The issue we get to in this scenario is how can Alice and Bob exchange their secret passphrase ahead of time. And so the industry has come up with this concept of asymmetric cryptography, where you have a pair of keys, a public and a private key. When Alice wants to send Bob a message she uses his public key to encrypt the message, and since Bob is the only one who possesses the secret key, he can decrypt the message when he reads it. And it also allows us to perform verification using the inverse of that system, so if Bob wants to make sure that Alice is the one sending him a message, again Alice has her secret key, Bob has her public key, Alice can sign a message. Now in this case the message is not encrypted, right, it's still sent in plain text, so Eve could steal it but she can't change the content of the message. Now this is useful; it's the basis of a ton of stuff in cyber security. I ran through it really fast. I'm not going to ask you to explain public and private keys, but it's a thing that you want to build in. And so I think it's much more fun to learn it using magic, and so Cryptomancer is a tabletop role-playing game. It's available on DriveThruRPG, and it is a D&D style world that adds cryptography, information warfare and internet security to the fantasy world, and I think we can all agree that Shardnets are better than the internet, true names are better than private keys, magic phrases are cooler than pre-shared keys

and that orc Wizards are scarier than than Eve uh I am much more worried about fenor Nexus Walker stealing my one true name and corrupting my message to my party than Eve stealing a private key um the super cool thing about this game is it's going to introduce these Concepts to you in a way that you can remember where you're not teaching cryptography to your friends you're not talking about computer hacking with your friends who don't want to talk with you about it you're just in a cool D and style world that happens to have this thing called The Shard net where instead of having to go from random City to random City and dealing with an

encounter along the way um you can just send messages back and forth you can use rituals to create a private Shard net that is encrypted with your one true name that allows your party to communicate but there's a focus in the game on hacking and Espionage where you're running networks of Agents you're conducting dead drops that they are signing messages back and forth as the DM you're trying to break all these different things so that you can cheat your way and the party is looking for ways that they can actively exploit the systems that you're building um so if you have a d and group that you want to talk about hacking and they don't want

to um it's super fun way to introduce it uh it is a um it's available on drive-thru RPG uh super fun game H and I hope that you've enjoyed today we've talked about a bunch of different security Concepts uh I would be remiss if I didn't mention Buffalo open coffee Club Pat is laughing at me um this is a group I run in Buffalo it's a free event every Tuesday 7:30 to 9: in senica 1 uh it is for folks building businesses in Buffalo so if you're interested in starting a business if you run a business if you're stuck uh we do a process called gives and asks which allows you to throw an ask out to the

group if that asks everything from you know does anybody know a landscaping company that can make my storefront look nice to does anybody know a lawyer that does digital intellectual property work Buffalo is a town where if the person isn't in the room they know somebody who can help you and a warm intro is always better than a cold one um so please join us the all the information is at 716 coffee. Club um where there are Le every Tuesday 7:30 to 9:00 uh my name's been Zack lick thank you for coming we got some time for questions uh and Zack z.o if you have any questions uh and I've got a Netrunner with me if anyone

wants to play a game thank you for your

time all right any questions in the craft

Audience member: Yes, my question is, I'm moving further in my career and I see a lot of value in these games, and I try to get tabletops to run, I try to bring people in on these concepts. Of course, like you said, you know, trying to convince your management that spending time playing a game instead of doing your job isn't worthwhile. Do you have any ways of tracking some level of metric, or putting some sort of dollars and cents behind it, where you can get that buy-in from those?

Zack: Yeah, so the question, for folks who might not have heard, is how do you justify it, do you have metrics that you can use to convince your boss that spending some time on a tabletop is worth it? Right. So when you're dealing with senior leadership, they don't care about tech, they don't care about how cool it is, they care about risk and they care about dollars and cents. This number is from the last DBIR. The Verizon DBIR is a great sort of industry-level document. You can just read it as a PDF; you don't have to give them your email address. The form is very confusing, but you can read the PDF for free. Don't give them your email address. The average downtime from a ransomware incident was 21 days, and that's if you do everything right. So if you're talking to senior leadership, they probably know how much revenue they make per day, so multiply that by 21, and that's what it potentially, on average, could cost them in a response. And so you're like, look, we can game out this strategy and see how we could handle it: do we have the ability to roll from our backups, do we have the ability to detect anomalous behavior on our network? This costs us time; it doesn't cost us money. So it's really speaking to them in the language that they understand. For folks who don't know, at Buff State, the term brainstorming was invented in Buffalo, which I think is super cool, and there's a tool that they use in that called the polarity model. I have a blog post coming out on this in a couple weeks, but it's a way of mapping your line of thinking, where you're only thinking of the positives of why we should do this; the person you're speaking to doesn't know about the positives, they only know about the negatives. So a polarity model helps you think about preparing your communication strategy in a way that reflects how the other person's going to hear it, not how you're trying to say it. So really speak to those senior leaders in the manner that they're used to, which is risk and money, because that's how you're going to justify it, even though it's super fun and cool. And then maybe they can come play.

Audience member: Yes, so I just want to inject one thing. If people know me, it's very much intended. I've had some of these challenges as well. When we talk about incident response, we tend to focus on the technical pieces of an incident, and, you know, the response and the recovery of that, but there's another part, right, and that is senior management. So when you find yourself in an incident, there is a team of people that's involved, and that team includes things like senior executives, communications, HR, and others. When you do an incident response, when you do a tabletop, there's really two flavors, right? There's the technical piece, testing people's ability to do the detection and the response and the recovery work, yes, but then there's the management side of it: how does the company manage this incident at a higher level? So bringing those folks to the table and exposing them to these concepts and having them go through training is invaluable, because when you think about when it hits the fan, and it will hit the fan, the first thing to skyrocket is emotions. So having people who have been through this, who understand that there is a path through it and understand what their roles and responsibilities are, helps to tamp down those emotions and keep people focused on task.

Zack: Yeah, that pilot voice is key. If you've never watched anything about Chuck Yeager breaking the sound barrier: every pilot you've ever heard is doing a Chuck Yeager impression, right? This guy is going faster and faster and faster, the X-1 is shaking, and he is cool on the radio. He's not yelling, he's not screaming, he's not worried, he is in control of that vehicle, and that calm from the pilot radiates calm. And so that practice is key.

Audience member: Okay, yeah, a question for you. What boxes, or kind of like base-level information, did you need to have where you felt comfortable going from an employee to starting your own business?

Zack: So part of it was the community that I was a part of. Coffee Club has been, you know, a great resource, seeing other people build businesses. We're working with an amazing group called Cooperation Buffalo; we're an employee-owned cooperative, and so they help those types of businesses get off the ground. If you're at UB, there's a place called the Collab; Hadar Borin and her crew run it, an amazing group, just sort of running through tools like the business model canvas, which is a tool that you sort of use to say, like, does this business idea make sense. Having an amazing co-founder, Kimberly Price, who's my co-founder, here from Seattle; she's actually speaking at the exact same time, which is sort of annoying. But having somebody like that who I've worked with before, right, when you start a business with someone you're business-married together, so, like, can you work with the person. And really just giving it a go. And then also a private equity firm buying the company that you're working at, and not wanting to work for a private equity firm, so deciding to quit your job was also helpful. Family support, irrational belief that it could probably work. But happy to talk later as well. Find that community, find those mentors.

Audience member: Are you based out of Buffalo?

Zack: Yeah. So Launch New York is another great organization; it serves the six Western New York counties, and they have what are called entrepreneurs in residence. So for you they are free; they are paid, which is great, and they sort of help you develop a business. And then the Small Business Administration, through the SCORE program, they have people, so the R in SCORE used to stand for retirees, but it does not anymore, they're very serious about that, but there are people who are retired who used to work in business but still want to help, and they provide free mentoring services as well. So SCORE, SBA Niagara, something, it'll pop up. But happy to chat after as well. Cool, thank you so much for your time. If you want to play a game of Netrunner, I've got some cards. I'll be around the rest of the day. Thanks for coming to BSides Buffalo. [Applause]
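The two uses of a key pair that the talk sketches, confidentiality (Alice encrypts to Bob's public key, so only Bob's private key opens it) and verification (Alice signs with her private key while the message stays in plain text, so Eve can read it but a changed copy fails to verify), as an added Go example that is not part of the talk; it uses only Go's standard library, and the key pairs and the message are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKeyPair generates a 2048-bit RSA key pair (constructed for this demo).
func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal: Alice encrypts to Bob's public key; only Bob's private key can open it.
func Seal(bobPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, msg, nil)
}

// Open decrypts with a private key; any key but Bob's (Eve's, say) gets an error.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign: Alice signs with her private key. The message is not encrypted by this;
// the signature only proves who sent it and that it was not altered in transit.
func Sign(alicePriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature with Alice's public key; a changed message fails.
func Verify(alicePub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	bob, alice := newKeyPair(), newKeyPair()
	msg := []byte("meet at the dead drop at dawn") // constructed sample message
	ct, _ := Seal(&bob.PublicKey, msg)
	pt, _ := Open(bob, ct)
	_, wrongKeyErr := Open(alice, ct) // Eve's situation: ciphertext but no matching key
	sig, _ := Sign(alice, msg)
	fmt.Printf("bob reads %q; wrong key fails: %v\n", pt, wrongKeyErr != nil)
	fmt.Println("genuine verifies:", Verify(&alice.PublicKey, msg, sig),
		"tampered verifies:", Verify(&alice.PublicKey, []byte("meet at the dead drop at dusk"), sig))
}
```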