Full Report
Have you heard of Backdoors & Breaches, or even have a deck of your own, and yet… still don’t know how to use it? We created an incident response card […] The post How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Best Practices: Incident Response Tabletop Exercise Enhancement via Gamification
## Overview
These practices focus on leveraging the "Backdoors & Breaches" incident response card game as a structured, engaging, and effective method for conducting tabletop exercises (TTX). The goal is to improve organizational readiness, clarity of procedures, and team response capability during simulated cyber incidents.
## Key Recommendations
### Immediate Actions
1. **Access the Game Materials:** Immediately locate and access either the physical "Backdoors & Breaches" card deck or utilize the provided free online open-source version to begin familiarization.
2. **Review Core Card Types:** Immediately review the purpose and function of the different card types: Red (Initial Compromise), Yellow (Pivot and Escalate), Brown (C2 and EXFIL), Purple (Persistence), and Green (Consultants/Inject Cards).
3. **Establish the Core Question:** Train response teams to consistently ask the concluding question after any scenario: "Is this a plausible attack?" to validate the exercise realism and procedural efficacy.
### Short-term Improvements (1-3 months)
1. **Conduct Initial Guided Exercises:** Run the game with a small core team, focusing initially on game setup, clear understanding of turn procedures, and the mechanics of rolling the D20 for success/failure.
2. **Map Procedures to Cards:** For every procedure attempted during the game (especially those requiring a dice roll), ensure the team clearly articulates the *established* (documented) procedure being used, versus general procedures.
3. **Differentiate Incident vs. Crisis:** Facilitate a specific discussion point early in the exercise timeline regarding the trigger criteria: "At what point does an incident become a crisis?" and assign team members responsible for that assessment.
### Long-term Strategy (3+ months)
1. **Integrate into Formal IR Program:** Formalize the use of Backdoors & Breaches as the recurring platform for Quarterly or Bi-Annual Incident Response Tabletop Exercises, replacing purely narrative TTXs.
2. **Develop Custom Scenarios:** Create or leverage custom "Attack Scenario" cards that directly map to the organization's most critical assets or most likely threat vectors based on threat intelligence.
3. **Mandate Consultant Card Use:** Regularly incorporate Gray Cards (Inject Cards) to simulate real-world unpredictability, testing cross-departmental communication and external vendor reliance.
## Implementation Guidance
### For Small Organizations
- **Focus on Procedure Clarity:** Use the game primarily to identify and clarify existing, undocumented standard operating procedures (SOPs). If a procedure is unclear, the team should document it immediately after the exercise.
- **Utilize Online Version:** Leverage the free online version to minimize initial procurement overhead, allowing setup within hours.
### For Medium Organizations
- **Cross-Functional Dry Runs:** Run drills involving IT operations, Security Operations Center (SOC), and Communications/PR teams, specifically using the Green Cards (Consultants) to simulate external communication needs.
- **Track Procedure Success Rates:** Monitor and log the success rate of dice rolls versus documented procedures. A consistently low success rate for a specific procedure (e.g., isolation) indicates a need for process revision or enhanced training.
### For Large Enterprises
- **Scale and Distribute:** Run multiple simultaneous games across different functional teams (e.g., one for the core IR team, one for cloud response, one for forensics).
- **Integrate Debugging & Caution:** Incorporate "Debug Cautionary Words" or similar scenarios to test the team’s ability to pivot when initial actions fail or yield unexpected results (simulating forensic dead ends or sensor misses).
## Configuration Examples
*(Note: The source material is a guide on *how to play* the game, not specific technical configurations. Implementation guidance relates to the configuration of the exercise itself.)*
* **Successful Procedure Configuration:** When a player attempts an action that relies on an established defensive procedure (e.g., "Block malicious IP at firewall"), the expectation should be that if the procedure is executed correctly (as per documentation), the positive outcome is more easily achieved or requires less significant 'luck' (lower D20 roll threshold).
* **Scenario Injection Guidance:** When introducing an **Attack Scenario Card** after a successful defensive roll, ensure the scenario directly challenges the preceding successful defense (e.g., If the team successfully blocked the initial email link, the next Attack Card might reveal C2 traffic originating from a previously whitelisted, but compromised, vendor portal).
## Compliance Alignment
The objective of using these tabletop exercises aligns with general security guidelines requiring regular incident simulation and readiness testing:
- **NIST SP 800-61 (Computer Security Incident Handling Guide):** Directly supports the preparation and lessons learned phases by providing a realistic environment for practice.
- **ISO/IEC 27001 (A.16.1.7):** Supports the requirement to test the effectiveness of the organization's incident management processes.
- **CIS Critical Security Controls (Control 20: Incident Response Testing):** Provides a practical, low-stakes method for continuously testing the IR plan.
## Common Pitfalls to Avoid
1. **Treating it as Purely Fun:** Avoid letting the engagement mechanics overshadow the objective. Every step must link back to validating or improving a real organizational procedure.
2. **Lack of Pre-Defined Procedures:** Running the game without having some established (even if informal) procedures beforehand defeats the purpose; the game is meant to *test* procedures, not invent them live.
3. **Ignoring Consultant Roles:** Failing to use the Green Cards (Consultants) improperly models a siloed incident response that fails to account for necessary external or specialist input during a real event.
4. **Stopping After Success:** Ensure the exercise continues to the point where the initial threat is contained, and the attacker's attempts at persistence, lateral movement (Yellow/Purple Cards), and exfiltration (Brown Cards) have been resolved based on the established IR timeline.
## Resources
- **Incident Response Card Game:** Backdoors & Breaches (Physical and Digital Versions available).
- **Online Play Version:** The free online, open-source game copy is recommended for initial familiarity.
- **Slides/Documentation:** Review the accompanying presentation slides for detailed rule breakdowns and setup instructions.
- **Community Discussion:** Join the BHIS Community Discord server for engagement and clarification on exercise facilitation.
- **Supplementary Reading:** Review related "PROMPT#" zines for additional security articles and insights.