There's a new, fun way to run a realistic incident response tabletop exercise, and it's called Backdoors and Breaches. Inspired by Dungeons and Dragons (B&B instead of D&D), the game includes a pack of custom playing cards and a 20-sided die. Five to six people can play it in as little as 15 to 20 minutes.
The card deck comes from the folks at pentesting firm Black Hills, who sent us a review deck and walked us through how to play. It's a simple concept, easy to play, and looks like a fun way to run a tabletop exercise.
How the game works
The deck consists of different-colored cards. One person volunteers to be the Incident Master (IM) (think Dungeon Master) and randomly selects one each of four different types of attack cards: Initial Compromise, C2 and Exfil, Persistence, and Pivot and Escalate. Together, these four cards, played close to the IM's chest, represent one of 3,840 possible incident scenarios. The cards all represent realistic threats to enterprise organizations, like "Social Engineering," "Web Server Compromise" and "Credential Stuffing."
The rest of the group, who are playing defenders, draw four Procedure cards and lay them face up on the table. These represent specific written procedures available to your role-playing defensive team, such as "Server Analysis," "Crisis Management" and "Endpoint Analysis." While defenders can use everything they know in real life to analyze the scenario and play the game, the success of any proposed response depends on the roll of the 20-sided die. Like in real life, written procedures make any incident response more likely to be successful.
The IM then spends a moment to think of a story that fits the cards they've drawn. A little narrative goes a long way here: How did the incident response team find out something was wrong? It can be vague or even a red herring, and as elaborate or bare bones as you like. Encouraging creative thinking about how an incident might have begun helps defenders think like attackers, always a plus.
The defenders then propose a next step. Investigate a possibly compromised endpoint? Review web server logs? The defenders roll the die to see if their proposed plan is successful. A roll of 1 to 10 fails, and 11 to 20 succeeds. If they use one of the written procedures, they get a +3 modifier. (The not-so-hidden message here: Does your enterprise have written procedures for incident response?)
The card deck also includes wild cards, called Inject cards, that defenders draw if they roll a natural (unmodified) 1 or 20, or if they fail at three actions in a row. Inject cards can be both positive and negative (think Monopoly's Chance or Community Chest cards), including new information like "Data uploaded to Pastebin," "Bobby the intern kills the system you are reviewing," and the deus ex machina card, "Ha ha! Just kidding. It was a pentest."
The rules are still in flux as players experiment with the deck, and IMs can create custom rules for specific enterprises at their discretion. Jason Blanchard, content and community director at Black Hills, gives the example of one player who is a SIEM expert, and so when that person plays, they get a +5 modifier on any game play that involves SIEM analysis.
Game play can proceed to a conclusion in as little as 20 minutes and ends when the defenders have taken successful action to reveal all four incident cards in ten turns or fewer. The current rules can be found here.
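To make the "written procedures" point concrete, here is a small simulation of the turn mechanics exactly as the article describes them: a d20 roll, 11 or higher succeeds, +3 for a Procedure card, an Inject on a natural 1 or 20 or on the third straight failure, and a ten-turn limit to reveal all four incident cards. This is an added example written for this page, not code from Black Hills or an official rules reference. It assumes, beyond what the article says, that each successful action reveals one incident card, that Inject cards are only counted rather than applied, and that the failure streak resets after an Inject is drawn.

```python
"""Backdoors & Breaches turn mechanics, as described in the article.

Added illustration, not Black Hills' code. Assumptions not in the article:
one successful action reveals one incident card, Inject effects are not
modelled (only counted), and the failure streak resets after an Inject.
"""
import random
from dataclasses import dataclass, field

DIE_SIDES = 20
SUCCESS_THRESHOLD = 11          # 11-20 succeeds, 1-10 fails
PROCEDURE_BONUS = 3             # +3 when a written Procedure card is used
INCIDENT_CARDS = 4              # Initial Compromise, C2 and Exfil, Persistence, Pivot and Escalate
MAX_TURNS = 10
FAIL_STREAK_FOR_INJECT = 3


@dataclass
class ActionResult:
    natural: int    # unmodified d20 roll
    total: int      # roll after the Procedure modifier
    success: bool
    inject: bool


def resolve_action(natural: int, use_procedure: bool, fail_streak: int) -> ActionResult:
    """Apply the article's rule to one d20 roll.

    fail_streak is the number of consecutive failed actions before this one.
    """
    if not 1 <= natural <= DIE_SIDES:
        raise ValueError("natural roll must be 1..20")
    total = natural + (PROCEDURE_BONUS if use_procedure else 0)
    success = total >= SUCCESS_THRESHOLD
    # Injects trigger on a natural 1 or 20 (modifier ignored) or on the
    # third failure in a row.
    third_fail = (not success) and fail_streak + 1 >= FAIL_STREAK_FOR_INJECT
    inject = natural in (1, DIE_SIDES) or third_fail
    return ActionResult(natural, total, success, inject)


@dataclass
class GameLog:
    won: bool
    turns: int
    revealed: int
    injects: int
    history: list = field(default_factory=list)


def simulate_game(rolls, use_procedure: bool) -> GameLog:
    """Play one game from a sequence of natural rolls (at most MAX_TURNS are used)."""
    revealed = injects = fail_streak = turns = 0
    history = []
    for natural in rolls:
        if turns >= MAX_TURNS or revealed >= INCIDENT_CARDS:
            break
        turns += 1
        r = resolve_action(natural, use_procedure, fail_streak)
        history.append(r)
        if r.success:
            revealed += 1
            fail_streak = 0
        else:
            fail_streak += 1
        if r.inject:
            injects += 1
            if fail_streak >= FAIL_STREAK_FOR_INJECT:
                fail_streak = 0     # assumption: streak resets once an Inject fires
    return GameLog(revealed >= INCIDENT_CARDS, turns, revealed, injects, history)


def win_rate(use_procedure: bool, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of revealing all four cards within ten turns."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        rolls = [rng.randint(1, DIE_SIDES) for _ in range(MAX_TURNS)]
        if simulate_game(rolls, use_procedure).won:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for use_proc in (False, True):
        print(f"procedures={use_proc!s:5}  win rate ~ {win_rate(use_proc):.3f}")
```

Under these rules a team without procedures succeeds on half its actions and clears all four cards within ten turns roughly 83% of the time; the +3 modifier lifts per-action success to 65% and the ten-turn win rate to well over 95%. The numbers are only as meaningful as the assumptions above, but the gap is the game's point: a written playbook is the difference between usually and almost always.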
Role play security incidents in minutes
Unlike some tabletop exercises that can take months to prepare and last for days, Backdoors and Breaches makes it simple to role-play thousands of possible security incidents, and to do so even as a weekly exercise. The game can be played just by blue teamers but could also involve a member of the legal team, management, or a member of the public relations team. The ideal game involves no more than six players to ensure that everyone is engaged and participating. "This game can be played every Thursday at lunch," Blanchard tells CSO.
If the upside of the B&B card deck is the ability to instantly create thousands of scenarios from generic attack methods, the downside is that it lacks cards for specific industries, or company-specific issues. Black Hills plans for expansion decks in 2020, including one for industrial control system (ICS) security and another for web application security.
The B&B deck launched at DerbyCon 2019, and Blanchard says they plan to give away free decks at every infosec conference they attend in 2020. The decks are also available on Amazon for $10 plus shipping, which, he says, just covers their costs.
While obviously designed as a marketing tool for their pentesting business, the B&B deck will be useful to many enterprises, as well as schools and universities, who Blanchard says have shown great interest in the card deck.
If companies become more secure as a result of using their card deck? Blanchard says their pentesters would be happy with that. "We want to pentest companies that make us really have to work for it," he says.