
In part one of our discussion on incident response tabletop exercises, we outlined the value of using gaming for identifying and shoring up weaknesses in a company’s cybersecurity infrastructure. In this second part, we’ll run through an actual incident response tabletop exercise, demonstrating how to use a cost-effective and fun activity for your team to test their ability to react to a cyber incident.
Follow along as Justin Hall, Senior Manager of Research at Tenable, and CBTS security consultants John Bruggeman and Ryan Hamrick play Backdoors & Breaches, a game from Black Hills Information Security.
Setting the table
Backdoors & Breaches simulates a real-life cyber incident using playing cards. The objective is for the players to use procedure cards (which represent real-life procedures such as ‘Call a Consultant’) to reveal hidden attack cards (which represent cyber incidents such as ‘Phishing’). The kicker is that only the correct procedure cards reveal certain attack cards, meaning the players must use logic and skill to uncover them. If the players cannot reveal all the attack cards before ten turns expire, they lose the game.
The players were divided into an incident master, Justin (who ran the game), and defenders, Ryan and John (who had to uncover all the attack cards within ten turns).
The game begins
Justin began the incident response tabletop exercise by outlining the scenario. When the players came in for work at their fictional company, Hamrick Real Estate, IT admins told them that alerts from the company’s firewall showed a server in the data center sending an unusually large volume of traffic to a suspicious Harry Potter WordPress fan site.
Luckily, defenders John and Ryan had six cards representing written procedures already prepared by Hamrick Real Estate. They were:
- Security Information and Event Management (SIEM) log analysis.
- Memory Analysis.
- User and Entity Behavior Analytics (UEBA).
- Crisis Management.
- Call a Consultant.
- Physical Security Review.
Using these cards gives a higher chance of success on each turn, because the procedures are already part of Hamrick Real Estate’s documented ability to respond to a cyber incident. A further seven procedure cards represented actions that would be new to the fictional company. They might still be essential, but improvising a procedure mid-incident is less likely to work than following one that has been written down and practiced, so their effectiveness in the game is reduced.
A complex investigation
As John was the one to receive the call from IT admins, his first step was to use SIEM log analysis to search for outbound traffic to the fan site’s IP address. He knew the IP address belonged to a WordPress site, so he wanted to know which hosts in the company’s environment had spoken to that machine. Unfortunately, the attempt failed: Justin ruled that the relevant logs had been accidentally deleted, a realistic reminder that log retention has to be verified before an incident, not during one.
The players caught a break with a ‘Firewall Log Review’ card, which revealed the first attack card: ‘HTTP as Exfil’. The firewall logs confirmed that the traffic originated from the internal server and went to the Harry Potter fan site. The odd detail was that the firewall had also logged the HTTP User-Agent string: the destination IP address matched the fan site, but the User-Agent was not one a server at Hamrick Real Estate would be expected to send, which pointed to tooling rather than a person with a browser.
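The two questions the defenders asked in this round, which internal hosts talked to the suspect IP and whether the traffic looks like exfiltration, are exactly what a log review has to answer. The following script is an added example for this article, not code from the game, from Black Hills Information Security, or from the players. The key=value log format, the hostnames, IP addresses (TEST-NET ranges), byte counts and User-Agent strings are all constructed for illustration, and the User-Agent heuristics are assumptions you would tune to your own environment.

```python
"""Triage outbound firewall logs for HTTP-based exfiltration.

Added example for this article; not the game's or any vendor's code.
The key=value line format and all sample data below are constructed.
Adapt parse_line() to the export format of your own firewall or SIEM.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log. 10.0.20.15 is the data-center server from the
# scenario, 10.0.30.8 is a user workstation, and 203.0.113.7 stands in for the
# suspicious fan site (TEST-NET-3 address, not a real host).
SAMPLE_LOGS = """\
2024-03-04T08:01:12Z action=allow src=10.0.20.15 dst=203.0.113.7 dport=80 bytes_out=48217000 ua="python-requests/2.31.0"
2024-03-04T08:01:13Z action=allow src=10.0.20.15 dst=203.0.113.7 dport=80 bytes_out=51003000 ua="python-requests/2.31.0"
2024-03-04T08:03:40Z action=allow src=10.0.30.8 dst=203.0.113.7 dport=443 bytes_out=1432 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
2024-03-04T08:05:02Z action=allow src=10.0.20.15 dst=198.51.100.20 dport=443 bytes_out=2210 ua="Windows-Update-Agent/10.0"
2024-03-04T08:06:55Z action=allow src=10.0.30.8 dst=198.51.100.44 dport=443 bytes_out=9800 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
2024-03-04T08:07:10Z action=deny src=10.0.20.15 dst=203.0.113.7 dport=8080 bytes_out=0 ua="-"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

# Assumption: anything sent by a scripting or CLI tool from a server that has
# no business uploading to the internet is worth a look. Tune per environment.
TOOLING_UA_MARKERS = ("python-requests", "curl/", "wget/", "powershell")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value log line into a dict; return None if unusable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip('"')
    if "src" not in rec or "dst" not in rec:
        return None
    return rec


def parse_logs(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def hosts_talking_to(records: List[Dict[str, str]], dst_ip: str) -> List[str]:
    """Which internal hosts spoke to the suspect destination (the SIEM question)."""
    return sorted({r["src"] for r in records if r["dst"] == dst_ip})


def is_suspicious_ua(ua: str) -> bool:
    """Missing User-Agent or a known scripting/CLI tool signature."""
    if not ua or ua == "-":
        return True
    lowered = ua.lower()
    return any(marker in lowered for marker in TOOLING_UA_MARKERS)


def flag_exfil(records: List[Dict[str, str]], byte_threshold: int = 10_000_000) -> List[dict]:
    """Aggregate allowed outbound bytes per (src, dst) and report pairs that
    exceed the threshold or use a tooling User-Agent (the firewall question)."""
    totals: Dict[tuple, int] = defaultdict(int)
    agents: Dict[tuple, set] = defaultdict(set)
    for r in records:
        if r.get("action") != "allow":  # denied connections moved no data
            continue
        key = (r["src"], r["dst"])
        totals[key] += int(r.get("bytes_out", "0"))
        agents[key].add(r.get("ua", "-"))

    findings = []
    for key, total in totals.items():
        reasons = []
        if total >= byte_threshold:
            reasons.append(f"{total} bytes sent outbound")
        bad = sorted(u for u in agents[key] if is_suspicious_ua(u))
        if bad:
            reasons.append("tooling User-Agent: " + ", ".join(bad))
        if reasons:
            findings.append({"src": key[0], "dst": key[1],
                             "bytes_out": total, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("Hosts that contacted 203.0.113.7:", hosts_talking_to(recs, "203.0.113.7"))
    for f in flag_exfil(recs):
        print(f"{f['src']} -> {f['dst']}: " + "; ".join(f["reasons"]))
```

Run against the constructed sample, the workstation that merely browsed the fan site with a normal browser and a few kilobytes is not flagged, while the server that pushed roughly 99 MB with a python-requests User-Agent is, for both reasons. The point for a tabletop is that the two checks are cheap only if the firewall is configured to log the User-Agent and byte counts in the first place; confirm that before the exercise, not during the incident.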
The plot thickens
The players ran into a string of failures as they attempted to run:
- Memory Analysis.
- Network Threat Hunting.
- Endpoint Security Protection Analysis.
Three consecutive failures meant Justin introduced a new wrinkle into the game: the attackers had gained access to the company’s endpoint protection suite, so every card that depended on endpoint protection was offline for the rest of the game. This is a common real-world outcome too; an attacker with administrative access to the EDR console can disable sensors, suppress alerts or quietly add exclusions, which is why that console deserves its own hardened, separately monitored credentials.
Homing in on the suspicious user agent string, the players hypothesized someone must have physically accessed the server. They did a ‘Physical Security Review’, revealing an attack card that confirmed their hypothesis: Someone got into the company’s data center and accessed the data on a physical machine. Two attack cards down, two to go.
Running out of time
On turn 9 of 10, John and Ryan decided to ‘Call a Consultant’. Luckily, they were able to reach an expert who helped them uncover another attack card: ‘Access Token Manipulation’. The attackers had stolen access tokens on the server, which let them authenticate as legitimate accounts without needing to crack or phish the passwords behind them.
With a final roll left and one attack card remaining, John and Ryan had just one chance to solve the game. They decided to run another SIEM log analysis. Unfortunately, they were unsuccessful, and our players lost the game.
Justin revealed the full chain: the attacker broke into the data center, rebooted the server, acquired access tokens from it, collected the data on the machine, and shipped it all off over HTTP to the fake Harry Potter fan site. While the game ended in a loss, the players still gained valuable insight into how they would respond to a real incident, and the failed cards (deleted SIEM logs, a compromised endpoint protection console) mapped directly to gaps they could go back and close in their own environments.
Plan your own incident response tabletop exercise
Every organization should organize its own version of an incident response tabletop exercise. For instructions on how to play, check out a printable version of Backdoors & Breaches here and play the game online here.
If you need guidance on running a successful incident response tabletop exercise or implementing your findings, reach out to our cybersecurity experts at CBTS.