A group of executives sit around a table. In front of them is a map, six heroic figures standing in a model of a data center, surrounded on all sides by small, crouching creatures in hoodies. At one end of the table, the DM is speaking dramatically. "You have retreated to the server room as the DDoS continues. The hackers have been repelled several times, but you're all injured and low on resources. This is starting to feel very much like a last stand, and the CEO is waiting for an update. What do you do?"
The players discuss for a while, before the CISO takes a deep breath and looks up at the DM. Obviously the decision she's about to take is weighing on her, this is a last resort, and there will be collateral damage. Still, her voice is strong and confident as she intones: "I cast empowered firewall."
Today, we’re going to look at tabletop exercises, or scenarios, and how they’re used to prepare for the worst in security.
Sadly (or fortunately) that's not how tabletop exercises are really run, although there are some varieties that skirt very close to the edge of being full on games (and indeed, some that not only skirt the edge but eagerly leap over it head first). While the reality may be less full of evil gremlin-summoning cybercriminals and magic-wielding security teams, there's a strong overlap in the goals of a good scenario and a good role playing campaign.
Tabletop exercises are ways of testing out plans and preparations without taking the rather more drastic step of burning down your own data center. It's important to know how the business would function after a crisis like that, and to prepare for it, but taking the actual step of burning down your data center may be seen as a bit too far for an exercise. Instead, these crisis events are gamed out, whether it's to discover lines of communication, to test incident response plans (whether business continuity or disaster recovery), or just to train employees and build awareness of the importance of security.
These exercises also have a long and noble history outside of modern IT and cyber security uses, going back at least two hundred years to Reisswitz's "Kriegsspiel" in 1824, developed by him and his father and described by General Karl von Mueffling as "not a game at all! It's training for war. I shall recommend it enthusiastically to the whole army." It's an approach used by global militaries to prepare their forces for engagements, with NATO having kicked off a Wargaming Initiative in 2022 in Paris. Emergency services use them too, with the NHS regularly running simulations involving dozens of actors and full makeup teams to realistically simulate injuries.
Given that there are centuries (even if only two) of evidence that tabletop exercises and gamified scenarios help prepare for crises, disasters, military engagements, and similar, and that the cost of such an exercise is extremely low compared to the cost of being unprepared when a scenario hits, you might fall into the trap of thinking that they are used everywhere today. Sadly, that isn't the case.
For a whole slew of reasons, while those who do make good use of tabletop exercises swear by the value they bring, many organisations just don't use them. It might be ostrich syndrome, as these scenarios can be exceptionally good at pulling out all sorts of failings that people don’t want to acknowledge. It could be reluctance to get involved with something seen as 'play' or 'childish'. Maybe it’s having experienced poorly run scenarios consisting of an overly-engineered PowerPoint presentation with no interaction and a lot of marketing FUD. For whatever reason, some organisations are reluctant to seek them out and use this valuable tool.
This is, fortunately, changing, with events like the annual Play Secure conference bringing together experts in learning, simulations, gamification, and games. Furthermore, a number of companies now offer standard and bespoke exercises in their product catalogs. Full disclosure: as you might expect, my own family company, Bores, has been running these with great results for years.
The idea of using tabletop scenarios as a place to test or stress-test plans and prepare for disasters, to build up tolerance for stress and panic in those involved (run well, they are intense experiences), and to provide a place to get things wrong safely is spreading.
There's a whole slew of options when you're running a tabletop exercise, depending on what you want out of it. As a marketing and awareness exercise for a particular threat or event, a highly structured format involving detailed inputs and limited (or even no) choices, almost a replay of real events, can be highly effective - less engaging, but scalable at low effort in a way more involved scenarios are not. At the other end of the spectrum we end up with much more open scenarios, almost completely unscripted and requiring a skilled moderator to run, responding in real time to participants' decisions and creating new injects on the fly.
As a general rule, the more scripted the tabletop exercise, the easier it is to run at scale, the more effort it takes to create initially, and the less knowledge it requires from a moderator to run. A company could easily put out a pre-prepared internal scenario in the style of a choose-your-own-adventure book with limited choices, and leave teams to run their own sessions.
The less scripted the session, the harder it is to run at scale (possible, but it requires more resources and effort), and the more knowledge and expertise required of the moderator. The ideal here is someone with experience of the sort of incident being simulated, along with experience of running game sessions (yes, I do put thirty years of running tabletop RPG sessions on my CV when I'm pitching these exercises). What unscripted sessions do provide is the chance to test specific plans, or even to build them based on actions and choices made during the exercise.
Alongside this, you need to consider the type of incident that you want to test out. A business continuity tabletop exercise will aim to uncover how an organisation can keep operating at an acceptable level when critical systems fail.
Incident response will look to security incidents, in most cases, but can cover anything from bad press to a shipwrecked CEO.
Business continuity scenarios are aimed at how the business responds to a crisis or critical failure, and keeps some level of function going throughout. It’s a great way to work out what’s genuinely critical, and what level of service is required to be a viable business.
Disaster recovery often naturally flows from business continuity, uncovering how an organisation moves from business continuity plans back to normal operations (or how to restore from backup). Crisis management can be almost anything, including all the above.
I'd love to say the best way to run one is to engage a professional (and it is true: if you have the budget and can find a professional, then you should). However, if you're just looking to test out the idea, or looking for a new take on family game night, then you can easily run a tabletop session yourself with limited effort. You will be relying on your own expertise, so pick a scenario you have some experience of for best results (and an environment you're familiar with - when building these scenarios I'll usually include an intense discovery phase to understand the organisation well enough).
Once you have a scenario, the simplest next step is to decide what the 'truth' is: what has actually happened behind the scenes, who the attacker is, or what has really gone wrong. This doesn't need to be incredibly detailed, depending on your improv skills and confidence, but a golden rule is not to alter it during the exercise - a little inconsistency can destroy engagement and remove any learning potential.
Once you have that 'truth', spend some time thinking about how the participants will see it. They're not going to have the full information from the get-go - even in a scenario as simple as a data center burning down, the first thing the organisation is likely to see is services failing. Whatever you brainstorm here will form your first injects, which could be as simple as saying to the group 'this is what you see' or, for a more powerful effect, social media messages from customers, ransomware notices, news headlines, and similar (you can grab some free templates to create a few of these here).
Once you've done that, the hardest thing is scheduling a time to get your participants together. That one I can't help with.
Finally, you'll have everything you need: the scenario, the injects, your participants, and ideally someone to take detailed notes of what happens.
After that, it's about narrative and storytelling. Open up with the initial injects, and then hand over to your participants to decide what happens next. When they take an action, respond with more information depending on what they've done, maybe with more injects, and iterate until the scenario is complete.
Completion can be hard to define, so realistically you want to run until the scenario is stable, meaning any further actions will make no immediate difference (once the decision is made to rebuild a data center, for example, there's limited value in playing through the months of construction that would be involved). Take the notes, pull out anything important, and start preparing for the next tabletop exercise.
If you’re convinced to give one a try and need a little advice, or if you want someone to come in and run a series of exercises, you can reach me on Twitter or LinkedIn.