
written by Glen Sorenson || Guest Author
This article was originally published in the InfoSec Survival Guide: Green Book. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.
Learn More by Having Fun
Imagine herding your team of proverbial cats for what they expect to be another eye-rolling “preparedness exercise.” But instead of the standard fare, you introduce a tabletop exercise (TTX) that’s less about enduring another meeting and more about engaging in a collaborative challenge. It’s like suddenly finding yourselves as the key players in a thrilling plot to outsmart security incidents, bad actors, and other subglobal disasters.
Tabletop exercises have long been a staple of security and BCDR activities, designed to simulate real-world scenarios for team training and preparedness. These exercises typically unfold boringly — in a meeting-style setting where participants discuss sterile scenarios. With some will and some skill, these monotonous exercises can be made much more engaging and even… gasp fun.
People do learn effectively (and arguably better) when they’re having a good time.
Make It a Game
You can build engaging TTXs by adding elements of gamification. This doesn’t have to be an all-or-nothing prospect. The benefits of a fun tabletop exercise are manifold: identifying gaps in plans, improving team cohesion, and enhancing decision-making skills, all while making the dreaded drill a source of laughter and inspiration. It becomes the perfect blend of necessity and engagement, turning a chore into an intriguing, strategy-driven quest.
But How?
How do we craft and run a fun and effective TTX experience?
Know Your Audience
Is your TTX for a group of highly technical IT and security folks or do you have a mix of IT and non-technical business leaders?
Understand Your Objective
Are you training your technical IR team or are you raising awareness with business leaders?
Play with Assumptions
Don’t be afraid to make assumptions about the scenario and challenge assumptions made by the team. Yes, your EDR can’t be bypassed. No, your web app is not invulnerable behind a WAF. Yes, people will click links and cough up credentials and MFA codes.
Keep It Believable
Don’t feel bound by reality. You can invent a fictitious company and environment. It should be grounded in reality, but it doesn’t have to be real.
When there’s more fiction involved, egos and attachments to outcomes often become less involved.
This is a good thing.
Give players a character with a role that may be different than their normal daily self. Have someone play the company CFO bent on numbers, a Communications Manager more focused on their book deal, or the crazy Linux guy that has to use Microsoft technology against his will. Seriously, exaggerate roles and have fun with it. In doing so, you can greatly broaden worldviews.
Don’t Lose Sight of Reality
Bring in some realistic elements. Do a little homework.
A good source of inspiration is the MITRE ATT&CK Framework and MITRE’s Cyber Threat Intelligence, which has a great deal of information about real-world campaigns, threat actors, and tooling. You should know the chain of events behind the scenes, but you don’t have to reveal every technical action.
Adapt and Be Flexible
You can shoot yourself in the foot if you plan too rigidly and the participants/players take it in a direction you didn’t think of. They always do.
Randomize
Roll dice. When someone wants to take an action, determine how difficult the task is (a simple high, medium, or low will suffice) and make them roll dice to determine success or failure based on that difficulty. How many times in a real investigation have you wanted to examine logs for something specific, only to find you weren’t logging what you thought you were? Or the flip side, by some sheer miracle, an employee recognized unusual behavior, shut down their computer, and called the help desk?
Different IR roles (and characters if you’re using them) may have different strengths and weaknesses. Your legal counsel is probably not going to sift through logs and your crazy Linux guy may not be the best person to craft messages to customers. Modify dice rolls appropriately.
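The dice mechanic described above, as an added sketch that is not from the article or from any published game: the d20, the tier targets, the role modifiers, and the automatic fail and success faces are all assumptions chosen for illustration. It also computes the exact odds for each combination so a facilitator can tune difficulty before the session.

```python
import random

# Assumed d20 targets per difficulty tier; the article only names the tiers.
TARGETS = {"low": 6, "medium": 11, "high": 16}

# Hypothetical characters and modifier values, keyed by action category.
ROLE_MODIFIERS = {
    "linux_admin": {"log_analysis": 3, "customer_comms": -3},
    "legal_counsel": {"log_analysis": -4, "breach_notification": 3},
    "comms_manager": {"customer_comms": 4, "log_analysis": -2},
}


def modifier(role, category):
    """Bonus or penalty for this role on this kind of action (0 if unlisted)."""
    return ROLE_MODIFIERS.get(role, {}).get(category, 0)


def outcome(face, difficulty, role, category, sides=20):
    """Decide success for a given die face."""
    if face == 1:
        return False  # "you weren't logging what you thought you were"
    if face == sides:
        return True   # the sheer-miracle case: an employee calls the help desk
    return face + modifier(role, category) >= TARGETS[difficulty]


def success_chance(difficulty, role, category, sides=20):
    """Exact probability of success, by enumerating every die face."""
    wins = sum(outcome(f, difficulty, role, category, sides)
               for f in range(1, sides + 1))
    return wins / sides


def resolve(difficulty, role, category, rng=None, sides=20):
    """Roll once; pass a seeded random.Random to replay a session."""
    rng = rng or random.Random()
    face = rng.randint(1, sides)
    return face, outcome(face, difficulty, role, category, sides)


if __name__ == "__main__":
    # Print the odds table a facilitator would review before the exercise.
    for role in ROLE_MODIFIERS:
        for tier in TARGETS:
            odds = success_chance(tier, role, "log_analysis")
            print(f"{role:14} {tier:6} log_analysis {odds:.0%}")
```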
Bring pizza. Have fun. Learn. Grow!
For help structuring a gamified incident response, check out:
HackBack Gaming: hackbackgaming.com
Backdoors & Breaches: backdoorsandbreaches.com
Explore the Infosec Survival Guide and more… for FREE!
Get instant access to all issues of the Infosec Survival Guide, as well as content like our self-published infosec zine, PROMPT#, and exclusive Darknet Diaries comics—all available at no cost.
You can check out all current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/

Facts Only

Glen Sorenson is a guest author
Tabletop exercises are used for security and BCDR activities
TTX typically unfold in a meeting-style setting discussing sterile scenarios
The article suggests making TTX more engaging through gamification
Participants can play characters with roles different from their daily selves
Realistic elements should be introduced through research
Sources of inspiration include MITRE ATT&CK Framework and Cyber Threat Intelligence
Adaptability is recommended during the exercise

Executive Summary

In this article, Glen Sorenson provides guidance on conducting effective and engaging Tabletop Exercises (TTX) for incident response training. The author emphasizes the importance of gamification to make TTX more engaging, leading to improved team cohesion, decision-making skills, and identification of gaps in plans. The exercise involves creating fictitious scenarios grounded in reality but not necessarily based on real events. Participants are encouraged to assume roles different from their daily selves, which can broaden worldviews. Realistic elements should be introduced through research and the use of tools like MITRE ATT&CK Framework and Cyber Threat Intelligence for scenario inspiration. The article concludes with suggestions to adapt and remain flexible during the exercise.

Full Take

By using gamification in Tabletop Exercises, organizations can create a more engaging learning experience that encourages collaboration, fosters critical thinking, and improves team cohesion. The exercise simulates real-world scenarios for training purposes, with participants assuming roles and making decisions based on the given scenario. While the article suggests fictitious scenarios, it is essential to ensure they are grounded in reality to maintain relevance and effectiveness. This approach can help broaden worldviews by encouraging participants to consider situations from perspectives different from their own daily roles. However, it is crucial to balance fiction with realism to avoid creating an unrealistic or unrelatable learning environment.
Patterns detected: ARC-0024 Ambiguity (the article suggests both fictitious and real scenarios), ARC-0108 Exaggeration (emphasizing the "thrilling plot" aspect of TTX).

How to Lead Effective Tabletops — Arc Codex