When I talk about tabletop exercises, most people will immediately think of some type of role-playing game like Dungeons & Dragons. Others who have experienced them before will immediately think of long, stuffy meetings where you work through a potential disaster and walk through how to react to it. But when I add the word gamified before it, people perk up. In today’s blog post, I’d like to walk you through what a gamified tabletop exercise (TTX) is, and how it can help your organization prepare for disaster in a more realistic way.
What Is A Tabletop Exercise
A standard tabletop exercise is something used by organizations to test their disaster recovery (DR) or business continuity plan (BCP). The idea is that you already have a plan for dealing with a problem, say a ransomware outbreak on your network, and you run a simulation to ensure that the plan is complete and understood by everyone who needs to be involved.
This is a very good thing, and there are usually some rules around how these are run. For example, you normally have a scribe or someone to take notes, a person who is running the exercise and keeps people on track, as well as participants from all affected departments. Sometimes you have a gallery of people who are there to observe, but not participate.
When these are run well, they can be invaluable. Unfortunately, more often than not these end with a long list of takeaway items that nobody ever gets around to completing, or worse, they are declared a success because no issues were found. The dirty secret about that is that no issues were found because the participants took what I like to call “the happy path”.
What Is “The Happy Path”
“The happy path” is what I like to call a perfect scenario:
- Ransomware hits, but it gets thwarted by our anti-virus.
- We have separate VLANs in our environment, so the attacker isn’t going to be able to get to any main system.
- Our lost connection to the Internet was just caused by a loose network cable in the networking closet, so plugging it back in fixed everything.
How realistic are these? Not completely out of the question, and some of these are great approaches, but they do nothing to actually test the rest of the plan. The worst thing about these types of outcomes is that the teams feel that tabletop exercises are a waste of time and are thus not done. When we went to school we had fire drills to ensure everyone knew how to exit the school safely. Pro athletes train and practice regularly to ensure they operate at peak levels during their games. Why wouldn’t we want to practice ensuring any damage done by some type of disaster is minimized by having a solid DR/BCP that can be executed against?
Disasters happen, and how you react to them when they do can have a serious impact on your business - for better or worse.
Enter Gamified Tabletop Exercises
A gamified tabletop exercise (TTX) is a standard tabletop but with some game elements added to it. In our definition, this includes the game element of chance being added. The concept is that whenever someone makes a choice, a die is rolled. The gamified TTXs that EliteSec runs use a six-sided and a twenty-sided die for decision making. Depending on the decision made by a player and the choices available, one of those two dice is chosen by the person running the exercise and used to determine if the choice was successful, unsuccessful, or something in between. The point is that not all choices are guaranteed to work, and sometimes there is a consequence of making a decision.
In making the outcomes random, you get a much more dynamic simulation - something much closer to reality. This is a great way to ensure aspects you may not have considered before are now brought to the forefront, allowing you to fill in any gaps. It also allows for “replay-ability” of your tabletops since you will likely get different results each time you go through it. I’ve also found that the players are a lot more engaged as they have to think on their feet.
Running Your Own Gamified Tabletop Exercise
A successful gamified tabletop exercise is a lot more than just rolling dice and having a good time - it takes experience, planning, and the ability to think on your feet when you are running one of these. Whoever is running the exercise plays a role similar to the “Dungeon Master” in a classic game of Dungeons & Dragons, meaning you have to be firm but fair. Planning ahead for potential choices people may make is a must. If you already have a DR/BCP to go off of, this is a bit easier since you will know the choices that people will make. However if the choice doesn’t go as planned…
Tools such as mind map software are great ways to plan out these scenarios. You always start with a known incident, and you branch out from there. Finding alternatives is helpful as well. Some people like to work backwards, i.e. they may have an initial incident that starts the exercise, but you already know the end result and thus you work backwards. I did this when I ran a workshop at True North 2019, where the scenario was a ransomware outbreak but it was meant as a cover for some industrial espionage that was being performed against the company.
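To make the two ideas above concrete (a die chosen per decision that resolves to success, partial or failure, and a scenario that branches out from a known incident like a mind map), here is a small scenario engine written for this post. It is an added example, not EliteSec's tooling or anything used at the True North workshop; the node names, narrative text, die choices and thresholds are all constructed for illustration, and a real exercise would put its own DR/BCP decision points in their place. The `ScriptedDice` helper lets a facilitator replay a session from the rolls written down by the scribe, and `happy_path_odds` shows how unlikely a "the anti-virus caught it" outcome is once chance is part of the exercise.

```python
"""Gamified tabletop exercise (TTX) scenario engine.

Added example. Each Choice is resolved by a facilitator-chosen die (d6 or d20)
whose roll maps to success / partial / failure, and each outcome leads to the
next node of a branching scenario. All scenario content is constructed.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Choice:
    """One option the players can take at a node, resolved by a die roll."""
    text: str
    die: int            # 6 or 20: the facilitator decides which die applies
    success_at: int     # roll >= success_at is a clean success
    partial_at: int     # partial_at <= roll < success_at is a partial result
    outcomes: dict      # "success" / "partial" / "failure" -> next node id


@dataclass
class Node:
    """A point in the scenario mind map; a node with no choices ends the exercise."""
    narrative: str
    choices: list = field(default_factory=list)


class ScriptedDice:
    """Stand-in for random.Random that replays rolls recorded during a session."""
    def __init__(self, rolls):
        self.rolls = iter(rolls)

    def randint(self, lo, hi):
        return next(self.rolls)


def resolve(roll: int, choice: Choice) -> str:
    """Map a roll to success / partial / failure using the choice's thresholds."""
    if roll >= choice.success_at:
        return "success"
    if roll >= choice.partial_at:
        return "partial"
    return "failure"


def happy_path_odds(choice: Choice) -> float:
    """Probability that a choice comes off cleanly on a fair die."""
    return (choice.die - choice.success_at + 1) / choice.die


# Constructed scenario: a ransomware outbreak. Ids, thresholds and text are
# illustrative only; a real exercise maps these to its own DR/BCP steps.
SCENARIO = {
    "start": Node(
        "Ransom notes appear on several finance workstations.",
        [
            Choice("Trust the anti-virus to contain it", die=20, success_at=19, partial_at=12,
                   outcomes={"success": "contained", "partial": "spreading", "failure": "spreading"}),
            Choice("Isolate the finance VLAN at the switch", die=6, success_at=5, partial_at=3,
                   outcomes={"success": "contained", "partial": "partial_isolation", "failure": "spreading"}),
        ],
    ),
    "partial_isolation": Node(
        "Finance is isolated, but a file server still mounts its shares.",
        [
            Choice("Pull the file server's network cable", die=6, success_at=3, partial_at=2,
                   outcomes={"success": "contained", "partial": "restore", "failure": "spreading"}),
        ],
    ),
    "spreading": Node(
        "Encryption is now visible on the file server; backups are next.",
        [
            Choice("Restore from last night's offline backup", die=20, success_at=11, partial_at=6,
                   outcomes={"success": "restore", "partial": "restore_gaps", "failure": "total_loss"}),
        ],
    ),
    "contained": Node("Outbreak contained to finance; move to forensics and recovery."),
    "restore": Node("Systems restored from backup; one day of data lost."),
    "restore_gaps": Node("Backups restored, but the finance database backup was corrupt."),
    "total_loss": Node("Backups were reachable and got encrypted; full rebuild required."),
}


def run(scenario, start, picks, rng):
    """Walk the scenario applying the players' choice indexes; return a transcript.

    `picks` is the sequence of choice indexes the players take (the first listed
    choice is assumed if they run out); `rng` supplies the dice, so pass
    random.Random() for a live session or ScriptedDice(...) to replay one.
    """
    node_id, transcript, picks = start, [], iter(picks)
    while scenario[node_id].choices:
        node = scenario[node_id]
        choice = node.choices[next(picks, 0)]
        roll = rng.randint(1, choice.die)
        outcome = resolve(roll, choice)
        transcript.append((node_id, choice.text, roll, outcome))
        node_id = choice.outcomes[outcome]
    transcript.append((node_id, scenario[node_id].narrative, None, "end"))
    return transcript


if __name__ == "__main__":
    for step in run(SCENARIO, "start", [1, 0, 0], random.Random()):
        print(step)
```

Each run of the `__main__` block walks a different path, which is the replay-ability the post describes; the `ScriptedDice` path is what you would use after the exercise to reconstruct exactly how the team ended up at "total_loss" and which decision point deserves a takeaway item.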
If you are interested in having a gamified tabletop exercise for your own organization, EliteSec can help. We can work with you to come up with a scenario and help you run through it with your team. Even if you don’t have a DR or BCP written out, these types of exercises are a great way to get started in writing one. Contact us today so we can help prepare you for the unexpected.
– John