Game for conducting cyber exercises

For the recent CodeIB Profi conference we (Nikolai Kazantsev, SECURITM, and Semyon Samokhvalov, an information security expert) made a game for running staff cyber exercises in information security teams, which we want to share with you. Below is a description of the game, conclusions drawn from the games played, and even more cats.

What are cyber exercises?

In a broad sense, a cyber exercise is a rehearsal of how to respond to security incidents. There are different forms and methods of conducting them.

When preparing the event, our goal was not only to conduct cyber exercises and improve incident response skills, but also to have fun 🥳, add game mechanics to the process, and get the most out of both the game and running it. We got so carried away that a board game with its own mathematics and game strategies emerged.

Examples of risk cards

You can use our game and materials to conduct cyber exercises in your company, at IS meetups, or at gatherings with colleagues from the IS trade over a beer.

From experience, having run several such games, it turned out that the more informal the atmosphere, the more fun the game is (who would doubt it).

Why Conduct Cyber Exercises?

Cyber exercises, like any training, have many benefits, at least:

  • Checking that incident response plans actually work;

  • Improving the skills of responsible persons;

  • Identification of blind spots in training and infrastructure;

  • Building an understanding of the consequences of incidents;

  • Cohesion of the response team;

  • Compliance with regulatory requirements and standards.

Which regulatory and standards requirements are covered by cyber exercises
  1. Order of the FSTEC of Russia No. 31 dated March 14, 2014 “The composition of information security measures and their basic sets for the corresponding security class of an automated control system”:

    DNS.2 Training and testing of personnel actions in emergency situations

  2. Order of the FSTEC of Russia No. 239 dated December 25, 2017 “Composition of measures to ensure safety for a significant object of the corresponding category of significance”:

    DNS.2 Training and testing of personnel actions in emergency situations

  3. CIS Critical Security Controls v8 (The 18 CIS CSC):

    17.4 Establish and Maintain an Incident Response Process
    Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

  4. NIST Cybersecurity Framework:

    RS.CO-1: Personnel know their roles and procedures when performing response activities

  5. GOST R ISO/IEC 27001-2021 dated 01.01.2022 “Information technology. Security techniques. Information security management systems. Requirements – Appendix A”:

    A.16.1.1 Responsibilities and procedures Information security control: Responsibilities and procedures for management shall be established to provide assurance that information security incidents will be responded to quickly, efficiently and appropriately.

  6. CIS Critical Security Controls v7.1 (SANS Top 20):

    CSC 19.1 Document Incident Response Procedures
    Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

  7. SWIFT Customer Security Controls Framework v2022:

    7.1 Cyber Incident Response Planning

What is the game about

Several teams compete to see who can best respond to a set of security incidents (cases). All teams have the same legend (company) and the same incidents, but different protection systems and circumstances (risks). Each team designs its own protection system, while the risks are distributed randomly.

Teams vote for each other’s answers and can spend points on risk countermeasures.

Why it is built this way

All teams work through the same incidents, so every team understands the situation and it is interesting and useful to listen to the other teams’ presentations.

At the same time, because each team has a different set of protective measures and risks, each team’s response to an incident is different, which eliminates copy-pasted answers and lets teams look at incidents from a different angle.

And the opportunity to build a protection system (choose a set of protective measures) at the beginning of the game allows teams to prove themselves not only in response, but also in design.

Props

  • Voting sheets

  • Sheets of protection systems

  • Answer sheets

  • Risk cards

Handout for the game

Detailed game rules

  • 3-5 teams of 3-7 people.

  • 1-12 rounds (cases, incidents).

  • The goal of the team is to score the maximum number of points.

  • All teams have the same legend, but different:

  • The task of each team in each round is to draw up and present an action plan for responding to the incident.

  • At the end of the round:

    • Teams vote for each other’s presentations (0-5 points)

    • Teams pass on 1 risk card of their choice

Stage of the game to create a protection system

Options for making the game harder or varying it:

  • After a certain round, you can announce the upgrade of the protection system and replace the sheets of protective measures;

  • Several risk cards can be passed on per round.

Game algorithm

  1. Preparation
    Teams come up with names for themselves and enter them on the Voting sheets

  2. Legend
    The facilitator describes the context of the organization on which the cases will be based

  3. Protection system design
    Teams choose their sets of protective measures on the Protection system sheet

  4. Distribution of circumstances
    The facilitator hands out Risk cards to the teams, 3-5 per team

  5. Rounds (2-12 per game)

    1. The facilitator reads out the case (incident)

    2. The teams have 5 minutes to discuss and prepare their TOP-5 incident response actions and write them down on the Answer sheets.

    3. Application of risk cards
      Teams can cancel a risk card by implementing a countermeasure and spending points (the cost is shown on the card)
      If a team holds a risk card that removes a protective measure, it must cross out 1 protective measure from its protection system

    4. Report
      Each team takes turns reading out its TOP-5 actions
      If the actions rely on protective tools, those tools must be among the ones acquired by the team (recorded on the Protection system sheet). If the actions are affected by risk cards, the team describes how.

    5. Vote
      Each team votes on the other teams’ presentations and enters the results on the Voting sheet

    6. Change of circumstances
      Going around the circle, each team passes 1 risk card of its choice to the adjacent team

  6. Summing up
    The team with the most points wins. The votes teams gave each other are summed up, and the points spent on cancelling risk cards are deducted

General algorithm of the game

Case examples

  • The day after partial mobilization is announced, you find out that the administrator responsible for configuring the information security tools, who holds domain administrator rights, has written a letter of resignation, delivered it to the organization through relatives, and has already left the country. Your actions?

  • A month after the IS administrator left the country, while browsing news feeds, you come across a post saying that your organization has been hacked and that the hackers have published an archive of more than 3 GB of data on the Internet, on sites hosted in unfriendly countries. Your actions?

  • On Monday morning you discover that an attacker has gained access to your public-facing terminal server running Windows 2008. All weekend the hacker used your server as a platform for illegal financial transactions (money transfers from stolen cards and online wallets). Right now, nothing is happening. Your employees use this server for remote access to the company. Your actions?

Conclusions

Based on the results of the games played:

  • Letting teams build their own defense system at the beginning of the game was a good decision. While choosing protective measures, teams created their own context, and the participants got acquainted and synchronized with each other before the rounds started. And if some tool needed to handle an incident was missing, there was no one to complain to: they had only themselves to blame.

  • The risk cards and protective measures created a framework that kept teams from getting too fancy in their incident handling plans. For example, it was impossible to analyze DLP logs if the DLP was not purchased at the protection system design stage, or if a risk card had destroyed the DLP database.

  • Timing control is important. Otherwise, especially if you hold discussions after each team’s presentation, you will not get through more than 4-5 rounds in 2 hours.

  • The more informal the setting, the more interesting the game. It turned out to be much more fun to play in a bar than in a conference room.

I want to play

All materials are posted right here, in the game card on our information security process management platform; access is free with a Community subscription. We will also add new cases and risk cards there. Use them if you decide to run a gamified cyber exercise yourself. One condition: not for commercial use.

And if you have ideas for improving the game, send them in 👍 We plan to play it more than once at IS conferences and meetups.

And what’s with the cats?
We played the first game at the Code IB Profi conference, which took place on Baikal in March 2023. The cat is the logo of the Code IB conference, and ice is an obligatory component of Baikal in March. And yes, it’s more fun to play this way.
