Advanced Cubicles and Compromises

Instructor: Ean Meyer

Equipment Required:

Laptop not required, but may be helpful for character creation. Attendees should complete their character worksheet prior to the workshop.

Length: 2 hours

Abstract

What makes a great tabletop exercise? Many organizations run a tabletop exercise to check a box for a compliance standard but do not get full value from the time spent. Often they do not engage the audience or force participants to think hard enough about the problem to find areas for improvement, and they assume their decisions will always work during the exercise. In this workshop we will discuss not only how to build a tabletop exercise that addresses real risk for an organization, but how to make it fun and engaging for teams at every level of the organization. The workshop will introduce attendees to the Cubicles and Compromises format and add new advanced elements.

Parts of the workshop are completed before we meet, including rolling your "Company Character Sheet," which forces players to decide where to dedicate resources before play begins. Those decisions will affect the company's ability to protect itself from injects during the exercise. The exercise itself pits players against a breach that hits their fictional company. Each player uses their company character sheet, on which they have chosen Technical, Administrative, and Physical controls, to modify rolls whose attributes align with the NIST CSF. The injects and the outcome of the rolls determine how the organization handles, and whether it survives, the breach. This format lets players think through challenges and respond in a group setting without sharing their own company's incident response plan. At the end of the exercise, the facilitator walks back through the injects and decision points to reveal the paths not taken and how they would have changed the outcome.

For the final portion of the workshop, we will break down the elements of the exercise to show why they are vital to engaging specific roles in the organization (IT, Finance, Executives, Analysts, etc.), and why non-technical elements of the incident response plan, such as time management and communications, must be included to successfully test a plan.

Preparation

Before the event, registered workshop attendees will receive a link to a Player Guide and a Company Character Sheet. The guide shows players how to roll attributes for the company and covers additional rules such as modifiers and budget as hit points. The guide will stay light, no more than 5-10 pages, with a number of graphics. It gives players options for adding resources based on the company's budget and for aligning those resources with the NIST Cybersecurity Framework. Injects will be chosen so that certain choices are helpful or detrimental depending on where the player placed resources within the company. Players should roll their characters before the workshop; walk-ins will be able to complete this during the introduction or choose a pre-generated sheet.

AC&C-Players_Guide_v1_(2)

AC&C_-_Company_Creation_Worksheet_(2)

Ean’s Bio

Ean Meyer is an Associate Director of Security Assurance and Penetration Testing for a $3.5B resort company. When not working with large enterprises, he can be found at Full Sail University teaching the next generation of IT engineers about information security and risk management as a Course Director in the IT program. He is also the President of BSides Orlando, part of the BSides framework of global information security conferences, each focused on its own city to encourage community engagement and develop information security professionals.

Ean's passion is building bridges between technical experts, business leaders, and consumers that lead to better security through an understanding of real risks rather than just security vulnerabilities.

Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist on many conference panels, including ISC2 Congress. He also runs workshops such as Advanced Cubicles & Compromises, a tabletop incident response workshop, for Wild West Hackin' Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at DEF CON 27, where he took 5th place.

Ean has a BS in Information Security and an AS in Computer Network Systems, as well as a CISSP certification. He can also be found occasionally guest blogging for Tripwire's State of Security blog. You can find him at https://www.eanmeyer.com or on Twitter at @eanmeyer.