EP 137: How to Make Tabletop Exercises (TTX) Fun!
About this episode
August 1, 2023
Traditional incident response exercises are often boring and awkward. That’s why we don’t do them, even though we should. Want a new way to get people excited about doing one? Let’s learn about a proven innovation with our guest Glen Sorensen. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K and L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: So Kip, what are we going to talk about today on episode 137 of the Cyber Risk Management podcast? Actually folks today is the first, Kip is out today. So we're going to be talking with a guest, Glen Sorensen, who just happens to be one of Kip's colleagues at Cyber Risk Opportunities. And we'll be speaking with Glen about the importance of tabletop exercises and more specifically... It's going to be one of those days. Still getting over a cold. One specific method of providing a unique tabletop experience. So Glen, welcome to the podcast. Please save me from my own voice. Thanks for being here. And this is your first time on the Cyber Risk Management Podcast, isn't it?
Glen Sorensen: Yeah, first time on this podcast and thanks. It's a pleasure to be here.
Jake Bernstein: Yeah, thank you.
Glen Sorensen: Always [inaudible] talk to you and see what kind of trouble we can cause.
Jake Bernstein: Let's cause some trouble. So first, why don't you just start by introducing yourself to the listeners. I've mentioned your name, but where'd you come from?
Glen Sorensen: Well, as you mentioned, I'm with Cyber Risk Opportunities and one of Kip's colleagues, but I'm the Virtual CISO and managing director there. So I help customers build security programs, elements of security programs, and sometimes that includes conducting tabletop exercises like we'll be talking about.
Jake Bernstein: Very good. So let's just jump right into it. I don't think we've really talked about a tabletop exercise in the past and why it's important for cyber risk management. So maybe just start off by giving us an overview of what... It sounds kind of weird. What is this tabletop exercise, what's it for, et cetera.
Glen Sorensen: Yeah, so it's an exercise that you can play without getting hands and tools with a bunch of different people and a wider audience. And what it does is lets you run through a scenario, an incident scenario or any other disaster recovery, anything like that, and makes you think through some of the things that you need to think about when these things happen. And it's really good about bringing up gaps and the things that you may know you don't know and things you don't know that you don't know.
Jake Bernstein: Those are always the scariest.
Glen Sorensen: Yeah, absolutely. So it brings a lot of visibility and awareness to all the things that can go into an incident of varying types.
Jake Bernstein: So before we dive into the kind of thing we're going to focus on here, maybe give a more concrete example of how a typical tabletop would go. I think that would be a good way to start.
Glen Sorensen: Yeah, so you have somebody that leads the tabletop exercise and they are controlling the incident from a little bit of an outsider perspective, from a God perspective, if you will. And you can have an incident of many types, like I said, but if you went with something like a ransomware attack, then you can step through the pieces of that, the elements that go with it and the actions that somebody is prepared to take. And I think the key here is, you hear the old adage that you don't rise to the occasion, you fall to the level of your training. And this is illustrative of that I think. So it becomes about awareness and about training.
Jake Bernstein: Got it. Okay. And is a tabletop exercise, you said hands, how'd you put it? Hands off software or. So it's not [inaudible].
Glen Sorensen: Don't necessarily need hands and tools.
Jake Bernstein: Hands and tools. Yeah, we're not doing hands and tools and that means that people aren't... We're not playing with code, we're not playing with the firewalls or the network. This is a thought experiment. A mental exercise.
Glen Sorensen: Exactly, exactly.
Jake Bernstein: And since everyone knows I like to go off script, how does this differ from threat modeling? And I'm just like, "Is it really different? Is it kind of the same? Is threat modeling a component or maybe threat modeling arises from a good tabletop?"
Glen Sorensen: I think they can. I think there's some relationships between the two, but they're distinctly different too. I think they're alike in that they're thought exercises and you're thinking through about what might happen, but in a tabletop exercise you're focused on a specific incident and something that there are some pieces that are in place defined by the scenario that you're trying to think through. So I would say it's a little bit more scenario and element driven in that regard.
Jake Bernstein: Got it. And so when people sit down to do a tabletop exercise, it really is something that you do at a conference room table. And when I've done them, it can be a few people, it can be a lot of people and I think the best ones really get your blood pumping in a way. You can get into it, and if we dig into the concept where the phrase tabletop comes from, it really is a form of, well, it stems from war gaming back in the World War II type days of trying to figure out, okay, how do we simulate warfare and obviously you can't. It's not the same thing as doing live exercises at all. And so it came from that and that became a game. War games that evolved into a whole set of games. Then war games then evolved into role playing games and I think what we're talking about here is something called hack back gaming. So what is hack back and why? What's the idea here?
Glen Sorensen: Well, I'm glad you asked. So there's been this push over the last several years for gamification of tabletop exercises and incident response tabletop exercises. And I love tabletop exercises of all varieties, but a traditional one has some problems in that it can often be perceived as boring. I don't ever find them that way, but some people do. And it's often thought of as something, maybe it's not worth my time. It's hard to herd all the cats together to get them to sit down at the same time and think through this. So you have some of those problems that go with it and you can often find that certain people will take over the conversation in a tabletop exercise and there's sometimes not enough structure. So you have to deliberately introduce some structure sometimes.
Jake Bernstein: Well, and let's pause for a second because, I mean, there's a significant problem if one person or one or two people take over and everyone else mentally checks out, right?
Glen Sorensen: Yep.
Jake Bernstein: That defeats the purpose of the tabletop because either one of two things will happen is one, those other people maybe don't have anything to do even in a real incident, and that's an interesting discovery that you might want to deal with. What's much more likely though is that those people aren't getting the benefit of the tabletop and what's going to happen in a real incident is they may not know what to do. And I think with tabletop it's a form of training. If you've been in the military, they really are all about training, train, train, train, then train some more because you're going to fall back on your training as soon as the situation is real.
Glen Sorensen: Exactly. And I mean I think that's where hack back comes in too and helps to alleviate some of the problems with some of the traditional approaches to tabletop exercises. So when it becomes a game and hack back gaming is the brand of the game here at this point. It's putting people in roles in a structured way, but in a game format. So it's meant to be fun, it's meant to let somebody take on a role that's maybe a little bit different than the one they play in their day-to-day job, day-to-day operations. So you have some opportunities here to get egos out, get the fear of doing things wrong out of the equation a little bit and playing somebody else or playing a different character. It gives you some more license just to have fun with it. And that seems to be more conducive to taking away some of the learnings too. So that's one of my favorite things about it.
Jake Bernstein: And now would you recommend... It's interesting because if you're giving people different roles, and by the way, I have participated in both normal tabletops and hack back tabletops and they are different. So would you recommend to clients and businesses that a mix is appropriate? I think one of the great things about the hack back version of a tabletop is that you do get to play a different role and that can be challenging, but I think that the value of seeing how others have to operate is very significant.
Glen Sorensen: Yeah, I'd agree. And I think there's definitely room for both approaches. There's definitely room for both approaches in the same organization. They do get at a little bit different things. With the gamified version, you get more of the team building, some of the empathy. What you may not get as much of is immersion in your own environment and the tools and stuff, the controls that you might have, and I mean that depends a little bit. So I mean, it depends a little bit on your audience as to which approach might be more appropriate at any given time. I mean, that's the gamified side. The more traditional side is it allows you to go deeper with the people you've got, with the personalities you've got and with some of the uniqueness of your environment. So I think there's maybe a breadth versus depth element there that you can talk about. I would say that's a little bit fuzzy, but there are distinctions, there are differences and I think the audience and the goal makes a difference.
Jake Bernstein: Sure. It definitely would and with a traditional IR tabletop that incident response tabletop, people come in and they know it's a tabletop, right?
Glen Sorensen: Yep.
Jake Bernstein: And tabletops are different even from a fire drill in some ways because first of all a tabletop has to be scheduled. You're not ever going to just spring a tabletop on people. You can't. It just doesn't work that way. And I've seen the situation where people who don't get into the exercise not only aren't getting much out of it for themselves, but they really can bring down the experience for everyone else. And hack back I think is a way to avoid that same issue by help include...
Glen Sorensen: Everybody in it.
Jake Bernstein: Everybody.
Glen Sorensen: In a structured way.
Jake Bernstein: And I think too that when you're asked to play a different role, at least one that... And it can really depend. If you just want to have fun with something, you can have people play roles for which they are 1000% not qualified. You could have me be the firewall analyst and I'll be like, "Huh, I'll make stuff up." But it may not be... That's going to be a different kind of hack back experience than if you just do a bit of shuffling where people who should be able to flex between roles, you have them do that and that can get them out of comfort zones. As you said, it can get them out of an ego role. It sounds like a lot of fun. How has it played? How would this go?
Glen Sorensen: Yeah, so much like a traditional exercise, you have the incident master creating the scenario, and as it's built, there's always the case of, well, we know these things early on and then they get fuzzier as the exercise goes on because you don't necessarily know what direction that the people involved, the players will take it. So there's that initial start and then the incident master runs the thing, keeps it flowing. There's sometimes some thinking on your feet when you're in those shoes to keep moving on.
Jake Bernstein: Well, given that hack back gaming is clearly based upon D and D, being a dungeon master is not an easy task. You have to be very... It's a lot of improvisation, and for something like being an incident master, you have to know your stuff like cold.
Glen Sorensen: Yep, absolutely. So with somebody in charge of that and doing well at keeping the incident moving, then you get into the players and their characters and depending on the personality, some people are more comfortable going well outside of their normal day-to-day self and some are less, but there's some room to play with that. So that's where some of the empathy comes out for people in other roles, and you train that a little bit, let that awareness happen throughout the game.
I think another key element in the characters is, like every person there are strengths and weaknesses to the characters. So when you start breaking out the dice rolling, when an action is taking place, you bring out the dice and those strengths and weaknesses then can modify the dice roll to be successful or not depending. And it's also just another element that you can play with and have a little bit of fun with. If you have a straight laced character and somebody that's a joker, you can play those two off of each other a little bit and just have fun with it.
Jake Bernstein: So this really is just to put a bow on it, this really is D and D for incident response.
Glen Sorensen: Yeah.
Jake Bernstein: That was the idea behind it. And I think it's brilliant because it really does add a completely different... It's a different take on incident response tabletops in a way that I think is particularly good. I mean obviously people who are familiar with gaming like this would enjoy it almost automatically. It's going to seem fun. But even for those who have never done it before it's a good and valuable experience for the same reason that generals decided to start doing war gaming.
Glen Sorensen: Exactly.
Jake Bernstein: And I think it's important to point out just because we have characters and roles, strengths and weaknesses and dice rolling, it's not a joke. This is meant to be... It's quite serious, and I think that's important for people to understand. But a tabletop is the same way and can have the same issues. In fact, I've been in tabletops where someone was like, "Well that's not realistic. This is silly" and it's not that it's an invalid criticism of a tabletop scenario, but it definitely is counterproductive to the purpose of the tabletop exercise. And I think with something like hack back, that objection goes away because you already know that it's meant to be a game and it's already a little different, which I think is actually can be quite helpful because I don't know about you, but I have definitely seen people who just don't want to engage in a typical tabletop exercise because it's "not real." And it's like, "Well of course it's not real. It's a tabletop exercise."
Glen Sorensen: And what I always say in a traditional tabletop exercise is don't fight the scenario. And you have to impress that upon people that are insistent on fighting the scenario. And sometimes...
Jake Bernstein: And there are people who just will fight the scenario at every single step.
Glen Sorensen: Yep, and sometimes the person running that exercise sometimes has to remove that player via something that happens in the scenario because it gets quite counterproductive. And I mean that that's a problem for obvious reasons, but knowing going in it's a game and knowing from, I guess just from practical experience in real incidents, there are things that you think of that people will tell you are impossible. And come to find out it's not impossible at all. It happened. It just happens in ways that were totally unexpected. So not seeing the way that they can happen doesn't mean it's impossible.
Jake Bernstein: Well, and isn't that, I mean if we just take a step back for a second, isn't that the nature in some ways of a successful attack? It's almost by definition something unexpected has happened because if everything was going exactly as you expected it to, then your firewalls and your EDR mechanisms and all that stuff perfectly worked, but it didn't. And that should be enough. That explanation right there, that last minute of discussion should be enough to get most people to accept, to suspend their disbelief as we say, because you don't know. If you knew everything that was going to happen and if you had perfect information then I mean you'd be the world's greatest security expert because nothing would ever get past you but that's not possible.
Glen Sorensen: No, and I mean that's why we have defense in depth. That's why we have layered controls. I mean, you have to assume that controls can be circumvented or bypassed, and that's exactly what happens in this scenario. I mean, controls get bypassed and you're just assuming that those controls are getting bypassed.
Jake Bernstein: Okay, so you mentioned character roles, strength and weaknesses. Okay, so a lot more people have been exposed to tabletop gaming, board gaming, all of that stuff is considered tabletop gaming. So is there a turn order? Do people go in rounds?
Glen Sorensen: Yeah, absolutely.
Jake Bernstein: What's the mechanism of it?
Glen Sorensen: So each character rolls initiative, and then that determines the turn order and that's the order that each player goes within each round. And typically in hack back, there are three rounds, but there's room to move that either direction and each player, each character gets to act in that round. And I think this is important because it prevents one person from doing all of the things and being so critical to them. [inaudible].
Jake Bernstein: It's not unrealistic at all.
Glen Sorensen: It's not unrealistic at all.
Jake Bernstein: I mean, people might be thinking, "Oh, this is unrealistic, you're just gaming." It's like, "No, actually that's pretty close to how it would happen in real life."
Glen Sorensen: As somebody who has managed a real incident, when you're in the midst of it, even as a focal point or even as the subject matter expert, you only have time to do so many things. So you need other people involved to do these other things too. I mean, even if you're the technical security expert doing forensics work in that and have deep understanding of the systems, you can do one thing at a time for the most part. You need somebody like Jake giving legal advice. You need somebody that can help with a communications plan and communicating what's going on.
Jake Bernstein: And let's be honest, you might have ownership or leadership freaking out in the background yelling things that may or may not be helpful.
Glen Sorensen: Yep, yep, exactly. So I mean, there's somebody that's got to be managing that communication with executive leadership. And there's so many different ways that can play out in any organization. And I think that's what's cool about having characters in these games too, because you have all those things going on but you might get somebody that experiences this a little bit differently than they would in their normal role. So they might feel the pressure of executive leadership breathing down their neck, wanting answers, wanting to know what's going on and when they'll be back up. And that's something that they may or may not get in their day-to-day too.
Jake Bernstein: So mechanically speaking, typical best practice is to do at least one tabletop per year, right?
Glen Sorensen: Yep.
Jake Bernstein: And let's just say that you were going to choose to do a hack back each year. Would you recommend that people sometimes play themselves, so to speak, and then other times get assigned a character? And is there a benefit to that or would you see that as defeating the purpose? I mean, there's no right answer here. I'm just curious.
Glen Sorensen: I think again, it depends on the organization, the audience, the people involved, some of the goals you're trying to get at. But generally, yes, I think there is value in both playing yourself in a more traditional exercise and in a gamified version because you get those empathy elements, those differing experiences I guess. And then, you get the team building out of the gamified experiences in a way that you don't always get in a normal run-of-the-mill tabletop exercise.
Jake Bernstein: Yeah, absolutely. And one of the things you've mentioned here is that doing a hack back tabletop helps to illustrate the bigger picture of an IR scenario, which I completely agree with, but maybe explain why do you think that is? What does that mean?
Glen Sorensen: Well, with any individual, you have a different personality than the next individual and you'll get people that are very competitive or that very much don't want to look bad in front of others that feel that need to be perceived as the expert all the time. And the competitive nature just sometimes means you can't be wrong or you can't make a mistake. And I think this lets you detach a little bit and have some of that fear and some of that attachment go away a little bit and it opens up the experience a little bit more and lets you maybe open up to the scenario and the other people in a way that doesn't always happen. And I mean, I can speak to that a little bit personally. I have to fight that, we have to win this, I have to fight that urge in myself sometimes. So it's really good about letting the learning flow in a little bit different way.
Jake Bernstein: Gotcha. And so let's talk a little bit about after the tabletop, because I think the tabletop is... Well, actually let me ask you, how long is a typical tabletop exercise? How long is a typical hack back exercise? What are we talking about? Are we talking an hour or two or is it a full day? What do you see?
Glen Sorensen: Usually the two to four hour range, and I think it depends a little bit on the number of people involved. The more people you have in the room, the more players either in a regular tabletop or playing the game, the more players you have, the longer it takes. There's more discussion that happens, there's more turns that happen in the game, so then that puts that up on the upper end. But I think people reach a saturation and exhaustion point when they get beyond that, and I feel like your learning and absorption and all of it kind of decreases with the exception that if a game is really fun and people are really into it and having a good time and really want to continue, then there's room for that to go longer or be designed to go longer.
Jake Bernstein: So two to four hours-ish is what we're looking at here. But I consider the postmortem to be almost as important as the exercise itself. So when you're doing an after-incident or after a tabletop review session, what are you really talking about and what should people focus on to make sure they're getting the most out of their tabletops? Whether it's a real tabletop, I shouldn't say that. Whether it's a traditional tabletop or a hack back tabletop, what is the way to get the most out of it at the end?
Glen Sorensen: Yeah, I mean you've always got to have that debrief and they can be a little bit different, but depending on the traditional or hack back version, but you're really wanting to capture the high points of the things that were learned by each of the individuals involved. So you want everybody to contribute there too. And you'll find that there are things that you didn't know you didn't know, and that's kind of what we touched upon earlier. And it's those things that really open eyes, I think, into some of the gaps in the program, some of the, maybe the gaps in the incident response plan that you've developed. Some of the things that you maybe didn't think about that need to be elements of your planning in the future. And I think the maybe little bit differing version or how it might differ in the hack back version is that's more of the incident master then saying, "Here's how I saw this whole scenario playing out, here's the things that you got and here's how success in the game was measured."
In hack back, we do it with a company health that declines as bad things happen and good things to counteract that have not happened or not been successful with dice rolling. But then the things that the incident master wants you to pick out in that and wants you to take away from what was going on behind the scenes. So when I do it, I want these five things per round maybe are what I want the players to pick up and do. And if they get two of them and not the other three, I want them to know what the other three are. And then there's room for discussion on that too because maybe there's more that I haven't even thought of as incident master in this.
Jake Bernstein: Almost always happens.
Glen Sorensen: Then that broadens the discussion and more learning happens.
Jake Bernstein: Yeah, and that's where I think threat modeling blurs things. Everything starts to blur a little bit like it's a tabletop, but it's also threat modeling, and I think it's all good. All of this stuff is important to do and I want to stress for people who might be wondering or might be skeptical, I have seen tabletops, whether they're hack back or traditional, produce many, many insights that I don't think you can...
I think the only other way to get those is much more painful, which is to go through an actual incident, and trust me, trust both of us, you would much rather discover these things by playing a game or doing a traditional tabletop exercise than you would experience in a real incident. They're traumatic and I don't think people... I mean, people like us who work in the space, particularly me as a lawyer, I've seen way more incidents.
I've done dozens. My colleague who will be a guest on the podcast in the near future has done literally a thousand or more, thousands of incidents, and like the emergency room doctor, you see it all and you have to just let it wash over you. But for the people who are experiencing it probably for the first time in many cases, for the first time, they're all going to hope it's also the last time. And these exercises are the only way to understand some of what will happen in a real incident. So Glen, with that, do you have any final thoughts or words and do you have any online presence where listeners could go to find out more about you or do you prefer to be a man in the shadows?
Glen Sorensen: Well, to your last point there, I think doing the tabletop exercise and learning without the stress is much better than learning with the stress. So advertisement, do a tabletop exercise, I don't care who with or how just please do one. As to my online presence, you can find hack back games at hackbackgaming.com and you can find me on LinkedIn and I'm sure we can throw my profile link in.
Jake Bernstein: We'll do that. All right. Well, that wraps up this episode of the Cyber Risk Management Podcast. Today we explored the function of tabletop exercises and how to conduct them in a new way using the hack back gaming technique. And we did that with the help of our guest, Glen Sorensen, who is a Virtual CISO and a Managing Director at Cyber Risk Opportunities. See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.