Feb. 1, 2025

Hackback Your Tabletop Exercise: Glen Sorenson on the Benefits of Gamification in Cybersecurity

Unlock the secrets to transform cybersecurity training with Glen Sorensen, a seasoned cybersecurity expert and virtual Chief Information Security Officer. Glen combines his cyber expertise and passion for role-playing games into innovative tabletop exercises. Through Hackback Gaming, these exercises turn mundane simulations into immersive learning experiences, promising to revolutionize how leaders perceive and engage with this incident response planning tool.

Journey with us as we explore how gamification can enhance teamwork and problem-solving skills in corporate environments. By stepping into roles outside their professional comfort zones, participants gain fresh perspectives and foster empathy, transforming incident response exercises from stressful drills into fun learning sessions. Listen as we reveal how this creative approach not only boosts engagement but also deepens understanding of cybersecurity dynamics, turning a routine task into a highly anticipated event.

This episode doesn't stop at gamification; it delves into the broader landscape of cybersecurity, addressing crucial issues like the communication gap during incidents and the industry's skills gap. Discover how the gaming community's creative problem-solving can bridge these divides and learn practical strategies for tackling modern cyber threats. As we wrap up, we invite you to visit hackbackgaming.com for more insights and to connect with Glen Sorensen for an engaging exploration into the fusion of play and incident response in cybersecurity.

A Role to Play is an Untamed Dandelion production - Make a wish. Dream it true.

Chapters

00:04 - Cybersecurity and Gaming

11:56 - Game-Based Tabletop Exercise for Team Building

23:25 - Experience and Game Mastering Insights

32:45 - Navigating Technology, Security, and Communication

46:17 - Incident Response Simulation Impacts and Insights

57:31 - Closing the Cybersecurity Skills Gap

01:09:01 - Podcast Conclusion and Contact Information

01:09:01 - Hackbackgaming.com

Transcript
WEBVTT

00:00:04.847 --> 00:00:10.154
Calling all tabletop exercise incident response folks and tabletop gamers.

00:00:10.154 --> 00:00:13.128
Cybersecurity meet tabletop gaming.

00:00:13.128 --> 00:00:19.932
Welcome to A Role to Play, an RPG community podcast exploring the world of role-playing games.

00:00:19.932 --> 00:00:21.361
This is episode 10.

00:00:22.282 --> 00:00:33.856
I'm Sara, your host, and today I'm talking with Glen Sorensen, a cybersecurity expert and a virtual CISO, that's virtual Chief Information Security Officer.

00:00:33.856 --> 00:00:39.862
He has a background in role-playing games.

00:00:39.862 --> 00:00:41.524
He brings these skills together as an incident master for hackback gaming.

00:00:41.524 --> 00:00:48.563
Let's face it, tabletop exercising is boring, but role-playing games are fun, so why not put them together?

00:00:48.563 --> 00:00:54.725
I'll talk with Glen today about the gamification of tabletop exercising with Hackback Gaming.

00:00:54.725 --> 00:00:56.209
Welcome, Glen.

00:00:56.209 --> 00:01:03.472
Glen Sorensen, moderator and virtual CISO, and managing director, Cyber Risk Opportunities.

00:01:03.472 --> 00:01:03.874
Is that?

00:01:04.441 --> 00:01:05.427
what I should have checked with you.

00:01:05.519 --> 00:01:06.644
That is the correct title.

00:01:07.299 --> 00:01:09.668
That's a good title, yeah, absolutely.

00:01:09.668 --> 00:01:14.025
And also Incident Master for Hackback Gaming, as we'll get into here.

00:01:15.242 --> 00:01:17.349
Yes, and that's a pretty exciting piece.

00:01:17.349 --> 00:01:25.551
I think that that spawns off of the other title, the virtual CISO and managing director.

00:01:25.551 --> 00:01:38.001
Cyber Risk Opportunities must have had something to do with leading into Incident Master for Hackback Gaming, which is in itself an interesting title: an Incident Master versus a Game Master or a Dungeon Master.

00:01:38.001 --> 00:01:57.715
But before we go to that, I just want to say, looking at your profile here, it looks like you have a lot of experience covering a lot of different industries and, wow, a lot of experience also in cyber roles: security analyst, engineer, consultant, auditor, regulator.

00:01:57.715 --> 00:01:59.882
What haven't you done?

00:02:01.888 --> 00:02:02.490
Good question.

00:02:02.490 --> 00:02:05.981
I think I've done a lot of things, a little bit.

00:02:05.981 --> 00:02:22.475
There are certainly more areas that I've not covered, but I've always enjoyed seeing at least enough to understand an area and be able to manage it to some degree.

00:02:22.475 --> 00:02:27.640
So I've worn a lot of hats and, you know, kind of enjoyed doing that.

00:02:27.640 --> 00:02:34.993
So that is kind of ultimately what led into this, this virtual CISO-ing, we'll call it. So.

00:02:36.379 --> 00:02:38.246
Cool, cool, all right.

00:02:38.246 --> 00:02:43.480
Well, before we get fully into that, I said earlier that I would surprise you.

00:02:43.480 --> 00:02:50.146
Well, surprise, this is the surprise, and it'll be a surprise for both of us, because I haven't done this before.

00:02:50.146 --> 00:03:21.992
But I was gifted a fabulous deluxe edition of the Deck of Many Things by a traveling wizard who thought that maybe I would never actually pick this up myself, which I wouldn't, it was right, but that I should have it and that it might be useful for my podcast and that, if my guests are willing, I can offer that you can pull from the deck.

00:03:21.992 --> 00:03:23.014
Are you game?

00:03:23.014 --> 00:03:27.046
Let's do it.

00:03:27.046 --> 00:03:29.501
All right, I'll give you the option.

00:03:29.501 --> 00:03:41.372
Do you want to pull from the original 13 cards of the Deck of Many Things, or do you feel ready to, or would you rather just pull from the extended version?

00:03:44.039 --> 00:03:45.004
oh, great question, let's do the extended version.

00:03:48.620 --> 00:03:49.723
Wow, that's a lot of cards.

00:03:49.723 --> 00:03:50.443
Look at that.

00:03:52.889 --> 00:03:54.453
There are many things in that deck.

00:03:54.979 --> 00:03:57.223
There are very many things in this deck.

00:03:57.223 --> 00:03:58.586
I assure you.

00:03:58.586 --> 00:04:11.174
I just read the book, or was reading the book and contemplating the deck and the cards for a good couple of weeks before I actually pulled the card.

00:04:11.174 --> 00:04:38.552
And then, finally, I got up the nerve and I pulled a card from the original Deck of Many Things, which only has 13 cards, and you know many of them are not cards that you would necessarily want to pull, to say the least, yeah, but I am happy to say that I pulled the Fates card out of that deck, and that is a transformative card of like.

00:04:39.012 --> 00:04:45.692
just overnight, like whatever dire predicament you were in, your whole world has changed in a way that you never thought was possible.

00:04:45.692 --> 00:04:53.300
So, yeah, I pulled that in relation to you know, just thinking about this podcast.

00:04:53.300 --> 00:04:55.228
So I think that that's a very good sign.

00:04:55.228 --> 00:04:58.490
So let's see what fortune will hold for you.

00:04:58.490 --> 00:05:03.288
You're pulling from the extended deck here and I have to ask how many cards, sir, will you pull?

00:05:03.288 --> 00:05:15.007
Well, let's do two, two cards, all right, and how would you like to choose them?

00:05:15.007 --> 00:05:19.440
Would you like to like just tell me to stop shuffling, or would you like me to lay them out or cut the deck a certain number of times?

00:05:20.802 --> 00:05:22.225
you know what I'm.

00:05:22.225 --> 00:05:27.694
I'm good with the cards as they may be, so pull one when you see fit.

00:05:29.781 --> 00:05:30.742
You are very daring.

00:05:30.742 --> 00:05:33.569
You're not even going to tell me when to stop.

00:05:35.192 --> 00:05:35.733
How about now?

00:05:36.319 --> 00:05:37.122
This is your card.

00:05:37.122 --> 00:05:38.487
Oh, and there's two.

00:05:39.449 --> 00:05:39.951
And there's two.

00:05:42.483 --> 00:05:47.814
Well, I'm not sure what these will mean for you, but we got a pit and a mine.

00:05:49.040 --> 00:05:51.608
Well, I have an affinity for dwarves.

00:05:51.608 --> 00:06:00.307
So you know, although the pit is maybe not the kind of pit you want to be in there, from the looks of it.

00:06:00.307 --> 00:06:01.550
Let's see.

00:06:05.180 --> 00:06:31.216
A pit and a mine, an affinity for dwarves, and a mine, so mining something, open mining for something, yeah, digging for treasure, opportunities, opportunities abound, bringing things to light, finding things, yeah, yeah, not being afraid to go into the dark and recover what might lie there and bringing it back to the surface.

00:06:31.661 --> 00:06:34.524
That sounds good, you know, I'll take it.

00:06:35.425 --> 00:06:35.786
Yeah.

00:06:36.086 --> 00:06:36.387
Yeah.

00:06:36.548 --> 00:06:37.911
Yeah, all right.

00:06:37.911 --> 00:06:38.952
Well, that's awesome.

00:06:38.952 --> 00:06:41.588
Well, thank you for humoring me.

00:06:41.588 --> 00:06:43.425
That's fun to play a little game, isn't it?

00:06:43.899 --> 00:06:44.521
Absolutely.

00:06:45.684 --> 00:06:49.892
You know, this podcast is largely around role-playing games and the role-playing game community.

00:06:49.892 --> 00:07:03.529
Many people in this community will know exactly what we're talking about, but there's also going to be a lot of people that know of cyber attacks and cyber risks but aren't really living it day to day or not having a deeper understanding.

00:07:03.529 --> 00:07:09.375
Can you just start, maybe, with giving like a high level overview for the lay person about what this is all about?

00:07:18.959 --> 00:07:19.100
Sure.

00:07:19.100 --> 00:07:23.855
So I think there's some, maybe misconceptions even around cybersecurity and cyber risks, in that it's kind of the, you know, the dark arts, and maybe that's something that's, you know, mystical and we don't really understand it.

00:07:23.855 --> 00:07:27.966
But it's, it's all.

00:07:27.966 --> 00:08:08.262
It's pretty grounded when you get into the details of it, and it's really, you know, how do people misuse systems for their benefit rather than the intent of the system, and we've grown to a place where this can be even an existential threat for businesses out there, with the prevalence of large-scale ransomware attacks or whatever the case may be, and I think that's, I mean, we've gotten to this stage where it's such a large-scale thing that we can't ignore it.

00:08:08.262 --> 00:08:09.543
It's not that thing.

00:08:09.543 --> 00:08:17.567
That is the dark arts that nobody except the wizards can deal with and think about and fix.

00:08:17.567 --> 00:08:20.050
It's something that everybody has a role in.

00:08:20.050 --> 00:08:23.531
So that's kind of my high level.

00:08:23.531 --> 00:08:24.492
Two cents on it these days.

00:08:24.872 --> 00:08:34.197
Maybe it's difficult to comprehend exactly how it's done, but suffice to say that there are a number of ways and they're getting pretty advanced in how they can occur.

00:08:34.197 --> 00:08:36.245
And this isn't just big companies.

00:08:36.245 --> 00:08:38.508
We're not just talking about Microsoft getting hacked here.

00:08:38.508 --> 00:08:43.006
We're talking about the town of Huntsville was hacked, like Hamilton, I think, was hacked.

00:08:44.341 --> 00:08:52.614
Small businesses, large businesses, especially the cyber criminals that are out for money and deploying ransomware.

00:08:52.614 --> 00:09:00.520
They're going for the vulnerable systems and they don't care who you are, they just want to get paid.

00:09:00.520 --> 00:09:10.308
And some of them have some fairly twisted manifestos, in that they think they're actually doing the world a favor, but they're not.

00:09:10.308 --> 00:09:32.801
And the way that we have built systems, the way that we have thought about systems in the past, it has migrated this into the realm of business risk, and a lot of what I do in my day job these days is managing cybersecurity as a business risk, and that's how we have to think about it at this point.

00:09:32.801 --> 00:09:44.551
And you know business risk, organization risk, like whatever you want to use, whatever term you want to use, it's about helping keep your mission, doing what you intend.

00:09:44.551 --> 00:09:51.549
You know, keeping on your journey and not getting stopped by something like this, somebody that wants to.

00:09:51.549 --> 00:09:53.802
You know, railroad you and, you know, get paid.

00:09:54.523 --> 00:09:54.764
These are.

00:09:54.764 --> 00:10:00.433
These are significant real world problems and this is.

00:10:00.433 --> 00:10:02.203
This is like your, your day job.

00:10:02.203 --> 00:10:03.225
It's pretty serious stuff.

00:10:03.225 --> 00:10:10.265
It's like there's a lot of technical expertise that goes into this as well as just understanding, like the how of everything.

00:10:10.265 --> 00:10:11.304
How does this all work?

00:10:11.304 --> 00:10:18.768
But this is also paired with the gaming side of things, so tell me a little bit about that.

00:10:18.768 --> 00:10:22.671
Maybe let's start with how did you get into games?

00:10:23.759 --> 00:10:42.125
Well, so I played games, including especially role-playing games, growing up until I was in my probably mid-20s, and then life took me other directions and I didn't play as much, so that's part of my history there.

00:10:42.125 --> 00:10:57.663
Where this kind of came up again was a few years ago in a Slack group that was full of a bunch of CISOs and friends of CISOs and whatnot, and that CISO being Chief Information Security Officer.

00:10:57.663 --> 00:11:01.192
So the security leadership community, I guess.

00:11:02.200 --> 00:11:07.860
And Slack is like a chat group.

00:11:07.860 --> 00:11:25.139
Yeah, discord and a handful of other things are similar, and what came out of that was somebody was looking for somebody that could run a tabletop exercise, a security incident response tabletop exercise in the form of a game, and they'd kind of already had the recipe.

00:11:25.139 --> 00:11:39.086
And so myself and our now CEO of Cyber Risk Opportunities kind of latched onto this and said we like games, we like security incident response, let's see what we can do and let's see what this is about.

00:11:39.086 --> 00:11:43.390
So it turns out that this is actually a lot of fun.

00:11:43.390 --> 00:11:56.581
It turns out that this is actually a lot of fun, and there's a good basis for doing a security incident response tabletop exercise as a game, and some of the reasoning for that is, you know, the.

00:11:56.860 --> 00:12:00.663
A tabletop exercise is something where, you know, it can be boring.

00:12:00.663 --> 00:12:03.745
It can be boring, it can be stressful.

00:12:03.745 --> 00:12:06.365
And let me back up a little bit.

00:12:06.365 --> 00:12:31.466
What a tabletop exercise is, is getting people in a business, or leadership and technical teams, together to run through a scenario and think through what all the pieces are, test their incident response plans, really just kind of exercise their capabilities and find their gaps.

00:12:31.466 --> 00:12:38.250
One of the problems with traditional tabletop exercises is it can be boring or it can be stressful.

00:12:38.250 --> 00:12:40.620
It's hard to get everybody in a room to do it.

00:12:40.620 --> 00:12:44.587
There's a lot of people that won't necessarily see the value of it until they get in it.

00:12:44.587 --> 00:12:45.789
And then there is, you.

00:12:45.789 --> 00:12:47.192
The value usually becomes pretty clear.

00:12:47.832 --> 00:12:51.024
But there's a lot of ego that can be involved in it.

00:12:51.024 --> 00:12:59.240
There's, you know, not wanting to look bad in front of your peers and colleagues, and there can just be a lot of pressure around it.

00:12:59.240 --> 00:13:06.707
So that's where the gamification element comes in, and you let somebody play a character.

00:13:06.707 --> 00:13:07.828
That's maybe.

00:13:07.828 --> 00:13:10.490
That's not themselves, it's maybe not their normal day-to-day role.

00:13:11.251 --> 00:13:16.897
So you might have an IT director that's playing a communications manager role or a chief marketing officer.

00:13:16.897 --> 00:13:31.893
Move that ego a little bit and the pressure and let somebody have some fun with a character and maybe even learn something a little bit different, like a different perspective.

00:13:31.893 --> 00:13:45.815
The communications manager, the chief marketing officer, they have very different angles, interests, things that they need to take care of in their role than you would as an IT director, for example.

00:13:45.815 --> 00:13:55.946
So I think there's a lot of benefit there and every time we run one of these the folks come away saying that was a lot of fun.

00:13:55.946 --> 00:13:56.850
When can we do it again?

00:13:56.850 --> 00:14:09.009
So that solves some of the problems around the traditional tabletop exercise when you're not herding cats to get people in a room if they want to come because they know they're going to have a good time.

00:14:09.279 --> 00:14:12.791
Yeah, the traditional approach would be here's the scenario, here's the list.

00:14:12.791 --> 00:14:16.187
Let's run down the list when are you at with these things?

00:14:16.187 --> 00:14:24.028
And it could get pretty, because it's also, it's not real, which makes it safe because nothing's seriously on the line.

00:14:24.087 --> 00:14:38.272
But at the same time, there is an expectation that things will go well, because it's like a test to say, you know, if this was a real exercise would we be okay, and, of course, if you find something wrong with it, then that's the win, is that you're able to improve it.

00:14:38.272 --> 00:14:46.234
But I can see how people would want to come out without having too many improvements required.

00:14:46.234 --> 00:14:49.830
So, yeah, there's a safety in making something a game.

00:14:50.860 --> 00:14:59.424
Exactly, and so that removes a whole lot of the pressure and I think it also provides some structure in it in a way.

00:14:59.424 --> 00:15:01.351
That is kind of hard sometimes, otherwise.

00:15:01.351 --> 00:15:16.423
In a tabletop exercise you always have the stronger personalities that talk a lot and do everything, and you have the other ones that, maybe they don't want to talk a lot and they kind of sit back in the corner and want this thing to be done and get out of the room as quickly as they can.

00:15:16.423 --> 00:15:45.193
But having some structure around it gives everybody opportunities to talk and say what they need to say, and because it's become a safer place then they're more free to say what they want to say, and you know, if they see something in their role, in their day to day, you know, that's maybe harder than if they see it in the game, but you can still take that discovery in the game and, you know, apply it back to your reality.

00:15:45.559 --> 00:15:55.745
I like what you said before too, about having the IT director play a different role, play the marketing role or something, for example, because playing a different role gives a whole different view.

00:15:55.745 --> 00:15:57.833
It takes the pressure off.

00:15:57.833 --> 00:16:05.192
I don't have to now perform as the IT director and I get to play at being the marketing director and see what that's like.

00:16:05.379 --> 00:16:06.615
I don't have to know everything.

00:16:06.615 --> 00:16:09.929
Yeah, I don't have to know everything about being that role, because I don't.

00:16:09.929 --> 00:16:13.389
That's not my, that's not my day to day, and that's okay, right.

00:16:14.130 --> 00:16:20.293
Right, and that really opens up the mind for learning to say, like, well, what is this all about?

00:16:20.293 --> 00:16:23.429
What is the experience of being the marketing director in this scenario?

00:16:23.429 --> 00:16:29.601
What is that about, right?

00:16:29.601 --> 00:16:32.974
So there's learning that can happen with that, and I would think a lot of empathy, to say, oh, this is what you have to deal with.

00:16:32.994 --> 00:16:56.110
And that's one of the things I really love about it: when you start shuffling, you know, roles and characters around a little bit and removing those from the individual and their, you know, their own real self, then you get a lot of opportunity to really understand what somebody else goes through in a security incident, in this case.

00:16:56.110 --> 00:16:58.506
But I think the applicability is a lot larger than that.

00:16:58.506 --> 00:17:22.862
But I mean, I do the same thing with your communications manager and your chief marketing officer and put them in the IT director's role or the security analyst role, and suddenly, like, you have to think about things a little bit different way or, you know, are compelled to, and you do so, and, being a character, the pressure is not there, you can have fun with it.

00:17:24.125 --> 00:17:33.190
One of the things we like to do with characters, too, is just like, have that one thing that's just a little bit over the top that you can have a lot of fun with.

00:17:33.190 --> 00:17:49.422
Like, the chief marketing officer has a book deal, it's on the table, and you know, everything, they want to talk about the book, and you know, maybe there's a systems architect that is just, like, pro-Microsoft all the time, and we all know folks that just have those things.

00:17:49.422 --> 00:17:52.990
And it lets you exaggerate it a little bit and really just have fun with it.

00:17:53.721 --> 00:17:55.204
Right, that's neat.

00:17:55.204 --> 00:18:03.426
So each role kind of gets, like, a sheet or a card or something that says these are your character traits and the things that are important to you.

00:18:03.426 --> 00:18:04.449
Can you describe that a bit?

00:18:05.211 --> 00:18:10.202
Yeah, so we have a number of kind of pre-built characters that we've used.

00:18:11.065 --> 00:18:22.383
We've also experimented with a little bit of character creation and I think there's probably some middle ground that we want to try again, where the character is partially built out but you let the player then customize it a little bit.

00:18:22.383 --> 00:18:29.568
But we have, depending on the scenario, because you need different scenarios all the time.

00:18:29.568 --> 00:18:35.634
There's plenty of room to customize that and I mean really the sky's the limit, just like any other RPG.

00:18:35.634 --> 00:18:55.025
But we have those roles like the chief financial officer, chief marketing officer, some of the C-levels, and then you have, you know, on down into kind of middle management, IT, security, I guess your frontline service desk, help desk sorts.

00:18:55.025 --> 00:19:10.711
So we've got a number of characters like that that are, you know, prebuilt that way, and the way the game plays out, you have the incident master that's kind of keeping the facilitation going, much like your dungeon master or game master.

00:19:11.413 --> 00:19:12.815
This is you, yeah, yeah.

00:19:13.580 --> 00:19:15.248
And that's the role I typically play.

00:19:15.248 --> 00:19:25.954
But we usually have a second person that is like an assistant, or assistant incident master, for lack of a better term.

00:19:25.954 --> 00:19:36.711
But, you know, they keep track of some of the turn orders and some of the, you know, the company health, the things that we like as the game there.

00:19:38.141 --> 00:19:39.226
Sorry, I love it.

00:19:39.226 --> 00:19:41.445
You just said company health and turn orders.

00:19:42.249 --> 00:19:43.030
Company health.

00:19:43.030 --> 00:19:47.663
Yes, exactly so.

00:19:47.663 --> 00:19:53.193
Like, this is a little bit of structure and rules to the game, which I can get into here in a minute.

00:19:53.193 --> 00:20:28.344
NPCs, or play roles that are just like, okay, I'm the third-party vendor coming in to sell you incident response services or digital forensics or things that you might need, and I mean that can be a lot of fun in and of itself, but if there's not any reason to have the CEO as a full player in there, that's how you can have the NPC come in and, you know, have a little minor role in it.

00:20:29.326 --> 00:20:30.087
I would love that.

00:20:30.087 --> 00:20:32.133
It just sounds so fun.

00:20:33.160 --> 00:20:35.993
Yeah, so we always have a good time with it.

00:20:38.061 --> 00:20:42.833
So how many people are typically involved in an exercise like this?

00:21:05.680 --> 00:21:15.882
lose attention span, in that we have experimented a little bit with team games, where a couple of people can play a character or maybe a function in the exercise, and some of the things that we've done have worked fairly well there.

00:21:15.882 --> 00:21:27.711
So that's a way that you can expand it to have a much larger audience, but it becomes a different game at that point, which is okay too.

00:21:28.480 --> 00:21:32.652
Well, there must be a lot of planning that goes into even just negotiating to get this set up.

00:21:33.061 --> 00:21:34.000
Yeah, absolutely.

00:21:34.000 --> 00:21:46.259
We do this for a number of audiences, actually, and we've done it as a security vendor sales and marketing event, where they will invite their customers or prospects or whatever, and then we play the game, and that's.

00:21:46.259 --> 00:21:51.413
That's a different, that's more, more fun, more salesy sort of event.

00:21:51.413 --> 00:21:55.325
The other case is really training your incident response team.

00:21:55.325 --> 00:22:02.234
When you have somebody from the same organization or, you know, it can be multiple organizations too, depending on how you do it.

00:22:02.599 --> 00:22:10.426
But understanding the goals of the exercise up front and the audience that's going to be in it are extremely important.

00:22:10.426 --> 00:22:20.884
I mean, it's easy to miss the mark and have, you know, if you're not conscious of that, have a scenario that doesn't make sense, or have elements in it that don't make sense in the context of the people you've got.

00:22:20.884 --> 00:22:30.592
I guess, when it comes to characters and roles, there will be people that aren't going to be that comfortable in moving well outside of their role.

00:22:30.592 --> 00:22:38.032
So not everybody's going to be comfortable moving from an IT director to a marketing officer, communications manager role.

00:22:38.032 --> 00:22:41.470
So you have to be conscious of the personality involved there too.

00:22:42.299 --> 00:22:46.892
What would you say has surprised you the most about how this has gone over, how it's been received?

00:22:47.779 --> 00:22:50.547
It's almost universally positive.

00:22:50.547 --> 00:23:06.309
Everybody has a good experience with it, which is not always something that you expect, and maybe that's just me, that paranoid, cynical part of my brain, it's like not everybody's going to have fun all the time, but it's.

00:23:06.309 --> 00:23:08.522
It's really been pretty positive.

00:23:08.522 --> 00:23:22.789
On that front, I think one of the challenges that we run into with it is not everybody's really drunk the Kool-Aid yet, in that you can actually have a gamified exercise that has a lot of learning value in it.

00:23:22.789 --> 00:23:23.632
It's this.

00:23:23.632 --> 00:23:25.403
There's still that gap.

00:23:25.584 --> 00:23:33.409
In some cases, when I'm trying to sell the concept in conversation, like, you can see the people that light up and get it.

00:23:33.409 --> 00:23:35.192
Those are the folks.

00:23:35.192 --> 00:23:38.147
They get excited about it pretty quickly and you can just see it.

00:23:38.147 --> 00:23:45.933
You know, those are the folks that'll champion the game and get other people involved and, you know, make it happen.

00:23:45.933 --> 00:24:03.441
What I found, too, is there's a remarkable number of people who have some sort of history with role-playing games, people you wouldn't expect. Like, you know, in technology and security communities that's a pretty prevalent thing, I would say, to have been involved in games in one way or another.

00:24:03.441 --> 00:24:10.894
But lawyers and executives and marketing people and financial people.

00:24:10.894 --> 00:24:13.267
They've come out of the woodwork.

00:24:14.130 --> 00:24:14.510
Really.

00:24:15.240 --> 00:24:16.001
Yeah, yeah.

00:24:16.001 --> 00:24:40.614
So I've seen that quite a bit, and what you end up with in a game like this is you'll have a mix of people that have some experience with RPGs and whatnot and some that won't, and then the ones that do are easier to get into their character and they pull the other people along with them, so it becomes a, well, it's okay to do this, so let's have fun doing it.

00:24:42.240 --> 00:24:51.824
It would be kind of neat if there was, like, I don't know, like an epilogue game, where the stakes aren't as high, but you can just go and play this for fun, understanding what it's like to be in the hot seat of the CISO, for example.

00:24:52.385 --> 00:25:10.067
Yeah, and we have a lot of plans for this, and we have a GitHub repo that we're planning on open sourcing some of this stuff with in the future, and the idea really is that, you know, you let somebody just pick it up and do whatever they want with it.

00:25:10.067 --> 00:25:25.865
When we get that done, I'll just be really interested to see where the community takes that and what they come up with, because, you know, as much as I talk about it and have been in it, like, I have my silo in how I view this, and there will be people that have completely different ideas.

00:25:25.986 --> 00:25:28.112
And can you expand on that a little bit?

00:25:28.112 --> 00:25:29.582
You said GitHub repo.

00:25:29.781 --> 00:25:40.327
That is a place where you can let other people, one, see what you've done, but then take it and branch off and take it their own direction.

00:25:40.327 --> 00:25:40.788
So it's.

00:25:40.788 --> 00:25:51.365
It's commonly thought of as a software development code repository, something that only developers use, but you can do that with documents and other things too.

00:25:51.365 --> 00:25:56.787
So that's kind of where we're going with it, and it's just like, you can take it and do whatever you want with it.

00:25:57.359 --> 00:26:05.894
So sharing some of the foundations of the game itself, like to say you can take this and then build your own exercise off of that or turn it in a new way.

00:26:05.894 --> 00:26:18.003
So the value that is coming that Hackback Gaming is offering then is the facilitation of the exercise and all of the expertise that goes into that and the game itself, the rules of the game.

00:26:18.003 --> 00:26:22.211
It's kind of like an open source gaming license, you know.

00:26:22.211 --> 00:26:27.068
Kind of comparable to that, like Wizards. Yeah, exactly, we want to.

00:26:27.328 --> 00:26:32.405
What we want to sell is really the experience, exactly what you said and what.

00:26:32.405 --> 00:26:42.691
What I think we're going to find is that, in the same way we do a lot of other things, we we share knowledge as as freely as we can, and I mean I'm talking to the cybersecurity business side of it.

00:26:43.625 --> 00:26:51.806
We share as much knowledge as we can because that just opens doors and broadens horizons, makes everybody a little bit better.

00:26:51.806 --> 00:26:55.711
But what we find is the knowledge is not the same as the experience.

00:26:57.380 --> 00:27:00.119
And the things that are going on in the cybersecurity world.

00:27:00.119 --> 00:27:01.244
They're always changing.

00:27:01.244 --> 00:27:08.730
There's so many different ways that you need to interface within a company and externally, like with vendors or law enforcement or regulators.

00:27:08.730 --> 00:27:20.521
So it would take quite a bit of coordination and knowledge and then even just to run the exercise like having a basic understanding of how all those pieces are like.

00:27:20.521 --> 00:27:28.210
It's one thing to run the exercise for the company and following your plan, and then it's another to take that and actually gamify it.

00:27:36.247 --> 00:27:37.867
So that's like a whole next level piece.

00:27:37.867 --> 00:27:48.757
You understand that whatever scenario you craft, you never know exactly what the players are going to do or what direction they're going to take things or where they're going to want to go.

00:27:48.757 --> 00:27:51.079
So you may find yourself.

00:27:51.079 --> 00:27:53.608
So you have to think on your feet and adapt a little bit.

00:27:53.608 --> 00:28:10.009
And I would say a security incident response is a little bit more defined in how that works than you know, kind of an open world where you know players can do anything they can imagine, but the same principle applies and things do.

00:28:11.701 --> 00:28:29.553
I'm like I don't have a good example off the top of my head, but players take things in a direction you just did not expect and you're like, well, now I've got to adapt to this and rein it back in toward the story that we intended, somehow in a way that makes sense.

00:28:29.553 --> 00:28:32.486
So, like, that's where some of the experience comes in.

00:28:32.486 --> 00:28:39.028
And, having lived through my share of incidents, that's where the experience comes in.

00:28:39.028 --> 00:28:50.755
I think, and I think there's plenty of room for people who've maybe not lived through incidents the same way to still learn how to do that and adapt quickly.

00:28:52.541 --> 00:28:54.028
Yeah, yeah yeah.

00:28:54.028 --> 00:29:06.528
But even just like running turns and keeping track of whose turn it is and the effects from whatever decisions have been made, it could be a lot.

00:29:06.528 --> 00:29:12.214
So did you have a lot of game mastering experience behind you in addition to the security incident response?

00:29:12.942 --> 00:29:15.049
I did a little bit of game mastering back in the day.

00:29:15.049 --> 00:29:21.153
I was more a player, more often than I was doing any mastering myself.

00:29:27.183 --> 00:29:28.727
So I had the experience that way and, you know, quickly latched on.

00:29:28.727 --> 00:29:41.892
But then I think when it came to Hackback, I had plenty of experience leading incidents and surviving them, I guess, because that's usually what you do.

00:29:41.892 --> 00:29:51.172
I had that experience and that kind of helped really get into the incident mastering I guess.

00:29:52.840 --> 00:29:56.750
I think this is why you had the pit and the mine cards.

00:29:57.171 --> 00:29:57.852
Yeah.

00:30:01.861 --> 00:30:03.483
Going in there pulling that stuff out.

00:30:03.483 --> 00:30:05.627
Yeah, oh, that's interesting.

00:30:05.627 --> 00:30:14.624
So in terms of games then, was it like, so obviously we're talking about role-playing games like D&D, Dungeons and Dragons, probably earlier editions.

00:30:14.624 --> 00:30:18.375
Anything else that helped inform your experience?

00:30:19.178 --> 00:30:20.540
Warhammer Fantasy Roleplay.

00:30:20.540 --> 00:30:22.083
That was one of the big staples.

00:30:22.083 --> 00:30:28.053
I played that for a number of years, well into my 20s, I would say.

00:30:28.053 --> 00:30:35.702
So that was, that was good and that was one of the main foundations.

00:30:35.702 --> 00:30:47.550
I'd say. Played a lot of, like, video games that were, you know, RPG types as well, and I'll always gravitate toward them over a number of other genres. So I haven't actually played Warhammer myself or a game like that.

00:30:47.611 --> 00:30:52.650
Certainly played some video games, but Warhammer, it's much more of a tactical game.

00:30:52.690 --> 00:31:07.169
Like you have, you're not just playing an individual character, you're playing like whole troops and things, so you're thinking on that level. I would say there's a distinction between, like, Warhammer 40K and Warhammer Fantasy Roleplay, which is Warhammer Fantasy Roleplay was much more like Dungeons and Dragons.

00:31:07.169 --> 00:31:08.271
Oh, okay.

00:31:08.701 --> 00:31:11.890
Some of the tactical element, I would say, but in much the same way as D&D was.

00:31:11.890 --> 00:31:23.890
So it really was playing a character and, like we, there was a group of us that had the same set of characters for years and years and I was a dwarf, I mean, that was my.

00:31:29.711 --> 00:31:30.292
Oh, there we go.

00:31:30.292 --> 00:31:33.607
This really holds true, then, with the mines.

00:31:34.730 --> 00:31:43.068
Oh yeah, I also used to work at a coal mine back in the day too in a past life, so I mean I have actual mining experience.

00:31:43.450 --> 00:31:50.714
So was it like a pit, or did you go down into a mine?

00:31:50.775 --> 00:32:09.710
It was an open pit. Really? Yeah. Wow, that's fascinating. Yeah, so one of the things I did was I drove a truck, but it was the sort of truck that was like the size of your house, so you get in the, you know, go up the ladder and take your house for a drive.

00:32:09.710 --> 00:32:11.551
That's kind of what it was like.

00:32:11.551 --> 00:32:16.977
So yeah, that's a little bit about my past life and mining experience.

00:32:17.480 --> 00:32:20.608
Wow, I'll go back to what I said at the beginning.

00:32:20.608 --> 00:32:21.811
Is there anything that you haven't done?

00:32:25.883 --> 00:32:44.394
Well, I mean a lot of things, but yeah, I do have to say that it took me all of about an hour to realize I didn't want to be doing the mining thing for the rest of my life, because it was kind of rough work in a lot of ways and I have a lot of respect for the people that make a career out of it.

00:32:44.394 --> 00:32:57.299
But that was not me, and I was always more interested in the devices and computers and whatnot which led me into technology and security ultimately.

00:32:57.299 --> 00:33:04.130
And now I pretty much just deal with people, which is not the reason I got into technology and security to begin with.

00:33:04.250 --> 00:33:12.271
But yeah, you're right, like the IT stuff, the technical stuff, the security stuff, you can get into that pretty deep.

00:33:12.271 --> 00:33:25.749
You could just stare at a screen all day and be fascinated with just figuring out, you know, investigating something or looking at logs or whatever it happens to be, and then you got to turn around and talk to somebody.

00:33:25.749 --> 00:33:28.683
It's like it's using a whole different part of your brain.

00:33:28.924 --> 00:33:29.547
And I.

00:33:29.547 --> 00:33:50.287
What I, what I learned early on in my career was that in order to do the things that were right with the devices that I wanted to work with, I had to communicate with the people that pulled the purse strings and allocated resources and whatnot, and if I was ineffective at that, I didn't get the things that I needed to do what I.

00:33:50.287 --> 00:33:50.666
You know that.

00:33:50.666 --> 00:33:56.009
That ultimately led me down a path where I deal with people more often than I deal with with machine technology directly anymore.

00:34:10.940 --> 00:34:13.409
Do you miss working with the technology more directly?

00:34:13.780 --> 00:34:30.235
Yes, I definitely do, and sometimes, I mean, one of my vices then is like I'm just going to block off three hours and, you know, whatever that may be, usually doesn't happen during the workday because there's too much work going on during the day.

00:34:30.235 --> 00:34:40.813
But I'm just going to, you know, play with something, and, you know, so that's, I guess, an outlet for me sometimes.

00:34:41.440 --> 00:34:49.271
You use the word play there again, like play with something, and it just goes back to I guess I was thinking about this like it's the importance of play.

00:34:49.271 --> 00:34:57.206
Yeah, the importance of play to be creative, to learn new things, have new experiences, yep.

00:34:57.206 --> 00:35:09.577
Also, it's not a new thing to use games or gaming in strategy or for I don't know if we want to call it warfare or just attacks in general, like whatever you want to call it, like a simulation.

00:35:09.577 --> 00:35:15.929
This is the origin of many games is strategies and tactics.

00:35:15.949 --> 00:35:28.309
Yeah, long, long history, going back to, you know, military endeavors, I would say I feel like that's just changed form in the modern day and we're dealing with cyber attackers.

00:35:28.309 --> 00:35:30.010
The game is just different.

00:35:30.010 --> 00:35:43.960
You're not necessarily shooting other people, for example, you're attacking their systems to, insert your goal here.

00:35:43.960 --> 00:35:45.244
In a lot of cases it's just like steal money from somebody.

00:35:45.244 --> 00:35:57.144
But I mean, the point is really pretty similar in the grand scheme and, you know, where we are with technology now is that even 20, 25 years ago, if somebody was going to rob you, they probably had to be within a certain radius of your physical presence.

00:35:57.144 --> 00:35:59.815
Right, and you know for the most part.

00:35:59.815 --> 00:36:01.800
And now that's no longer the case.

00:36:01.800 --> 00:36:08.940
Now you have, you know, billions of people behind keyboards that are, you know, that potentially have some sort of access to you via the Internet.

00:36:09.882 --> 00:36:14.072
And they'll always be trying new things or figuring out ways to do the attacks.

00:36:14.072 --> 00:36:15.945
I mean, they have nothing to lose and everything to gain.

00:36:15.945 --> 00:36:18.960
Right, just try this, try that, and something works. Yeah.

00:36:19.000 --> 00:36:23.588
Until something does or you know, move on to the next organization, which maybe is more vulnerable.

00:36:23.588 --> 00:36:27.032
So how do we, how do we protect against that?

00:36:27.032 --> 00:36:33.068
Well, I mean knowledge and understanding and practices, and you know this.

00:36:33.068 --> 00:36:45.454
This gaming element is just one more way that you can raise people's awareness and understanding, and the more that people have fun doing it, the more likely they are to continue doing it.

00:36:45.454 --> 00:37:02.463
I guess another way to think about play, too, is, if you talk to most of the hackers and penetration testing types, they think of their work as play, and that's how they learned in most cases.

00:37:02.463 --> 00:37:03.063
I would say.

00:37:03.643 --> 00:37:15.853
Until a few years ago, there was no training you could really go get to teach you how to be an ethical hacker or not ethical hacker, for that matter.

00:37:15.853 --> 00:37:23.882
I'm just going to bang away on the keyboard until I get this thing to do what I want it to do rather than what it's intended to do.

00:37:23.882 --> 00:37:29.873
That is really how a lot of hackers, for good or ill, started.

00:37:29.873 --> 00:37:33.065
I mean, that was a little bit of my background too.

00:37:33.065 --> 00:37:33.947
It was fun.

00:37:33.947 --> 00:37:35.130
It was fun to do.

00:37:35.130 --> 00:37:40.594
It was fun to learn how to do this thing, to make this thing, to get access to this thing when maybe you weren't supposed to.

00:37:40.594 --> 00:37:47.793
I didn't make a career path out of that particular, you know, focus in security.

00:37:47.793 --> 00:37:52.467
I did everything but. The folks that are really good penetration testers,

00:37:52.467 --> 00:38:06.782
you get them in a room and have them start talking and they go down deeper than I can follow in the rabbit hole of, you know, systems and technology and the ins and outs of it.

00:38:07.284 --> 00:38:08.666
Indecipherable from magic.

00:38:08.666 --> 00:38:15.210
Right, you get to a certain level and it's just like the common person is not going to have a clue what any of that means.

00:38:15.391 --> 00:38:15.592
There.

00:38:15.592 --> 00:38:23.664
There are some people that I know that I talk to on a somewhat regular basis that, when they start talking about that, I have to really focus.

00:38:23.664 --> 00:38:34.324
There are a lot of conversations that I can have with a part of my brain, but if I'm going to actually track what they're saying, they have to get my full attention.

00:38:34.945 --> 00:38:35.226
Right.

00:38:35.606 --> 00:38:46.402
Because otherwise I can't process enough to, and I mean, that's that's me, who's been dealing with technology and security for 20 plus years at this point.

00:38:46.561 --> 00:38:53.344
So I had a former coworker explain some trials that he went through as he got into the world of security as well.

00:38:53.344 --> 00:38:57.500
Yeah, I have some high level appreciation for what that is.

00:38:57.500 --> 00:39:06.485
I saw on your profile that you have and you just mentioned it here briefly about your misspent youth bending technology.

00:39:07.849 --> 00:39:08.289
And that was.

00:39:08.289 --> 00:39:13.844
You know that was a little bit of that too, and I never went as deep as some down that path.

00:39:13.844 --> 00:39:26.277
But I remember doing things like, my mom ran a small business and had, you know, expensive software that she had to.

00:39:26.277 --> 00:39:28.445
You know that they wanted license fees for.

00:39:28.445 --> 00:39:30.170
And she's like I'm a small business, I can't do this.

00:39:30.170 --> 00:39:37.425
And granted, I mean, this was in the nineties, so I started messing with it a little bit and, you know, oh, there's a text file sitting here.

00:39:37.425 --> 00:39:38.789
Okay, well, let's just see what's in that.

00:39:38.789 --> 00:39:43.222
Oh, license equals zero.

00:39:43.242 --> 00:39:45.007
Like, well, what if I change that to a one?

00:39:45.007 --> 00:39:57.141
They're like, oh well, and you know that's a pretty simple example, but that is a reality, like that is something that happens, that did happen, at least back then.

00:39:57.141 --> 00:40:03.264
I mean, you don't see it, it's not as simple as now, as it was then, but I mean that was the idea.

00:40:03.264 --> 00:40:09.648
And well, one of the other things I did was well, how do I play this game that I want to play on this system?

00:40:09.648 --> 00:40:13.110
Because the system, what I've got, how am I going to make this work?

00:40:13.110 --> 00:40:14.291
Yeah, well, if I.

00:40:14.291 --> 00:40:19.934
Okay, well, if I load the memory here in this upper memory block then I can do this.

00:40:19.934 --> 00:40:25.521
And you know, and that you know that was some of that misspent youth.

00:40:25.603 --> 00:40:37.001
I would say my father worked at a university in the computing services department and I may or may not have, you know, like, access to a mainframe.

00:40:37.702 --> 00:40:39.865
You know, cannot confirm or deny.

00:40:40.887 --> 00:40:55.967
I cannot confirm or deny, except that, you know, my focus, my passion, was games. Like maybe even especially then, though, I did poke around and actually learn a few things too, but that's never bad.

00:40:58.230 --> 00:41:00.532
I remember playing Ultima VII.

00:41:00.532 --> 00:41:09.487
That was one of my biggest drivers for making this work on this machine and it had an unusual memory management system.

00:41:09.487 --> 00:41:11.652
That was kind of a pain in my butt.

00:41:11.652 --> 00:41:23.768
I played a few of them and then you know, all right, I have this opportunity to play Ultima VII, so I'm going to make this work one way or another, and so I did.

00:41:24.889 --> 00:41:27.893
You can learn something new if you take the risk.

00:41:35.019 --> 00:41:45.929
And I really like it when we get executive leadership from a business that is outside of technology into these games, because they really start to see the whole breadth of an incident and realize, you know, the thought was always, it's just the technology.

00:41:45.929 --> 00:41:47.114
But it's not.

00:41:47.114 --> 00:41:48.480
It's not just the technology.

00:41:48.480 --> 00:41:54.306
The technology is maybe, you know, the component of it that is, you know, how the risk manifests.

00:41:54.306 --> 00:42:15.184
But I mean you have to manage it in the same way that you would manage other things. Like, you're still making business decisions, and it affects your money and reputation and how this thing goes or doesn't go.

00:42:15.184 --> 00:42:17.309
And I mean we can.

00:42:18.751 --> 00:42:20.260
You have to think about things like communication.

00:42:20.260 --> 00:42:27.655
Well, who in your organization do you need to communicate with if you're in the midst of an incident and you have some disruption in your services?

00:42:27.655 --> 00:42:34.713
Well, maybe you have customers and partners that need a certain message.

00:42:34.713 --> 00:42:39.572
Maybe you have the general public that needs a little bit different message.

00:42:40.641 --> 00:42:43.465
Your internal employees well, I mean they need some guidance too.

00:42:43.465 --> 00:42:46.501
They need to know that something's going on and that it's being handled.

00:42:46.501 --> 00:42:52.773
They need to know what they can and can't say to anybody in the public or the media.

00:42:52.773 --> 00:42:54.804
Who is authorized to talk to the media?

00:42:54.804 --> 00:43:23.543
Because it's pretty easy, for maybe there's a ransomware event or something and somebody just goes and starts talking to the media about that without really knowing what's going on, and pretty soon the speculation and the, you know, the gossip and the half-truths and the not-really-true-at-all, you know, spreads like wildfire out there and then you have a reputation problem, and I mean, that's all just about communication.

00:43:23.543 --> 00:43:29.972
That's that's not about you know the elements of the incident that are actually happening and the teams that are dealing with those internally.

00:43:30.596 --> 00:43:35.940
Yeah. Plus, there's aspects to that like not just what you say, but when you say it and what that could mean at different times.

00:43:35.940 --> 00:43:40.447
You don't really know what your response is until you're actually tested.

00:43:40.969 --> 00:44:01.798
In a situation that makes you really think about it, and I love challenging assumptions, and one of the common assumptions that we see in tabletop exercises, gamified and otherwise, is, well, you know, we'll just restore the system from our backups, right? Oh, okay, let's think through this a little bit.

00:44:01.798 --> 00:44:07.362
And okay, so what are your backups actually backing up?

00:44:07.362 --> 00:44:13.208
And when you dig into that a little bit, well, it turns out maybe they're not backing up everything because that's too costly.

00:44:13.208 --> 00:44:15.791
Maybe it's backing up these things that we think are important.

00:44:15.791 --> 00:44:24.237
Maybe it's this server and this server and this server, and you get into it. Well, okay.

00:44:24.257 --> 00:44:36.597
Well, maybe the incident is with, you know, server four over here that wasn't backed up on the same cadence or the same schedule, and so maybe there's, you know, maybe it's further behind, and you run into other things too, like, okay, well, do you know for sure that your backup is going to work?

00:44:36.597 --> 00:44:37.920
Have you tested it?

00:44:37.920 --> 00:44:43.635
And then you often get a deer-in-the-headlights look and, like, well, you know, I just assume it'll work.

00:44:43.635 --> 00:44:57.036
Like, well, if you know, there have been a number of occasions that I've run into in real life where we thought we had this backed up and turns out we didn't, or it wasn't what we thought it was.

00:44:57.436 --> 00:44:59.983
At what point do you start communicating to your customers?

00:44:59.983 --> 00:45:03.663
Or maybe they're reaching out to you sooner than you thought that they would.

00:45:03.663 --> 00:45:07.822
There could be a whole slew of things that could happen that weren't foreseen as to.

00:45:07.822 --> 00:45:10.027
That could be driving a response that you didn't plan.

00:45:10.275 --> 00:45:13.900
Yeah, exactly, and you know, you never know.

00:45:13.900 --> 00:45:17.826
Even with the best communication management, you never know who.

00:45:17.826 --> 00:45:25.485
Who may say something to the wrong person, and pretty soon you have, you know, media on.

00:45:25.485 --> 00:45:35.467
You know, I always like to use Brian Krebs, who's famous in the security community for, you know, reporting, and maybe he's coming to knock on your virtual door and ask you questions.

00:45:35.467 --> 00:45:39.382
You know, do you have a statement on this ransomware event that you're experiencing right now?

00:45:39.382 --> 00:45:46.027
Like that's a question that you want to be out in front of, not reacting to.

00:45:46.416 --> 00:45:47.782
Do you have intelligent answers?

00:45:47.782 --> 00:45:49.641
Does it seem like you have things under control?

00:45:49.641 --> 00:45:57.704
Having the experience of being under pressure to do this in a game-like setting is going to increase the odds that you're going to say something intelligent.

00:45:57.704 --> 00:46:04.815
I would expect any company will still go through a lot of rigor before they say anything, but I think it might make it come a little bit easier.

00:46:04.994 --> 00:46:16.505
Yeah absolutely, and I think there's always a right level of communication, and that's not oversharing, that's not undersharing, that's timing it right.

00:46:16.505 --> 00:46:23.632
Companies that are experiencing incidents or breaches you see them fall flat on that all the time.

00:46:23.632 --> 00:46:34.260
The example that comes to mind is oh, we had an incident, it was only these systems were accessed and maybe just like two customers.

00:46:34.260 --> 00:46:42.963
And then it turns out well, the investigation goes on and a day later it's like okay, well, actually it was bigger than we thought and you know it was actually this.

00:46:42.963 --> 00:46:45.387
And then pretty soon it grows and grows and grows.

00:46:45.387 --> 00:46:54.726
So you have the poor expectation set up front where, oh, it's just this little tiny thing, it's not really consequential, and turns out it's actually a big friggin' deal.

00:46:54.726 --> 00:46:57.233
So you know, then they have to.

00:46:57.233 --> 00:47:06.010
Their communication is very poor in that case, when what they should have said instead of it's not a big deal is this is what we know.

00:47:06.010 --> 00:47:07.641
Here are a couple of facts.

00:47:07.641 --> 00:47:09.815
We are progressing with our investigation.

00:47:09.815 --> 00:47:14.266
We'll update you again in four hours or tomorrow or whatever.

00:47:14.574 --> 00:47:16.603
What's your favorite part about running the exercises?

00:47:17.556 --> 00:47:19.402
The learning watching people.

00:47:19.402 --> 00:47:28.983
You can almost visibly watch people grow in their knowledge and experience when going through either the traditional or a hackback game.

00:47:28.983 --> 00:47:57.161
We ran an impromptu game at Wild West Hackin' Fest in Deadwood last year and there were a couple of security operations center analysts that were relatively new, I would say, and so they were faced with a situation where, okay, they needed to investigate this thing a little bit and they, like one in particular, would say, well, I'm going to go look at this in my SIEM system, which is, you know, security information and event management system.

00:47:57.161 --> 00:48:03.742
So it's kind of a place that you send all your logs to and there's some, you know, some analytics magic.

00:48:03.742 --> 00:48:07.449
Some analytics magic happens and you find information that's important to your investigation.

00:48:07.449 --> 00:48:19.268
And I think I blew this guy's mind when I said you don't have one of those. Like, this organization you have, that doesn't exist.

00:48:19.268 --> 00:48:53.376
So now what? You're going to adapt.

00:48:53.376 --> 00:48:54.601
And I don't have to tell somebody how to adapt.

00:48:54.621 --> 00:49:13.829
They will naturally go learn and figure it out, and that's one of the things that is amazing about all of this, and it opens pathways that were not open before in people's minds, and thank God it's a simulation, because if it wasn't and I imagine that there must be some kind of a report that comes out of this like you mentioned earlier that there was like you know the company health.

00:49:13.829 --> 00:49:16.543
And what does that look like at the end of the exercise?

00:49:17.815 --> 00:49:22.382
We can talk about the game and some of the rules a little bit here too, just for that background.

00:49:22.382 --> 00:49:29.190
And we've experimented with this, and sometimes we use it and sometimes we don't, but rolling for initiative, so that every player has a turn order.

00:49:29.190 --> 00:49:33.394
Sometimes that works and sometimes that doesn't work that well, depending on the scenario.

00:49:33.394 --> 00:49:43.130
But having a turn order can be important in this structure, just so that if everybody has something to do or wants to do something or say something, that they have the opportunity.

00:49:43.130 --> 00:49:53.199
But the other part of it is okay, well, you want to go do something, now roll the dice, and so the D20 roll.

00:49:53.862 --> 00:49:58.268
We kind of do it as like an easy, medium or hard thing, depending on what it is.

00:49:58.815 --> 00:50:06.342
So, like, you know, easy things, give me greater than a five and you're good, whereas something that's hard, maybe you need 15 plus.

00:50:06.704 --> 00:50:10.702
Your character has certain skills and abilities that modify that a little bit.

00:50:10.702 --> 00:50:19.659
So you may have a plus two in, you know, something highly technical or security or whatnot, and if that's what you're trying to do, okay, there's a modifier to your roll.

00:50:19.659 --> 00:50:44.583
But at the end of the day, I find that this is really good at simulating reality because you roll the dice and, oh, I'm gonna go investigate this log for this particular thing. Like, well, dice say, turns out you weren't logging what you thought you were, which is like Tuesday in incident response. Like, oh well, I thought I was logging. Those assumptions again.

00:50:44.583 --> 00:50:52.331
And why having these things come out in a game is much better than having them come out in a real incident.

00:50:52.331 --> 00:50:58.407
Oh well, okay, we need to start logging these events that we weren't logging before and we didn't know we weren't logging before.

00:50:58.407 --> 00:51:04.588
That randomness is a good representation of reality in a lot of cases.

00:51:04.994 --> 00:51:11.440
That element of chance, I think, is also what keeps it interesting, like the chance that something could go right or could go wrong.

00:51:11.960 --> 00:51:16.398
And sometimes the beauty of that too, is you don't necessarily have to tell them the outcome.

00:51:16.780 --> 00:51:24.898
There can be ambiguity in that too, Like they may know one more piece, but they don't necessarily know if they got the piece they wanted or not.

00:51:25.519 --> 00:51:38.728
Usually, if you're the one rolling the dice, you can probably assume that, you know, something did or did not go right, but you don't always know exactly how the success or failure will play out in relation to what you're trying to do.

00:51:38.728 --> 00:51:42.943
So the way the game is structured is there's three rounds.

00:51:42.943 --> 00:51:54.882
There are things in the scenario that I want the players to identify and succeed at, and there may be six or seven things in each round, and some of them can bleed over between rounds too.

00:51:54.882 --> 00:52:16.958
But what we're really doing is, at the end of the round, we have 10 D6, and we've experimented with numbers here too, and for everything that players find that we wanted them to and succeeded at, we remove one of those at the end of the round. That's rolled against the company health, and that is what comes off of the company health.

00:52:16.958 --> 00:52:22.166
If you're above zero at the end of the game, you're still in business. Oh no.

00:52:22.166 --> 00:52:33.920
And if not, well, okay, everybody needs to go get a new job.

00:52:34.501 --> 00:52:45.659
So you know, not huge consequences in terms of the game, but it is another element that we like, even if the company health is below zero at the end of it.

00:52:45.659 --> 00:52:47.503
That doesn't mean that everybody should be fired.

00:52:47.503 --> 00:52:57.117
It just means that there was some learning and maybe a couple of things that could be done, and maybe some just like luck of the rolls as well, right?

00:52:57.277 --> 00:53:00.280
Yeah, and that comes out in the report too.

00:53:00.280 --> 00:53:18.842
So, really, what we like to do in the report is, and this can be, sometimes it's just a conversation. Somebody doesn't necessarily want a written report, but in a lot of cases they do. But we want to talk about how the game went and, more importantly, what were the takeaways?

00:53:18.842 --> 00:53:20.396
What did we really learn from this?

00:53:21.679 --> 00:53:37.920
It may be something like well, okay, we need to go back and check what we're logging on the systems that we think we are, even if it's just a verification, because maybe we're not actually logging the things that we think we are.

00:53:37.940 --> 00:53:42.148
If we were in a situation where we needed to see which account accessed what data, could we do that?

00:53:42.148 --> 00:53:44.856
Well, we don't know.

00:53:44.856 --> 00:53:45.898
So we need to go investigate that.

00:53:45.898 --> 00:53:46.701
You have things like that.

00:53:46.701 --> 00:53:55.865
Maybe we need to rework our communications plan because we didn't take into account what might happen if some rumor got out.

00:53:55.865 --> 00:54:09.820
Or maybe there was this partner that was actually pretty key that we didn't think about, but in the course of the game, somebody thought about that and said it. Like, okay, well, now let's go make sure that they're baked in properly to the communication plan.

00:54:09.981 --> 00:54:12.967
How much prep is required to set up the scenario?

00:54:13.476 --> 00:54:18.967
It depends a fair bit, but it can often take me eight or 10 hours to properly set everything up.

00:54:18.967 --> 00:54:27.822
What's maybe different than a typical RPG, you know, your D&D-type game, is you get to know your players pretty well and you know your audience there.

00:54:27.822 --> 00:54:36.804
In cases like this, where you don't know your audience, you have to do some research and, you know, LinkedIn-stalk them if nothing else, and see what you can learn about them.

00:54:36.804 --> 00:54:44.670
You know, ask people that might know them about personalities and that kind of helps with characters and roles and what the expectations are.

00:54:44.835 --> 00:54:51.155
One of the things that I read up on about this was the gamification and the Zoomification of the incident response planning.

00:54:51.556 --> 00:55:00.550
I think a lot of this gamification of security incident response tabletops came out of a talk or a set of talks at DEF CON, circa like 2018.

00:55:01.074 --> 00:55:35.347
DEF CON being one of the, like, hacker security conferences that sparked a number of, I guess, those pathways again, where a bunch of people started doing a bunch of different things, and Hackback was one of them. And, you know, I wasn't involved with it then, but when they initially spun this up, it was right before the pandemic hit, and so there were some in-person events, a lot of fun was had, and then, when suddenly everybody was remote, well, Zoom was the only way that this could be conducted, and so it was. And I mean, my introduction to it was during that time.

00:55:35.347 --> 00:55:46.161
So I started from the Zoomified version, and it turns out you can have a lot of fun with it and do similar things without necessarily being in the same room.

00:55:46.161 --> 00:55:52.242
I think there are different dynamics, not necessarily just positives or just negatives.

00:55:52.242 --> 00:55:56.360
It just changes the nature of it a little bit, but it also expands your player base.

00:55:56.782 --> 00:55:58.407
Where do you see things going from here?

00:55:58.755 --> 00:56:09.844
I am hoping that this really expands the way that people think about having fun and learning and having a real professional experience too.

00:56:10.324 --> 00:56:14.086
I think there's a lot of room for that and I think there's a lot of appetite for that.

00:56:14.086 --> 00:56:30.755
I've seen some real energy and excitement about Hackback Gaming and the idea of gamification of some of these things that were traditionally maybe a little bit less fun or higher pressure, and when you're not as pressured, learning happens a little bit better.

00:56:30.755 --> 00:56:32.481
A lot of things happen a little bit better.

00:56:32.481 --> 00:56:37.735
I mean, we have cybersecurity skills gaps and that's been pretty highly publicized.

00:56:37.735 --> 00:56:44.179
So if this can help interest people in cybersecurity that maybe weren't before, that's a win.

00:56:44.179 --> 00:57:19.907
If it can influence business leadership to learn a little bit more. There's hesitation, you know, for paying for a game, when a lot of times companies have no problem dropping $5,000, $10,000, $15,000 on a tabletop exercise. It's like, well, how about you do that, or some portion of that, for a version of that?

00:57:19.907 --> 00:57:30.469
That's just more fun and that gets everybody interested in coming back, and then that keeps shelter over our heads and food on the table while we continue to do this.

00:57:31.335 --> 00:57:32.298
You said a few things there.

00:57:32.298 --> 00:57:50.431
You said cybersecurity skills gaps, and by that I think you were referring to just a gap in general, that there aren't enough people that have those skill sets that are available to fill the roles that are required in order to ensure security for, like across industries, right?

00:57:50.452 --> 00:57:52.543
Yeah, and I think there's a couple of layers to that.

00:57:52.543 --> 00:57:56.565
There's, you know, not enough people that are qualified to fill the roles that are out there.

00:57:56.565 --> 00:58:04.757
So that's one, but I think some of the others are really just that the awareness of cybersecurity needs to expand into other areas.

00:58:04.757 --> 00:58:17.682
And there may be people that are systems administrators and, you know, IT directors, that are perfectly content in that role, but an organization needs to have an awareness of cyber risk, and I mean it's a material business risk and it's something that they can't ignore.

00:58:17.682 --> 00:58:19.184
So I mean let's expand those skills too.

00:58:19.184 --> 00:58:47.465
There's room for the advancement of security awareness in culture at large, and I think that is one of those skills gaps too.

00:58:48.235 --> 00:58:50.844
It doesn't have to be about the deliverable of the end report.

00:58:50.844 --> 00:58:54.865
It can be the deliverable of the experience, right.

00:58:54.865 --> 00:58:59.358
And it's a team building exercise and I think it could be a lot of fun.

00:58:59.699 --> 00:59:10.702
Yep, and I, having been on incident response teams in organizations myself, like, you grow together as you live through real incidents.

00:59:10.702 --> 00:59:16.376
Maybe let's grow together before that, in, you know, a more fun setting, before we have to.

00:59:16.376 --> 00:59:21.501
You know, before we're actually, like, worried about it and doing, you know, check-ins every two hours, including in the middle of the night.

00:59:21.501 --> 00:59:28.277
Build that a little bit more deliberately, instead of having to do so organically in the midst of high-stress chaos.

00:59:28.858 --> 00:59:35.103
You mentioned earlier about how there's a lot of people in IT and in security who may have a background in playing the games.

00:59:35.103 --> 00:59:37.188
So I find that interesting.

00:59:37.188 --> 00:59:46.690
It almost seems like there might be some kind of a correlation or some benefit to having that exposure or transferable skills, at least from one to the other.

00:59:47.090 --> 01:00:00.248
It might not seem like a straight line to make that correlation, yeah, but I think it is there, and I've seen that too, in that the people who have that experience, at least some of that experience, translate better into this game.

01:00:00.248 --> 01:00:06.307
But that same sort of personality can also do well in a traditional tabletop exercise setting too.

01:00:06.307 --> 01:00:11.342
It helps you think outside the box a little bit and expand.

01:00:11.342 --> 01:00:13.527
I mean open new pathways, for example.

01:00:13.527 --> 01:00:23.706
I mean that may not be available otherwise, and the more that that can imprint on people who've maybe not had that experience, the more those pathways that open.

01:00:24.255 --> 01:00:42.007
Some people may not realize the gifts or the strengths that they have, and they might be really great thinkers or outside-of-the-box thinkers, and maybe the only place they're really expressing that is in games, and not recognizing that there's so much value in being creative and having that ability to think differently.

01:00:42.007 --> 01:00:49.726
Because if everyone is thinking the same and you're the one person that's thinking something different, that thing that you're thinking might be the thing everybody needs.

01:00:50.335 --> 01:00:57.155
Well, and I love using this example, but you've got your castle and you've built the walls, and then somebody comes in and drone-strikes you.

01:00:57.155 --> 01:01:04.960
Well, that is one of those things, and, you know, so.

01:01:04.960 --> 01:01:15.047
Kip, the CEO of Cyber Risk Opportunities, wrote a book called Fire Doesn't Innovate, and the idea of that is fire doesn't innovate, but cyber attackers do.

01:01:15.047 --> 01:01:25.967
That's why you get drone strikes on your castle: because you weren't thinking about that in that context, you weren't thinking about the possibility of being attacked in a completely different way.

01:01:25.967 --> 01:01:38.760
I mean, we need more thinking like that, that is, preparing for the things that maybe seem outlandish now, but they might not in a few years: quantum computing and artificial intelligence and attacks based on those things.

01:01:42.005 --> 01:01:52.429
We're not ready for those and we need more people thinking about those things and helping us get ready for those and the things that we don't see coming yet.

01:01:52.449 --> 01:01:53.554
I'm hearing, like, six years, thereabouts.

01:01:53.775 --> 01:01:53.996
Yeah.

01:01:54.597 --> 01:02:23.045
Yeah, and I think a lot of people won't even know what that means, but solving very complex problems in very little time that traditional computing can't solve, like with, I don't know, 50 years, a hundred years. Yeah, exactly. And I mean, in security, we're still wrestling with some of the same issues we have for 10, 15, 20 years in some cases, where, you know, clicking on a bad link still leads to a data breach, and it's like, well, how have we not solved this problem yet?

01:02:23.045 --> 01:02:25.083
Well, because it's a complex problem.

01:02:25.083 --> 01:02:27.302
It's a lot harder than we think.

01:02:27.302 --> 01:02:33.311
So now, if we have a whole different paradigm in another six years, what are we going to do with that?

01:02:35.038 --> 01:02:37.405
I don't know, but I'd like to hear what your suggestions are.

01:02:38.856 --> 01:02:41.403
We need more thinkers that think differently.

01:02:43.570 --> 01:02:47.885
So this is a call to the role-playing game community to start thinking about getting into cyber, I think.

01:02:49.476 --> 01:03:10.380
Explore different things, and I mean there's cybersecurity and there's privacy and there's so many different pathways that those things can go down, and maybe it's just doing things a little bit differently in your own life that you hadn't thought about before and that you translate into your work life too.

01:03:10.380 --> 01:03:17.824
I mean, one of the simple examples I like to use is separating your work digital life from your personal digital life.

01:03:17.824 --> 01:03:23.485
So I mean, don't use your work email for personal things and don't use your personal email for work things.

01:03:23.485 --> 01:03:36.902
And just having some awareness like that, that, you know, if something happens on one side of those, it doesn't bleed into the other. It's limiting the blast radius and, you know, some cyber hygiene.

01:03:37.543 --> 01:03:40.528
And I love and hate that term, both.

01:03:40.528 --> 01:03:42.177
You know, here we are.

01:03:42.177 --> 01:03:49.150
It's some of the good habits, and some of the not-good habits that we can eliminate, that go a long way.

01:03:49.150 --> 01:04:03.969
A lot of cyber attacks happen because of some of the foundational things that weren't practiced well, and that can be as simple as, you know, updating your systems, patching your systems on a quick and regular basis.

01:04:03.969 --> 01:04:14.840
You know, just like you have a set of characters that can grow over the course of years, so too can you, and you know the things that you know right now.

01:04:14.840 --> 01:04:22.431
If you went and ran a Hackback game yourselves, or, you know, even with us, the things you know right now will grow.

01:04:22.431 --> 01:04:33.126
And after you've run it, then there's a whole other next level, and then there's a level after that, and it's training and iterations of it, and, you know, in the experience.

01:04:33.726 --> 01:04:41.597
So do you have, like, a feedback loop then, like with putting the information out there on the GitHub?

01:04:41.597 --> 01:04:44.001
Does this include some kind of, like?

01:04:44.001 --> 01:04:48.900
Is there feedback from the community, and where this is going, where people are taking it?

01:04:49.463 --> 01:05:01.038
We are in our infancy of that, I would say, but we have started a Discord server, and I'll get information for that if people are interested in joining that too.

01:05:01.038 --> 01:05:18.947
Ultimately, we want to start building a community around this and letting the community use their brain power and motivation and drive to take things in, to advance things, and maybe in directions that we didn't see.

01:05:20.577 --> 01:05:34.166
I think that's pretty exciting, and I think with the role-playing game community there's going to be, like you said, there'll be some great overlap between people who play games, people who understand cyber, people who would be able to look at this and say, hey, yeah, I could do something with this.

01:05:34.166 --> 01:05:36.262
I could take it broader.

01:05:36.262 --> 01:05:47.019
I could bring this to the city or the hospital or whatever group it is that has experienced an attack and or is afraid that they're next.

01:05:47.623 --> 01:05:49.088
Yeah, exactly. So.

01:05:49.088 --> 01:05:54.985
I mean we've used it as security incident response, but I mean this could be, you know, attacks and penetration testing.

01:05:54.985 --> 01:05:57.418
It could be, you know, just crisis communications.

01:05:57.418 --> 01:05:58.681
It could be disaster recovery.

01:05:58.681 --> 01:06:05.117
You know, I think the applications for it are much broader than we've been using it so far.

01:06:05.597 --> 01:06:09.043
So, yeah, that's cool.

01:06:09.043 --> 01:06:12.838
Is there anywhere or any way to see it in action?

01:06:12.838 --> 01:06:21.456
Like, I realize companies are paying for this and that would be private information, but is there, like, sort of a sample scenario or something that can be watched on YouTube or something like that?

01:06:21.677 --> 01:06:45.351
That is our hope and one of the other things that we intend to do (and, granted, I've been restricted by the amount of time I've had available), but what we want to do is run a semi-regular game, monthly maybe, where people can join and see, and I think we have the interest there.

01:06:45.351 --> 01:07:00.005
Now it's just a matter of doing the coordination and blocking off time on my calendar for one to make it happen, because I think that would be very interesting for a lot of people to see this, to hopefully even get to play.

01:07:00.005 --> 01:07:04.237
We've got, I think, to start this out.

01:07:04.237 --> 01:07:17.588
I've got to have people that know a little bit about Hackback and get started that way, but then once somebody's watched a game, maybe they're ready to play.

01:07:17.628 --> 01:07:20.250
How I'd have to do it on a regular basis.

01:07:20.250 --> 01:07:23.733
But, you know, I think there's.

01:07:23.733 --> 01:07:34.744
I want to bring more people in ultimately, and I think that's a good way to do it.

01:07:34.744 --> 01:07:39.139
So I think, watching the website, I think, you know, I probably need to start a newsletter for it too.

01:07:39.139 --> 01:07:44.275
And then, you know, advertise in our Discord channel and get more people involved in our Discord channel.

01:07:45.336 --> 01:08:02.684
So it's a really wonderful thing to make the tool set available and then grow this, create the community and have that expertise available through Hackback Gaming for the companies and the industries that want to get serious about actually running the exercise.

01:08:02.684 --> 01:08:03.686
I think that's wonderful.

01:08:04.208 --> 01:08:06.617
Yeah, that's the hope I mean.

01:08:06.617 --> 01:08:14.846
Cybersecurity has crossed over into literal life safety at this point: hospitals and critical systems that we use, manufacturing.

01:08:14.846 --> 01:08:25.740
If you disrupt those in the right way at the right time, people's lives are on the line, and I wish that were not the case, but that is the world that we live in these days.

01:08:27.305 --> 01:08:32.064
Yeah, and is there anything else that we haven't touched on that you'd like to bring up before we close?

01:08:33.640 --> 01:08:43.663
If there's any interest in doing this yourselves, or you just want to know more, feel free to reach out to me and I'm happy to connect and see what kind of trouble we can cause together.

01:08:45.055 --> 01:08:50.764
You've got a lovely website, hackbackgaming.com, and, yeah, I'm excited to see where this is going to go.

01:08:51.114 --> 01:08:52.681
Yeah, looking forward to it too.

01:08:54.457 --> 01:08:56.713
Yeah, all right, thanks so much.

01:08:56.734 --> 01:08:58.060
Glen, thank you. Been a pleasure.

01:09:01.496 --> 01:09:04.663
This concludes episode 10 of the A Role to Play podcast.

01:09:04.663 --> 01:09:08.560
Be sure to head over to hackbackgaming.com for more information.

01:09:08.560 --> 01:09:13.538
Fill out the contact form there or connect with Glen Sorensen on LinkedIn.

01:09:13.538 --> 01:09:17.265
A Role to Play is an Untamed Dandelion production.

01:09:17.265 --> 01:09:18.769
Thanks for listening.

01:09:18.769 --> 01:09:20.238
Until next time.

01:09:20.238 --> 01:09:22.985
Make a wish, dream it true.