Dungeons, Dragons, and Data Security

Security is a solved problem. We broadly know the things we need to do. We've seen what technology works and what doesn't (spoiler alert: it's not a Three Letter Acronym piece of tech from a vendor flaunting "military-grade crypto" and "next-gen machine learning"). We've also seen the processes that work in surfacing the outliers and indicators of note, and we know how to handle them when they do arise.

What we've yet to nail is the people aspect. Where we as an industry are really falling down is in how to get the business to buy in to what we deem it necessary to do. Aligning the goals of the business with the goals of the security team, and having everyone bought in, is the part that's hard. As an industry, we spend so much time arguing whether security is a "people problem" or a "people solution" - whatever your perspective, the only way to actually get on with fixing it is by focusing in on your people.

Those were my main thoughts as our InfoSec team away day approached. And any problem, solved or not, is just another problem you've already solved but in a different shape. By that I mean, when you're faced with a difficult situation and you're unsure how to proceed, think about other similar problems you've already learned how to solve in other areas of your life, and apply those learnings to this situation.

Being the massive nerd that I've grown to be, as well as a millennial leader with a team of millennials and gen Zs; of course I looked to gaming!

I've always been a huge fan of strategy games since being a kid. What started as an obsession with "catching them all" on my Game Boy Color in the 90s grew into a penchant for obscure JRPGs as a teenager, and on to being a Machiavellian yet fair Dungeon Master as an adult.

One thing I learned is that in these games, when you come to a point where you feel like you're stuck, and you need to level up to progress to the next area, what you need to do is grind!


grinding
/ˈɡraɪndɪŋ/:
the playing time spent doing repetitive tasks within a game to unlock a particular game item or to build the experience needed to progress smoothly through the game


The term "grinding" (before it was hijacked by business bros and insufferable thought leaders) originally came from gaming. Grinding is the process of taking time away from what it is you're supposed to be doing, to repeatedly do a set of specific, more menial tasks to build up a particular kind of experience you think you'll need before going back to get on with your quest. And what is a team away day if not an opportunity to deviate from the main storyline for a moment to build the skills necessary to smash your goals!

The remaining questions then become:

  1. What are the skills we as a team should be grinding?
  2. What are the activities that we can design that will help develop these skills?


Choosing which 1337 SKILLZ to grind


For anyone unfamiliar with DnD, the basic premise is that through selection of character traits and equipment, you can develop expertise in predefined skill areas, which will in turn make certain kinds of actions more or less likely to succeed when a number of dice are rolled to inject randomness.

For example, a character with high Acrobatics skill gets an ability modifier that makes actions such as jumping across a dangerous cavern more likely to succeed, or reduces the damage taken from a fall.

Sound familiar? It should do, because that's literally just risk management, only fun. In its simplest form, both DnD and risk management are about trying to ensure a positive outcome by predicting likelihood and impact.

As someone who knows their way around a skill tree, there were three particular stats from Dungeons and Dragons that immediately jumped out as super important people skills needed by an infosec team to be successful.

  • Wisdom (WIS) is knowing about the world around you as well as how perceptive you are. It determines what you naturally notice.
  • Intelligence (INT) is how smart you are. It's that simple really – Intelligence is usually academic intelligence – so how much you know about things.
  • Charisma (CHA) is how good you are with people. It is how good you are at persuading people you are a good guy, or how well you get on with NPCs.


To revisit my first point, the hardest part of security is the application of the technology and process to the people of the org. So now that we've selected the people-centric skills we want to grind, it's time to come up with the activities we can build to develop the team's Wisdom, Intelligence, and Charisma.


Team Activity 1

Wisdom (WIS) Grinding



This activity involves having the team sit in a circle and asking everyone to put their wallet/purse/handbag on the table, without explaining or giving anything away. You then ask the group to pass their wallet to the person on their right. You then tell the group that the activity is to organise the wallet they've been given in a more efficient manner than it already is.

The key here is to not actually let anyone get to the point of going into the other person's wallet, but instead to pay close attention to each person's reaction to being told this.

The purpose of this exercise is to get the team to examine and discuss how they feel about:

  1. having someone go through their wallet.
  2. having someone believe they can organise their possessions.
  3. having to invade their colleague's privacy by going through their wallet.
  4. having to do something they may or may not agree with emotionally or morally.


The Player's Handbook defines Wisdom (WIS) as "knowing about the world around you as well as how perceptive you are. It determines what you naturally notice." As security professionals, a huge part of our job is to tell people how to do their jobs ""better"" than they're currently doing them. That phrasing was purposefully incendiary, because that's often how we're perceived by the business users who are subject to the policy, procedural, and technical controls we implement, which can feel like the digital equivalent of rummaging through someone's wallet.

By taking a moment to examine how we feel individually when it's done to us, and to the colleagues we are close to and spend each day with, we can begin to develop the key emotional intelligence skills that will allow us to be more cognisant of what we ask of the users we're here to protect.

I'm a firm believer that each and every security exception exists because there is a user whose needs we have not met. By training our ability to perceive our own and each other's emotional reactions to being told something potentially jarring, we can more reliably predict what level of compliance an organisation will have with a given control being implemented, and ultimately design better ones.


Team Activity 2

Charisma (CHA) Grinding



Now that we'd developed our ability to scrutinise our own actions and thought processes, by perceiving how other people feel when they are told what to do, the next most important skill we looked at was persuasion: how would we go about persuading a hypothetical person of the importance of a control when we're confident it's the correct course of action?

For this activity the team sat in a circle and were told that each of us would be given a one-minute window of time. Just before it starts you're given the name of an animal, and your objective is to use that minute to convince the rest of us why that's the best animal in the world. Meanwhile the other team members point out the bad aspects and counter the argument.

The objective of this exercise is to examine, as a team, each individual's ability to deliver an off-the-cuff persuasive argument for a random and objectively awful thing (it doesn't have to be animals; a great personal alternative could be picking things you know each individual hates!).

Some of the key persuasion techniques we learned from each other by examining how we each argued for the animals we were assigned:

  • Stick to the facts, and nothing but the facts - sharks actually don't kill that many humans per year if we look at the data.
  • Think outside the individual's frame of reference - humans (arguably the objectively worst animal from the exercise) may seem beyond redemption given the state of the world right now. But if you widen your perspective to the centuries before your current frame of reference, there's the entire wealth of human history, art, technology and science to pull arguments from as to why they're great.
  • Link the importance of the individual's thing to a higher purpose and goal - mosquitoes, whilst unpleasant, are actually a key part of any ecology, and if we got rid of them other animals higher in the food chain would be at risk.
  • If all else fails, make the other thing seem worse? - It's fair to say wasps are universally hated; so if all else fails - just sh*t talk bees for a minute and people won't think about the


As a security professional, I don't think a single day of my career has passed where I haven't had to, to some degree, convince another person of something. Having built infosec programmes at a number of start-up/scale-up organisations, this is a super common challenge and often comes in the shape of the objection: "but we've always done it this way!".

The key parts of this activity are that it's a short one-minute window and that you only find out the animal you've been assigned the second before it starts. It can be nerve-wracking to do this off the cuff, which is why we warm the team up with the previous exercise, but it's also part of the challenge. Working in security, we don't often get to prepare. I'm sure we've all had those conversations that start with "can I borrow you quickly for your thoughts on x?" (which oftentimes results in thoughts that are unpopular, and in having to use persuasiveness).

Developing your ability to identify and convey a persuasive argument off the cuff bolsters your ability to get the organisation on your side, and more importantly on the side of good security.

Team Activity 3

Intelligence (INT) Grinding



Our final activity of the day was to begin to build out our Intelligence stats.

Intelligence comes from experience: the more you experience, the more you know. Intelligence is more than book-smarts and passing certifications. It's being there when things fail so you know what not to do next time. Life's biggest winners are yesterday's biggest losers who have reclaimed the failure narrative, taken the learnings of today's failure and made themselves smarter tomorrow.

Brené Brown said it 100x better than I ever could and I strongly recommend her talk on the power of vulnerability for those that haven't watched it.

“If you are brave with your life and you choose to live in the arena, you’re going to get your ass kicked. You are going to fall, you are going to fail, you are going to know heartbreak. It’s a choice. It’s a choice I make every day.”
– Brené Brown

As a leader in security, it is my responsibility to provide a safe environment where failing is accepted and even encouraged. The best security teams are the ones that have experienced it all. You only have to live through a single major incident to know that you never want to go through one again, and you will do everything in your power to prevent it happening again. So our third and final activity for the day was a Dungeons and Dragons themed tabletop incident response exercise.

Aside from being one of the greatest positive factors in reducing the cost of a data breach (see the image below from IBM's 2019 Cost of a Data Breach Report), incident response exercises provide a perfect opportunity to fail and subsequently learn, without having to face the potentially catastrophic effects of failing during a real incident.


(A big shoutout to the team at Black Hills Information Security for coming up with the idea!)

The way we run the activity is as such:

  • One team member (myself in this instance) plays the role of the Incident Manager/Dungeon Master and conceives beforehand an end-to-end incident timeline that's relevant to their org's estate and structure, potentially highlighting known areas of concern.
  • The team are then given an inject along the lines of "it's 9am on a Monday and the following screenshot is shared in the help channel".
  • The team then talks through their actions: they describe an action, and the Incident Manager describes its effect.
  • For actions where there is a possibility of a number of different outcomes, the Incident Manager can request that a 20-sided dice (a d20) be rolled and the outcome used to say whether the action was successful or not. A score of 11 or more is a successful action; a 10 or below is unsuccessful.
  • The team can add +5 to their score if the action they describe exists as a documented policy within the org. They gain a +2 to their score if they are trained to do that action. Further modifications can be made here at the IM's discretion. For example, +5 if that person has done that exact thing before, +3 if it's a particular coding language they use frequently, etc.

An example of what this looks like in practice is:


Team Member 1: "I identify the infected server and unplug the ethernet cable"

Incident Manager: "Roll a d20 to see if that's successful"

***Team Member 1 rolls a d20 and the result is a 3***

Incident Manager: "The server rack was incorrectly labelled by the support team and you accidentally unplug the only working domain controller"


The example above (which was a real example of something that happened in our team away day exercise, much to the frustration of the team) then becomes something the team has to factor into the situation as they continue to deal with the event.
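As an added example (not code from the original post, and not something our team used on the day), the following Python script encodes the d20 resolution rules above so the Incident Manager can record every roll, the modifiers granted and the outcome for the after-action review. The modifier names beyond the two fixed ones, and the sample actions, are constructed assumptions.

```python
import random
from dataclasses import dataclass

SUCCESS_THRESHOLD = 11  # a modified score of 11 or more succeeds

# The post's fixed modifiers plus two discretionary ones the IM may grant
# (the names "done_before" and "familiar_tooling" are assumptions).
MODIFIERS = {
    "documented_policy": 5,
    "trained": 2,
    "done_before": 5,
    "familiar_tooling": 3,
}


@dataclass
class ActionResult:
    action: str
    roll: int
    modifiers: dict
    total: int
    success: bool


def resolve_action(action: str, roll: int, **granted: bool) -> ActionResult:
    """Apply the granted modifiers to a natural d20 roll and decide success."""
    if not 1 <= roll <= 20:
        raise ValueError("a d20 roll must be between 1 and 20")
    unknown = set(granted) - set(MODIFIERS)
    if unknown:
        raise ValueError(f"unknown modifier(s): {sorted(unknown)}")
    applied = {name: MODIFIERS[name] for name, given in granted.items() if given}
    total = roll + sum(applied.values())
    return ActionResult(action, roll, applied, total, total >= SUCCESS_THRESHOLD)


def run_exercise(actions, seed=None):
    """Roll for each (action, granted modifiers) pair; return the after-action log."""
    rng = random.Random(seed)  # a seed makes the session replayable in the debrief
    return [resolve_action(a, rng.randint(1, 20), **granted) for a, granted in actions]


if __name__ == "__main__":
    # Constructed sample actions, not from the post's actual exercise.
    sample = [
        ("Identify the infected server and unplug the ethernet cable", {}),
        ("Isolate the host following the containment runbook",
         {"documented_policy": True, "trained": True}),
    ]
    for r in run_exercise(sample, seed=7):
        bonus = sum(r.modifiers.values())
        print(f"{'OK  ' if r.success else 'FAIL'} d20={r.roll:2d} +{bonus:<2d} = {r.total:2d}  {r.action}")
```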

Unplugging the wrong server may seem like a silly and pointless complication designed to annoy the team, but it's an important step in being able to holistically examine your end-to-end incident response and disaster recovery processes, and validating the failure modes of your controls and resilience efforts is of significant value. These convergences of black swan events are important to consider, and anyone who's had the unenviable pleasure of working in DFIR can agree that these things do happen.

Other injects we used on our away day as examples:

  • "The CEO comes and takes <insert most senior team member> into a board meeting for 2 hours to explain the incident to the legal team". This is a great way to temporarily silence the seniors and see how the more junior members handle the challenge (as well as being a common and frustrating thing that happens during a real incident).
  • "You receive a message from the marketing manager that a public ransom note has been posted by an unknown group, with a link to pastebin with what they claim to be a dump of your users' plaintext usernames and passwords". This was a great way to see how the team think about the less common, but more complex, later stages of an incident where they may have to interact with functions like PR, legal, execs etc.


Wearing a dungeon master cape is optional, but strongly advised (good luck getting that expense past finance).

And of course, just like real incidents, all incident response exercises have to end with capturing and actioning what you've learned along the way, because the only times you ever really fail are the times you don't learn from what's happened.

Takeaways

Hopefully this blog about some of the things we've tried, enjoyed, and found value in has helped in some way or other. But whatever you take away from this, whether it's the team building exercises themselves or the concept of looking to other areas of your life to pull experience from, it doesn't really matter. The most important thing you and your team can do begins with taking a moment to stop and look candidly at your own personal and organisational stats. Because to be the very best, like no-one ever was, the only way to get there is to gather a strong and capable team around you, and be brave enough to get out there into the tall grass.
