Whodunnit: Unforgettable IRP Training with AI

Let us all just admit it upfront, no one (not even security pros) likes security trainings. I would contend though that we are approaching them wrong. Why should an incident response training feel like just going through the motions to make an auditor happy? Why can't we have fun with it? In this article, we will walk through what it takes to make an IRP training that engages your participants to a point where they will eagerly anticipate next year's training.

To make all this easier, we will of course be using ChatGPT to do the tedious work of filling in details. The hardest part I always found in creating trainings was just filling in the details in a way that logically (and chronologically) made sense. ChatGPT excels at generating content in 30 seconds that used to take me days to write.

If you are unsure about what kind of training scenario to go with, I suggest choosing one that involves an insider threat. The best trainings I had were treated like a murder mystery dinner. I would look over the participant list and pick someone to be the culprit. They would get to play along and try to convince everyone that it isn't them. It only gets better if the other participants don't know at first that they are dealing with an insider. And don't limit yourself to a single culprit; you can combine people to make an even better scenario. For example, an infrastructure engineer could work with someone in finance to change the code and cook the books to siphon off money.

Make a Scene

Before we get started creating a plausible scenario, we need to feed into ChatGPT relevant information about our organization. Creating a plausible threat scenario will be much more engaging for your audience than a generic one that could apply to any company. Look back at the previous articles for an example of setting up a company description in a chat thread. This time we will also feed into it an asset inventory of our infrastructure. If you don't feel comfortable doing that, ask ChatGPT in another thread to create an asset inventory for all AWS resources a company like yours would use.

Using sample output from all AWS resource inventory tools, create a sample complete asset inventory for a mid-sized company focused on e-commerce. The format should be in a spreadsheet that can be easily read by chatgpt. The asset inventory should indicate which assets are connected directly to the others over the network. Include at least 50 assets. Put all assets into a single spreadsheet.

That should give you a nice spreadsheet you can plug into our working thread. If it doesn't generate all of the resources you think are necessary, follow up asking it to add more resources.

Now that we have given it enough information to work with, let's have ChatGPT give us a menu of options:

Based off that asset inventory, come up with twelve incident response tabletop exercises. Give me a one paragraph introduction to each of those scenarios. The scenarios should require the participation of non-technical roles like compliance and finance and others to resolve the proposed scenario.

Look over the proposed scenarios and see which one looks the best. If none of them look great, you can either regenerate or ask it to combine the scenarios. In my case, one scenario was about an insider threat (always a fun scenario) and another was about compromised code deployments. Those two could go hand-in-hand, so ask it to combine them.

Combine scenarios 6 and 8. Expand on them to include a 4 paragraph summary of the scenario.

Now we can start expanding the scenario to include everything that makes for a great IRP training. Check to make sure that the scenario template includes all the departments you have on your incident response team. If it doesn't, ask it to add those or explain how they can be integrated into the existing scenario.

How would the HR, legal, PR, and customer service departments play a role in this scenario?

Play out the scenario in your head. Does it play to your teammates' strengths or their weaknesses? In the case of an incident training, you will definitely want to target their weakest skills so they know where they can learn and grow. It will also inject a bit of challenging fun into the training. Who would want to play a game where they will always win?

Your Ingredient List

The best way to get detailed results from ChatGPT is to tell it exactly what you want. In this case, we will need to tell it what we want in an IRP training scenario. Rather than spend our time writing out exactly what we want, let's use ChatGPT to get the ball rolling:

I need to write up a comprehensive incident response tabletop scenario for my company. Do not write the actual scenario. Give me an outline and template for what would make a good scenario that would involve multiple departments and plenty of opportunity for role playing within the scenario.

For me, that returned a surprisingly comprehensive template. I would suggest looking it over and seeing if there is anything to add that would tailor the training to your company.

Key elements that you should make sure are included in your template are:

  • The scenario overview - use this as an introduction for the participants. Going back to our murder mystery theme, think of this as the setup your host would provide for all players before the game begins. It will be up to the participants to take it from there.
  • The trigger event - what set off this particular investigation? I've always found it good to start off with an email to one of the participants from an outside person who noticed something odd. Other options include starting with something found in the logs.
  • A list of all participants and observers - in the real world, not every one of your coworkers is going to be around for an incident. Some might be sick or on vacation. Your training should reflect that. Nominate a handful of people to be observers only. They can still learn from the exercise but cannot participate.
  • Injects - as the host of this game, be prepared to throw in new information like new emails or suspicious logs throughout the investigation. Include ones that further the plot, but also include a few red herrings. Your team should be prepared to discern what is and is not useful during an investigation.
  • The scope of the investigation - this may feel a bit like cheating, but detail what systems or departments won't be involved in this scenario. Giving your audience too wide a latitude can lead to frustration and an incident that never gets resolved.
  • Insider threats - if you are going with this type of scenario, you will want to pick out who your culprits are ahead of time and brief them. They should know all of the details of the incident and the motivations for their characters.

Now that we have a template, we can ask ChatGPT to build our scenario. Upload that to the original working thread and give it this message:

Use the attached file as a template and a guide. Create a comprehensive incident response tabletop training scenario based off the selected scenario.

That will give you a decent scenario to run with but be sure to ask follow-up questions to make sure it includes all the critical elements you want in your training. In my case, I had to remind it to include injects and sample emails from the outside. You can also feed it a list of participants and their titles to assign roles ahead of time.

Playtime

Before the day of your training, find a few test subjects for a dry run of the scenario. It will be impossible to see if the scenario is workable until you really try it. Figure out what information you are giving to whom and when. That will be critical to make sure there is no interruption in the flow of the game. You should also check to see that the play is spread out evenly amongst all departments. If anyone is ignored, they will tune out the training and gain nothing from it.

As you get closer to the training day, you will need to don your carnival barker outfit and get people excited about the training. Let's use ChatGPT to come up with a draft announcement email.

Write up a short, two paragraph email to all participants to prepare them for the incident. This email will be sent the day before the training. They should get a sense of what to expect, get an intro to the scenario, and feel excited to join the training. Include a teaser about the scenario they are going to investigate. The opening line of the email should leave them eager to participate. Use bold and italics as necessary.

Now your team is primed and ready for an exciting training.

A critical piece to get right during the incident response training is to be ready to answer questions that come up about the scenario itself. For example, the first inject in my scenario is this:

Inject 1 - 9:30 AM: During the HR investigation, it is discovered that the insider had access to not only Lambda functions but also several customer databases. HR needs to expand the scope of the investigation, and legal must determine if additional data breach notifications are required.

Rather than try to come up with an answer on your own, use ChatGPT:

For inject 1, what other customer databases were accessed? Include the implication of the access for each and include any additional actions required.

And now you have a list of databases that were accessed, what the implications are (keep this to yourself to let the team figure it out), and any additional actions required.
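Before handing the team that list, it is worth checking that the databases ChatGPT names are actually reachable from the insider's access in the asset inventory you fed it earlier (the inventory prompt asked for exactly that connectivity information). The Python below is an added example, not part of the original article: it loads a constructed inventory in a simple CSV shape (asset id, type, and a semicolon-separated list of directly connected assets, all assumed), walks the direct network connections from the insider's Lambda access, and flags any claimed database the inventory cannot reach, so the inject stays consistent with the scenario's own infrastructure.

```python
"""Consistency check for a tabletop inject against the asset inventory.
Added example; the CSV layout, column names and asset IDs are assumed
and constructed for illustration, not taken from a real environment."""
import csv
import io
from collections import deque

# Constructed sample inventory in the assumed three-column shape.
INVENTORY_CSV = """\
asset_id,asset_type,connected_to
lambda-order-processor,Lambda,rds-orders;dynamodb-sessions
rds-orders,RDS,s3-order-exports
dynamodb-sessions,DynamoDB,
s3-order-exports,S3,
rds-customers,RDS,
sqs-billing,SQS,lambda-billing
lambda-billing,Lambda,rds-customers
"""


def load_inventory(text):
    """Parse the CSV into {asset_id: (asset_type, [direct neighbours])}."""
    graph = {}
    for row in csv.DictReader(io.StringIO(text)):
        neighbours = [n for n in row["connected_to"].split(";") if n]
        graph[row["asset_id"]] = (row["asset_type"], neighbours)
    return graph


def reachable_from(graph, start):
    """Breadth-first walk over direct network connections from one asset."""
    seen, queue = {start}, deque([start])
    while queue:
        # Assets referenced but not listed as rows have no outgoing edges.
        for nxt in graph.get(queue.popleft(), ("", []))[1]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def check_inject(graph, entry_point, claimed):
    """Split the assets an inject claims were accessed into those the
    inventory can reach from the entry point and those it cannot."""
    reach = reachable_from(graph, entry_point)
    return (sorted(a for a in claimed if a in reach),
            sorted(a for a in claimed if a not in reach))
```

Anything landing in the second list is either a gap in the inventory or a detail ChatGPT invented; fix one or the other before the inject goes out.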

The Game Doesn't End There

So you've all found the culprit and think the fun is over? Not at all. Like any real incident, this is a chance to conduct a post-mortem and review any opportunities for improvement. It is critical that you either conduct this review immediately after the exercise or within a day. You don't want your participants to lose the firefighting mindset that they developed mid-game. A big hurdle I've seen in past trainings is getting the discussion going. How do you know what to discuss? How do you effectively ask questions of each team involved to get input to improve their specific actions? This is where ChatGPT can be a game-changer. Imagine having a tool that helps you generate insightful questions tailored to your incident scenario.

Each department involved is conducting a post-mortem of the incident. Create a list of five questions for each department that will prompt a discussion about the results of this particular incident scenario.

Don't hand these questions out without reminding everyone that these are only ice-breakers to get conversations going. If any of the participants have other points to discuss, run with it. Depending on the size of your audience, you may need to have each team break off to do their own post-mortem. If that happens, make sure that you bring everyone back together in the end to discuss key points. And yes, you can feed everyone's notes into ChatGPT to get a summary to make it easier for folks to follow along.

The Fun Never Ends

Together, we can dispel the myth that security trainings are inherently boring. Security professionals all know that the firefighting mentality of incident response is one of the most fun aspects of the role, and it would be a disservice to your organization not to share that sense of fun and excitement with everyone. Embrace the latest in AI technologies to make it happen and make it immersive. I can guarantee that you will lead a training no one will ever forget.

All of this only scratches the surface of what is possible in IRP training backed by AI. There are so many more avenues to explore, including smaller and more frequent trainings focused on particular departments. You can also feed in post-mortem notes from past incidents to create trainings based off past experiences and confirm that your team took those lessons to heart. I also look forward to the details of data breaches in SEC 8-K filings; those will make for fantastic IRP training fodder.

Play on!

More articles by Sean Todd