Building Scenarios in Backdoors and Breaches: Tips From the Trenches


For those of you in a blue team within your organization, you have no doubt heard of the Incident Response card game by Black Hills Information Security called Backdoors and Breaches. Backdoors and Breaches is a tabletop card game designed to help players understand and practice incident response and cybersecurity tactics. The game simulates real-world cyber attack scenarios, allowing players to experience the challenges of defending against threats in a controlled environment.

Participants of Backdoors and Breaches assume roles within an organization’s incident response team, facing various types of cyber attacks, such as phishing, malware, and insider threats. The game uses a deck of cards that represent different elements of a cyber incident, including attack vectors, defenses, and procedures. Through gameplay, participants must identify, respond to, and mitigate these attacks, enhancing their knowledge and skills in cybersecurity.[1]

While I have found plenty of resources on the Internet about how to play Backdoors and Breaches, I find very little on tips and techniques specifically aimed at the Dungeon Master / Scenario Builder. The purpose of this blog post is to generate a dialog surrounding best practices, tips, and techniques for maximizing the gameplay experience for the participants. Here are my top 5 tips for building a compelling storyline and scenario in Backdoors and Breaches.

Tip 1: Select an overall theme for your attack scenario. For example, will you center your scenario on corporate espionage, a ransomware attack, or an insider threat? At the start of the scenario-building exercise, decide on the type of threat your game will cover. In my current organization, we rotate the theme to address as much coverage as we can possibly cover throughout the year. We hold structured tabletops on a monthly basis, giving us twelve potential themes per year.

Tip 2: Always use the Custom Scenario Builder. Black Hills Information Security makes it very easy to quickly jump into a game. At the outset of each game, the four scenario elements (Initial Compromise, Pivot and Escalate, C2 and Exfil, and Persistence) are randomly generated, along with the Established and Other Procedures. This allows the Dungeon Master / Scenario Builder to quickly weave a story from the dealt cards. While noble in theory, my experience has been that it can be challenging to narrate from the position of surprise and pressure. Therefore, save yourself some headache, and invest some prework time in building a custom scenario.

Tip 3: Weave your own controls and opportunities into the story. I have found that the more realistic the scenario, the better the gameplay is, and the more the participants learn. If you are in a Splunk shop, drill into the procedures and challenge your team’s knowledge of Splunk and its operations. Furthermore, tailor scenarios to match the skill levels and interests of the participants. Beginners may need more guidance and simpler scenarios, while experienced players may enjoy complex challenges. Conversely, you may want to detach completely from reality and invent exotic parameters, actors, and situations just to make things more interesting.

Tip 4: Bring all participants along. Participants will undoubtedly have different experiences and comfort levels in speaking up. Take this as an opportunity to have folks step outside of their comfort zone! Rotate the roles so that everyone is in the seat. Foster teamwork and communication by encouraging participants to share information, collaborate on solutions, and discuss their strategies and thought processes openly and without fear of ridicule.

Tip 5: Be Flexible. You have done your homework in preparation for your game, and now it is time to showcase your creative abilities in facilitating a journey through a cyber attack scenario. You have your scenario built. Your storyline is tight. The challenge is appropriately scoped for the participants. You get 10 minutes into the game, and a participant asks a question that completely threatens your Pulitzer-worthy story. A good DM rolls with the punches throughout the game. The game is not about the DM; it is about the participants and their ability to learn and have fun. So be ready for anything: an inject card roll, the participants’ engagement levels, etc.

Call To Action

With the popularity and expansion of the Backdoors and Breaches tabletop card game growing on a regular basis, I am seeing plenty of information on the Internet regarding how to play the game as a participant; however, very little information exists on how to be a good Dungeon Master in the game. I would be curious to know what tips, tricks, and strategies you use to craft an excellent Backdoors and Breaches experience. Please consider imparting your perspectives on this blog or LinkedIn.

Conclusion

In conclusion, being a Dungeon Master in Backdoors and Breaches offers a unique opportunity to blend entertainment with education, immersing participants in the complex world of cybersecurity and incident response. By preparing your scenarios in advance, you remain in control of the game’s mechanics. Start by selecting an overall theme. Use the Custom Scenario Builder to drill on specific areas of opportunity. Make the story and gameplay interesting by incorporating realism and accuracy using your own organization’s controls and systems, or alternatively, inject humor and suspend disbelief… the choice is yours. Whatever you do, bring all of the participants along for the ride, and don’t let the session be dominated by one or two people. Finally, be flexible and roll with the punches.

  1. OpenAI. (2024). ChatGPT (GPT-4) [Large language model]. Description of Backdoors and Breaches.
