Teams: Virtual Tabletop Experience - War Room - Guide

The War Room is hosted on Living Security’s Teams: CyberEscape Online platform. Living Security Teams combines hands-on exercises and visual storytelling for an immersive and interactive experience. A moderator will also be present to start conversations on organization-specific policies and commentary throughout the experience.

Learning objectives:

  1. Increase awareness and understanding of threats and how to respond to them
  2. Clarify roles and responsibilities during an incident
  3. Assess the capabilities of existing resources
  4. Solicit feedback for program improvement
  5. Simulate the decision-making process among key stakeholders during an incident

The Storyline

The War Room participants experience the exercise through the point of view of a member of leadership within a fictitious company experiencing a cybersecurity breach. After a successful vendor email compromise attack, a cybercriminal was granted access to the company’s instant messaging platform. Unfortunately, one of the channels contained a link to a document with clear-text default passwords - and it looks like someone never updated that default password. Now the cybercriminal has access to a customer service platform and has used it to offload customer data. During this exercise we will walk through a series of incident responses by the company’s Chief of Staff.

The Flow

The War Room incorporates 8 scenario-based exercises designed to simulate real cyber incidents. Participants will use plans, policies, procedures, and other resources to successfully navigate the exercises. The experience’s flow is as follows:

Storyline video → Moderator-led discussion → Exercise Cycle {Intro to the exercise → Exercise → Outro to the exercise → Moderator-led discussion} x8 → Conclusion → Moderator-led discussion

* Note that if a shortened version of the experience is being hosted, there will be 5 exercise cycles instead of 8.

________________________________________________________

DISCUSSION GUIDE & STORY BREAKDOWN

After each exercise cycle, participants will engage in a moderator-led discussion about how the content of the experience applies to potential cybersecurity threats, incidents, policies, or procedures at their real-world company. The moderator controls how long these discussions run; you may select more or fewer discussion questions per cycle depending on the length of time scheduled for your virtual tabletop experience.

Setting up for the Experience:

Enter the Virtual Tabletop Experience on the Living Security Teams platform.

If the Tabletop Experience is conducted remotely, initiate your web conferencing software and share your screen and sound on the Living Security Teams platform.

Welcome participants.

Explain why we need to do an incident response tabletop exercise.

Explain how the flow of the game will work.

 

Before initiating the experience:

Discussion Questions

  • What are your goals or desired outcomes for this exercise?
  • What are the potential consequences of a cybersecurity breach?
  • How would your department be directly affected by a cybersecurity incident? What about indirectly?
  • What are our current cybersecurity policies? How do they protect us?

Initiate the experience on the Living Security Teams Platform

Intro/Storyline:

In the video: Annie, the Chief of Staff, alerts the protagonist (the incident commander) of a possible incident. She introduces him to Oliver, a new member of the IT team who reported unusual activity (exporting of data) in a customer service administrator account spotted during a routine check of the company’s data loss prevention software. Oliver and Annie have gathered important documents, which they hand over to the protagonist. 

In the exercise: N/A

Discussion Questions

  • In the event of an incident at our company, what documents need to be accessed?
  • Who would be named incident commander at our company?
  • Who is the first to be notified in the event of an incident?
  • Who is responsible for detecting cybersecurity incidents?
  • How are cybersecurity incidents reported at our company?
  • What constitutes confidential information? What about PII?

 

Challenge Cycle 1:

In the video: Annie takes the protagonist to a meeting room, where the owner of the admin account and two others are waiting. The protagonist is asked to question them about their password hygiene and how credentials are shared.

Exercise 1 - Gathering Intel: Passwords & Authentication

Participants are provided a bank of questions related to password hygiene, credential sharing, and multi-factor authentication. After asking 3 questions from the bank, participants must use the answers given to choose which of a group of 3 company employees has the worst password hygiene.

Resources: Password & Authentication Policy, Briefing on the incident

Questions coming out of exercise:

  • Surprises?
  • More learning/training for employees?
  • What do we do well/not so well?

Discussion Questions

  • How do we assign and share credentials with new employees? Who is responsible for this?
  • How does our password hygiene affect the company? What are the dangers of weak passwords?
  • What policies and software do we have in place to protect against cyber threats?
  • What departments have access to confidential information? What about customer data?

Challenge Cycle 2:

In the video: Annie mentions that Oliver is setting up a conference room to use as the war room. She asks the protagonist to put together a list of key team members who need to be invited in as incident responders.

Exercise 2 - Calling in the War Room: Appropriate Personnel

Participants will need to think through which departments need to be involved in a cybersecurity incident, what tasks those departments will be responsible for, and who in that department is the best choice to tackle those tasks.

Resources: BCDR, Org Chart, Contact list, Incident Response Plan

Questions coming out of exercise:

  • Do we know which departments to involve?
  • Do we know which people and how to reach them?
  • How has this gone in the past?

Discussion Questions:

  • At our company, who needs to be notified of an incident? How will they be notified?
  • How quickly does each responder need to be notified?
  • How will we meet? In person? On Zoom? Conference call via telephone?
  • Who is responsible for organizing calls?
  • Where is home base in the event of an incident at our company?

 

Challenge Cycle 3:

In the video: On his way to the war room, the protagonist bumps into Oliver, who informs him that Annie needs him to look over the company’s incident response plan. The protagonist makes it to the war room, where he opens his folder and reviews the IR plan. When he’s finished, Annie enters with his laptop and lets him know she has called in the team members requested in Challenge 2.

Exercise 3 - Prioritizing Tasks: The Incident Response Plan

Participants must put tasks from the company’s IR plan in the correct order.

Resources: Incident Response Plan

Questions coming out of the exercise:

  • Does everyone know where to find the appropriate resources (incident response plan/playbook)?
  • How has this gone in the past? 
  • How can we improve?

Discussion Questions

  • Where can you find a copy of our company’s Incident Response Plan?
  • How often is the Incident Response Plan reviewed or updated?

 

Challenge Cycle 4:

In the video: Oliver announces that he’s ready to begin an IT investigation; Annie asks the protagonist to join him. She specifies that evidence preservation should happen first, so that no one panics and deletes emails, files, etc. Oliver and the protagonist begin the IT investigation together. They discover that the cybercriminal was able to access the cleartext spreadsheet containing default passwords by gaining access to the company’s instant messaging platform (e.g., Slack, Teams, etc.) via a phishing email.

Exercise 4 - Threat Containment & Evidence Preservation

Participants must find and correct cybersecurity breaches in the company’s workspace. 

Resources: Incident Response Plan, Briefing on the incident, Cybersecurity Policy Memo

Questions coming out of exercise:

  • How to treat devices to preserve evidence

Discussion Questions

  • How do you handle affected devices or preserve evidence?
  • Do you allow vendors/contractors access to instant messaging platforms?
  • How do you review what they have access to and remove as necessary?

 

Challenge Cycle 5:

In the video: Annie appears and tells the protagonist that Henry from the legal department is on the phone in his office, needing to speak with him. He makes his way to the office and speaks with Henry. *At this point, participants skip to the final ending if the shortened version of the experience is being undertaken.*

Exercise 5 - Privacy & Legal Regulations

Participants will need to think through which departments need to be involved in a cybersecurity incident, what tasks those departments will be responsible for, and who in that department is the best choice to tackle those tasks.

Resources: Compliance Requirements (GDPR, CCPA, etc.), Privacy Requirements, Reporting Responsibilities

Questions coming out of exercise:

  • What are our compliance requirements?
  • What are our reporting requirements?
  • Cyber insurance? What does it cover?

Discussion Questions

  • How do you communicate with people involved in the incident that things should be kept confidential?
  • At what point do you decide to notify the company and how have you done this?

 

Challenge Cycle 6:

In the video: Annie leads the protagonist back to the war room, where Thalia from the internal communications department and Liv from the HR department are waiting. Along the way, company employees are seen gossiping. Thalia asks the protagonist to craft an internal message quieting the gossip and letting company employees know that they cannot disclose any information or rumors about the situation on the internet or to any other external source. Once the message is written, Thalia approves it and the protagonist sends it out.

Exercise 6 - Communicating Internally

Participants are asked to craft an internal message notifying employees of the incident as well as laying out expectations surrounding confidentiality.

Resources: Company Communications Policy, Communications Plan

Questions coming out of exercise:

  • How are we communicating during the incident? Is there a bridge call? Who is involved?
  • Do we know how to ensure that those conversations aren’t discoverable from a legal standpoint (i.e., no chat or email; phone calls are better)?
  • Do we have enough resources to aid internal communications?
  • Do we involve the security awareness team to help with communications/education?
  • Do we need to make employees sign an agreement that this information is confidential?

Discussion Questions

  • How do you communicate with people involved in the incident that things should be kept confidential?
  • At what point do you decide to notify the company and how have you done this?

 

Challenge Cycle 7:

In the video: Liv from the public relations department asks the executive to construct a public statement while she takes a crucial phone call. Once he’s finished, she approves the statement and the protagonist sends it off.

Exercise 7 - Public Statement

Participants will craft a public statement regarding the incident. If applicable given your company’s notification requirements, they may also be asked to draft an email to notify the company’s customers of a data breach.

Resources: Past Examples, Draft of previous statement with edit requests, Reporting Responsibilities, Compliance Requirements

Questions coming out of exercise:

  • Do we use an external PR firm?
  • Do we have people to handle reviewing the web for misinformation? Company image reviews?
  • How are we notifying customers?
  • Do we have systems in place to handle (potentially) months of customer questions, requests, etc.? This may need outside resources.
  • How do we handle it if customers retain legal counsel and potentially sue?

Discussion Questions

 

Challenge Cycle 8:

In the video: Oliver appears and delivers a message from Annie, summoning the protagonist back to his own office. The pair return to the executive’s office, where Annie provides the protagonist with a partially filled out executive summary. She asks him to finish the summary, as it will be used to catch the CISO up to speed. After it’s finished, she takes a look and gives positive feedback.

Exercise 8 - Executive Summary: Debrief

Participants will work together to complete a summary of the incident. This exercise functions as an interactive debriefing, tackling questions such as what was learned, what was done well, and what could be improved.

Resources: N/A

Discussion Questions

  • What is the difference between an incident and a breach? Who makes that decision?
  • What steps should be taken to contain an incident and stop the spread?
  • Does everyone know where to find the Incident Response Plan and other important documents?
  • Do all employees know how to report suspicious things or where to go for help?
  • What has our company done well during past incidents?
  • Where do we need to improve?

Ending:

In the video: Oliver gives Annie an IT report that he has completed and summarizes it for her as she looks it over. This is a recap of the incident - a cybercriminal used a phishing email to get access to the company’s instant messaging platform, in which they located a clear-text spreadsheet containing default passwords that had been shared with new employees. The cybercriminal then discovered an account for which the user had never changed the default password - the customer service admin account - and offloaded the customer data from it. After the IT report summary, Oliver, Annie, and the protagonist return to the war room to meet with the CISO. Annie thanks the protagonist for his hard work, and the experience ends.

________________________________________________________

GLOSSARY

Challenge Cycle: repeated unit within the experience, composed of an introductory video, an exercise, an outro video, and a moderator-led discussion; completed 8 times for a full experience and 5 for a shortened experience

Resources: tab within Teams that participants use to access documents or other evidence to help them complete exercises

Teams: Living Security’s virtual escape room platform, on which The War Room is hosted

The War Room: A Virtual Incident Response Tabletop Experience

________________________________________________________

Resources:

The War Room 8 Puzzle Answer Key Here!

The War Room 5 Puzzle Answer Key Here!