Security operations · 2 MIN READ · TINA VELEZ · OCT 6, 2023 · TAGS: MDR / Tech tools
Back by popular demand: Oh Noes! role-playing game actually makes testing your incident response (IR) plan fun
You asked us to refresh our popular IR role-playing game (RPG) and we heard you.
A real-life security incident isn’t the best time to test your incident response plan. Cyberattacks tend to be, you know, stressful. You’re dealing with the technical response, pressure from upper management, incomplete information, and probably a lack of sleep. Add it all up and you’re looking at bad decisions and worse results.
If you’ve got an IR plan, that’s great. You’re already (sadly) ahead of many organizations. However, if you’re not regularly exercising your plan, chances are you’ll struggle to answer basic questions when your org (inevitably) comes under attack.
So, how’s a security pro to prepare and practice in the absence of real incidents? How about a tabletop exercise where you pretend a Bad Thing has happened and your organization must work together to resolve it? When performed regularly, these tabletops serve two purposes:
- They help identify issues in your organization before real attackers do; Oh Noes! is very much a holistic evaluation—it’s a great tool for assessing people and processes as well as tech gaps.
- They build muscle memory around the IR process so that when attackers strike, everyone knows what to do.
Enter the Oh Noes!: a new approach to IR tabletop exercises
A meeting invite with the subject “Quarterly incident response exercise” may not capture the imagination of the average busy executive. So how do you get people engaged?
Try this subject line instead: Oh Noes! An adventure through the cyberz and $#*!. Oh Noes! is an RPG our former CISO developed with his son, an avid gamer. It draws on RPGs like “Dungeons & Dragons” and “Stars Without Number,” combining them with more traditional cyber tabletop exercises. In Oh Noes! you and your coworkers create characters with unique abilities and skills. Then, you role-play through cybersecurity incidents specific to your organization.
As with recreational RPGs, you’ll roll dice, gain experience, enhance your skills, and (if you’re doing it right) eat snacks covered in messy cheese dust. You’ll also learn about your strengths and weaknesses as an organization and cultivate insight into your IR plan—all while playing a game and (trust us on this) having a blast.
We’ve used Oh Noes! at Expel and have made some pretty big changes to our systems based on what we’ve learned. We hope you get as much value from it as we have.
Download the Oh Noes! kit
You can download everything you need to get started with Oh Noes! here. It includes:
- The Incident Master Guide (like the Dungeon Master Guide … get it?)
- A blank character sheet
- A scenario guide, including sample scenarios to get you started with your first few games and an editable sheet so you can easily create your own
Take it for a spin and let us know if you have any questions or feedback on how we can make Oh Noes! better.