CyberSec Games Part I: Backdoors & Breaches

Written by proxyblue | Published 2020/02/21
Tech Story Tags: cybersecurity | infosec | games | learning | learn-by-playing | incident-responsiveness | cybersec-games | backdoors-and-breaches


Backdoors & Breaches is an Incident Response Card Game that contains 52 unique cards to help you conduct incident response tabletop exercises and learn attack tactics, tools, and methods.

Details
Publisher: Black Hills Information Security
Store Link: Amazon
Cost: $10 USD
Ages: N/A. Made for technical people and/or Incident Response within an organisation
Disclaimer: I did not receive a copy of this game from BHIS or related parties (I bought it myself) and there are no affiliate links within the article.

Gameplay

This game comes from Black Hills Information Security (BHIS), who are very well known in the Information Security community for their work in penetration testing, threat hunting and red teaming, as well as for their contributions to the community in the form of conference talks, tools, mentorship and educational programs.
If you have ever been in a scenario where you want to run an Incident Response walkthrough or tabletop, you will know that developing resources which are flexible and easy to understand can be boring and time consuming, and that home-grown scenarios can end up too unusual to be useful (what John Strand calls a "Rainbow Unicorn Attack").
Backdoors & Breaches aims to help facilitate incident creation by providing a range of cards to help an Incident Master craft a scenario, as well as a set of procedures to help the team navigate the incident.
The Incident Master draws 4 cards, 1 from each deck. There is an example pictured above.
1. Initial Compromise (e.g. Phishing)
2. Pivot and Escalate (e.g. Internal Password Spray)
3. Persistence (e.g. Logon Scripts)
4. C2 and Exfil (e.g. HTTPS as exfil)
This is the basis for the incident scenario, and the goal for the participants is to figure out what the attacker has done in the network (i.e. to uncover all 4 cards). The Incident Master will start the game by constructing the beginning of an incident. For example, the scenario I recently constructed for a help desk team was:
It's 3:30pm, and you (I point at an individual person) receive an email from the CEO which states "How did the emergency upgrade go this morning? Was there much disruption to services?"
From there we unfold the scenario, ask what they would do - and they will give answers based on SOP (Standard Operating Procedures) or their own thoughts and experiences. In many cases, I'll add in additional questions to challenge the participants - see if they'll adhere to SOP, or if they'll sway away from it.
For example, if they say "I'll ask the CEO what he's referring to", I'll ask them "how" they're asking the CEO. If it's email, does the scenario suggest that his email is compromised and being monitored? (In this case, no, but they don't know that) Would you message his PA instead to schedule a phone call? If I'm not familiar with their organisation, the participants can fill in the blanks since they tend to know how the people/culture of the organisation works.
If the responders perform an action that would uncover something suspicious (or if they look for something specifically), I'll reveal one of the 4 attack cards. So for example, upon further questioning it became apparent that the CEO had been targeted by a phishing attack, so I revealed that card and explained what they found.
Depending on the group, there are "Procedure Cards" that can be used to guide the participants. Sometimes I don't use them, sometimes I only use them with inexperienced people. I know you're supposed to use them to give bonuses and help with dice rolls - but I rarely play with those rules (and I don't tend to use dice rolls for that matter). It'll always depend on the group though.
Procedure cards:
And finally, there are "inject cards", which can either help the responders if they're struggling (or if they have the infrastructure), or sway things towards the Incident Master and add additional curve balls. For example, if there is one person who is quite knowledgeable and giving all the answers, you can remove them from the game with an inject card. This can be a fun way to encourage participation from the quieter members of the group and to ensure that the team knows what to do even when the more outspoken / experienced handler isn't available.
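As an added illustration of the mechanics above (this is my own example code, not anything from BHIS or the game itself): a small Python tracker an Incident Master could keep beside the table. It draws one card from each of the four decks, reveals a card when a responder's stated action would uncover it, and handles the "remove a participant" inject. The decks contain only the four cards named in this article; the actions that reveal each card, the participant names and the scripted walkthrough are assumptions for the example, not the detection tools printed on the real cards.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackCard:
    deck: str               # which of the four decks the card belongs to
    name: str               # card title
    revealed_by: frozenset  # responder actions that would uncover it (assumed)


# Constructed sample decks. The four card names are the ones the article lists
# (one per deck); the 'revealed_by' actions are an assumption for this example,
# not the detection tools printed on the real cards.
SAMPLE_DECKS = {
    "Initial Compromise": [
        AttackCard("Initial Compromise", "Phishing",
                   frozenset({"interview the CEO", "review mail gateway logs"})),
    ],
    "Pivot and Escalate": [
        AttackCard("Pivot and Escalate", "Internal Password Spray",
                   frozenset({"review auth failures", "siem log analysis"})),
    ],
    "Persistence": [
        AttackCard("Persistence", "Logon Scripts",
                   frozenset({"review logon scripts", "endpoint analysis"})),
    ],
    "C2 and Exfil": [
        AttackCard("C2 and Exfil", "HTTPS as exfil",
                   frozenset({"review proxy logs", "netflow analysis"})),
    ],
}


class Scenario:
    """Tracks one tabletop: the hidden 4-card attack chain, what has been
    revealed so far, and which participants are still in the game."""

    def __init__(self, decks, participants, rng=None):
        rng = rng or random.Random()
        # The Incident Master draws one card from each of the four decks.
        self.chain = {deck: rng.choice(cards) for deck, cards in decks.items()}
        self.revealed = []
        self.active = list(participants)
        self.log = []

    def act(self, who, action):
        """A participant states an action. If it would uncover a card that is
        not yet revealed, reveal it (as the Incident Master would) and return it."""
        if who not in self.active:
            self.log.append(f"{who} is unavailable (inject card); no action taken")
            return None
        for deck, card in self.chain.items():
            if card not in self.revealed and action in card.revealed_by:
                self.revealed.append(card)
                self.log.append(f"{who}: {action!r} -> revealed {deck}: {card.name}")
                return card
        self.log.append(f"{who}: {action!r} -> nothing new found")
        return None

    def inject_remove(self, who):
        """Inject card: take a participant out of the game (e.g. the person
        who has been giving all the answers)."""
        if who in self.active:
            self.active.remove(who)
            self.log.append(f"Inject: {who} is no longer available")

    def solved(self):
        """The responders win once all four cards of the chain are revealed."""
        return len(self.revealed) == len(self.chain)


def run_walkthrough(seed=7):
    """Play out the help-desk scenario from the article as a scripted example
    (participant names are made up) and return the finished Scenario."""
    s = Scenario(SAMPLE_DECKS, ["Alice", "Bob", "Carol"], random.Random(seed))
    s.act("Alice", "interview the CEO")     # uncovers the phishing email
    s.inject_remove("Alice")                # Alice has all the answers; sideline her
    s.act("Alice", "siem log analysis")     # refused: Alice is out of the game
    s.act("Bob", "review auth failures")    # uncovers the password spray
    s.act("Carol", "endpoint analysis")     # uncovers the logon-script persistence
    s.act("Bob", "review proxy logs")       # uncovers HTTPS exfil
    return s


if __name__ == "__main__":
    game = run_walkthrough()
    print("\n".join(game.log))
    print("Solved:", game.solved())
```

Running the file prints the reveal log line by line, which is a convenient record of how the team got to each card; extend SAMPLE_DECKS with the rest of the deck to draw random chains.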
Review
I love everything about this deck of cards. They are simple, but full of information. The cards are easy to understand and they simultaneously demonstrate powerful attacking techniques, as well as giving some more information on the attack/defence type and the available tools an attacker/defender would use, in order to help stimulate conversation.
Backdoors & breaches is a fun, accessible and engaging way to explore cyber attacks, defences and incident response.
There are lots of ways to play (as you can see, I've made it a bit more roleplay-like rather than using dice and points), but everyone who plays learns something new: about attackers, about their own policy, about weaknesses, about security compromises that have been made within the organisation for productivity/budget purposes. It is such an accessible deck that I recommend it to anyone who wants to run, or who presently runs, Incident Response tabletops/walkthroughs.
I love that when my students play Backdoors & Breaches, they learn something new, ask questions, explore what they know and have fun - that's a win in my book.
I really hope they add more Inject cards - like if there were multiple attacks and the responders need to figure out how to differentiate between the two attackers. Or maybe "the attacker is actively in the network" - to see how that changes how they respond to the attack. It would be interesting to see what other decks they'll add - maybe a "consultant deck" to make things easier/harder for the team.
I'm really looking forward to the next version to add onto this amazing deck - I look forward to seeing some of my fellow Many Hats Club members in the deck too :)
For a more detailed "How to play" as well as an example play through, see the video below.

Written by proxyblue | Developer. Security Guy. Currently reading the internet. ❤️ innovation and NeuroTech. @proxyblue
Published by HackerNoon on 2020/02/21