Defensomania is a security monitoring and incident response card game.
Defensomania (formerly known as Cyber Against Humanity) is an incident response card game. When your web server is compromised, which steps would you initiate? What are your priorities if malware was executed on an endpoint and shortly afterwards you identify data exfiltration to a remote server? Playing Defensomania with the provided scenarios educates and trains defenders and provides a basis for discussing different activities and their priorities. How would you implement those activities in your environment? Defensomania uses well-known incident response phases as the activity categories and focuses on cyber threat detection and response.
Each round, one player is the attacker and reads a scenario card. All other players are defenders and choose their best activity card. See the Gameplay section for the proposed gameplays and rules.
Defensomania is for security monitoring and incident response what "Elevation of Privilege" (EoP) is for threat modeling or Cornucopia is for web application security.
Disclaimer: Defensomania is a personal project developed in spare time, and the scenarios are purely fictional or based on external write-ups.
See PDFs-to-print for the different PDFs, which contain either both scenarios and activities or only one of them. Different layouts are also provided: 1, 6 or 9 cards per sheet. The PDF with only the front cards at 9 cards per sheet is suitable for home printing.
See PNGs-to-print for the front and back PNG image files of all scenario and activity cards.
Future versions of Defensomania will use ATT&CK for additional attack events during the game and RE&CT for the activity cards instead of an internal IR activity list.
Defensomania uses two types of cards: scenarios and activities. The scenario cards describe fictional security incidents, and the activity cards describe the activities used to handle these incidents. See the Source column in the card source files for attribution of external content.
The activity cards are categorized based on the following well-known incident response phases:
See the list of scenarios and activities in the source files.
More activity cards mean more ways to react during the game. Consider adding more scenarios and activities.
The proposed gameplays depend on your goal, on what your team would like to exercise and on the scope of the training. Choose between the following modes:
Best card wins lets you think about and discuss single activities and how they fit for a given scenario.
Incident response process is a more in-depth way of dealing with one scenario; it considers priorities and the whole incident response process. This is serious business now. The goal is to see how the team would handle a fictional scenario from the beginning to the end of an incident. Discuss the processes, the responsibilities, the tools, the priorities and also whom you would contact in case of emergency. Ask questions like "If we have that incident, what preparation is needed to be able to handle it?" or "If we must contain the compromised host, how would we do that?". If you incorporate a new subsidiary company into your security monitoring and incident response scope, ask how you would handle that scenario for the new company and its infrastructure.
Consider adding scenarios and activities, improving the wording and rule descriptions, or improving the layout and design.
Build your own Defensomania card deck using Squib and the instructions.
Further extend the card deck by adding event cards that inject new events into an otherwise static scenario. These events could be "credentials were stolen from server X", "credentials abused on system X", "data exfiltration identified on server X" and so on, and the team can react to these additional events with the activity cards.
Second, build extra packs, e.g. a "Worst Response Pack". An activity for a scenario about a compromised workstation could be "log into the machine as domain administrator to search for malware", "forward the maldoc file to a ticketing system that many others have access to" or "announce on Twitter that you were hacked before the social media department is informed". See the worst cards for some examples. Not funny enough? Then what about building a PowerShell pack with only incident response activities using PowerShell commands, called PowerShell Against Humanity? Now you're scared!
Icons made by Freepik, srip, Gregor Cresnar and Kiranshastry from www.flaticon.com.
The content of this project itself is licensed under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) License, and the underlying source code used to format and display that content is licensed under the MIT license.
Defensomania is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.