Attackers will inevitably penetrate your defenses. The question is how effectively and quickly your current security and response strategies will work under attack.
One preparation option is to adapt military war games into cybersecurity simulation exercises. While cyber wargaming is not a new concept, it has yet to be widely adopted.
What is a cybersecurity simulation exercise?
Cyber war games are designed to provide a real-time view of how a business would defend against and respond to an attack. Red teams use the same tools and techniques as attackers to find weaknesses in a company’s security strategy. The blue team, meanwhile, works to detect the red team’s intrusion and to keep any successful penetration from progressing further into the environment.
These simulation exercises are more than penetration tests, however, and they do more than exercise attack methodologies.
“Because the goal is not the same as with a vulnerability scanner or a penetration test, it’s not going to be the same; you’re not going to get the same kind of results that you would get from there,” said Ken Smith, national lead for cyber testing at RSM US consultancy.
Rather, cyber war games provide insight into the readiness of a company’s cyber security strategy and how well security teams would respond to an attack.
Successful cyber war games involve more than the security team; they draw in people from across the company. They are much more comprehensive than red team engagements or other security exercises, so companies need to engage all key stakeholders, from the CEO down to the security teams.
“This isn’t just about attack and incident response; it’s crisis management,” said Jon Oltsik, an analyst with the Enterprise Strategy Group, a division of TechTarget. “What would the CEO say if he called a reporter? What would he say to customers, regulators, etc.?” Buy-in from the C-suite is key. In addition, executives must determine the objective of the evaluation in advance.
The length of a wargaming exercise depends on how comprehensive it is intended to be; a full exercise can run from a month to six weeks. Each exercise concludes with a report that documents the findings and lays out the results for the security teams.
How cyber war games work
Unless the cyber war game is about testing a specific tactic or aspect of a system, let the red team try what they want during the attack.
“Realism is the goal,” Oltsik said. “Use the tactics, techniques, and procedures that an adversary might use.”
It is also important to define a goal for the war game before you put it into action. “Are you testing new controls that have just been implemented?” Smith said. “Or has your process been entrenched for a while and you’re looking for a refresher?”
In one format, security teams use a clone of the company’s live environment so that results reflect real-world conditions. The red team initiates an attack, while the blue team follows the existing security playbooks to see whether it can detect the initial intrusion. From there, it’s a matter of which side can employ more creative and effective methods to advance or stop the attack.
Another option is for IT to build a pre-configured environment that neither the red nor the blue team has seen in advance, as is done in events organized by the National Collegiate Cyber Defense Competition. At those events, the blue teams first try to understand the systems they have been handed and how to secure them before the red teams begin their attacks, Smith said.
Consider the organization’s maturity level and resources
Companies of all sizes run cyber war games, but they shouldn’t test just for the sake of testing. Companies should assess their level of maturity before attempting one and know what they want from the exercise.
Companies that do annual penetration tests and have two years of solid results are indicating they’re prepared, Smith said, especially “if they’re doing quarterly vulnerability scans, both internal and external, and they don’t see any canaries in the coal mine-type situations.”
Before considering cyber war games, it is also important to consider whether the infrastructure and personnel exist to conduct, detect, and respond to attacks. “If you’re missing any of those pillars, it’s not worth the time and effort,” Smith said.
In that case, outsourcing is an option. Companies do not have to handle every aspect of cyber wargaming in-house and, in fact, it can be beneficial to outsource at least part of the exercise.
If your company has only a blue team, for example, you could hire a third party to carry out the attack. Even if your company has the staff and resources to run the exercise itself, consider hiring an external red or blue team to test against the opposing internal team. An internal red team may already know how the internal blue team would respond, and vice versa, whereas a third-party attacker probably wouldn’t. That prior knowledge can skew the test and its results.
Challenges of cyber war games
Cyber war games are not all roses. Be aware of these potential drawbacks before performing an exercise.
Cyber war games aren’t cheap
Carrying out an exercise can be expensive. Time is needed to devise the scenario, determine the ultimate goal, and run the exercise. In some cases, the end result may not be worth the time and cost. If the blue team keeps the red team from penetrating the perimeter at all, the company has just conducted an expensive penetration test. On the other hand, if the red team breaks in easily and meets almost no resistance, the company has paid a lot to learn that its defenses need an overhaul.
“You always run the risk that it’s not worth the cost because you’re testing unknowns,” Smith said. “You may not get enough bang for your buck with the exercise. But, if your program is at the right maturity level, you’ve done your due diligence, have your controls in place, and are running regular tests, this is kind of that next step to give you the assurance of whether or not your processes are working as planned.”
Poor C-suite communications could hurt security teams
The C-suite should be included in cyber war games, but that won’t always happen. Whether or not executives take part, keep the board and C-suite informed about how the exercise works and make sure they understand its purpose. Remind them that a successful attack by the red team does not mean the blue team failed or that people should lose their jobs.
Turning it into a competition
Another concern is that these exercises can become too competitive. The red team wins most of the time, said Jeff Pollard, an analyst at Forrester Research, but that is not meant to be an indication of failure by the blue team. Don’t undermine future cooperation by turning the exercise into a contest between the red and blue teams.
“This is where it gets controversial and toxic,” Pollard said.
Purple teaming as an alternative
Organizations may consider purple teaming instead of cyber war games. This methodology encourages collaboration over competition: the red team works alongside the blue team, walking through what it would do as an attacker at each step. This helps the blue team understand potential attacks and what to look for in the future.
“Purple teaming is a collaborative effort,” Pollard said. “War games can be competitive; there is a clear ‘winner’. With the purple team, you can put the red team next to the blue team and show them what they would do next in an attack.”
In general, the objective of both exercises is to improve an organization’s defenses, but cyber war games are much broader. In a cyber war game, a successful red team shows the company where current processes or technology fall short and where work needs to be done, and it gives the blue team first-hand experience of what a real attack looks like.