Cyber-war gaming: a tabletop cybersecurity exercise

Attackers will inevitably penetrate your defenses. The question is how effectively and quickly your current security and response strategies will work in the event of an attack.

One preparation option is to adapt military war games into tabletop cybersecurity exercises. Although cyber warfare gaming is not a new concept, it is not yet widely adopted.

What is a cybersecurity tabletop exercise?

Cyber warfare games are designed to provide real-time insight into how a business would defend against and respond to an attack. Red teams use the same tools as attackers to identify weaknesses in a company’s security strategy. The blue team, on the other hand, works to keep any successful penetration by the red team from getting far into a system.

However, these tabletop exercises are not limited to penetration testing and testing attack methodologies.

“Because the goal isn’t the same as with a vulnerability scanner or a penetration test, it won’t be the same; you won’t get the same kind of results that you would get from there,” said Ken Smith, national cybertesting manager at consulting firm RSM US.

Instead, cyber warfare games provide insight into the readiness of a company’s cybersecurity strategy and how security teams would respond to an attack.

Successful cyberwar games involve both the security team and other members of the company. They are much more encompassing than red team exercises or other security drills. Companies need to involve all key stakeholders, from the CEO to the security teams.

“It’s not just attack and incident response, it’s crisis management,” said Jon Oltsik, an analyst at Enterprise Strategy Group, a division of TechTarget. “What would the CEO say if a reporter called? What would you say to customers, regulators, etc.?” C-suite involvement is essential. In addition, managers should determine the purpose of the evaluation in advance.

The duration of a war game exercise depends on its intended depth. The range can extend from one month to six weeks. Each test includes a follow-up report that expands on the results for security teams.

How cyber war games work

Unless the cyberwar game is about testing a specific tactic or aspect of a system, let the red team try whatever they want during the attack.

“Realism is the goal,” Oltsik said. “Use tactics, techniques and procedures that an opponent might use.”

It is also important to have a goal for the cyberwar game exercise before putting it into action. “Are you testing any new controls that have just been put in place?” said Smith. “Or has your process been ingrained for a while and you’re looking for a refresher?”

In an exercise, security teams use a clone of the real company environment to get a real result. The red team launches an attack, while the blue team monitors existing security policies to see if they can detect the initial attack. From there, it comes down to which side can use more creative and effective methods to continue or stop the attack.

Another option is to have IT create a preconfigured environment that neither the red team nor the blue team knows about in advance, as happens at National Collegiate Cyber Defense Competition events. At these events, blue teams try to discern the system and how to secure it before red teams begin their attacks, Smith said.

Consider an organization’s maturity level, resources

Companies of all sizes are hosting cyberwar games, but they should not test just for the sake of testing. Companies should assess their level of maturity before attempting one and know what they expect from the exercise.

Annual penetration testing with two years of strong results indicates that a company is ready, Smith said, especially “if you do quarterly vulnerability scans, both internal and external, and you don’t see any canaries-in-the-coal-mine type situations.”

Before considering cyber war games, it is also important to consider whether there is infrastructure and personnel in place to conduct, detect and respond to attacks. “If you’re missing any of these pillars, it’s not worth the time and effort,” Smith said.

In this case, outsourcing is an option. Companies don’t have to handle every aspect of the cyber war game in-house – and it can, in fact, be beneficial to outsource at least part of the exercise.

If your company only has a blue team, for example, it could hire a third party to carry out the attack. Even if your company has the personnel and resources to carry out the exercise, consider hiring an outside red or blue team to test against the opposing internal team. Your internal red team may know how the internal blue team would react, and vice versa, which a third-party attacker probably wouldn’t know. This could affect the test and its results.

Cyber war game challenges

Cyber war games are not all rosy. Be aware of these potential drawbacks before performing any exercise.

Cyber war games don’t come cheap

Conducting an assessment can be expensive. It takes time to design the situation, determine the final objective and carry out the exercise. In some cases, the end result may not be worth the time and cost. If the blue team prevents the red team from entering the perimeter, you have just performed an expensive pen test. On the other hand, if the red team easily penetrates the system and meets almost no resistance, it shows that your cybersecurity defense needs an expensive overhaul.

“You always run the risk that it’s not worth the cost because you’re testing strangers,” Smith said. “You might not get enough bang for your buck from the exercise. But, if your program is at the right level of maturity, you’ve done your due diligence, you have your controls in place, and you’re doing regular testing, it’s kind of that next step to give you confidence whether or not your processes are working as planned.”

Miscommunications with the C-suite could hurt security teams

The C-suite should be included in cyber warfare games, but unfortunately that won’t always happen. Even so, keep the board and C-suite informed about the performance of tabletop exercises and always make sure they understand the purpose of the exercise. Remind them that a successful attack doesn’t mean the blue team has failed or that people have to lose their jobs.

Turning the exercise into a competition

Another concern is that tabletop exercises can become too competitive. The red team wins most often, said Forrester Research analyst Jeff Pollard, but that’s not meant to be an indication of the blue team failing. Don’t harm future cooperation by making the exercise a competition between the red and blue teams.

“That’s when it gets controversial and toxic,” Pollard said.

Purple teaming as an alternative

Organizations can consider using purple teams instead of cyber war games. This methodology encourages collaboration rather than competition. Purple teaming involves red teams working alongside blue teams to explain what they would do if they were an attacker. This helps blue teams understand potential attacks and what to look for in the future.

“The purple team is a collaborative effort,” Pollard said. “War games can be competitive; there is clearly a ‘winner’. With the purple team, you can put the red team next to the blue team and show them what they would do next when an attack.”

Overall, the goal of both exercises is to improve an organization’s defenses, but cyber warfare games are much more encompassing. In cyber warfare games, a successful red team helps inform a company where current processes or technology is insufficient and where work needs to be done and gives the blue team more experience on what a real attack.
