Defensive measures are in place and cybersecurity strategies are designed. But how does your organization know they are working? Playing a cyberwarfare game can reveal flaws that real attackers may discover.
Most cybersecurity professionals recognize that cyber warfare game exercises need to be conducted to ensure overall cybersecurity readiness. However, the following questions remain about how to perform these exercises.
- What should be included in cyber warfare games?
- How often do you need to do it?
- Who should participate?
- What kind of documents do you need?
- What should the final result and deliverable look like?
Let’s see what it takes to make a cyber warfare game exercise successful. First, let’s look at what these games are and why companies need to run them.
Features of effective cyber warfare games
Cyber warfare games are creative exercises in which an incident response team responds to a fictitious set of scenarios.
Militaries have played war games, known as tactical decision games, for a long time. Participants learn to understand the unintended consequences of decisions in the turmoil of war. “No plan survives first contact with the enemy,” as the saying attributed to Helmuth von Moltke the Elder, the Prussian field marshal, goes.
Now take those lessons and adapt them to cyber warfare games. One of the key elements of an effective cyber warfare game is a scenario that incorporates multiple unplanned events to create a perfect storm. For example, what if the attack vector is the IoT network, and the data center goes down because of an attack on the connected HVAC system? What if a man-in-the-middle attack on Session Initiation Protocol (SIP) traffic jeopardizes sensitive voice calls while a DDoS attack brings down your email server? Or what if a key person has the flu?
Another important factor is how often the exercises take place. It is important to play cyber warfare games on a regular basis: ideally quarterly, but at least annually. Creating the perfect game matters less than playing cyber warfare games early and often and improving as you learn.
Key roles in cyber warfare games
The two most important roles in a cyber warfare game are the scenario creator and the referee, or facilitator. These can be the same individual and often come from outside the company, such as from a third-party consulting firm.
The scenario creator’s job is to build the exercise and explain it to the participants. Scenarios are often set at a high level by senior management, who may be particularly concerned about a specific kind of incident, such as ransomware. The scenario creator turns a question like “What if ransomware hits us?” into a concrete scenario such as “Jody arrives at work and can’t log in to her computer. What does she do?”
The referee’s job is to keep everyone on the same page and keep the exercise moving, ideally under time constraints. As the scenario creator describes each event, the referee gives the participants a limited amount of time to decide on their next action and then provides feedback on what happens next.
Additional cyber warfare game roles
The biggest mistake most cybersecurity organizations make with cyber warfare games is assuming that participation should be limited to security professionals. It should not be.
For a cyber warfare game to be truly effective, it has to be all hands on deck. Everyone in the organization must be involved, including senior management, legal, HR, support services, administrative staff, and the public relations and investor relations teams that will inform customers and shareholders of the incident.
The organization’s incident response plan describes how every role in the company responds to a critical incident, and the specific role each participant plays should be outlined there. NIST Special Publication (SP) 800-61 Revision 2 (Rev. 2) is a good starting point: it describes key roles and responsibilities.
Within IT and cybersecurity, system owners typically report incidents to the incident response team. From that point on, the team takes over the incident response process and works with system owners, cybersecurity teams, and other stakeholders.
Other roles and responsibilities in cyber warfare games depend on the nature of the breach. An extortion demand, for example, may require early involvement of legal and finance, while a more technical breach may be handled entirely by the infosec team.
The plan should specify how incidents are communicated to non-technology teams such as legal, risk, compliance, HR, and PR. For public companies, investor relations is usually on the list. Don’t forget your customers: the team responsible for the customer relationship (which may be a separate department or a group within the sales team) also needs to be kept informed.
Incident response teams need to be clear about who may be affected (customers, employees, and others) and what actions these groups should take, including contacting law enforcement agencies, to learn more about the breach. This applies to cyber warfare game exercises as well as to real incidents.
Finally, the team needs to pay close attention to the need for auditable logging and preservation of evidence. For many classes of security incidents, it is important to keep records that law enforcement and regulatory agencies can review. In the moment, documentation may be the last thing on the participants’ minds, but it is important to make sure that evidence is preserved and that the documentation is kept up to date. This documentation should also be reviewed during the post-action review.
Cyber warfare game takeaways and deliverables
Security teams often skip post-action reviews, which are the most important part of cyber warfare games. As NIST wrote in SP 800-61 Rev. 2, “Holding a ‘lessons learned’ meeting with all involved parties ... can be extremely helpful in improving security measures and the incident handling process itself.”
In its guidance, NIST also suggests holding an interactive meeting to answer questions such as the following:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident?
- Were the documented procedures followed?
- Were the documented procedures adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have hindered the recovery?
- What would staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organizations be improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
When answering these questions, it is important to use the five whys approach to root cause analysis. Participants need to keep digging to find out why a particular problem occurred, rather than simply assigning blame and moving on without making changes. For example, the question “Why didn’t Bob notify Mary of a particular situation?” may have answers such as “He didn’t know about the situation,” “He didn’t know that Mary’s role needed to be notified,” or “He didn’t have immediate access to her contact information.” Asking why repeatedly turns the post-action review from an unproductive and unpleasant blame fest into a true opportunity for improvement.
Incident response teams should also have a clear goal of using the output of cyber warfare games to update the incident response plan. This makes the plan a living document that gains insights from responding to both real and simulated breaches.
Other post-action review artifacts may include a list of action items, such as updates to key participants’ contact information. Post-action reviews should also produce a detailed report that includes a chronology and a defined action plan, so that future participants know what happened during the exercise.
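As an added example (not part of the original article), the following Python models the referee mechanism described earlier, a scripted set of events with an owning role and a decision deadline, and the post-action deliverables discussed above, a chronology plus an action-item list for the five-whys discussion. The injects and decisions are constructed sample data based on the article’s scenarios, and the role names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    minute: int       # scenario clock (minutes) at which the referee reads the event
    text: str         # what the scenario creator tells the participants
    owner: str        # role expected to lead the response, per the IR plan (assumed)
    time_limit: int   # minutes the referee allows for a decision


@dataclass(frozen=True)
class Decision:
    inject_minute: int  # which inject this decision answers
    role: str           # who announced the decision
    minute: int         # scenario clock when it was announced
    action: str


# Constructed "perfect storm" scenario built from the article's examples.
INJECTS = [
    Inject(0, "Jody arrives at work and cannot log in; ransom note on screen", "IR team", 10),
    Inject(15, "HVAC controller on the IoT network compromised; data center overheating", "System owner", 10),
    Inject(30, "DDoS takes the email server down", "IR team", 10),
    Inject(45, "IR lead is out sick with the flu", "IR team", 5),
]
# Constructed decisions as the referee would record them during play.
DECISIONS = [
    Decision(0, "IR team", 8, "Isolate Jody's workstation; notify legal and PR"),
    Decision(15, "IR team", 32, "Shut down the HVAC network segment"),
    Decision(45, "IR team", 48, "Deputy lead takes over per the IR plan"),
]


def run_exercise(injects, decisions):
    """Build the chronology for the post-action report and flag missed, late,
    or wrong-role responses as action items for the five-whys discussion."""
    chronology, action_items = [], []
    by_inject = {d.inject_minute: d for d in decisions}
    for inj in sorted(injects, key=lambda i: i.minute):
        chronology.append((inj.minute, "INJECT", inj.text))
        reply = by_inject.get(inj.minute)
        if reply is None:
            action_items.append(f"MISSED: no decision for T+{inj.minute} '{inj.text}'")
            continue
        chronology.append((reply.minute, reply.role, reply.action))
        if reply.minute - inj.minute > inj.time_limit:
            action_items.append(f"LATE: T+{inj.minute} answered after {reply.minute - inj.minute} min (limit {inj.time_limit})")
        if reply.role != inj.owner:
            action_items.append(f"WRONG ROLE: T+{inj.minute} handled by {reply.role}; IR plan assigns {inj.owner}")
    return sorted(chronology, key=lambda e: e[0]), action_items


if __name__ == "__main__":
    chron, items = run_exercise(INJECTS, DECISIONS)
    for minute, who, what in chron:
        print(f"T+{minute:02d} {who:<12} {what}")
    print("\nAction items:\n" + "\n".join(items))
```

Each action item is a starting point for a “why” question in the review, and the chronology feeds the written report directly.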