How to conduct a cyber-war gaming exercise

Defenses are in place, and a cybersecurity strategy has been designed. But how does your team know they work? Conducting a cyber-war game can expose any shortcomings a real attacker could uncover.

Most cybersecurity professionals are aware they need to conduct cyber-war gaming exercises to ensure overall cybersecurity readiness. But questions remain about how to conduct this exercise, including the following:

  • What should the cyber-war games include?
  • How often should they be conducted?
  • Who should participate?
  • What documentation is required?
  • What should the end results and deliverables look like?

Let’s look at what’s needed for successful cyber-war game exercises, starting with what they are and why companies should conduct them.

Characteristics of an effective cyber-war game

Cyber-war games are creative exercises in which an incident response team reacts to a hypothetical set of circumstances.

The military has long conducted war games, also known as tactical decision games, because they work. Participants learn to understand the unintended consequences of decisions in the context of the chaos of war. As the military adage attributed to Prussian Field Marshal Helmuth von Moltke the Elder goes, “No plan survives first contact with the enemy.”

Now, take these lessons, and adapt them for cyber-war gaming. One important element in conducting effective cyber-war games is to develop scenarios that incorporate multiple unplanned events and generate perfect-storm conditions. For instance, what if the attack vector is an IoT network and an attack on the connected HVAC system brought the data center down? Or what if a Session Initiation Protocol man-in-the-middle attack compromised sensitive voice calls, while a DDoS attack took down the email server? Or what if a key person is out with the flu?

Another important element is how often the exercises are held. Conducting cyber-war gaming on a regular basis is key: ideally quarterly, but at a minimum annually. It’s less important to craft the perfect game than it is to conduct cyber-war gaming early and often, learning and improving as you go.

Critical cyber-war gaming roles

The two most important roles in cyber-war gaming are the scenario creator and the referee, sometimes called the facilitator. These may be the same person and often come from outside the company, e.g., a third-party consulting firm.

The scenario creator’s job is to craft the exercise and explain it to the participants. The scenario is often determined at a high level by senior management, which may be particularly concerned about a specific incident, such as ransomware. The scenario creator’s job is to turn a high-level concern, such as “What if we get hit by ransomware?” into a real-world scenario, such as “Jody arrives at work and can’t log in to her computer, so what does she do?”

The referee’s job is to keep everyone on the same page and moving through the exercises, ideally under a time constraint. Once the scenario creator explains the scenario, the referee gives participants a limited amount of time to decide their next actions and then provides them with feedback on which to base their subsequent actions.

Additional cyber-war gaming roles

The biggest mistake most cybersecurity organizations make with cyber-war gaming is assuming participation should be limited to security practitioners. This could not be more wrong.

For a cyber-war game to be truly effective, it is all hands on deck: everyone in the organization should play a part, including senior management, legal, HR, support services and administrative staff, as well as the PR and investor relations teams that communicate the incident to customers and shareholders.

Organizations should have an incident response plan detailing how each role in the company responds to a critical incident. The specific part each participant plays should be defined in the incident response plan. Start with NIST Special Publication (SP) 800-61 Revision 2 (Rev. 2), which describes key roles and responsibilities.

Within IT and cybersecurity, system owners typically report incidents to incident response teams. These teams take over the incident response process from that point and work with the system owners and cybersecurity teams, as well as other stakeholders.

Other roles and responsibilities in a cyber-war game depend on the nature of the breach. An extortion request, for example, might require early participation from legal and finance, while a more technical breach may be handled solely by the infosec team.

Specify how incidents should be communicated to teams outside of technology, including legal, risk and compliance teams, as well as HR and PR. For public companies, investor relations is usually on the list. Don’t forget about customers, either. Teams responsible for customer relationships, which may be a separate department or a group within the sales team, should also stay informed.

As the incident response teams learn more about the breach, they should clearly communicate who is potentially affected, whether it’s customers, employees, etc., and what action, if any, those groups should take, including reaching out to law enforcement. This is as true in a cyber-war gaming exercise as it is in the case of a real incident.

Finally, the teams need to pay close attention to the need for auditable logging and chains of evidence. For many classes of security incidents, it’s essential to keep records for law enforcement and regulatory bodies to review. In the heat of the moment, documentation may be the last thing on participants’ minds, but it’s essential to ensure evidence is preserved and documentation kept up to date. It’s also important to review this documentation during the after-action review.

Cyber-war gaming takeaways and deliverables

Security teams often neglect the most important part of a cyber-war game: the after-action review. As NIST wrote in SP 800-61 Rev. 2: “Holding a ‘lessons learned’ meeting with all involved parties … can be extremely helpful in improving security measures and the incident handling process itself.”

NIST also suggested in its guidance holding an interactive meeting to answer the following questions:

  • Exactly what happened, and at what times?
  • How well did staff and management perform in dealing with the incident?
  • Were the documented procedures followed?
  • Were they adequate?
  • What information was needed sooner?
  • Were any steps or actions taken that might have inhibited the recovery?
  • What would the staff and management do differently the next time a similar incident occurs?
  • How could information sharing with other organizations have been improved?
  • What corrective actions can prevent similar incidents in the future?
  • What precursors or indicators should be watched for in the future to detect similar incidents?
  • What additional tools or resources are needed to detect, analyze and mitigate future incidents?

It’s essential to rely on the five-whys approach to root cause analysis when answering these questions. Participants should keep digging to find out why specific issues arose, rather than simply apportioning blame and moving on without making changes. For example, the question “Why did Bob not inform Mary of a particular situation?” might have answers such as “He was not aware of the situation,” “He was not aware Mary’s role required her to be informed,” “He didn’t have her contact information readily available,” etc. This transforms the after-action review from an unproductive and uncomfortable blamefest into a true opportunity for improvement.

The incident response team should also have an explicit goal of using the output of the cyber-war game to update the incident response plan. This ensures the incident response plan is a living document, capturing insight from responses to both real and simulated breaches.

Other after-action review deliverables might include a list of action items, such as updating contact information for key participants. After-action reviews should also generate a detailed report containing a chronology and a defined action plan so future participants are aware of what happened during the exercise.
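The auditable log called for in the roles section and the chronology deliverable described here, as an added example that is not from the article or from NIST: a small Python exercise log in which every entry is chained to the previous one by a SHA-256 hash, so the after-action team can tell whether any record was changed, dropped or reordered after the fact, print the chronology for the report, and list the injects that received no decision within the referee's time limit. The ExerciseLog class, the helper names, the sample session and its times, roles and injects are all constructed for illustration.

```python
# Added example (not the article's code): a tamper-evident log for a
# cyber-war gaming session. Each entry carries the SHA-256 of the previous
# entry, so a chronology built from it can be checked for later edits, and
# injects without a timely decision can be flagged for the after-action
# review. All names, times and injects below are constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry


class ExerciseLog:
    """Append-only, hash-chained record of injects, decisions and notes."""

    def __init__(self, exercise_name):
        self.exercise_name = exercise_name
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same fields always hash the same way.
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode("utf-8")
        ).hexdigest()

    def record(self, when, role, kind, text):
        """Append one entry; kind is 'inject', 'decision' or 'note'."""
        body = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "role": role,
            "kind": kind,
            "text": text,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if no entry was altered, removed or reordered after the fact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def chronology(self):
        """Plain-text timeline for the after-action report."""
        return [
            f"{e['time']}  {e['role']:<12} {e['kind']:<8} {e['text']}"
            for e in self.entries
        ]

    def overdue_injects(self, limit):
        """Injects with no decision recorded within `limit` of being issued."""
        overdue = []
        for inject in (e for e in self.entries if e["kind"] == "inject"):
            issued = datetime.fromisoformat(inject["time"])
            answered = any(
                e["kind"] == "decision"
                and issued <= datetime.fromisoformat(e["time"]) <= issued + limit
                for e in self.entries[inject["seq"] + 1:]
            )
            if not answered:
                overdue.append(inject)
        return overdue


def overdue_seqs(log, minutes):
    """Sequence numbers of injects left without a decision for `minutes`."""
    return [e["seq"] for e in log.overdue_injects(timedelta(minutes=minutes))]


def sample_session():
    """A constructed ransomware tabletop with a perfect-storm second inject."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed start
    log = ExerciseLog("ransomware tabletop (constructed)")
    log.record(t0, "facilitator", "inject",
               "Jody arrives at work and cannot log in; ransom note on screen")
    log.record(t0 + timedelta(minutes=4), "ir-lead", "decision",
               "Isolate Jody's workstation from the network; open incident ticket")
    log.record(t0 + timedelta(minutes=10), "facilitator", "inject",
               "HVAC controller unresponsive; data center cooling degraded")
    log.record(t0 + timedelta(minutes=28), "facilities", "decision",
               "Switch cooling to manual control; notify data center operations")
    log.record(t0 + timedelta(minutes=30), "facilitator", "inject",
               "Journalist emails PR asking about a reported outage")
    return log


if __name__ == "__main__":
    session = sample_session()
    print("\n".join(session.chronology()))
    print("chain intact:", session.verify())
    for seq in overdue_seqs(session, 15):
        print("no decision within 15 min for inject", seq)
```

Run as a script, it prints the five-line chronology, confirms the chain is intact, and reports injects 2 and 4 as unanswered within 15 minutes (the cooling decision came 18 minutes after its inject, and the press inquiry never got one). Editing any entry's text after the fact makes verify() return False, which is the property the after-action review wants from evidence records; a production log would additionally persist entries outside the participants' control (for example, a write-once store or a signed export).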
