
How to Conduct a Cyber Warfare Game Exercise

Defenses are in place and a cybersecurity strategy has been designed. But how does your organization know it is working? Waging a cyberwar game can reveal the gaps that a real attacker would otherwise discover first.

Most cybersecurity professionals are aware that they need to conduct cyberwar game drills to ensure overall cybersecurity readiness. But questions remain about how to conduct this exercise, including the following:

  • What should cyber warfare games include?
  • How often should they be done?
  • Who should participate?
  • What documentation is required?
  • What should the end results and deliverables look like?

Let’s take a look at what is needed for successful cyber warfare gaming exercises, starting with what they are and why companies should conduct them.

Characteristics of an Effective Cyberwar Game

Cyberwar games are creative exercises in which an incident response team reacts to a hypothetical set of scenarios.

The military has a long history of organizing war games, also known as tactical decision games, because they work. Participants learn to understand the unintended consequences of decisions in the context of the chaos of war. As the military adage attributed to Prussian Field Marshal Helmuth von Moltke the Elder goes, “No plan survives first contact with the enemy”.

Now take these lessons and adapt them to cyber war games. An important part of conducting effective cyberwar games is to develop scenarios that incorporate multiple unforeseen events and combine them into "perfect storm" situations. For example, what if the attack vector is an IoT network and an attack on the connected HVAC system brings down the data center? Or what if a Session Initiation Protocol (SIP) man-in-the-middle attack compromises sensitive voice calls while a DDoS attack disrupts the mail server? Or what if a key person is out with the flu?

Another important element is the frequency of exercises. Conducting cyber war games on a regular basis is essential – ideally quarterly but at a minimum annually. Creating the perfect game is less important than waging cyber war games early and often, learning and improving as you go.

Critical Game Roles in Cyber Warfare

The two most important roles in cyber wargaming are the scenario designer and the referee, sometimes called the facilitator. These can be the same person and often come from outside the company, for example from a third-party consulting firm.

The scenario designer's job is to design the exercise and explain it to the participants. The scenario is often determined at a high level by senior management, who may be particularly concerned about a specific kind of incident, such as ransomware. The scenario designer's job is to turn a high-level concern, such as "What if we get hit by ransomware?", into a concrete situation, such as "Jody arrives at work and can't log on to her computer. What does she do?"

The referee's job is to keep everyone on the same page and move the group through the exercise, ideally under a time constraint. After the scenario designer has explained the scenario, the referee gives participants a limited time to decide on their next actions and then feeds the consequences of those actions back to them as the basis for the next round.

Additional Game Roles in Cyber Warfare

The biggest mistake most cybersecurity organizations make with cyber warfare games is assuming that participation should be limited to security practitioners. Nothing could be further from the truth.

For a cyberwar game to be truly effective, all hands have to be on deck: everyone in the organization should play a role, including senior management, legal staff, human resources, support services and administrative staff, as well as the public relations and investor relations teams that will communicate the incident to customers and shareholders.

Organizations should have an incident response plan detailing how each business role responds to a significant incident. The specific role played by each participant should be described in the incident response plan. Start with NIST Special Publication (SP) 800-61 Revision 2 (Rev. 2), which outlines key roles and responsibilities.

Within IT and cybersecurity, system owners typically report incidents to the incident response team. From that point on, the incident response team drives the response process, working with system owners and cybersecurity teams as well as other stakeholders.

Other roles and responsibilities in a cyberwar game depend on the nature of the breach. An extortion request, for example, may require early involvement from legal and finance departments, while a more technical breach may be handled entirely by the infosec team.

Specify how incidents should be communicated to teams outside of technology, including legal, risk, and compliance teams, as well as human resources and public relations. For public companies, investor relations is usually on the list. Don’t forget the customers either. Customer relations teams, which may be a separate department or a group within the sales team, also need to stay informed.

As incident response teams learn more about the breach, they should clearly identify who is potentially affected, whether customers, employees or others, and what action, if any, these groups should take, including whether to contact law enforcement. This is as true in a cyber warfare exercise as it is in a real incident.

Finally, teams should pay close attention to the need for verifiable logging and a documented chain of custody for evidence. For many categories of security incidents, it is essential to keep records that law enforcement and regulatory agencies can later review. In the heat of the moment, documentation may be the last thing on participants' minds, but preserving evidence and keeping the record of decisions and actions up to date is essential. This documentation should also be reviewed during the after action review.
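One way to make the exercise record verifiable is to keep it as a hash-chained log: each entry records who did what and when, plus the SHA-256 digest of any attached artifact (a screenshot, a log export), and carries the hash of the previous entry, so altering or deleting an earlier record breaks the chain. The same log doubles as the timeline for the after action review. This is an added example, not code from the original article; the entry fields, the `EvidenceLog` class and the sample entries below are assumptions constructed for illustration.

```python
"""Tamper-evident (hash-chained) evidence and decision log for a cyberwar game.

Added example, not part of the original article. Entry layout, class names
and the sample entries are constructed for illustration.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash value used by the very first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    seq: int                         # position in the log, starts at 0
    timestamp: str                   # ISO 8601, as recorded by the scribe
    actor: str                       # who acted or decided
    action: str                      # inject, decision, escalation, notification
    artifact_sha256: Optional[str]   # digest of attached evidence, if any
    prev_hash: str                   # entry_hash of the previous entry
    entry_hash: str = ""             # SHA-256 over the canonical payload

    def payload(self) -> bytes:
        # Canonical JSON (sorted keys, no whitespace) so the hash is stable.
        body = {
            "seq": self.seq, "timestamp": self.timestamp, "actor": self.actor,
            "action": self.action, "artifact_sha256": self.artifact_sha256,
            "prev_hash": self.prev_hash,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: str, actor: str, action: str,
               artifact: Optional[bytes] = None) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        digest = sha256_hex(artifact) if artifact is not None else None
        entry = Entry(len(self.entries), timestamp, actor, action, digest, prev)
        entry.entry_hash = sha256_hex(entry.payload())
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or sha256_hex(e.payload()) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None


def verify_artifact(entry: Entry, artifact: bytes) -> bool:
    """Check that a stored artifact still matches the digest recorded at the time."""
    return entry.artifact_sha256 is not None and sha256_hex(artifact) == entry.artifact_sha256


# Constructed sample data: a ransomware tabletop, as the scribe would record it.
SAMPLE_ARTIFACT = b"[constructed] 09:01:12 helpdesk ticket #4471: user Jody cannot log on\n"


def build_sample_log() -> EvidenceLog:
    log = EvidenceLog()
    log.append("2024-03-12T09:02:00Z", "referee", "Inject 1: Jody cannot log on; ransom note on screen")
    log.append("2024-03-12T09:07:00Z", "helpdesk", "Ticket escalated to IR team", SAMPLE_ARTIFACT)
    log.append("2024-03-12T09:15:00Z", "IR lead", "Decision: isolate finance VLAN; notify legal and PR")
    return log


def tamper(log: EvidenceLog, index: int) -> EvidenceLog:
    """Simulate someone quietly rewriting a past decision; verify() should catch it."""
    altered = copy.deepcopy(log)
    altered.entries[index].action = "Decision: no isolation needed"
    return altered


def delete_entry(log: EvidenceLog, index: int) -> EvidenceLog:
    """Simulate an entry being dropped from the record; verify() should catch it."""
    altered = copy.deepcopy(log)
    del altered.entries[index]
    return altered


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact chain:", sample.verify())            # None
    print("edited entry detected at:", tamper(sample, 1).verify())        # 1
    print("deleted entry detected at:", delete_entry(sample, 1).verify()) # 1
```

In a real exercise the scribe would append entries as the referee issues each inject and the team announces each decision; exporting the entries as JSON and hashing the export at the end of the session gives the after action review a timeline that can be checked for later edits. The chain only proves integrity of the record, not the truth of what was recorded, so it complements rather than replaces the scribe's discipline.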

Cyberwar Game Takeaways and Deliverables

Security teams often overlook the most important part of a cyberwar game: the after action review. As NIST wrote in SP 800-61 Rev. 2: “Holding a ‘lessons learned’ meeting with all parties involved… can be extremely helpful in improving security measures and the incident handling process itself.”

NIST also suggested in its guidelines that an interactive meeting be held to answer the following questions:

  • What exactly happened and at what time?
  • How successful were staff and management in handling the incident?
  • Were the documented procedures followed?
  • Were they adequate?
  • What information was needed earlier?
  • Were any steps or actions taken that might have inhibited recovery?
  • What would staff and management do differently the next time a similar incident occurs?
  • How could information sharing with other organizations have been improved?
  • What corrective actions can prevent similar incidents in the future?
  • What precursors or indicators should be monitored in the future to detect similar incidents?
  • What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

It is essential to apply the "five whys" approach to root cause analysis when answering these questions. Participants should keep digging to find out why specific issues arose, rather than simply assigning blame and moving on without making changes. For example, the question "Why didn't Bob tell Mary about a particular situation?" could have answers such as "He was not aware of the situation", "He did not know that Mary's role required her to be informed" or "He did not have her contact details readily available". Each of these answers moves the discussion from unproductive and uncomfortable blame to a real opportunity for improvement.

The incident response team should also have an explicit goal of using the results of the cyber war game to update the incident response plan. This keeps the incident response plan a living document that captures lessons from both real and simulated breach responses.

Other after action review deliverables may include a list of action items, such as updating contact information for key participants. After action reviews should also produce a detailed report containing a timeline of the exercise and a defined action plan, so that future participants know what happened and what was changed as a result.
