War games are not new. Armed forces throughout history have been conducting them for ages to strengthen defenses, test their strategies, check the capabilities of their soldiers, and hone their ability to improvise in a highly charged situation. But, in today's world, cyberwars are increasingly replacing physical wars. So, it's only natural that we are seeing armed forces and organizations adopting cyberwar games.
Encountering a cyberattack in today's landscape is inevitable. So, is your organization equipped to handle one? Is your security team prepared and qualified to protect your network and assets? A good way to identify and answer these questions with any degree of certainty is to conduct cyberwar games that test your organization's incident response capabilities.
Cyberwar games are exercises conducted to test and improve an organizations' security posture and preparedness against cyberattacks. These exercises can be of the tabletop variety or simulations in a test environment that models a replica of the participating organization's business and security environment, to provide the experience of a real attack. But are cyberwar games any different from pen testing? The answer is a resounding yes.
While pen testers are ethical hackers hired by organizations to find security loopholes or vulnerabilities in their network, cyberwar games involve an attack simulation happening around a business scenario where members from different teams in an organization participate together—security, HR, legal, customer care, marketing, business operations, application development, finance, risk management, corporate communications, and ideally even C-suite executives. Through these exercises, organizations can also navigate between the various stages of a potential attack, both from the attacker's perspective and the defender's perspective.
The cyberwar games can be conducted by the organizations in-house or they can be outsourced, either completely or partially. Choosing to outsource has the potential to be more enriching, as there's no chance that the results will be impacted (or even rendered inaccurate) by your red and blue team being too familiar with each other's capabilities, styles, or strategies. Moreover, not all organizations will even have a dedicated red team and blue team, so in this case, outsourcing the team they lack would be the only viable option.
Whoever conducts the war games creates the scenario. The central theme is usually decided by the C-suite executives of the participating organization. This could be based on a specific attack that the organization is trying to defend against (e.g. ransomware) or it could be to test for general readiness against cyberattacks.
Once the scope and objective have been defined, the game scenario will be mapped out by the scenario creator. This scenario creator may also be the facilitator who conducts the game, or it could be an external war-gaming expert.
Once a game begins, it is structured so that the participants receive some basic information but are left to figure out the entire scope of the issue and devise a strategy to respond. As things unfold, the sequence of events adapts according to the actions taken by your teams. While they may perform actions from their existing incident response playbook, in most cases, they'll have to improvise their response based on the information and feedback that the facilitator provides. Time, being of the essence in the war games, will serve as an excellent way for organizations to identify how their MTTD and MTTR stands in the event of a real attack.
Organizations can obtain the following benefits by participating in cyberwar games.
An organization participating in cyberwar games will experience attack stages and their impact from both an attackers' and defenders' point of view. Through the scenario, the teams can witness the various ways an attacker could enter a network, how they escalate privileges to carry out the attack, and the potential impact of a breach on the organization and its customers. Consequences include financial loss, harmed reputation, losing customers, and in the case of a public organization, the loss of the investors' trust and goodwill. From the defenders' performance, everyone in the organization can evaluate the strategies and tactics they use to identify, prevent, and stop an attack in its tracks, in real time.
Through these games with their diverse pool of participants, organizations will learn how to communicate, strategize, and cooperate among their non-technical teams in the event of a possible breach, and figure out ways to mitigate and contain the damage before it becomes irreparable. For instance, a scenario could be about the news of a breach being leaked to the public before the organization has made an official statement. Right from the customer-facing and investor relations team verifying the validity of the claim, to how the situation should be dealt with among the various teams, will all be a part of the process. Most of the time, the true impact of a breach on organizations depends on the way they handle the situation in the wake of a breach rather than the actual breach, especially if it doesn't involve any loss of data. Cyberwar games can thus help organizations understand the roles of different team members in dealing with an incident that extends beyond the scope of just the security or product team. In fact, these games help inculcate the concept of "security as a shared responsibility."
Organizations will be able to identify how their security team performs: from identifying the breach or vulnerability, to assessing the damage and risks involved, promptly and effectively responding, and preserving the evidence for forensic analysis. Games help you to figure out if your existing response playbook and personnel are effective or if improvement is needed. Through these games, organizations can identify security vulnerabilities such as flawed security of assets (due to lack of DevSecOps) that attackers can exploit to invade a network. Organizations can also identify if the right guidelines are in place to contain an attack effectively, which mode of communication different teams prefer in the event of an attack, and even determine if their security might be designed around a trend that has long since become outdated! Organizations can then review and redefine their security approach based on the inferred insights.
While it's undeniable that cyberwar games are necessary, it's also important to know that they come with their own challenges. Cyberwar games are going to cost both time and money. It takes months to plan the games, and the games themselves can take days to weeks depending upon the scope, sophistication, and complexity of the game planned. Since it involves members from multiple teams participating and you might need days or weeks of their time, planning and conducting the games could be quite laborious.
Since conducting a war game is expensive, if you don't have the necessary resources or personnel, outsourcing is your best option. While conducting the games twice a year would be ideal, they should be conducted at least once a year.
It's also essential to involve the C-suite executives right from the planning stage to their participation in the games. If not, one of the following two scenarios might play out at the end of gaming. If the defenders stop the attackers effortlessly, then the senior management might feel like they've just facilitated an extravagant exercise to positively affirm their existing cybersecurity posture. And if the attackers win the game, then they might be frustrated by the need to invest more money to revamp their security. Moreover, it's important that they understand that the red team winning doesn't translate to the blue team's poor performance or skills, but rather the need for more stringent security guidelines and protocols in dealing with sophisticated attacks. This can only be achieved if the senior executives understand the intent and extent of the cyberwar gaming exercise.
Cyberwar games are a great way to assess and increase the preparedness of your security team. It's a way of increasing cyber resiliency through repeated training exercises, so the security team becomes primed to effectively respond to real life attacks instinctively.
Just as agencies across the government and world have joined together in holding cyberwar games, organizations in the private sector could benefit from following this example. Teaming up could help overcome the time and cost constraints inherent in planning these exercises. And not only will the burden be shared between two or more organizations, but the scope of learning will also increase drastically! As threat landscapes might differ among the organizations, the attack scenarios that the participating organizations will be exposed to will be varied, leading to greater strategies and solutions.
So, irrespective of the number of participating organizations, cyberwar games are a great learning experience and one that your organization should consider. Are you ready to step up to the challenge of testing your organization's security preparedness against cyberattacks? Best of luck, warriors!
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.
