Security controls are in place, and a cybersecurity strategy has been developed. But how does your organization know they work? Conducting cyber-war games can expose shortcomings before real attackers do.
Most cybersecurity professionals know they need to practice cyber-war gaming to ensure overall cybersecurity readiness. But questions remain about how to run such an exercise:
- What should be included in cyber-war games?
- How often should they be held?
- Who should participate?
- What documents are required?
- What should the final result and deliverable look like?
Let’s look at what cyber-war games are, why businesses should conduct them and what a successful exercise requires.
Features of an effective cyber-war game
Cyber-war games are scenario-based exercises in which the incident response team reacts to a hypothetical set of circumstances.
The military has long held war games, also known as tactical decision games, because they work. Participants learn to appreciate the unintended consequences of their decisions amid the chaos of battle. A military saying attributed to the Prussian Field Marshal Helmuth von Moltke the Elder is, “No plan survives first contact with the enemy.”
Now, apply those lessons to cyber-war gaming. A key factor in organizing an effective cyber-war game is developing a scenario that includes several unplanned events and creates a perfect storm. For example, what if the attack vector is the IoT network, and an attack on a connected HVAC system takes down the data center? What if a Session Initiation Protocol (SIP) man-in-the-middle attack compromises sensitive voice calls while a DDoS attack degrades the email server? What if a key person is out with the flu?
Another important factor is how often the exercise is held. Conduct cyber-war games regularly, ideally quarterly but at least annually. Running games frequently matters more than making each one perfect, so keep learning and improving as you go.
Key cyber-war gaming roles
The two most important roles in cyber-war gaming are the scenario creator and the referee, sometimes called the facilitator. They can be the same person and often come from outside the firm, for example, from a third-party consulting company.
The scenario creator’s job is to build the scenario and present it to the participants. The scenario is often set at a high level by senior leadership, who may be particularly concerned about a specific threat, such as ransomware: “What if we get hit by ransomware?” The scenario creator then translates that concern into concrete, real-world situations, such as “An employee comes to work and can’t log in to her computer. What does she do?”
It is the referee’s job to keep everyone on the same page and move the group through the exercise, ideally within the allotted time. Once the scenario creator has laid out the situation, the referee gives participants a limited time to decide on their next action and then provides feedback, the consequences of that action, so they can take the next step.
Additional cyber-war gaming roles
One of the biggest mistakes organizations make in cyber-war gaming is assuming that participation should be limited to security practitioners. This could not be more wrong.
For a cyber-war game to be truly effective, it must be all hands on deck: everyone in the organization, including senior management, legal, human resources, support services and administrative staff, must play a role, as must the PR and investor relations teams that will inform customers and stakeholders about the incident.
An organization’s incident response plan should spell out how each role in the company responds to a significant incident; the specific part each participant plays should be outlined there. Start with NIST Special Publication (SP) 800-61 Rev. 2, which describes the main roles and responsibilities.
In IT and cybersecurity, system owners typically report incidents to the incident response team. That team takes over the incident response process from there and works with the system owners, the cybersecurity team and other stakeholders.
Other roles and responsibilities in the cyber-war game depend on the nature of the breach. A ransom demand, for example, may require early involvement from legal and finance, while more technical breaches may be handled largely by the infosec team.
Specify how incidents are reported to the legal, risk and compliance teams, as well as to teams outside technology, including HR and PR. For public companies, investor relations is usually on the list. Don’t forget customers either: the teams responsible for customer relations, which may be a separate department or a group within sales, should also be kept informed.
As the incident response team learns more about the breach, it should clearly communicate who is potentially affected, whether customers, employees or others, what the impact is, and what actions those groups should take, including whether to contact law enforcement. This is as true in a cyber-war gaming exercise as it is in a real incident.
Finally, teams need to pay attention to auditable logging and chain of custody for evidence. For many categories of security incidents, records must be preserved for law enforcement and regulators to review. In the heat of the moment, documentation may be the last thing on participants’ minds, but it is essential to ensure that evidence is preserved and documentation is kept current. This documentation should also be reviewed during the post-action review.
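One practical way to make the exercise chronology auditable is to keep it as a hash chain: each entry commits to the previous entry’s hash, so any later edit or deletion is detectable. The following is an added example, not code from the original article or from NIST. It assumes the referee records timestamped entries of who did what, and that the final hash is shared out of band (for example, emailed to legal when the exercise closes) so the log cannot be quietly rewritten afterward. The sample entries are constructed for illustration.

```python
"""Tamper-evident exercise log: a SHA-256 hash chain over timestamped entries.

Added example (not from the original article). Assumes the referee keeps the
war-game chronology as an append-only list and wants to prove to a reviewer,
auditor or regulator that nothing was altered after the fact.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    timestamp: str   # ISO 8601, as recorded by the referee
    actor: str       # role or person taking the action
    action: str      # what happened (inject, decision, notification, ...)
    prev_hash: str   # hash of the previous entry; GENESIS for the first one
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        payload = json.dumps(
            {"timestamp": self.timestamp, "actor": self.actor,
             "action": self.action, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


class ExerciseLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: str, actor: str, action: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = Entry(timestamp, actor, action, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry: the value to share out of band."""
        return self.entries[-1].entry_hash if self.entries else self.GENESIS

    def verify(self) -> Optional[int]:
        """Return the index of the first broken entry, or None if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.prev_hash != prev or entry.compute_hash() != entry.entry_hash:
                return i
            prev = entry.entry_hash
        return None


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Build a small constructed log, then tamper with it and re-verify.

    Returns (result before tampering, result after tampering).
    """
    log = ExerciseLog()
    # Constructed sample entries, not a real exercise.
    log.append("2024-03-12T09:00:00Z", "referee", "inject: ransom note found on file server")
    log.append("2024-03-12T09:07:00Z", "IR lead", "file server isolated from network")
    log.append("2024-03-12T09:15:00Z", "legal", "outside counsel notified")
    before = log.verify()

    # Someone later rewrites entry 1 and even recomputes its own hash;
    # entry 2 still points at the old hash, so the break shows at index 2.
    log.entries[1].action = "file server left online"
    log.entries[1].entry_hash = log.entries[1].compute_hash()
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print("verify before/after tampering:", demo())
```

Because each entry commits to its predecessor, a tamperer has to recompute every later hash, which changes the head hash that was already shared with legal at the close of the exercise. The same pattern can be applied to evidence artifacts by logging their SHA-256 digests as entries.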
Cyber-war gaming takeaways and deliverables
The most important part of the cyber-war game is the one security teams most often overlook: the post-action review. As NIST SP 800-61 Rev. 2 puts it: “Holding a ‘lessons learned’ meeting with all involved parties … can be extremely helpful in improving security measures and the incident handling process itself.”
In its guidance, NIST recommends that the meeting address the following questions:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident?
- Were the documented procedures followed?
- Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organizations have been improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze and mitigate future incidents?
In answering these questions, it is important to take a “five whys” approach to root cause analysis. Participants should keep digging to find out why specific problems arose, rather than assigning blame and moving on without making changes. For example, the question “Why didn’t Bob inform Mary of the situation?” might yield answers such as “He wasn’t aware of the situation,” “He wasn’t aware that Mary’s role required her to be informed” or “He didn’t have her contact information readily available.” Each of these translates into a follow-up action. This turns unproductive, uncomfortable blame into a real opportunity for improvement.
The incident response team should also make it an explicit goal to use the output of the cyber-war game to update the incident response plan. This keeps the plan a living document that captures insights from responses to both real and simulated breaches.
Other post-action review deliverables may include a list of action items, such as updating contact information for key participants. The review should also produce a detailed report with a timeline and a defined action plan, so that future participants know what happened during the exercise.