Attackers will inevitably enter your defense. The question is how effectively and quickly your current security and response strategy will work in an attack.

One preparation option is to convert military war games into cybersecurity tabletop exercises. Although cyber-war gaming is not a new concept, it has not been widely accepted – yet.

What is cybersecurity tabletop exercise?

Cyber-war games are designed to give a real-time look at how the company will defend and respond to an attack. The Red Team uses the same tools as the attackers to identify weaknesses in the company’s security strategy. The blue team, meanwhile, works to prevent any successful entry through the red team from entering the system.

However, these tabletop exercises are much more than just trying out access testing and attack methods.

“It’s not the same as a goal like an insecurity scanner or a pen test; you won’t get the same results from there,” said Ken Smith, a national leader in cyber testing at consulting firm RSM US.

Conversely, cyber-war games inform the state of readiness of the company’s cybersecurity policy and how well security teams will respond to an attack.

Successful cyber-war games also involve members of the security team and the company. They are much more involved than red teaming or other safety exercises. Companies need to involve all major stakeholders, from CEOs to security teams.

“It’s not just a response to an attack and an incident, it’s crisis management,” said John Oltsek, an analyst at Enterprise Strategy Group in Tech Target’s division. “What would the CEO say if a reporter called? What would you say to customers, regulators, etc.?” The main thing is to buy from C-suite. Also, the authorities must determine the purpose of the assessment in advance.

How long a game of war takes to practice depends on how deep it is. Scope can range from one month to six weeks. Each test includes a follow-up report that expands on the results of the safety teams.

How cyber-war gaming works

Unless the cyber-war game is about testing a particular tactic or aspect of the system, let the red team do what they want during the attack.

“Realism is the goal,” Oltsek said. “Use tricks, techniques, and tactics that enemies can use.”

It is also important to have a goal before putting cyber-war games into practice. “Are you testing new controls recently?” Said Smith. “Or is your process stuck for a while, and you’re looking for a refresher?”

In one practice, security teams use clones of the company’s live environment to achieve real-world results. The red team launches an attack, while the blue team follows existing security strategies to see if it can detect an initial attack. From there, it depends on which side can use more creative and effective methods to move forward or stop the attack.

Another option is to create a pre-configured environment for IT that the red or blue team is not aware of, as happens in events organized by the National Collegiate Cyber ​​Defense Competition. In his event, the Blue teams tried to identify the system and how the Red team would secure it before launching their attacks, Smith said.

Consider the maturity level of the organization, the resources

Businesses of all sizes host cyber-war games, but don’t just take the test for granted. Companies need to assess their maturity level before making an effort and know what they want out of the exercise.

Companies that conduct annual pen tests and two-year concrete results show readiness, Smith said, especially if you’re scanning quarterly vulnerabilities, both internally and externally, and you don’t see coal-in-the-coal. My kind of situation. “

Before considering cyber-war gaming, it is also important to consider whether there is infrastructure and personnel to conduct, detect and respond to attacks. “If you miss any of these pillars, it’s not going to cost you time and effort,” Smith said.

In this case, outsourcing is an option. Companies don’t have to deal with all aspects of cyber-war gaming internally – and in fact, outsourcing at least part of the exercise can be beneficial.

If your company only has a blue team, for example, it may hire a third party to attack. Even if your company has the staff and resources to exercise, consider hiring an outside red and blue team to test the opposite internal team. Your red team may know how the internal blue team will respond, and vice versa, which may not be the case with a third-party attacker. This can affect the test and the results.

Challenges of cyber-war gaming

Cyber-war gaming is not all rose. Be aware of these potential disadvantages before exercising.

Cyber-war gaming is not cheap

Conducting an assessment can be expensive. It takes time to create the situation, set the ultimate goal, and exercise. In some cases, the end result is not worth the time and expense. If the blue team prevented the red team from entering the perimeter, you just took the expensive pen test. On the other hand, if the Red Team easily accesses the system and experiences it without any resistance, it indicates the need for repair for your cyber security protection.

“You don’t always have to pay the price because you’re testing the unknown,” Smith said. “Exercise may not be a big hit for your money. But, if your program is at the right maturity level, you have worked hard, you have your controls and you are testing regularly, that’s it. Your processes are working as you wish. That’s the decent thing to do, and it should end there. “

Poor C-suit communications can hurt security teams

C-suits should be included in cyber-war games, but unfortunately, this is not always the case. However, let the board and C-suit know how tabletop exercises work and always make sure they understand the purpose of the exercise. Remind them that a successful attack does not mean that the blue team has failed or that people should lose their jobs.

Transform it into a competition

Another concern is that tabletop exercises can become more competitive. Forrester Research analyst Jeff Pollard said the red team wins more often, but that doesn’t mean the blue team is a failure. Do not harm future cooperation by making the exercise a competition between the red and blue teams.

“When it becomes controversial and toxic,” Pollard said.

Purple teasing as an alternative

Organizations may consider using purple teaming instead of cyber-war gaming. This approach encourages collaboration on competition. In purple team the red team works with the blue team to explain what they would do if they were attacking. This helps blue teams understand potential attacks and know what to look for in the future.

“Purple teaming is a collaborative effort,” Pollard said. “War gaming can be competitive; there is a clear ‘winner’. With purple teaming, you can place the red team next to the blue team and show them what they will do next in the attack.”

Overall, both exercises aim to improve the security of an organization, but cyber-war gaming is more widespread. In cyber-war gaming, successful red teaming helps to inform the company where the current process or technology is lacking and where it needs to work and gives the blue team more experience of what the actual attack looks like.