Enterprises often talk about the need for cyber-war gaming but struggle with the nuts and bolts of actually conducting one. Information is available on how to design and execute a cyber-war game, but running one in practice is another matter.
The following case study describes the experience of a real-world CISO conducting a cyber-war game. The company is a medium-sized firm of about 3,000 employees with operations distributed throughout the US, a heavy emphasis on knowledge work, and no manufacturing plants or retail stores.
Editor’s Note: The company that organized the cyber-war game wishes to remain anonymous. The author’s interview with the CISO is annotated with observations and insights.
What inspired the decision to conduct a cyber-war game?
“We were really pushed by our board to do a better job on ransomware. We’ve never been hit, but we realized the risk was much higher than before. So, we focused on what we needed to do to make ourselves better, ready and more flexible,” said the CISO.
In Nemertes’ experience, this is typical. The decision to conduct cyber-war games comes from senior-level management, including the CEO and sometimes the board. The concern is that executives and boards don’t know what could happen in the event of an attack, and they want something more concrete than the assurances they get from the CISO.
How did you prepare for the cyber-war game?
In preparation for the war game, the CISO said, the security team completely revised and updated the company’s incident response plan (IRP). A ransomware-specific version of the IRP was then developed.
After those two tasks were completed, the CISO said the team conducted a “technical incident response focused on detecting, preventing and restoring services.”
According to Nemertes, this is the perfect way to prepare for a cyber-war game. The company’s board was particularly concerned about ransomware, so the security team made sure it had both a general-purpose IRP and a ransomware-specific playbook.
Before conducting any kind of cyber-war game or tabletop exercise, companies should have at least basic guidelines on how to respond.
Did you use a partner? If so, how did you choose a partner?
The CISO reported that the company outsourced the work to an outside partner.
When choosing a partner, the CISO looked for the following:
- the partner’s skills and capabilities;
- the partner’s grasp of how a ransomware-focused cyber-war game differs from other cyber-war games; and
- the partner’s track record and existing relationship with the firm.
Because he and his company had previously had a positive experience with the provider, the CISO said he decided to repeat the exercise with that partner.
What outcomes were you hoping to achieve?
The main goals, the CISO said, were to make everyone aware of how ransomware attacks differ from other attacks, and for both the security team and the organization as a whole to understand how the ransomware-specific playbook works. “There [were] a lot of new people who haven’t been through a tabletop exercise before,” he added.
In general, “awareness of response gaps” is the main objective of most organizations for cyber-war gaming. With practice, security teams can flag areas for improvement.
Were those results achieved?
The CISO said the cyber-war game exercise yielded the expected results. The primary gap the company found was — not surprisingly — in the area of communication. “Though we have focused on improving our communication aspect, there are still communication gaps,” he said.
In this company’s case, however, the issue was that communicating effectively involves more than knowing whom to contact and how to reach them. In an unrelated episode, there was an urgent need to reach IT and cybersecurity personnel. The CISO found that emailing employees after hours didn’t work; they weren’t reading email. But leaders who called or texted their teams were able to reach them immediately.
The lesson? “In an incident, you have to call people,” said the CISO.
In Nemertes’ experience, all this is typical. Communications is always the biggest gap in any IRP. Knowing how to communicate effectively with different individuals poses a real challenge in today’s multichannel world. Some people — like this CISO’s team — read text but not email. Others respond to phone calls but not texts or emails, while others still may respond through enterprise collaboration tools like Slack or Teams.
The bottom line? To be effective, an IRP must specify not simply whom to reach but how to reach them. The channel also needs to match the team’s habits. Don’t try to tell a text-centric team that they need to answer phone calls or emails.
Was the exercise in person or virtual?
“It was done virtually. But the fact is: we are a virtual organization,” said the CISO, adding that the virtual exercise was just as effective as the in-person exercises the company held before the Covid-19 pandemic.
This matches Nemertes’ experience. We conduct cyber-war games virtually, and our clients report a high degree of satisfaction with the outcome.
Who was involved in the exercise? Does it extend beyond the technical team?
This particular exercise involved only the technical team, the CISO said, but the company plans a broader exercise later in the year that includes management.
In Nemertes’ experience, this is the right strategy. If an organization has never run a cyber-war game before, do the first one with the technical team. Once the obvious gaps have been identified and addressed, expand the exercise to the broader organization.
What will you do differently in the future?
Even a successful exercise can be improved upon, and this one was no exception.
“Tabletop exercises require planning and coordination,” said the CISO. “There are different scenarios. More planning should be done on different types of scenarios to stress different elements of the IRP.”
This is the key point: give each cyber-war gaming exercise a focus. If communication is the weak link in your organization, for example, make sure the cyber-war game stresses communication. Or, if the tooling or automation needed to contain a particular type of breach is lacking, ensure that the cyber-war game includes that type of breach.
What additional advice do you have?
“Tabletop exercises are really valuable. We don’t do them often enough,” said the CISO. “We can send documents; people can read things. But it’s not until everyone is in the room that you really learn what everyone’s responsibilities are. It’s like any other wargaming — the best learning happens when you try to practice what happens in real life.”
Nemertes agrees. We recommend cyber-war gaming at least twice a year, which the CISO also recommends. Quarterly cyber-war gaming is optimal, though the CISO thinks that could be too much.
The bottom line? Cyber-war gaming is an effective tool in any threat mitigation portfolio. If your organization has never hosted one before, there’s no time like the present. And, if you’ve tried cyber-war gaming in the past, it’s time to take it to the next level.