Enterprises often talk about the need for cyber-war gaming but struggle when it comes to the nuts and bolts of conducting one. Information is available on how to construct and implement a cyber-war game, but putting one into practice is another question.
The following case study is an account of the experiences of a real-world CISO conducting a cyber-war game. The company is a midsize firm of around 3,000 employees with distributed operations across the U.S. It has a heavy emphasis on knowledge work and no manufacturing plants or retail stores.
Editor's note: The company that conducted the cyber-war game wishes to remain anonymous. The author has annotated the interview with the CISO with observations and insights.
"We were really being pushed by our board to do better on ransomware. We've never been hit, but we realize the risk is much greater than it used to be. So, we focused on what do we need to do to make ourselves more prepared and more resilient," the CISO said.
In Nemertes' experience, this is typical. The decision to hold cyber-war games comes from senior-level management, including the CEO and, sometimes, the board. The concern is that executives and the board lack insight into what might happen in the event of an attack, and they want something more concrete than assurances from the CISO.
In preparation for the war game, the CISO said, the security team completely revised and updated the company's incident response plan (IRP). It then developed a ransomware-specific version of the IRP.
After those two tasks were completed, the CISO said the team conducted "a technical incident response focused on detection, containment and restoration of services."
In Nemertes' view, this is the right way to prepare for a cyber-war game. The company's board was specifically concerned about ransomware, so the security team made sure it had both a general-purpose IRP and a ransomware-specific playbook.
Before conducting any kind of cyber-war game or tabletop exercise, companies should have, at minimum, preliminary guidelines on how to respond.
The CISO reported that the company worked with an outside firm, as do the vast majority of CISOs Nemertes works with.
When selecting the partner, the CISO looked at the following things:
Because he and his company had a positive experience with the provider previously, the CISO said, the company decided to repeat the exercise with that partner.
The main objectives, the CISO said, were to get everybody aware of how ransomware attacks are different and for both the security team and the organization as a whole to learn how a ransomware-specific playbook works. "There [were] a lot of new people who hadn't previously gone through the tabletop exercise," he added.
In general, "awareness of gaps in the response" is one of the main goals most organizations have for cyber-war gaming. By going through the exercise, security teams can flag areas for improvement.
The CISO said the cyber-war game exercise delivered the intended results. The primary gap the company found was -- not surprisingly -- in the area of communication. "Even though we emphasized improving our communications aspect, there still are communication gaps," he said.
In this company's case, however, the issue had more to do with how to communicate effectively than knowing who to communicate with or how to reach them. In an unrelated episode, there was an urgent need to reach IT and cybersecurity staff. The CISO found that emailing employees after hours didn't work; they weren't reading emails. But the leaders who called or texted their teams were able to reach them right away.
The lesson? "In an incident, you have to be calling people," the CISO said.
In Nemertes' experience, all of this is typical. Communication is almost always the greatest gap in any IRP. Knowing how to communicate effectively with different individuals is a real challenge in today's multichannel world. Some people -- like this CISO's team -- read texts but not email. Others respond to phone calls but not text or email, while still others may respond primarily via enterprise collaboration tools, such as Slack or Teams.
The bottom line? To be effective, an IRP must specify not just who to reach but how to reach them. The channel also needs to match the proclivities of the team. Don't try to tell a text-centric team it needs to take phone calls or answer email.
"It was done virtually. But the fact is: We're a virtual organization," the CISO said, noting that the virtual exercise was about as effective as its previous in-person one before the COVID-19 pandemic.
This aligns with Nemertes' experience. We conduct cyber-war games virtually, and our clients report a high degree of satisfaction with the outcome.
This particular exercise involved only the technical team, the CISO said, but the company is planning a broader exercise later in the year that includes management.
In Nemertes' experience, this is the right strategy. If an organization has never done a cyber-war game before, do the first one with the technical team. Once confident all obvious gaps have been identified and addressed, extend the exercise to the broader organization.
Even a successful exercise can be improved upon, and this one was no exception.
"A tabletop exercise requires a good deal of planning and coordination," the CISO said. "There are a variety of scenarios. There should have been more planning on different kinds of scenarios to stress different components of the IRP."
This is a key point. Focus cyber-war gaming exercises on areas that require emphasis. If communication is a weak link in your organization, for example, make sure the cyber-war game addresses communication. Or, if the tooling or automation to successfully contain a type of breach is lacking, make sure the cyber-war game includes that specific type of breach.
"Tabletop exercises really are valuable. We don't do them often enough," the CISO said. "We can send documents; people can read things. But it's not until everyone's virtually in the room where you really learn what everybody's responsibility is. It's like any other war gaming -- the best learning happens when you're trying to practice what happens in real life."
Nemertes concurs. We recommend cyber-war gaming at least twice per year, which is this CISO's recommendation as well. Quarterly cyber-war gaming is optimal, though the CISO feels that might be too much overhead.
The bottom line? Cyber-war gaming is an effective tool in any threat mitigation portfolio. If your organization has never held one before, there's no time like the present. And, if you have tried cyber-war gaming in the past, it's time to take it to the next level.