
Practical Aspects of Conducting Cybersecurity Exercises

Cybersecurity Exercises

IT Chronicles reached out to executives, thought leaders, experts, practitioners, and writers about a unique initiative. ITC would donate to Second Harvest for every article submitted in December by our past contributors. Thank you to all who contribute to this food drive. We appreciate your knowledge and leadership.

Let us look at what cybersecurity training is, how cyber polygons work, and what benefits such events may bring to organizations. Do cybersecurity exercises really help in repelling targeted attacks or does the interest here only have to do with possible actions of state regulators?

What are the types of cybersecurity exercises?

Today, the concepts of cybersecurity training, cyber drills, and cyber polygons do not have clear boundaries. Historically, cybersecurity exercises were paper-based command-and-staff exercises. Such events, which bring together representatives of different departments, were aimed at identifying individual skills. Today, however, cybersecurity drills are primarily needed to train teamwork.

Sometimes cybersecurity exercises are conducted as CTF competitions, that is, team competitions in the Capture the Flag format. However, these are aimed more at acquiring new knowledge and skills in the field of information security than at practicing the actions to take in case of a cyber-attack on an organization.

The most advanced version of cybersecurity exercises is to emulate a real attack aimed at an infrastructure that is close to the one owned by the company. Such exercises are challenging to run. They require a lot of financial and technical resources, specialized software and hardware platforms. In the process of repelling a test attack, employees of the organization can learn new skills and practice collaborative work in responding to an incident.

There are two types of exercises – theoretical and functional. Theoretical exercises, also called tabletop exercises, are aimed at discussing organizational tasks and practicing managerial decision-making.

The functional drills involve technicians who use a simulated environment to practice actions in the event of an incident. There are also hybrid cybersecurity exercises that affect both management and technical personnel.

Cybersecurity exercises can also be classified by scale:

  • Objective – an attack on a specific enterprise is practiced.
  • Industry-specific – simulating attacks against multiple companies in the same industry.
  • Cross-industry.
  • Regional, international.

There are no bad forms of cybersecurity exercises. Any activity where an employee gains new knowledge or hones skills in the field of information security will benefit the company.

Cybersecurity exercises can be defined as any activity that increases the readiness of personnel to counter new cyber threats.

Can Red Teaming be considered cybersecurity exercises?

I think yes. This is a planned event that has all the hallmarks of cybersecurity exercises. It involves learning and practicing skills, entails an assessment of the results, and also involves the interaction of teams.

Is it possible to carry out cybersecurity training on your own without inviting third-party experts?

On the one hand, self-testing your security posture entails the risk of obtaining biased results, as not all managers are ready to adequately assess the work of their subordinates. In most cases, an evaluation provided by third parties will be more indicative.

On the other hand, you can try to carry out some types of cybersecurity drills on your own. Large, mature organizations regularly undergo various internal audits. Cybersecurity exercises can be included in the standard procedures of such departments in order to provide a view on potential problems from the outside.

The maturity of the company and its readiness for such a step are of critical importance in deciding whether to conduct cybersecurity exercises on your own or not. Here are the key questions that may arise along the way:

  • Is the company able to deploy a copy of the infrastructure on which the exercise will be conducted?
  • Is the company ready to conduct drills on a live business system?
  • Who will attack? Is it necessary to attract specialized companies?
  • How to simulate the “creativity” typical of real hackers during a test attack?
  • Is it possible to simulate an attack by attracting white hat hackers? Is it safe?

It should be noted that conducting an attack on a real infrastructure is associated with significant risks, especially when even temporary disruptions may threaten human lives and health. In some cases, such intervention in the operation of critical systems is simply prohibited.

How to carry out cybersecurity exercises at a minimum cost?

It is not always clear how to conduct cybersecurity exercises without a large budget. It is especially difficult for small organizations.

A small or immature company first needs to answer the questions:

  • Why does it need cybersecurity exercises?
  • What goals does the organization plan to achieve through them?
  • What areas of activity should be improved?

The answers will largely determine the ways of implementation and will help to set tasks for a specialized company.

There is a special methodology for identifying goals. In some cases, before running cyber drills in an organization, it is helpful to conduct a security audit in order to identify weaknesses, the protection of which can be worked out later during exercises and training.

As noted above, a lot depends on the size and “level of maturity” of the company. If an organization does not have information security specialists at all, then it is unlikely that it needs to think about cybersecurity exercises. If there are only one or two such people, it is better just to order a pentest.

Companies with small budgets can use a combination of tabletop exercises and practicing basic threat response skills on typical infrastructures. Actually, it is vital to test existing incident response plans regularly.

The cyber-quest format, where employees take part in a step-by-step analysis of a cyber-attack scenario, may also provide good results. If you explain everything to people in detail, show them the ways to obtain new knowledge and skills, and tell them which books or websites can be studied, the results will be immediately visible.

What do customers usually order from companies that help carry out cybersecurity exercises?

According to companies that help with cybersecurity exercises, most customers who have sufficient budgets prefer to host a ready-made platform with a set of scenarios. About 30% of customers need a thick manual and detailed instructions on how to conduct cybersecurity exercises without the involvement of third-party specialists. A set of scenarios for self-training is interesting for 20% of customers. Finally, 15% of customers would choose to rent a cloud-based training platform.

How to prepare for unknown attacks?

Cyber polygons and services for running cybersecurity exercises most often involve the development of standard, albeit customized, attack scenarios. Solving typical scenarios is the analog of a school test. But how can an organization be prepared for the non-standard actions of hackers? For example, spear phishing is on the rise these days.

First, it is worth trying exercises in the “stand-off” format – when targets are attacked by real people and not by algorithms. In this case, unexpected situations that were not included in the original plan always arise.

It is impossible to foresee all emergency situations. Still, it is possible to prepare a specialist to respond to them – to develop skills in responding to “expected unknown” information security events.

Much depends on the approach. Most platforms are aimed at training technical skills. Practicing organizational interactions and executive decisions is often given less attention.

A suitable method of practicing actions in emergency situations can be running a long pentest. It will help create additional pressure on the information security department and teach how to act correctly during real attacks.

Governments and cybersecurity exercises

Many organizations expect practical recommendations from state authorities and are ready to comply with them. It is desirable to have a balanced document since too detailed guidance will quickly become outdated, and too general wording will reduce the practical significance of the regulation.

Conclusion

I would like to reiterate the key tips for companies that are thinking about conducting cybersecurity exercises:

  • Before conducting cybersecurity exercises, the company should understand why such training is needed and how regularly it is required, as well as establish typical incident response processes.
  • The customer ordering cybersecurity exercises needs to convey to the service provider all information about the infrastructure. Knowing all critical points, possible security vulnerabilities, and anticipated attack scenarios will help improve the quality of upcoming exercises.
  • It is important to carefully consider the choice of a platform for conducting cybersecurity exercises. The customer must trust the service provider, understand that the partner will adequately assess the results and formulate competent recommendations.
  • Try to soberly assess your strengths, opportunities in terms of time and money. I would advise you to start slowly, choose a narrow area and move consistently, in clear and concrete steps.
  • Learn from the experience of other industries, for example, software development and testing. Many methodological issues are worked out there in sufficient detail.
  • Do not forget that there are no bad forms of developing cybersecurity skills – use all available methods.