Defenses are in place, and a cybersecurity strategy has been designed. But how does your organization know they work? Conducting a cyber-war game can expose any shortcomings a real attacker may uncover.
Most cybersecurity professionals are aware they need to conduct cyber-war gaming exercises to ensure overall cybersecurity readiness. But questions remain about how to conduct this exercise, including the following:
- What should the cyber-war games include?
- How often should they be conducted?
- Who should participate?
- What documentation is required?
- What should the end results and deliverables look like?
Let’s look at what’s needed for successful cyber-war game exercises, starting with what they are and why businesses should conduct them.
Characteristics of an effective cyber-war game
Cyber-war games are creative exercises in which an incident response team reacts to a hypothetical set of scenarios.
The military has long conducted war games, also known as tactical decision games, because they work. Participants learn to understand the unintended consequences of decisions in the context of the chaos of warfare. As the military adage attributed to Prussian Field Marshal Helmuth von Moltke the Elder goes, “No plan survives first contact with the enemy.”
Now, take those lessons, and adopt them for cyber-war gaming. One important element to conduct effective cyber-war games is to develop scenarios that incorporate multiple unplanned events and generate perfect-storm scenarios. For instance, what if the attack vector is an IoT network and an attack on the connected HVAC system brought the data center down? Or what if a Session Initiation Protocol man-in-the-middle attack compromised sensitive voice calls, while a DDoS attack took down the email server? Or what if a key person is out with the flu?
Another important element is how often the exercises are held. Conducting cyber-war gaming on a regular basis is key — ideally, quarterly but minimally annually. It’s less important to craft the perfect game than it is to conduct cyber-war gaming early and often, learning and improving as you go.
Critical cyber-war gaming roles
The two most important roles in cyber-war gaming are the scenario creator and the referee, sometimes called the facilitator. These can be the same individual and often come from outside the firm, e.g., a third-party consulting company.
The scenario creator’s job is to craft the exercise and explain it to the participants. The scenario is often determined at a high level by senior leadership, which may be particularly concerned about a specific incident, such as ransomware. The scenario creator’s job is to turn a high-level concern, such as “What if we get hit by ransomware?” into a real-world scenario, such as “Jody arrives at work and can’t log in to her computer, so what does she do?”
The referee’s job is to keep everyone on the same page and moving through the exercises — ideally, under a time constraint. Once the scenario creator explains the scenario, the referee gives participants a limited amount of time to determine their next actions and then provides them with feedback to take subsequent actions.
Additional cyber-war gaming roles
The biggest mistake most cybersecurity organizations make with cyber-war gaming is assuming participation should be limited to security practitioners. This couldn’t be more wrong.
For a cyber-war game to be truly effective, it’s all hands on deck — everyone in the organization should play a part, including senior management, legal, HR, support services and administrative staff, as well as the PR and investor relations teams to communicate the incident to customers and shareholders.
Organizations should have an incident response plan detailing how every role in the company responds to a significant incident. The specific part each participant plays should be outlined in the incident response plan. Start with NIST Special Publication (SP) 800-61 Revision 2 (Rev. 2), which describes key roles and responsibilities.
Within IT and cybersecurity, system owners typically report incidents to incident response teams. These teams take over the incident response process from that point and work with the system owners and cybersecurity teams, as well as other stakeholders.
Other roles and responsibilities in a cyber-war game depend on the nature of the breach. An extortion request, for example, might require early participation from legal and finance, while a more technical breach may be handled entirely by the infosec team.
Specify how incidents should be communicated to teams outside of technology, including legal, risk and compliance teams, as well as HR and PR. For public companies, investor relations is usually on the list. Don’t forget about customers, either. Teams responsible for customer relationships, which may be a separate department or a group within the sales team, should also stay informed.
As the incident response teams learn more about the breach, they should clearly communicate who is potentially affected, whether it’s customers, employees, etc., and what action, if any, these groups should take, including reaching out to law enforcement. This is as true in a cyber-war gaming exercise as it is in the case of a real incident.
Finally, the teams need to pay close attention to the need for auditable logging and chains of evidence. For many classes of security incidents, it’s critical to maintain records for law enforcement and regulatory bodies to review. In the heat of the moment, documentation may be the last thing on participants’ minds, but it’s critical to ensure evidence is maintained and documentation kept up to date. It’s also important to review this documentation during the after-action review.
Cyber-war gaming takeaways and deliverables
Security teams often neglect the most important part of a cyber-war game: the after-action review. As NIST wrote in SP 800-61 Rev. 2: “Holding a ‘lessons learned’ meeting with all involved parties … can be extremely helpful in improving security measures and the incident handling process itself.”
NIST also suggested in its guidance holding an interactive meeting to answer the following questions:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident?
- Were the documented procedures followed?
- Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organizations have been improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze and mitigate future incidents?
It’s critical to rely on the five-whys approach to root cause analysis when answering these questions. Participants should continue digging to find why specific issues arose, rather than simply apportioning blame and moving on without making changes. For example, the question, “Why did Bob not inform Mary of a particular situation?” might have answers such as, “He was not aware of the situation,” “He was not aware Mary’s role required her to be informed,” “He did not have her contact information readily accessible,” etc. This transforms the after-action review from an unproductive and uncomfortable blamefest into a true opportunity for improvement.
The incident response team should also have an explicit goal of using the output of the cyber-war game to update the incident response plan. This ensures the incident response plan is a living document, capturing insight from responses to both real and simulated breaches.
Other after-action review deliverables might include a list of action items, such as updating contact information for key participants. After-action reviews should also generate a detailed report containing a chronology and defined action plan so future participants are aware of what happened during the exercise.