Cyber War Gaming

The emerging concept in cyber defence is war gaming, which is still in its infancy in the realm of critical infrastructure and in sectors where IT infrastructure is critical or fundamental to an operation. The increasing realisation that penetration testing does not address the holistic weaknesses in an organisation's ability to detect and respond to a sophisticated attack, or its ability to manage a cyber crisis and take the timely decisions needed to enact continuity plans, is driving the need for more sophisticated exercises.

Cyber war games are unique in their ability to derive more significant learning across multiple levels of decision-makers, and are structured specifically to bring together the CISO and the security leadership team, the security operations centre, the incident response team, forensics, risk, and crisis management teams. In fact, for the largest corporations and organisations, war gaming is the only effective way of identifying the weaknesses in communication and coordination between these groups. In times of crisis, the cascading effects of an attack and its impacts are often exacerbated by the decisions these groups take and by the process through which they take them.

Cyber war games are new, and are being adopted slowly because few bodies can provide the scope of capabilities required to conduct such an exercise. Setting up both the internal and external directorates takes a number of weeks, as does preparing the red team and any required custom tools, and giving the blue teams the appropriate pre-exercise training and education. Depending on the objectives set, the exercise may in fact require a review of all of the following: policies and procedures (the gap is measured against the policies and procedures themselves and against best practice), employed methodologies, deployed technologies, organisational memory, past lessons learned, social media analysis, and even the "insertion" of evidence or stealth attacks.

A well-crafted war game will incorporate both a 'fundamental surprise' that the organisation had not anticipated (typically a type of APT) and a number of 'situational surprises': known cyber risks for which the organisation has little or no advance warning. Much of the pre-exercise planning aims at developing the appropriate knowledge and intelligence to define the exercise in a manner that can be controlled and developed over time, and that tests the different capabilities.

The 'storyline' might commence with practical events, theoretical events, or both, to kick off the assessment of initial implications, and the event is then developed through live feeds and other feeds from the directorate. The initial objectives are to test detection: by the systems, by the IR team, and through the analysis performed by the forensic team. The directorate then provides more material, including intelligence such as analysis of the threat community, the IP address of the C&C, and pieces of malware. The exercise examines the fundamentals of communication and decision-making: specifically, who is taking decisions and on what basis; what the process is for taking alerts and indications and deriving useful information from them; and how that information is then transformed into knowledge.

At this point a major new event may be introduced, or the original event may be taken in a new direction, to trigger a new cycle of detection and decision-making under duress. The evaluation of this next phase might therefore focus on how the new event affects the decisions previously taken, the need for additional resources, and whether a new risk assessment should take place. The basic risk elements might be examined against: who is assessing the risk throughout the event; who is involved in the process; what indicators are in place; and how the teams conduct a timely assessment of the possible implications of the new event. All of this is designed to escalate towards the involvement of the crisis management team, and an examination of: who is on the team; at what stage they were involved; how they received the relevant information, and the effectiveness of further communication; and which executives are involved and how they can support the team.

The more significant element in the learning process is the incorporation of observation, decision-logging, and mentoring into the war game itself, followed by a full de-brief and post-exercise workshop to establish lessons learnt, identify weaknesses and capability gaps, and prioritise changes and modifications in technology and processes. A full day is allocated to analysing all the events and outcomes of the exercise, reviewing the performance of the different groups and the effectiveness of the deployed technology. The teams involved are encouraged to appraise the effectiveness of their work processes and to develop the lessons to be learned together with the observers and mentors.
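The decision-logging described above only pays off in the de-brief if the log can be turned into the timing and ownership questions the post raises (who detected what, who decided, how long escalation took). The following is an added example, not code from the original post or from Optimal Risk: it parses a small constructed decision log in which the directorate records each inject and the blue teams record their detection, decision and escalation events against it, then computes per-inject time-to-detect, time-to-decide and time-to-escalate and flags the gaps a mentor would raise in the workshop. The log format, the team names and the 30-minute detection-to-decision threshold are all assumptions made for this example.

```python
"""Decision-log analysis for a cyber war game de-brief.

Added example; the line-oriented log format below is an assumption:
    ISO timestamp | inject id | team | event kind | free-text note
Event kinds: inject (recorded by the directorate), detect, decision, escalate.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log for one exercise morning (not real exercise data).
SAMPLE_LOG = """\
2013-04-05T09:00:00 | INJ-1 | directorate | inject   | phishing wave appears in mail logs
2013-04-05T09:12:00 | INJ-1 | soc         | detect   | mail gateway alert correlated
2013-04-05T09:30:00 | INJ-1 | ir          | decision | isolate two affected workstations
2013-04-05T10:00:00 | INJ-2 | directorate | inject   | beaconing to suspected C&C address
2013-04-05T10:05:00 | INJ-2 | soc         | detect   | proxy alert on regular beacon interval
2013-04-05T10:40:00 | INJ-2 | forensics   | decision | image the host for analysis
2013-04-05T11:15:00 | INJ-2 | ir          | escalate | crisis management team notified
2013-04-05T12:00:00 | INJ-3 | directorate | inject   | data staging on file server (fundamental surprise)
2013-04-05T13:45:00 | INJ-3 | crisis      | escalate | executive briefing called, no logged decision
"""


@dataclass
class Event:
    ts: datetime
    inject: str
    team: str
    kind: str
    note: str


@dataclass
class InjectMetrics:
    injected_at: datetime
    minutes_to_detect: Optional[float] = None
    minutes_to_decide: Optional[float] = None
    minutes_to_escalate: Optional[float] = None
    detected_by: Optional[str] = None
    decided_by: Optional[str] = None


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated log into Events, sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, inject, team, kind, note = [f.strip() for f in raw.split("|", 4)]
        events.append(Event(datetime.fromisoformat(ts), inject, team, kind, note))
    return sorted(events, key=lambda e: e.ts)


def analyse(events: list[Event]) -> dict[str, InjectMetrics]:
    """Record the first detect/decision/escalate against each inject."""
    metrics: dict[str, InjectMetrics] = {}
    for e in events:
        if e.kind == "inject":
            metrics[e.inject] = InjectMetrics(injected_at=e.ts)
    for e in events:
        m = metrics.get(e.inject)
        if m is None or e.kind == "inject":
            continue  # events against unknown injects are ignored
        elapsed = (e.ts - m.injected_at).total_seconds() / 60
        if e.kind == "detect" and m.minutes_to_detect is None:
            m.minutes_to_detect, m.detected_by = elapsed, e.team
        elif e.kind == "decision" and m.minutes_to_decide is None:
            m.minutes_to_decide, m.decided_by = elapsed, e.team
        elif e.kind == "escalate" and m.minutes_to_escalate is None:
            m.minutes_to_escalate = elapsed
    return metrics


def findings(metrics: dict[str, InjectMetrics], slow_decision_minutes: float = 30) -> list[str]:
    """Turn the metrics into the gaps a mentor would raise in the workshop."""
    out = []
    for inject, m in sorted(metrics.items()):
        if m.minutes_to_detect is None:
            out.append(f"{inject}: never detected by any team")
        if m.minutes_to_escalate is not None and m.minutes_to_decide is None:
            out.append(f"{inject}: escalated to crisis management without a logged decision")
        if m.minutes_to_detect is not None and m.minutes_to_decide is not None:
            lag = m.minutes_to_decide - m.minutes_to_detect
            if lag > slow_decision_minutes:
                out.append(f"{inject}: {lag:.0f} min between detection and first decision")
    return out


if __name__ == "__main__":
    result = analyse(parse_log(SAMPLE_LOG))
    for inject, m in sorted(result.items()):
        print(inject, m.minutes_to_detect, m.minutes_to_decide, m.minutes_to_escalate,
              m.detected_by, m.decided_by)
    for line in findings(result):
        print("finding:", line)
```

Keeping the inject id on every blue-team entry is the design choice that makes the analysis possible: without it, the directorate cannot tell whether a decision was a response to the situational surprise or to the fundamental surprise, which is exactly the distinction the de-brief needs.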

The choice of mentor is typically the area where nearly all red teams struggle: enlisting a mentor appropriate to the task, with the experience, seniority, and the correct mix of knowledge specific to the latest cyber-defence scenarios. However, identifying the right mentor, who may have a niche military or security background, is critical to deriving the right lessons at both the organisational and technical levels.

Posted: 5 April 2013 by Optimal Risk Administrator | with 0 comments
Filed under: cyber