Military leaders have long recognized the importance of war games in modern combat -- to test their battle-readiness, to make sure their strategies are sound and to give top commanders practice with high-stress decision-making. When conducted properly, a war game can expose a strategic weakness in time for it to be remedied, rather than have it surface too late, as a battlefield catastrophe. War games achieve this goal by "putting key scenarios together," making sure that all parts of the system do the job they are supposed to do. A landing by the Marines, all by itself, might go off flawlessly, but could end up as a massive tactical failure in the absence of effective cover by the Air Force. Gaming pokes and prods for these sorts of potential failure points.
It's no surprise then that war games are now being utilized in organizations to deal with modern security issues, since hackers are, after all, conducting what amounts to open warfare, with networks, endpoints and the cloud as their battlefield and with billions of dollars at stake.
If designed correctly, cyberwar games will:
For a war game to be effective in an organization, though, it must accurately reflect the challenges that chief information security officers (CISOs) actually face. Here are three tips:
CISOs think about security in a time-honored manner-- as an interlocking set of strategies involving people, processes and technology. To better secure an organization, each of these security components needs to be tested and validated. In a recent Peer2Peer session at RSA, attendees shared various options to test people process and technology. They ranged from security awareness training and information-sharing about attacks to incorporating human approvals withing automated processes. What you want to challenge is the following:
The most important consideration to keep in mind when designing a cyberwar game is to think like a hacker. The fundamental premise behind this is simple. Putting yourself in the mindset of a hacker helps you understand how you are viewed as a target, and their behavior and motivations. When designing a war game, there are several things to keep in mind:
If you don't know what information to protect, you don't know how to protect it. If you don't know your threat, you don't know which information to protect.
Both key points above are equally important. It's important to have an understanding of your business objectives and align your security strategy to them. You should also understand which threat actors you're most vulnerable to because their motivations determine their behavior and attack techniques.
This helps you focus your war games on actual scenarios tied to "business objectives" and validate how well-protected the most important assets in the organization are.
For more information about playing cyberwar games for better security, download our whitepaper here.