Military leaders have long recognized the importance of war games in modern combat -- to test their battle-readiness, to make sure their strategies are sound and to give top commanders practice with high-stress decision-making. When conducted properly, a war game can expose a strategic weakness in time for it to be remedied, rather than have it surface too late, as a battlefield catastrophe. War games achieve this goal by "putting key scenarios together," making sure that all parts of the system do the job they are supposed to do. A landing by the Marines, all by itself, might go off flawlessly, but could end up as a massive tactical failure in the absence of effective cover by the Air Force. Gaming pokes and prods for these sorts of potential failure points.
It's no surprise then that war games are now being utilized in organizations to deal with modern security issues, since hackers are, after all, conducting what amounts to open warfare, with networks, endpoints and the cloud as their battlefield and with billions of dollars at stake.
If designed correctly, cyberwar games will:
- Unearth people, process and technology issues
- Answer the question of “Are we secure?”
- Challenge assumptions about whether security controls are working as expected
- Practice and refine proper process/procedure for when a breach does happen.
For a war game to be effective in an organization, though, it must accurately reflect the challenges that chief information security officers (CISOs) actually face. Here are three tips:
Tip #1 - Think about people, process, technology
CISOs think about security in a time-honored manner: as an interlocking set of strategies involving people, processes and technology. To better secure an organization, each of these security components needs to be tested and validated. In a recent Peer2Peer session at RSA, attendees shared various options to test people, process and technology. They ranged from security awareness training and information-sharing about attacks to incorporating human approvals within automated processes. What you want to challenge is the following:
- People - Are the security awareness programs and training working as expected? Do employees think about security as their individual responsibilities, similar to the situational awareness that we have in airports?
- Process - What are the processes that will break down in a cyber attack? Similar to how we architect data center systems to be resilient, are there specific automated processes, like billing, that need to be resilient in the event of a cyber attack?
- Technology - The goal here is to challenge your assumptions about your security defenses that you've put in place. Have they been configured correctly, are they doing what you expect them to do and will they perform as expected in the event of a cyber attack?
Tip #2 - Think like your adversary
The most important consideration to keep in mind when designing a cyberwar game is to think like a hacker. The fundamental premise behind this is simple. Putting yourself in the mindset of a hacker helps you understand how you are viewed as a target, and their behavior and motivations. When designing a war game, there are several things to keep in mind:
- Design the war game within the context of your environment - a hacker is bound by the rules and protocols of the system/network in which they work. For example, when exfiltrating data, they can take advantage of a protocol that already has unlimited access to the Internet, but won't be able to enable a completely different protocol for fear of discovery.
- Validate the entire cyber kill chain - the majority of breach scenarios will follow the cyber kill chain model, as defined by Lockheed Martin. To properly understand risks, it is important to validate risks across the entire kill chain.
- Incorporate comprehensive hacker breach methods - hackers have developed a very comprehensive set of breach methods, and have the skills to tailor and fine-tune any one of them to deal with the peculiarities of the specific system they are trying to breach. When designing cyberwar games, it is critical not only to address common breach methods but also to keep up to date with new techniques.
Tip #3 - Be clear on your objectives
If you don't know what information to protect, you don't know how to protect it. If you don't know your threat, you don't know which information to protect.
Both key points above are equally important. It's important to have an understanding of your business objectives and align your security strategy to them. You should also understand which threat actors you're most vulnerable to because their motivations determine their behavior and attack techniques.
This helps you focus your war games on actual scenarios tied to "business objectives" and validate how well-protected the most important assets in the organization are.
For more information about playing cyberwar games for better security, download our whitepaper here.