How to design and deliver an effective cybersecurity exercise

Armed forces have always utilized war-gaming exercises for battlefield training to prepare for times of conflict. With today’s digital transformation, the same concept is being applied in the form of cybersecurity exercises – tests and simulations based on plausible cyber-attack scenarios and incident response.

Cyber exercises press an organization’s ability to detect, investigate, and respond to threats in a timely and secure manner. Well-designed cybersecurity exercises help organizations proactively identify and address vulnerabilities in their people, processes, and technology, mitigating the blow should a real-life incident occur.

Types of cybersecurity exercises

Cybersecurity exercises can assume various forms including:

1. Table-top simulations: Typically paper-based exercises, table-tops run without the use of live infrastructure or the requirement for a simulated environment. They can be performed in many different facilities, from specially designed war rooms to a large conference room.

2. Digital simulations: These are group exercises run in simulated or test environments, which can be more realistic than table-top simulations. However, fully simulating a cyber-attack can be challenging as organizations may lack the facilities, technologies and skills to simulate a cyber-attack internally.

3. Red and blue teaming: Red and blue teaming tests the organization’s ability to defend against a group of determined attackers. It involves two teams – red teams, a team that plays the role of the hacker, and blue teams, an internal team that plays the role of the defender.

4. Penetration testing: Penetration testing focuses on breaking into systems by exploiting technical vulnerabilities, rather than assessing the organization’s ability to defend itself.

5. Phishing exercises: Phishing exercises test employees’ ability to detect fraudulent communications (email, text, phone, web), social engineering attempts, and their ability to respond to successful attacks.

How to design a good cybersecurity exercise

Following the steps below, organizations can make the planning and execution of cyber exercises more effective.

1. Develop a playbook

Playbooks come in a variety of styles, including action plans, flow charts and storylines. They are based on cyber-attack scenarios and are used by facilitators to guide participants throughout the cybersecurity exercise. They include pieces of information for participants (e.g., indicators of compromise, a customer complaint, a help desk report, a piece of threat intelligence or a SOC alert), as well as key stages of the exercise.

2.Identify the audience

An appropriate target audience must be identified before considering the type of cyber exercise to perform. Audiences can consist of different functions, levels and areas of an organization such as executives, crisis management, incident response or operational teams (among others). The audience will shape the objectives, injects, discussion areas and storyline of the scenario. Tailoring these specifically to an audience is paramount to conducting a successful exercise.

3. Select the target of the exercise

The organization must select suitable targets for cybersecurity exercises. Targets can comprise one or more types of assets, such as critical business applications, technical infrastructure, physical devices, people, or office/factory locations.

4. Define success criteria

Success criteria should be defined and agreed before the exercise. Success criteria should be based on things such as the organization’s employees’ ability to identify the weapons in their armory, such as processes, technology, third party support. It’s further necessary for the employees to be evaluated on their decision making and understanding of responsibilities in a crisis situation.

5. Amateurs talk strategy, professionals talk logistics

Before designing a cyber exercise scenario, the controller should assess any potential constraints on resources, skills or budget for running certain types of exercises. For instance, the right people not being available to facilitate or participate in the exercise, and the absence of the right environment to run a simulated exercise.

Facilitating a cyber exercise correctly is a critical factor in ensuring success, experienced facilitators will ensure key objectives are met, the audience is managed correctly and should be able to provide immediate coaching alongside relevant insights from real life events.

6. Design a cybersecurity exercise

During a cybersecurity exercise, many forms of cyber-attacks, ranging from simple to highly sophisticated, can be simulated. The choice of attack vector will influence the design of the exercise and the resources required to run it. Organizations can leverage tools to determine which type of attack is most suitable given the audience or industry.

7. Setting the stage

Participants should be briefed on the objectives of the exercise. Outline the goals, schedule, and estimated timeframe. Inform participants of the test’s boundaries, applicable protocols, and any crucial organizational processes (like incident response procedures) they might need to reference.

8. Make an impact

A successful cyber exercise is interactive, immersive, and ultimately memorable. Experienced facilitators, alongside a valuable and realistic scenario that includes specially tailored injects, enable the audience to fully engage with the exercise and achieve the desired objectives.

An exercise is run to prepare individuals for potential future crises, ensuring the exercise is run professionally with a realistic scenario will allow participants to think back in times of genuine crisis and build upon the success they had or mitigate the mistakes they made in what was a safe learning environment.

9. Diversify exercising

Depending on constraints such as timescale, budget, resourcing, or the availability of a technical environment, organizations should conduct multiple types of exercises to gain versatile experience.

For example, a phishing exercise, which can be conducted at any time, has a low resourcing requirement; while red and blue team exercises require one to eight weeks to run, dedicated teams, and access to a live or a test environment.

Cyber simulation exercises can be run over a few hours to enhance the resilience of an organization’s crisis management team or raise awareness of key cyber issues to a board.

10. Gather immediate feedback

Once the cybersecurity exercise is complete, the facilitator should ask participants to discuss the strengths and weaknesses of the exercise. Feedback should be collected regarding the content, format, environment, and overall experience of the security exercise. Examine participants’ ability to detect, investigate, and respond to threats securely and on time, whether the exercise has prepared them for a real-life incident, and whether threat-handling procedures were provided with sufficient guidance.

11. Follow up actions

After gathering immediate insights and feedback, a report should be produced to act on any identified gaps, build on successes, and ensure that objectives are tracked. A roadmap of follow-up initiatives produced alongside a report allow actions to be carried out in a structured manner and not leave the target organization overwhelmed with findings that otherwise might not be acted on.