Cyber War Games: Exercises to Improve Disaster Response

Threats against critical infrastructure and questions about election security have heightened cybersecurity concerns, raising the question of how businesses can better prepare themselves for the inevitability of a cyberattack. This increased focus on preparedness has given rise to a tactic long practiced by the government: cyber war game exercises.

A View From the Trenches

A survey conducted by Venafi at Black Hat 2018 asked more than 500 IT security professionals their opinion on whether we are in the middle of a cyber war. The results? An astounding 86 percent said yes, with 37 percent of respondents stating they believe a nation-state cyber attack will directly lead to the loss of human life within the next couple of years.

In addition, 88 percent of those surveyed believe that attacks targeting the disruption of election infrastructure constitute acts of cyber war. “The bottom line is that the notion of war is changing from something that you do with bullets and guns on the ground to something you do with bits and bytes. Essentially, this is a war about compromising and controlling information. Once you fully understand that, it’s pretty easy to see that we are in a full-on cyber war right now,” said Jeff Hudson, CEO of Venafi.

The Business Risk Perspective

For those in the trenches who are inundated with alerts and see the myriad types of attacks coming in, it might very well feel like we are at cyber war. But Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC), said the survey results should be used to inform our level of capability for responding to attacks—they indicate the broader feeling that we are unprepared.

“At a business level in assessing risk, we don’t have that same sense of urgency. It’s not as much a cyber war as much as this is the environment that organizations are operating in. They recognize that it is a noisy and damaging environment, and they are building the capabilities to defend themselves in this environment, to protect their assets. Businesses are responding to changes in the environment as the attacker is getting more sophisticated,” Figueroa said.

To that end, the private sector has been following in the footsteps of the government with cyber war game exercises. Cisco Systems’ Cyber War Games, for example, evaluate resilience by assessing how an organization responds to realistic crises and determining which conditions might result in a resiliency breakdown.

Many of these collaborative defense simulations are sector-specific and run as either tabletop exercises or within a cyber-range. One such example is Cyber Yankee, a computer network defense team exercise that is run annually by the Massachusetts National Guard.

In large part, which organizations participate in the exercises depends on both the intent of the exercise and whether an organization is part of a consortium or chapter group. The most recent ACSC event was a tabletop cyber drill run in conjunction with the Commonwealth of Massachusetts, the Department of Homeland Security and its members. The cybersimulation exercise focused on improving response and collaborative defense.

Collaboration is Trending

Although larger organizations have long staged their own cybersecurity simulation exercises, corporations of all sizes are now coming together with federal, state and local law enforcement to orchestrate “cyber war games” that help improve response capabilities and preparedness.

According to Figueroa, participating in a mock attack lets participants see potential vulnerabilities and avenues of attack so they can accelerate response times. More importantly, organizations learn to better respond in ways that keep the infrastructure going.

“It’s part of building a mental memory, which is incredibly important, so that if an incident does occur, you know who to call. You know who is going to be involved. You know who is responsible for what, and it’s generally based on disaster response,” Figueroa said.

What is emerging now are multi-organization exercises that enhance collaborative defense by teaching organizations how to respond to community-level attacks, such as Mirai. When these attacks impact the broader community, the information that goes out can be chaotic and not always accurate. The cyber war games help organizations practice communication channels across multiple organizations to better understand how to respond to what is going on.

From a security perspective, organizations have begun conducting their own cybersecurity exercises to do very similar things. Given that response historically has gone poorly in the public domain, these exercises are intended to not just limit the damage but also “to help them with roles and responsibilities in the event that things become public. Based on the results of the exercises, they can best determine who is responsible for what—who is responsible for detecting and responding, for communicating in public, for communicating with board,” Figueroa said.

Kacy Zurkus


Kacy Zurkus

Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years of experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
