Leveraging Wargaming Principles for Cyberdefense Exercises
Militaries have been using wargaming since the early 1800s when a Prussian officer first developed Kriegsspiel, which has continually evolved and is the basis for today’s computer-based simulations. The primary purpose of a wargame is to validate a plan. Wargaming can also be used as a training tool, but wargames need to have specific learning objectives. While militaries still use them today, you will now also find them as board games, embedded in computer games and leveraged by commercial companies to test strategies like cybersecurity.
A wargame should play the devil’s advocate role—someone trying to prove a plan has gaps or weaknesses. They should leverage techniques like those used by Israeli intelligence during the Yom Kippur War in 1973 called the ‘10th Man,’ which holds one person accountable to provide alternative views to the proposed solution to prevent conformity and groupthink. Similarly, you need a person/team who will push back on your risk portfolio and force a careful examination of where you have accepted potential impacts.
Best Practices
A good wargame needs an unfettered, thinking and motivated adversary. When I hear about penetration testers/Red Teams restricted from attacking some critical systems or limited to approved commercial tools, it makes me think they are not conducting a valid exercise. The enemy will not follow rules, and neither should your exercises. Additionally, if the attack is announced ahead of time, it is not a valid test of your detection capabilities. The attackers should be encouraged to use lateral thinking, follow real-world attack methodologies and adopt an attacker’s mindset. That said, there should be clear rules of engagement (ROE) to avoid collateral damage. But if you want real-world results, you need a realistic exercise.
Common wargaming terminology you will hear includes Opposing Forces (OPFOR), Blue Team, Red Team and controllers (the White Team); a Red Team and Blue Team working together form a Purple Team exercise. The exercise is built using a master scenario event list (MSEL) of injects/events to drive the scenario. Exercises can take the form of a Tabletop, a Capture the Flag, a Live or Technical Exercise, a Staff Ride (where you talk through a historical example) or a Simulation. They should result in lessons learned or after-action reviews. All of these terms originated with the military, but today they can be found in commercial teams running cyberdefense exercises. They form the foundation of how forces are organized, the modeling technique used to drive the exercise and the method used to capture insights from the event.
For cyberdefense, one of the best templates we have is the ‘Cyber Kill Chain.’ While the original idea came from defense contractor Lockheed Martin, a better model was built by MITRE. The Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework contains 14 steps the attacker must get right to be successful (see diagram below from https://mitre-attack.github.io/attack-navigator/). It has been developed for standard networks, industrial control systems and mobile devices, with special focus areas like cloud or containers. MITRE then takes known advanced persistent threat (APT) or adversary group methodologies and maps them to the techniques within each step (see blue boxes in the diagram below). This provides a template to drive the technical MSEL for a scenario, or a template for a technical exercise such as a Red Team/Blue Team exercise.
Realistic scenarios are critical, but with limited resources that can be devoted to wargaming, you will need to prioritize what plans you want to validate. Without knowing your individual business model or risk portfolio, here is a generic set:
- Loss of operational capability: e.g., ransomware has encrypted key systems or a DDoS attack has prevented access to capabilities
- Data loss or breach: Sensitive data is actively being exfiltrated, or data was stolen and is being held hostage (to be released if extortion demands are not paid)
- Ecosystem: A third party has been breached
Pick one plan to validate and produce a scenario with simple injects/events to drive the timeline. If the plan you’re validating has a responsible, accountable, consulted and informed (RACI) chart, that can be used to determine the perfect list of participants. Finally, determine who will play the oversight and OPFOR roles. This can be as simple as a four-hour exercise but can still pay huge dividends in both training and lessons learned.
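The procedure above (pick a plan, write injects against the ATT&CK steps, use the plan's RACI chart to choose participants, fit it into a four-hour session) can be captured as a small MSEL planning script. The following is an added example written for this article, not code from MITRE or from any exercise program; the ransomware scenario, the role names and the RACI assignments are constructed, and the observations are what the White Team would read out to the Blue Team, not attack steps. It checks that injects follow kill-chain order, that every inject has a Responsible and an Accountable role in the RACI chart, that nothing is scheduled past the end of the exercise, and it reports which ATT&CK steps the scenario leaves untested.

```python
"""Build and sanity-check a master scenario event list (MSEL) for a tabletop
cyberdefense exercise.  Illustrative code added for this article; the
scenario data below is constructed, not taken from a real incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The 14 ATT&CK Enterprise tactics in kill-chain order (the "steps" the article refers to).
ATTACK_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


@dataclass
class Inject:
    minute: int          # minutes after exercise start when the White Team releases it
    tactic: str          # ATT&CK tactic the inject represents
    observation: str     # what the Blue Team is told or shown (constructed text)
    responsible: str     # RACI 'R': role expected to act on the inject
    accountable: str     # RACI 'A': role that owns the decision


@dataclass
class Scenario:
    name: str
    plan_under_test: str
    duration_minutes: int
    raci: dict           # role -> set of RACI letters taken from the plan's RACI chart
    injects: list


def validate_msel(scenario: Scenario) -> list:
    """Return a list of problems; an empty list means the MSEL is ready to run."""
    issues = []
    last_rank = -1
    for i, inj in enumerate(scenario.injects, start=1):
        if inj.tactic not in ATTACK_TACTICS:
            issues.append(f"inject {i}: unknown ATT&CK tactic '{inj.tactic}'")
            continue
        rank = ATTACK_TACTICS.index(inj.tactic)
        if rank < last_rank:  # injects must not run backwards through the kill chain
            issues.append(f"inject {i}: tactic '{inj.tactic}' runs backwards in the kill chain")
        last_rank = max(last_rank, rank)
        if inj.minute > scenario.duration_minutes:
            issues.append(f"inject {i}: scheduled at minute {inj.minute}, after the exercise ends")
        if "R" not in scenario.raci.get(inj.responsible, set()):
            issues.append(f"inject {i}: '{inj.responsible}' is not Responsible in the RACI chart")
        if "A" not in scenario.raci.get(inj.accountable, set()):
            issues.append(f"inject {i}: '{inj.accountable}' is not Accountable in the RACI chart")
    return issues


def tactic_coverage(scenario: Scenario) -> dict:
    """Which kill-chain steps the scenario exercises; the gaps are what the plan is not tested against."""
    covered = {inj.tactic for inj in scenario.injects}
    return {t: (t in covered) for t in ATTACK_TACTICS}


def schedule(scenario: Scenario, start_hhmm: str = "09:00") -> list:
    """Controller timeline as (release time, tactic, observation, responder) tuples."""
    startex = datetime.strptime(start_hhmm, "%H:%M")
    return [
        ((startex + timedelta(minutes=inj.minute)).strftime("%H:%M"),
         inj.tactic, inj.observation, inj.responsible)
        for inj in sorted(scenario.injects, key=lambda x: x.minute)
    ]


def build_ransomware_scenario() -> Scenario:
    """Constructed four-hour tabletop for the 'loss of operational capability' plan."""
    raci = {  # hypothetical RACI chart for the incident response plan
        "SOC Analyst": {"R"},
        "Incident Manager": {"A", "R"},
        "IT Operations": {"R"},
        "Legal": {"C"},
        "Executive Sponsor": {"I"},
    }
    injects = [
        Inject(0, "Initial Access", "Help desk ticket: a finance user opened an invoice attachment that asked to enable macros", "SOC Analyst", "Incident Manager"),
        Inject(30, "Execution", "EDR alert: a document viewer spawned a script interpreter on the finance workstation", "SOC Analyst", "Incident Manager"),
        Inject(75, "Lateral Movement", "Authentication logs show the same account logging into six file servers within ten minutes", "SOC Analyst", "Incident Manager"),
        Inject(120, "Exfiltration", "Proxy logs show 40 GB uploaded overnight to an unfamiliar host", "IT Operations", "Incident Manager"),
        Inject(165, "Impact", "File servers report encrypted files and a ransom note; order processing has stopped", "IT Operations", "Incident Manager"),
        Inject(210, "Impact", "Extortion email threatens to publish the stolen data; press asks for comment", "Incident Manager", "Incident Manager"),
    ]
    return Scenario("Ransomware tabletop", "Loss of operational capability", 240, raci, injects)


if __name__ == "__main__":
    s = build_ransomware_scenario()
    print("MSEL issues:", validate_msel(s) or "none")
    for when, tactic, obs, who in schedule(s, "09:00"):
        print(f"{when}  [{tactic:<16}] {obs}  -> {who}")
    missing = [t for t, ok in tactic_coverage(s).items() if not ok]
    print("Kill-chain steps not exercised:", ", ".join(missing))
```

The coverage report is the useful part for prioritizing: a scenario that exercises only five of the 14 steps tells you which parts of the plan (here, everything from persistence through collection) a later exercise still needs to validate, and the RACI check catches the common tabletop failure of an inject landing on a role that nobody in the room actually holds.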
Next Steps
If you don’t have a wargaming/exercise program, you can build one. You will need leadership support, so start with a business plan to show the value of a wargame to validate your program or a specific plan. Starting with a tabletop exercise would be a good balance of resources and potential lessons learned. A second option is to keep it internal to the InfoSec team and conduct a Purple Team exercise.
Wargames are an excellent way to ensure your cyberdefense plans are solid and your processes are current. Depending on the complexity of your enterprise and the level of resources, annual or quarterly exercises should be scheduled. Finally, remember that these can actually be fun and engaging for everyone involved.