Critical Infrastructure Security, Incident Response, Network Security, TDR, Vulnerability Management

Acting out: Cyber simulation exercises


In the common parlance of child psychologists, role-playing – particularly acting out scenarios – is good practice for real life, helping kids develop the skills and tools they need to face, navigate and solve the issues and problems encountered on the vast terrain of growing up. The same holds true in cybersecurity – playing out likely scenarios can yield the kind of preparedness that organizations in the private and public sectors can't master in training seminars, classes and email advisories alone.

While participants don't get to dress up in cool super hero costumes or leap tall buildings in a single bound, they do take part in cyber exercises that, if properly executed, can sharpen and strengthen an organization's response, making it more competent and resilient in the face of a real, live cyberattack.

“They learn their strengths as well as weaknesses that can be improved so they're ready for an attack,” says Sara Hall (left), deputy chief information security officer at the U.S. Department of Health and Human Services, of the groups participating in CyberRX simulation exercises supported by HHS and coordinated by HITRUST, an alliance of health care industry organizations that has essentially developed a playbook, or set of best practices, for conducting cyberattack simulation exercises.

“Organizations should be doing this sort of exercise for preparedness,” stresses Daniel Nutkis, CEO of HITRUST. The alliance recently released a “CyberRX 2.0 Exercise Playbook,” driven by the recommendations spawned from its spring 2014 simulation event. 

Preparing for cyber attacks is especially important in the health care industry, charged with safeguarding personally identifiable information (PII) and medical data, and whose ranks includes pharmacists, hospitals, private practitioners and medical device providers. 

“We don't want citizens not trusting information with IT and that interfering with their ability receive medical and health care,” says Hall.

But that public trust has been shaken after security incidents rocked health care organizations, including a significant data breach at Community Health Systems (CHS) that affected 4.5 million patients. 

  • Sara Hall, deputy chief information security officer at the U.S. Department of Health and Human Services Daniel Nutkis, CEO, HITRUST 
  • Ed Powers, national managing partner of Deloitte & Touche's Cyber Risk Services practice 
  • Karl Schimmeck, vice president of financial services operations at SIFMA 
  • Sharon Wallis, member, Bank of England's Sector Resilience Team

While one observer noted that health care is “about a decade behind” other sectors, it's playing catch up. Fast. And it's certainly not the only industry vulnerable to security lapses, as demonstrated by even higher profile breaches at Target, eBay, Home Depot and JPMorgan Chase, and revelations that vulnerabilities, like Heartbleed and ShellShock, can lurk in code, ripe for exploitation by miscreants.

The fumbles that occurred during and after those incidents – as well as the successes, like the thwarting of DDoS attacks on banks in 2012 and 2013 – underscore the difference that preparedness can make in mitigating cyberattacks.

Fueled by criminal intent, political unrest and just plain mischief-making, cyberattacks are, by and large, on the rise. And a growing reliance on electronic devices – within the Internet of Things even home appliances could be marshaled into botnets – combined with a surge in malware virtually guarantees attackers an unprecedented and ongoing reach into networks and systems once believed to be relatively untouchable. 

Ain't nothing like the real thing

Since real-life cyberevents unfold quickly – and often leave organizations scrambling – cyberexercises can help organizations build “muscle memory” around problems that they have to solve, according to Ed Powers, national managing partner of Deloitte & Touche's Cyber Risk Services practice, which served as the independent observer of the Quantum Dawn II cybersecurity exercise held in July 2013 by the Securities Industry and Financial Markets Association (SIFMA). “Muscle memory reduces the ambiguity when you have a real event,” Powers says.

Quantum Dawn, says SIFMA, was designed to “test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a streetwide cyberattack.”

Highly engaging, says Karl Schimmeck, vice president of financial services operations at SIFMA, the simulation served to create a game-like feel rather than a discussion around a PowerPoint. “Coordinated exercises, or war games, that simulate cyberattacks give organizations and industry groups the opportunity to launch an ‘incident' that mirrors real life and tests the mettle of carefully crafted plans that heretofore may have gone untested,” he says.

“Testing your plan is already an important part of preparedness,” adds Hall (left). Through simulations, organizations can, she says, flag problems before an emergency happens.

Hall notes that there are outcomes people may have assumed were all squared away, but that was before testing plan. Simulation exercises can validate outcomes or illuminate weaknesses. “It will make people more confident than before they tested their plan,” says Hall.

By mimicking real life and encouraging the exchange of information in a “safe” environment, simulations help organizations see where their plans hold strong and where they need improvement. That latter often proves to be in communications and the flow of information among different stakeholders. “The flow of information creates a lot of stress in an organization,” says Powers. “People are eager to receive information and they are eager to provide information.” Time and again, cyberexercises prove there is no portal for information flow and, in fact, it creeps out in all directions.

That's a sentiment echoed by HITRUST's Nutkis, who says a big lesson learned during CyberRX was that communication faltered. Organizations struggle with a security incident and sometimes don't respond right away, he says.

The takeaway, he says, is that simulations help them understand how to funnel through information.

They also serve to raise awareness, a factor that cybersecurity pros say is the first and strongest line of defense against attack. In the same vein as New York's post 9/11 mantra, “See Something, Say Something,” if employees know what to look for and understand their responsibilities when an event occurs, they can catch it before it does too much damage. 

That adds up to boosting an organization's – and the country's – cyberresilience, a goal advocated by both the Department of Homeland Security (DHS) and private sector cybersecurity experts.

The art of war games 

While there's no downside to conducting wargames, Hall warns that organizations can't slap an event together and expect to get the needed results. “Exercises need to be organized and need to be close in reality to an [actual] event,” she says. 

According to Sharon Wallis, a member of the Sector Resilience Team at Bank of England, which organized the widescale Market-wide Exercise Programme (MWE), as well as smaller-scale, more targeted Waking Shark simulation events, large exercises require extensive preparation. For example, the 2011 Market-wide Exercise took 12 months to plan with 87 firms participating, she says. 

Start with clear objectives. Understanding and clarifying objectives before the games begin will ensure that participants will glean the information they need to strengthen their cybersecurity muscle. Establish a steering committee to solicit contributions from all stakeholders to create an objective set of goals that can serve as a neutral set of metrics to gauge how an organization is doing when it comes to cybersecurity and how well it performs in a cyberattack simulation. 

Be inclusive. When it comes to cybergames, the who is as important as the what. “The biggest challenge is really getting a good cross-section of stakeholders and [determining] how you scale it,” says HHS's Hall.

“Stakeholders should include what's unique to company, not just IT,” she says. Participants should representative every department that a cyberattack might effect, which, in reality, is practically all of them, including legal, IT, security, human resources, compliance, executive management and public affairs. Anyone who thinks those last two aren't as critical as the others, has to look no further than Target to see that, increasingly, at least partial responsibility for security misfires is being placed on executives – and boards of directors. The retailer's CIO and CEO stepped down after its stunning breach it was called out by at least one shareholder and an independent group.

Organizations, too, must ensure that participants chosen for a simulation aren't just stand-ins for the real players during a cyberattack. “They need to send people who would be responsible – they'd be [the ones] pulled away if there was a real emergency, too,” says Hall.

Remember all organizations – and all departments – are not created equal. “There are hundreds of organizations, and they vary in maturity,” says Nutkis, about the health care industry. War games should be designed to target organizations of different sizes and types, including “an ample number of scenarios,” he says.

Those scenarios should be challenging enough that they engage the players and offer clear benefits. Organizations have made it clear that they need management challenges, says Wallis.

Sector-specific, targeted exercises can yield more specific results and recommendations. While the MWEs helped to improve the sector response framework – e.g., communication, coordination and information-sharing arrangements – organizers found a need for a more targeted approach with a suite of options (desktops, simulations and testing) to help deliver greater assurance of the financial system's resilience, she says.

The new strategy, then, has been a “shift in focus from the large set-piece exercises every two years to smaller, more targeted exercises led by the sector to assess impacts and resilience capabilities,” Wallis explains. “Testing involves putting plans and procedures into practice as a means of validating and gaining assurances that they work as anticipated.”

For example, Investment Banks organized the Waking Shark II cyber exercise “in response to the continued evolution of cyberthreats against the U.K.,” she says.

The targeted approach requires less planning and can keep a simulation program more fluid. The annual MWE initiative took about a year to plan and by the time the exercises were completed and the results amassed and reported, it was time to plan the next one.

Improve communications. Since information flow is typically a sticking point in most organizations, it's critical to bolster the underlying communications infrastructure, establishing a pecking order and reporting framework, complete with triggers that alert participants to pass information along, get in touch with a superior or even speak to the press. “They're siloed and have no experience making decisions in an ambiguous situation,” says Ed Powers, national managing partner of Deloitte & Touche's Cyber Risk Services practice. Exercises with a communications component can remove the ambiguity and open channels for information flow.

Put the results in action. Simulated attacks are an exercise in futility if recommendations based on the results aren't heeded and applied. By incorporating them into a cybersecurity strategy, companies can test them during the next simulation event to see if the fixes work and hold up under fire. 

Done right, cyberattack simulations can help organizations and industries stay, if not a step ahead, then on top of cyberthreats and build a resilience, or what Wallis recalled hearing defined in the simplest terms as “the ability to withstand shock.”

And “war-gaming is more interesting than sitting at a desk,” says Powers. Now, who wants to play?

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.