Using Cyber War Games to Improve Incident Response

When the financial services industry undertook a cyber attack simulation called Quantum Dawn in 2013, the exercise shined a spotlight on the importance of cyber war games in helping organizations improve incident response. Quantum Dawn is an example of how complex cyber war games can be. But not all cyber attack simulations need be so involved. Even a simple rehearsal can help organizations identify gaps in their incident response processes, key decision makers (and blockers of key decisions), and other issues they need to address to properly prepare for a real-world incident.

Simple rehearsals allow even small security teams to benefit from the concept of cyber war games. A simple rehearsal might consist of a “paper drill,” where a security leader asks a threat analyst, for example, to create a “run book” documenting the steps the analyst would take to investigate a malware infection on the network. The run book outlines the processes and tools the analyst would use to investigate and remove the malware. It also identifies other individuals, such as systems administrators, who may be instrumental in helping to resolve the incident. Once the initial draft of the run book is complete, the rest of the response team walks through it to identify gaps and alternatives.

A complex rehearsal might consist of a full-scale, live exercise involving multiple functions across an organization, where a malware incident is simulated and the processes for investigating and remediating it are put to the test. This particular type of rehearsal is most effective when participants believe the incident is real, and thus, aren't tempted to take shortcuts.

Whether you undertake a simple rehearsal or a complex simulation (or both), you'll want to identify backup systems and processes for incident response, in the event primary systems and processes are unavailable. To help you identify where you may need backups, ask yourself:
  • If I were not able to access this particular person/process/tool, to what extent would that impair incident response?
  • Is there a suitable or partially suitable backup person/process/tool that could stand in for the primary?

Professionals in fields as diverse as sports and the performing arts use rehearsals to great benefit. I saw the value of rehearsals first hand in the U.S. Army, during my officer training course, when I used simple visual tools to meticulously map out operations. Now, as a cybersecurity professional leading a team of threat researchers at RSA, my team and I use run books to investigate threats.

Many organizations have allocated the bulk of their cybersecurity budget toward traditional defensive technologies designed to prevent attacks. But with cyber attacks getting harder and harder to prevent, industry-leading CISOs now realize their incident response capability is just as important as traditional defensive tactics. As organizations across industries work to shore up their cyber incident response procedures, both sophisticated cyber war games and simple rehearsals will be essential tools for their security operations.

Alex Cox is the director of RSA's Threat Intelligence function and a former U.S. Army Captain.
