No one would knowingly fly with a pilot that’s never practiced an emergency landing, yet the equivalent scenario is the norm in Security Operations Centers (SOCs) worldwide. Widespread access to cyber ranges – the cybersecurity version of a flight simulator – is helping to change that by enabling incident responders to practice dealing with cyber emergencies before they encounter one on the job. As we help our corporate and university partners build and launch cyber ranges, one of the most important lessons we’ve learned is that cyber defense is a team sport, yet few SOC teams are trained to work as a cohesive team.
The good news is it’s a fixable problem. For a variety of reasons, teamwork isn’t yet ingrained in the culture of incident response, but it needs to be. Responding to a major cyber incident requires the combined knowledge and skill sets of multiple people in a variety of roles working together, operating multiple cyber tools and working from the same organizational playbooks. When it comes to cyberattacks, practice will never make perfect, but it does make ‘prepared,’ and it teaches people to work together. Cyber range training is still new, but here’s what we’re seeing as emerging best practices for team training – who should be trained, on what, why, and how often:
1) Executive Leadership: The CEO, CFO, COO, head of communications and general counsel are a sampling of the top decision makers that have to make tough calls during a cyber crisis - such as whether to shut down business-critical systems, if and when to pay a ransom, when to disclose a breach, to whom, what to say, and why. They don’t need to know their way around a SOC, but they do need to know how to gauge their organization’s security posture before, during and after an attack.
Executive managers usually have well-developed soft skills, but a cyberattack is a unique and rare scenario. We suggest senior executives practice responding to a cyber crisis with the entire team for a full day, at least once a year. Possible situations include ransomware scenarios, creating and approving public statements regarding breaches, and sharing breach information with law enforcement agencies, customers and partners.
2) The CISO/SOC Manager: During a cyber crisis, the SOC manager is the incident response team captain, tasked with assessing real-time information while communicating with the CISO and other internal stakeholders. Depending on the size of the company, one of them will be the point person with law enforcement, customers, the press and others. Both require competence in managing multi-tier response teams, ensuring cyber preparedness and prevention, aligning security efforts with business goals and handling cyber crises through their full lifecycle. As the lead incident responders, SOC managers and CISOs should have at least one full day of hands-on training per quarter.
Training should include drills for all the most pertinent types of cyberattack. For CISOs, range training also yields critical insights into organizational and procedural weaknesses and allows time to address them before the real crisis begins.
3) Tier 2 and 3 Analysts: Tier 2 and 3 analysts tackle difficult situations that tier 1 analysts escalate to them, such as analyzing complex, fileless and multi-pronged malware attacks. They handle complicated procedures such as deep incident analysis, root cause analysis, determining if and which assets have been affected, forensics and reverse engineering.
As such, they need to keep their skills sharp and up to date so that they can deal with the complicated, ever-shifting threats that come their way. Training should be diverse: it should test their ability to handle multiple systems and alerts during a crisis, test their knowledge of procedures, and practice dealing with unforeseen obstacles or extenuating circumstances using the tools they use on a daily basis in the SOC. Like SOC managers, senior analysts need at least one full day of range training per quarter, and augmenting it with additional team building and leadership training is recommended.
4) Tier 1 Security Analysts: Tier 1 analysts have a tough job -- they respond to all incoming alerts, perform preliminary incident investigations, identify high-risk situations and escalate events to tier 2 analysts as needed. Being junior staff, they often lack experience in crisis and breach management. Junior analysts also struggle to master the large number of security tools they are expected to use. Two full days of hands-on training and practice, twice a year, augmented by technical learning labs and regular trainings on specific SOC tools, is suggested to bring them up to speed and accelerate their competence.
Training scenarios for tier 1 analysts should cast a wide net and model both routine and emergency situations. Simulated training can be extremely valuable for relatively new, inexperienced analysts. It enables them to gain practical experience quickly, to build confidence and quickly develop proficiency across a wide set of duties, increasing their value to their peers and the organization.
Teamwork is not the only skill needed in the SOC, but it’s one of the least prevalent, and a little focused training can have a lasting impact. Cyber range training is no silver bullet, but it does enable SOC staff to work on specific skills while jump-starting a team-oriented culture – quick wins which, in the SOC, can be few and far between.
Take the win.