
Using Cyber War Games to Improve Incident Response

As teams work to shore up their incident response procedures, both sophisticated cyber war games and simple rehearsals will be essential tools for their security operations.  


When the financial services industry undertook a cyber attack simulation called Quantum Dawn in 2013, the exercise shined a spotlight on the importance of cyber war games in helping organizations improve incident response.

Quantum Dawn is an example of how complex cyber war games can be. But not all cyber attack simulations need be so involved. Even a simple rehearsal can help organizations identify gaps in their incident response processes, key decision makers (and blockers of key decisions), and other issues they need to address to properly prepare for a real-world incident. Simple rehearsals allow even small security teams to benefit from the concept of cyber war games.

A simple rehearsal might consist of a “paper drill,” where a security leader asks a threat analyst, for example, to create a “run book” documenting the steps the analyst would take to investigate a malware infection on the network. The run book outlines the processes and tools the analyst would use to investigate and remove the malware. It also identifies other individuals, such as systems administrators, who may be instrumental in helping to resolve the incident. Once the initial draft of the run book is complete, the rest of the response team walks through it to identify gaps and alternatives.

A complex rehearsal might consist of a full-scale, live exercise involving multiple functions across an organization, where a malware incident is simulated and the processes for investigating and remediating it are put to the test. This particular type of rehearsal is most effective when participants believe the incident is real and thus aren’t tempted to take shortcuts.

Whether you undertake a simple rehearsal or a complex simulation (or both), you’ll want to identify backup systems and processes for incident response, in the event primary systems and processes are unavailable. To help you identify where you may need backups, ask yourself:

• If I were not able to access this particular person/process/tool, to what extent would that impair incident response?

• Is there a suitable or partially suitable backup person/process/tool that could stand in for the primary?

Professionals in fields as diverse as sports and the performing arts use rehearsals to great benefit. I saw the value of rehearsals firsthand in the U.S. Army, during my officer training course, when I used simple visual tools to meticulously map out operations. Now, as a cybersecurity professional leading a team of threat researchers at RSA, my team and I use run books to investigate threats.

Many organizations have allocated the bulk of their cybersecurity budget toward traditional defensive technologies designed to prevent attacks. But with cyber attacks getting harder and harder to prevent, industry-leading CISOs now realize their incident response capability is just as important as traditional defensive tactics. As organizations across industries work to shore up their cyber incident response procedures, both sophisticated cyber war games and simple rehearsals will be essential tools for their security operations.
