
Using Cyber War Games to Improve Incident Response

As teams work to shore up their incident response procedures, both sophisticated cyber war games and simple rehearsals will be essential tools for their security operations.  


When the financial services industry undertook a cyber attack simulation called Quantum Dawn in 2013, the exercise shined a spotlight on the importance of cyber war games in helping organizations improve incident response.

Quantum Dawn is an example of how complex cyber war games can be. But not all cyber attack simulations need be so involved. Even a simple rehearsal can help organizations identify gaps in their incident response processes, key decision makers (and blockers of key decisions), and other issues they need to address to properly prepare for a real-world incident. Simple rehearsals allow even small security teams to benefit from the concept of cyber war games.

A simple rehearsal might consist of a “paper drill,” where a security leader asks a threat analyst, for example, to create a “run book” documenting the steps the analyst would take to investigate a malware infection on the network. The run book outlines the processes and tools the analyst would use to investigate and remove the malware. It also identifies other individuals, such as systems administrators, who may be instrumental in helping to resolve the incident. Once the initial draft of the run book is complete, the rest of the response team walks through it to identify gaps and alternatives.

A complex rehearsal might consist of a full-scale, live exercise involving multiple functions across an organization, where a malware incident is simulated and the processes for investigating and remediating it are put to the test. This particular type of rehearsal is most effective when participants believe the incident is real and thus aren’t tempted to take shortcuts.

Whether you undertake a simple rehearsal or a complex simulation (or both), you’ll want to identify backup systems and processes for incident response, in the event primary systems and processes are unavailable. To help you identify where you may need backups, ask yourself:

• If I were not able to access this particular person/process/tool, to what extent would that impair incident response?

• Is there a suitable or partially suitable backup person/process/tool that could stand in for the primary?
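The two questions above can be asked mechanically of a draft run book. The following is an added example, not part of the original article: it takes each primary person/process/tool out of a constructed malware run book and reports which steps become blocked (no backup) or degraded (only a partially suitable backup). All step names, resource names, and the "full"/"partial" rating are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Need:
    """One person/process/tool a run book step depends on, plus stand-ins."""
    primary: str
    backups: dict = field(default_factory=dict)  # name -> "full" or "partial"

# Constructed run book for a malware investigation; every name is hypothetical.
RUN_BOOK = {
    "triage alert": [Need("SIEM console", {"raw log search": "partial"}),
                     Need("threat analyst", {"on-call analyst": "full"})],
    "isolate host": [Need("EDR agent", {"switch port shutdown": "full"}),
                     Need("systems administrator")],
    "capture memory image": [Need("forensic workstation")],
    "remove malware": [Need("systems administrator"),
                       Need("golden image server", {"offline install media": "partial"})],
}

SEVERITY = {"covered": 0, "degraded": 1, "blocked": 2}

def impact_of_losing(resource, run_book=RUN_BOOK):
    """Per step that relies on `resource`: 'covered', 'degraded' or 'blocked'."""
    impact = {}
    for step, needs in run_book.items():
        for need in needs:
            if need.primary != resource:
                continue
            quality = set(need.backups.values())
            status = ("covered" if "full" in quality
                      else "degraded" if "partial" in quality else "blocked")
            # Keep the worst outcome if a step lists the resource twice.
            if SEVERITY[status] >= SEVERITY[impact.get(step, "covered")]:
                impact[step] = status
    return impact

def gap_report(run_book=RUN_BOOK):
    """Resources whose loss blocks or degrades at least one step."""
    report = {}
    primaries = sorted({n.primary for needs in run_book.values() for n in needs})
    for resource in primaries:
        hit = {s: st for s, st in impact_of_losing(resource, run_book).items()
               if st != "covered"}
        if hit:
            report[resource] = hit
    return report
```

Calling `gap_report()` on the sample data flags the systems administrator as a single point of failure for two steps, which is the kind of finding a paper-drill walkthrough is meant to surface.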

Professionals in fields as diverse as sports and the performing arts use rehearsals to great benefit. I saw the value of rehearsals firsthand in the U.S. Army, during my officer training course, when I used simple visual tools to meticulously map out operations. Now, as a cybersecurity professional leading a team of threat researchers at RSA, my team and I use run books to investigate threats.


Many organizations have allocated the bulk of their cybersecurity budget toward traditional defensive technologies designed to prevent attacks. But with cyber attacks getting harder and harder to prevent, industry-leading CISOs now realize their incident response capability is just as important as traditional defensive tactics. As organizations across industries work to shore up their cyber incident response procedures, both sophisticated cyber war games and simple rehearsals will be essential tools for their security operations.
