At the X-Force Command Cyber Range in Cambridge, Massachusetts, we’ve seen hundreds of companies practice their response to a simulated cybersecurity attack. Teams from some of the world’s top intelligence and law enforcement agencies and financial institutions, and from a variety of industries from energy to technology, have trained in various scenarios in our range, which is modeled after a fusion team security operations center (SOC). These are all highly competent people, but many of them struggle in our breach challenges.

When we opened the Cyber Range, we knew our experts would be training security professionals in technical skills with hands-on-keyboard exercises. What we didn’t anticipate was the massive demand for the type of training we offer for those outside of the SOC. That’s why we strive to teach business leaders how the whole organization should respond to an event that affects every level of the business.

A Different Kind of Decision-Making Process

What we’ve learned from watching these teams of executives, board members and other leaders is that people need the most help when dealing with what comes after a breach — what we call “right of boom.” Many leaders come out of business school having studied a decision-making process that is slow, deliberate and based on mountains of data. But you don’t have that luxury after a breach — you are working against a ticking clock and with incomplete information. You have to learn a more military-style decision-making process, where you stand up an incident command team, designate a commander who is in charge, start walking down a runbook that’s been predetermined, and make hard decisions without hesitation.

Classroom-style learning, tabletop exercises and even talking to security leaders who’ve been through the experience of a breach aren’t enough to prepare you for the intensity of a rapidly changing situation where the survival of your business is on the line. You need to experience it yourself. That’s where the X-Force Command experience is different from other kinds of preparation, and even the other cyber ranges out there.

Our technical advisors and gamification experts have mastered the art and science of creating an experience that feels like a real breach. When the phones start ringing and you’re forced to react when the action is coming at you fast, there is a palpable sense of pressure. Going through this experience shows people what they’re made of, helps them learn how to respond in a stressful situation, and highlights where they need to improve their decision-making capacity.

In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next. That’s when your training and muscle memory kicks in and you execute your plan.

3 Takeaways From the X-Force Command Cyber Range

In the past couple of years, my team has learned a lot, too, about how to build the X-Force Command experience into a laboratory of cyber best practices. With more than 2,000 customers that have come through the range, we can share what some of the world’s most mature customers are doing to stay one step ahead of threats. We help teams conduct a gap analysis based on business key performance indicators (KPIs), and we teach you what a full business response looks like, both before and after an incident.

Below are three common themes we’ve noticed that tend to have a big impact on whether teams are successful in the range.

1. Culture Counts

Your company culture makes a big difference in how well you perform in a crisis. Some cultures are more inclined to run toward a problem, and those that do tend to fare better. It takes a cohesive unit and a common understanding in which people know their roles, but aren’t afraid to speak up or take charge when the time is right.

2. Playbooks Crack Under Pressure

Having a playbook is just the beginning. In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next. That’s when your training and muscle memory kicks in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.

3. Leadership Matters

Last but not least, you need leaders. Sometimes those leaders are not your executives. More often it’s someone who has done a tour in Iraq or Afghanistan or has spent time as an EMT. Some kinds of leadership can be taught in a classroom, but the true test of leadership happens in the arena. Leaders thrive in tough situations, and every tough situation needs leaders. If you’re like many organizations struggling to find qualified talent to fill empty cybersecurity chairs, you might need to look beyond the traditional places. Recruit and train leaders.

What’s Next: The X-Force Command Cyber Tactical Operations Center

There has been such tremendous demand to visit our X-Force Command Cyber Range that we decided pretty early on that we would need to expand our operations. But rather than trying to choose a location for customers to come to us, we want to bring the X-Force Command experience to you. This week, we reached the culmination of a months-long project to do just that, and I’m so excited to launch our new IBM X-Force Command Cyber Tactical Operations Center (C-TOC).

The X-Force Command C-TOC is a mobile command center, modeled after the tactical operation centers used by the military and first responders, but with a singular focus on cybersecurity. It’s the industry’s first mobile cyber range and watch floor — and it’s a technical wonder. To fit all the equipment necessary for an X-Force Command experience, the 23-ton trailer expands to more than twice its width. The whole thing is powered by a 47 kilowatt generator, allowing us to create an entire IT environment on a 100 TB VMware solid-state disk array. It’s easy to be impressed by the C-TOC’s size and appearance — like something straight out of a “Transformers” movie — but form really follows function.

Building on the mission of the Cyber Range, the primary goal of the C-TOC is to give more customers access to the cutting-edge simulations and response training we’ve developed from our experiences in Cambridge. However, the mobility of the C-TOC opens up many additional possibilities, such as education with students and the public, and even helping with cybersecurity efforts on-site at major events.

Check out the X-Force Command C-TOC website to learn more about why we built it and what it can do.

Take a closer look

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…