Threat intelligence and response teams need to be ready to respond to an increasing barrage of risks and changes. This is where breach and attack simulation (BAS) comes in. Most organizations use BAS platforms to validate that their security controls actually detect or block the kinds of attacks that lead to data breaches.

IBM Security saw that the same platform could also be very useful for training. Practicing against replicas of real-world attacks is the best way to prepare: it lets analysts test themselves at spotting and countering data breaches and other threats before they meet them in the wild.

One IBM analyst says BAS provides the “unique chance to be an attacker and defender at the same time. I can learn from new logs and new threat patterns that I didn’t observe on a daily basis.”

So how does this kind of training — based on a ‘see one, do one and teach one’ approach — make a difference?

Real-World Data Breach Events

In the past, ongoing training for cybersecurity teams and threat intelligence experts relied on classroom learning methods. A team member who wanted to improve might have taken courses on security best practices in order to gain certifications. They might have read reports coming out of various organizations (including IBM’s incident response team) to learn about the newest threats and how analysts should respond to them. They might have gone through quizzes and exercises to test their knowledge. But they rarely simulated the experience of an actual attack.

This matters because security teams often do not see the latest attacks or live alerts on a regular basis. Many client environments are well protected and block attacks before they produce anything to investigate. In other cases, breaches do occur but the client never catches them or identifies the indicators of compromise (IOCs). For teams to build relevant experience, they need to be tested against breaches and attacks they have not yet seen and may never see in production.

Building a Breach and Attack Simulation

SafeBreach, a pioneer in the emerging field of BAS, provides tens of thousands of playbooks covering attack patterns, threat actors, data breach replicas and other tests that let teams quickly simulate even the most recent attack types. Because this library is ready to use and easy to access, analysts can set up a data breach exercise in minutes, which makes SafeBreach a flexible training tool. With it, teams can quickly gain familiarity with combatting attacks that are still emerging or that were first reported only days or weeks earlier.

To make this work, IBM built custom integrations with other tooling, including the QRadar security analytics platform, logging and auditing tools and purpose-built Linux and Windows virtual machines that serve as the targets. During simulations, IBM’s cybersecurity teams can also run their own custom playbooks, written in Python, alongside the vendor-supplied ones (SafeBreach supports custom Python playbooks). With this setup, team members can see and study the full life cycle of an attack, including initial infiltration, lateral movement and the final ransomware deployment or exfiltration of data. They execute a playbook, watch what transpires, then read through a detailed audit trail and report to understand what happened, comparing each simulated action and its expected IOCs against the actual log files the target systems produced.

Next, cohorts passing through this program can become curators and trainers for the next cohort. The trainers will pass on their wisdom, design playbooks and breach examples based on what they found most useful. In the future, developers could add machine learning to this process, so the exercises will not only train analysts but also train deep learning systems to better identify, analyze and prescribe remediations for attacks.

Learning from Building IBM’s Advanced Simulation Education Environment

The process of building these integrations was educational in itself. IBM learned that the team needed to improve its auditing policies so that every step of a simulated breach actually produced a log record; without that, some threat activity in an exercise left no trace to detect. Additionally, even once events were captured and forwarded to the SIEM, the security analytics rules that should have turned them into alerts were often incomplete.
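The two gaps described here (activity that is never logged, and activity that is logged but never alerted on) are exactly what an analyst looks for when comparing a playbook's expected IOCs against the log files, as the earlier section on running playbooks describes. The following is an added example, not SafeBreach, QRadar or IBM code, that scores a constructed playbook against constructed key=value audit logs and a constructed set of SIEM-style rules. The playbook steps, the log format, the rule predicates and all host names and addresses are hypothetical.

```python
"""Score simulated playbook steps against audit logs and detection rules.

Each step is classified as one of:
  logged_and_alerted  - a log record carries every expected IOC and a rule fired on it
  logged_no_rule      - fully logged, but no rule matched (incomplete analytics rules)
  partially_logged    - only some IOC fields were captured (incomplete audit policy)
  not_logged          - nothing from the step reached the logs at all
Added example with constructed data; not code from any BAS or SIEM vendor.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    """One action of a simulated playbook and the IOCs it should leave behind."""
    name: str
    expected: dict  # log field -> value that must appear together in one record

# Hypothetical playbook, constructed for this example.
PLAYBOOK = [
    Step("initial_access_download", {"process": "powershell.exe", "dst_host": "update.example.invalid"}),
    Step("lateral_movement_remote_exec", {"process": "wmic.exe", "dst_ip": "10.0.0.25"}),
    Step("exfil_http_post", {"process": "curl.exe", "dst_host": "drop.example.invalid"}),
    Step("persistence_scheduled_task", {"process": "schtasks.exe"}),
]

# Hypothetical key=value audit log, constructed for this example. Note that the
# curl.exe record lacks network context and schtasks.exe never shows up at all.
LOGS = """\
ts=1 event=process_start host=ws01 process=powershell.exe dst_host=update.example.invalid user=alice
ts=2 event=process_start host=ws01 process=wmic.exe dst_ip=10.0.0.25 user=alice
ts=3 event=process_start host=ws01 process=curl.exe user=alice
ts=4 event=logon host=srv02 user=alice logon_type=3
"""

# Hypothetical SIEM rules: name -> predicate over one parsed record. The
# remote-exec rule only knows psexec.exe, so it misses the wmic.exe step.
RULES = {
    "download_cradle": lambda r: r.get("process") == "powershell.exe" and "dst_host" in r,
    "remote_exec_tool": lambda r: r.get("process") in {"psexec.exe"},
}

KV = re.compile(r"(\w+)=(\S+)")

def parse_logs(text):
    """Turn key=value lines into a list of dicts (empty lines skipped)."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def evaluate(playbook, records, rules):
    """Return {step name: {"status", "missing_iocs", "rules"}} for every step."""
    report = {}
    for step in playbook:
        # Records in which all expected IOC fields appear with the expected values.
        matches = [r for r in records if all(r.get(k) == v for k, v in step.expected.items())]
        if matches:
            fired = sorted(name for name, pred in rules.items() if any(pred(r) for r in matches))
            status = "logged_and_alerted" if fired else "logged_no_rule"
            missing = []
        else:
            fired = []
            # Which expected fields were seen anywhere, even if not together?
            seen = {k for r in records for k, v in step.expected.items() if r.get(k) == v}
            missing = sorted(set(step.expected) - seen)
            status = "partially_logged" if seen else "not_logged"
        report[step.name] = {"status": status, "missing_iocs": missing, "rules": fired}
    return report

if __name__ == "__main__":
    for name, result in evaluate(PLAYBOOK, parse_logs(LOGS), RULES).items():
        print(f"{name:32s} {result['status']:20s} missing={result['missing_iocs']} rules={result['rules']}")
```

The distinction between partially_logged and logged_no_rule is the useful part: the first sends the team back to the endpoint audit policy, the second to the SIEM rule set. In a real exercise the records would come from the SIEM export rather than an inline string, and the expected IOCs from the playbook's own report.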

Because this training is hands-on, analysts can now educate themselves on the latest and most relevant threats as part of their regular curriculum. This translates into practical knowledge they apply day to day in their jobs. Further down the pipeline, clients benefit directly from the analysts’ improved skills.

In one instance, IBM’s team spotted activity on a client system that looked like a penetration test in progress. The analysts asked the client about it; the client confirmed that a pen test was indeed underway and gave the team credit for spotting it. More and more clients are testing their providers in this way to determine whether they can deliver on the promise of cutting-edge analysis and insight.

IBM has already seen strong results from new data breach training programs. Of the first five program adopters, three have already gone on to become architects for this program. These architects are now trainers themselves, designing playbooks, training and mentoring the next class of 30 trainees. With the next cohort, the cycle will repeat.

See one, do one, teach one. It has worked for professionals, such as doctors, for over 100 years. Now, it’s working for cybersecurity training, too.

This type of ongoing training is crucial to stay ahead of the curve in cybersecurity. See why IBM Security is recognized as a leader in managed security services, threat intelligence and response.
