Threat intelligence and response teams must keep pace with a growing barrage of new attacks and changing environments. This is where breach and attack simulation (BAS) comes in. Most organizations use BAS platforms to validate their security controls against the kinds of attacks that lead to data breaches.

IBM Security found that a BAS platform is also valuable as a training platform: rehearsing against replicas of real-world attacks is the best way to prepare. It lets analysts test themselves at spotting and countering data breaches and other threats as they appear in the wild.

One IBM analyst says BAS provides the “unique chance to be an attacker and defender at the same time. I can learn from new logs and new threat patterns that I didn’t observe on a daily basis.”

So how does this kind of training — based on a ‘see one, do one and teach one’ approach — make a difference?

Real-World Data Breach Events

In the past, ongoing training for cybersecurity teams and threat intelligence experts relied on classroom methods. A team member who wanted to improve might have taken courses on security best practices to earn certifications. They might have read reports from various organizations (including IBM’s incident response team) to learn about the newest threats and how analysts should respond to them. They might have worked through quizzes and exercises to test their knowledge. But they rarely simulated the experience of an actual attack.

This matters because security teams often do not see the latest attacks or live alerts on a regular basis. Many client systems are well protected and block attacks outright. In other cases a breach does occur, but the client neither catches it nor identifies the indicators of compromise (IOCs). For teams to build relevant experience, they need to be tested against breaches and attacks they have not yet seen and may never see in the real world.

Building a Breach Attack Simulation

SafeBreach, a pioneer in the emerging field of BAS, ships tens of thousands of playbooks covering attack patterns, threat actors, data breach replicas and other tests, so teams can quickly simulate even the most recent attack types. This makes it a flexible training tool: the attack preparation is already done, the platform is easy to access, and analysts can stand up a data breach test in minutes. With it, teams can build awareness of and comfort with combating attacks that are emerging or that happened only days or weeks ago.

To make this work, IBM built custom integrations with other tooling: the QRadar security analytics platform, logging and auditing tools, and purpose-built Linux and Windows virtual machines. During simulations, IBM’s cybersecurity teams could also run their own custom BAS playbooks written in Python, which SafeBreach supports. With this setup, team members can observe and study the full life cycle of an attack, including infiltration, lateral movement and ransom or exfiltration of data. They execute a playbook, watch what transpires, and read through a detailed audit and report to understand what happened, comparing each simulated action and its IOCs against the actual log files.

Next, cohorts passing through this program can become curators and trainers for the next cohort. The trainers will pass on their wisdom, design playbooks and breach examples based on what they found most useful. In the future, developers could add machine learning to this process, so the exercises will not only train analysts but also train deep learning systems to better identify, analyze and prescribe remediations for attacks.

Learning from Building IBM’s Advanced Simulation Education Environment

The process of building these integrations was educational in itself. IBM learned that it needed to improve its auditing policies so that every action in a breach simulation was captured and could be spotted. Additionally, once log events and alerts were forwarded to the SIEM, the security analytics rules meant to act on them were often incomplete.
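The two lessons above, that audit policy can miss an attacker’s action entirely and that a SIEM rule can fail to fire on an action that was logged, are exactly what comparing a playbook’s recorded steps against the collected logs surfaces. The script below is an added example, not IBM’s or SafeBreach’s code: it takes a constructed playbook run (the step and IOC field names are assumptions, not SafeBreach’s real export schema), constructed key=value log lines in a Sysmon-like style, and a constructed list of SIEM alerts, and labels each simulated step as detected, a rule gap (logged but no alert) or a logging gap (never captured at all).

```python
"""Score a simulated attack against collected logs and SIEM alerts.

Added example. All inputs below are constructed; the playbook, log and alert
formats are assumptions for illustration, not any vendor's real schema.
"""
import json
import re

# Constructed playbook run: each step names the technique it simulated and the
# indicators (IOCs) it expects to have left behind on the target host.
PLAYBOOK_RUN = json.loads("""
[
  {"step": 1, "phase": "infiltration", "technique": "T1059.001", "host": "win-ws-01",
   "iocs": {"process": "powershell.exe", "cmdline_contains": "-enc"}},
  {"step": 2, "phase": "lateral_movement", "technique": "T1021.002", "host": "win-ws-01",
   "iocs": {"dest_ip": "10.0.0.25", "dest_port": "445"}},
  {"step": 3, "phase": "exfiltration", "technique": "T1048.003", "host": "win-ws-01",
   "iocs": {"dest_ip": "203.0.113.7", "dest_port": "443"}}
]
""")

# Constructed log lines as collected from the test VM (key=value, quoted values
# may contain spaces). Note there is no line at all for the exfiltration step.
RAW_LOGS = r"""
ts=2023-01-10T09:12:01Z host=win-ws-01 event=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -enc SQBFAFgA"
ts=2023-01-10T09:12:09Z host=win-ws-01 event=network_connect dest_ip=10.0.0.25 dest_port=445 proto=tcp
ts=2023-01-10T09:13:44Z host=win-ws-01 event=process_create image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
"""

# Constructed SIEM alerts: only the encoded-PowerShell rule fired.
SIEM_ALERTS = [
    {"rule": "Encoded PowerShell command line", "host": "win-ws-01", "technique": "T1059.001"},
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log_line(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def _basename(path):
    """Last path component, case-folded, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def step_matches_event(step, event):
    """True if a single log event carries every IOC the step says it left."""
    if event.get("host") != step["host"]:
        return False
    for key, want in step["iocs"].items():
        if key == "process":
            if _basename(event.get("image", "")) != want.lower():
                return False
        elif key == "cmdline_contains":
            if want not in event.get("cmdline", ""):
                return False
        else:  # exact-match fields such as dest_ip / dest_port
            if event.get(key) != want:
                return False
    return True


def classify_coverage(playbook_run, raw_logs, siem_alerts):
    """Map each step number to 'detected', 'rule_gap' or 'logging_gap'."""
    events = [parse_log_line(l) for l in raw_logs.strip().splitlines() if l.strip()]
    alerted = {(a["host"], a["technique"]) for a in siem_alerts}
    verdicts = {}
    for step in playbook_run:
        evidence = [e for e in events if step_matches_event(step, e)]
        if not evidence:
            verdict = "logging_gap"   # audit policy never captured the action
        elif (step["host"], step["technique"]) in alerted:
            verdict = "detected"
        else:
            verdict = "rule_gap"      # action was logged, but no SIEM rule fired
        verdicts[step["step"]] = verdict
    return verdicts


if __name__ == "__main__":
    for step_id, verdict in classify_coverage(PLAYBOOK_RUN, RAW_LOGS, SIEM_ALERTS).items():
        step = PLAYBOOK_RUN[step_id - 1]
        print(f"step {step_id} {step['phase']:<16} {step['technique']:<10} {verdict}")
```

On the constructed inputs the encoded PowerShell step is detected, the SMB lateral movement step is a rule gap (the network connection was logged but nothing alerted on it), and the HTTPS exfiltration step is a logging gap (no event was collected at all). Separating the two gap kinds matters because the fixes live in different places: a logging gap is an audit-policy or agent-configuration change on the endpoint, while a rule gap is a SIEM content change.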

Because the training is hands-on, analysts can now educate themselves on the latest and most relevant threats as part of their regular curriculum. This translates into knowledge they apply day to day in their jobs. Further down the pipeline, clients benefit directly from the analysts’ improved skills.

In one instance, IBM’s team spotted activity on a client system that looked like a penetration test in progress. The analysts asked the client about it; the client confirmed it was a pen test and gave kudos for spotting it. More and more clients are testing their providers’ teams this way to determine whether they can deliver on the promise of cutting-edge analysis and insight.

IBM has already seen strong results from new data breach training programs. Of the first five program adopters, three have already gone on to become architects for this program. These architects are now trainers themselves, designing playbooks, training and mentoring the next class of 30 trainees. With the next cohort, the cycle will repeat.

See one, do one, teach one. It has worked for professionals, such as doctors, for over 100 years. Now, it’s working for cybersecurity training, too.

This type of ongoing training is crucial to stay ahead of the curve in cybersecurity. See why IBM Security is recognized as a leader in managed security services, threat intelligence and response.

More from Incident Response

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late. Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions. However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

People, Process and Technology: The Incident Response Trifecta

Let's say you are the CISO or IT security lead of your organization, and your incident response program needs an uplift. After making a compelling business case to management for investment, your budget has been approved and expanded. With your newfound wealth, you focus on acquiring technology that will improve your monitoring, detection and analysis of data traffic. Has the incident program really improved by the technology acquisition, or is the uplift merely cosmetic? If no other changes have been…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…