Today’s Security Operations Centers (SOCs) are being stress-tested as never before. As the heart of any organization’s cybersecurity apparatus, SOCs are the first line of defense, running 24/7 operations to watch for alerts of attacks and appropriately address those alerts before they become all-out crises. Yet with ransomware attacks maintaining first place as the top attack type X-Force incident response remediates, those crises are becoming uncomfortably commonplace.

The best way to prepare for a crisis is to live through one. Ideally, this experience would come through a simulated crisis rather than a real one, although both can deliver valuable lessons. Being forced to address challenges you never fully anticipated, experiencing rushes of adrenaline that challenge your cognitive thinking skills, and racing against the clock to uncover evidence of an attack within mountains of data can provide valuable insight — and experience — that can make all the difference when a major cyber incident arrives. In other words, there is great value in putting your SOC team into the hot seat and allowing them to fully experience a crisis.

Having a plan for a cyber attack is crucial. But actually testing that plan, ideally in an immersive, realistic environment, can make the critical difference between an effective response with quick containment and a downward spiral into a complete cyber catastrophe, based on X-Force experience and observation working with hundreds of clients. As we have noted previously on SecurityIntelligence, “Tabletop exercises and technical training are important, but they can’t replicate the heart-pounding, real-world impact of a cyber range.” Indeed, cyber range exercises can put playbooks, teamwork, and technical skills to the test and take them to the next level by identifying gaps early; a response plan refined to address those gaps, and then tested again, is the one most likely to hold up when it matters.

The Cyber War Game

In the IBM Security X-Force Cyber Range, Cyber War Game exercises are aimed at testing SOC analysts, SOC leaders, incident response investigators and other technical security defenders alongside business executives in a simulated crisis scenario. These are hands-on keyboard exercises where analysts use real-world security tools to investigate a cyber incident and then effectively communicate their evolving findings to C-level executives and members of the business response team. These exercises test not only a team’s technical ability but their skill at communicating within their team as well as with high-level executives when details are scarce and the stakes are high.

The Cyber War Game generates data from security information and event management (SIEM) systems and endpoint detection and response (EDR) tools, which participants can then organize through Security Orchestration, Automation and Response (SOAR) tools. The tools available for incorporation into a Cyber War Game are constantly expanding and include not only IBM products but tools available elsewhere in the market, allowing participants to customize the experience to match most closely what they would encounter on their own networks.

Built on Incident Response Expertise

The IBM Security X-Force Incident Response (IR) team assists clients with hundreds of cybersecurity incidents every year, providing extensive insight into on-the-ground threats as forensic investigators observe threat actors at work from the front lines, every day. This insight is then fed into the Cyber War Game, embedding as much reality as possible into these scenarios.

For example, X-Force IR has observed hundreds of ransomware attacks, allowing our teams to map out the most common behaviors of ransomware attackers and the techniques these threat actors have found to be most effective. Chief among these are exploitation of Active Directory, deploying ransomware from domain controllers and using professional phishing groups to gain initial access into the networks they compromise. These techniques and others are woven into the scenarios created for Cyber War Games.

Additionally, our IR teams frequently identify several different lines of threat activity ongoing within the same network and are then tasked to identify whether the activity is originating from the same threat group or from different threat actors. These scenarios are a challenge, as seemingly conflicting information, attack flows that appear similar but then diverge and a massive volume of data create a level of chaos that can be difficult to sift through. Cyber War Game participants have noted the realistic element these multiple lines of activity embed into the exercises, mimicking many real-life incidents that have required extensive follow-up activity. This realism is a natural outcome of relying on information gathered from X-Force’s on-the-ground incident response team.

Informed by Threat Intelligence

X-Force threat intelligence indicates that, in addition to ransomware being the top attack type over the past three years, several other attack types are plaguing organizations and their SOC teams. Data theft is tied as the third-most common attack type in the 2022 X-Force Threat Intelligence Index, and credential harvesting, remote access trojans (RATs), misconfigurations and malicious insiders are also relatively common attack types, according to data from X-Force IR. The Cyber War Game seeks to test SOC responders by presenting them with a range of attack types to work through and investigate. Some of the threats and effects experienced in the Cyber War Game are especially applicable to organizations with operational technology (OT) environments or sensitive processes and equipment.

In addition to the above, X-Force threat intelligence indicates that threats to cloud environments are growing and that threat actors are spending an increasing amount of time exploring various options for penetrating and gaining persistence in cloud environments. By embedding threats to cloud environments into Cyber War Game exercises, informed by the methods X-Force is observing threat actors empirically using in this space, participants can gain a better sense of the reality of the threat to cloud environments — which is likely to grow over time.

The Time to Prepare is Now

World events are demanding increased vigilance from SOC teams and security defenders as ransomware, destructive malware and DDoS attacks are occurring at a high tempo. To effectively address a security incident or crisis, SOC teams must not only be able to sift through significant amounts of data and make the right call on whether an alert should be escalated and addressed, but must also communicate effectively with top-level leadership and know how to answer tough questions at the critical moment. Testing a response plan under pressure with all stakeholders — business leaders, human resources, public relations teams, SOCs and incident responders — can help both sides develop the technical and communication skills to respond appropriately in a crisis. For most organizations, it is less a matter of whether a cyber attack will happen and more of when — and whether the business will be ready to respond appropriately in the face of crisis.

Getting in on the Action

If your organization is interested in participating in an X-Force Range Cyber War Game experience, you can learn more and request a consultation. In addition to Cyber War Game experiences, a Response Challenge focused on effective decision making for high-level executives, a Mind of a Hacker webinar to enhance security awareness and consulting services to build your own in-house cyber range are available from IBM Security.
