Today’s Security Operations Centers (SOCs) are being stress-tested as never before. As the heart of any organization’s cybersecurity apparatus, SOCs are the first line of defense, running 24/7 operations to watch for alerts of attacks and appropriately address those alerts before they become all-out crises. Yet with ransomware holding first place as the top attack type that X-Force incident response remediates, those crises are becoming uncomfortably commonplace.

The best way to prepare for a crisis is to live through one. Ideally, this experience would come through a simulated crisis rather than a real one, although both can deliver valuable lessons. Being forced to address challenges you never fully anticipated, experiencing rushes of adrenaline that challenge your cognitive thinking skills, and racing against the clock to uncover evidence of an attack within mountains of data can provide valuable insight — and experience — that can make all the difference when a major cyber incident arrives. In other words, there is great value in putting your SOC team into the hot seat and allowing them to fully experience a crisis.

Having a plan for a cyber attack is crucial. But actually testing that plan, ideally in an immersive, realistic environment, can make the critical difference between an effective response with quick containment and a downward spiral into a complete cyber catastrophe, based on X-Force experience and observation working with hundreds of clients. As we have noted previously on SecurityIntelligence, “Tabletop exercises and technical training are important, but they can’t replicate the heart-pounding, real-world impact of a cyber range.” Indeed, cyber range exercises put playbooks, teamwork, and technical skills to the test and take them to the next level by identifying gaps; a response plan is most effective when those gaps are addressed early and the plan is tested again.

The Cyber War Game

In the IBM Security X-Force Cyber Range, Cyber War Game exercises are aimed at testing SOC analysts, SOC leaders, incident response investigators and other technical security defenders alongside business executives in a simulated crisis scenario. These are hands-on keyboard exercises where analysts use real-world security tools to investigate a cyber incident and then effectively communicate their evolving findings to C-level executives and members of the business response team. These exercises test not only a team’s technical ability but their skill at communicating within their team as well as with high-level executives when details are scarce and the stakes are high.

The Cyber War Game generates data from security information and event management (SIEM) systems and endpoint detection and response (EDR) tools, which participants can then organize through Security Orchestration, Automation and Response (SOAR) tools. The tools available for incorporation into a Cyber War Game are constantly expanding and include not only IBM products but tools available elsewhere in the market, allowing participants to customize the experience to match most closely what they would encounter on their own networks.

Built on Incident Response Expertise

IBM Security X-Force Incident Response (IR) team assists clients with hundreds of cybersecurity incidents every year, providing extensive insight into on-the-ground threats as forensic investigators observe threat actors at work from the front lines, every day. This insight is then fed into the Cyber War Game, embedding as much reality as possible into these scenarios.

For example, X-Force IR has observed hundreds of ransomware attacks, allowing our teams to map out the most common behaviors of ransomware attackers and the techniques these threat actors have found to be most effective. Chief among these are exploitation of Active Directory, deploying ransomware from domain controllers and using professional phishing groups to gain initial access into the networks they compromise. These techniques and others are woven into the scenarios created for Cyber War Games.

Additionally, our IR teams frequently identify several different lines of threat activity ongoing within the same network and are then tasked to identify whether the activity is originating from the same threat group or from different threat actors. These scenarios are a challenge, as seemingly conflicting information, attack flows that appear similar but then diverge and a massive volume of data create a level of chaos that can be difficult to sift through. Cyber War Game participants have noted the realistic element these multiple lines of activity embed into the exercises, mimicking many real-life incidents that have required extensive follow-up activity. This realism is a natural outcome of relying on information gathered from X-Force’s on-the-ground incident response team.
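Two of the points above, ransomware being pushed out from a domain controller and several lines of activity overlapping in the same network, are the kind of pattern a SOC analyst would want to surface from SIEM/EDR data during an exercise like this. The following is an added example, not code from the original post or from IBM X-Force, showing one simple detection over constructed, normalized EDR-style events: it flags a domain controller that initiates remote execution on many distinct endpoints inside a short window (fan-out from a DC is unusual for routine administration), and it splits the event stream into per-source timelines so distinct lines of activity can be examined separately. The event schema, host names, thresholds and the `LATERAL_ACTIONS` set are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real product format).
# DC01 creates remote services on five workstations in four minutes (suspicious fan-out).
# DC02 touches a single host (routine administration, below threshold).
# WS-050 is a workstation reaching out to another workstation (a separate line of activity).
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T01:30:00", "src": "WS-050", "dst": "WS-060", "action": "remote_service_create", "image": "update.exe"},
    {"ts": "2023-06-01T02:00:05", "src": "DC01", "dst": "WS-101", "action": "remote_service_create", "image": "svc.exe"},
    {"ts": "2023-06-01T02:00:40", "src": "DC01", "dst": "WS-102", "action": "remote_service_create", "image": "svc.exe"},
    {"ts": "2023-06-01T02:01:10", "src": "DC02", "dst": "WS-201", "action": "scheduled_task_create", "image": "inventory.exe"},
    {"ts": "2023-06-01T02:01:55", "src": "DC01", "dst": "WS-103", "action": "scheduled_task_create", "image": "svc.exe"},
    {"ts": "2023-06-01T02:02:30", "src": "DC01", "dst": "WS-104", "action": "remote_service_create", "image": "svc.exe"},
    {"ts": "2023-06-01T02:03:50", "src": "DC01", "dst": "WS-105", "action": "remote_service_create", "image": "svc.exe"},
    {"ts": "2023-06-01T02:05:00", "src": "DC01", "dst": "WS-101", "action": "file_write", "image": "svc.exe"},
]

# Hosts that are known domain controllers (assumed asset inventory).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Actions that represent remote execution on another host (assumed action names).
LATERAL_ACTIONS = {"remote_service_create", "scheduled_task_create"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def detect_dc_fanout(events, dcs, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per domain controller that starts remote execution on at
    least `threshold` distinct hosts within `window`. Only DC-originated events
    with a lateral-execution action are considered."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"] in dcs and e["action"] in LATERAL_ACTIONS:
            by_src[e["src"]].append((parse_ts(e["ts"]), e["dst"]))

    alerts = []
    for src, items in by_src.items():
        items.sort()  # sliding window over time-ordered events
        for i, (t0, _) in enumerate(items):
            hosts = {dst for t, dst in items[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append({"src": src, "first_seen": t0.isoformat(), "hosts": sorted(hosts)})
                break  # one alert per source is enough for triage
    return alerts


def split_activity_lines(events):
    """Group events by originating host into time-ordered timelines, so overlapping
    lines of activity (e.g. a DC deployment and a separate workstation-to-workstation
    movement) can be reviewed independently."""
    lines = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        lines[e["src"]].append(e)
    return dict(lines)


if __name__ == "__main__":
    for alert in detect_dc_fanout(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"ALERT: {alert['src']} fan-out to {len(alert['hosts'])} hosts from {alert['first_seen']}")
    for src, timeline in split_activity_lines(SAMPLE_EVENTS).items():
        print(f"{src}: {len(timeline)} event(s), first at {timeline[0]['ts']}")
```

The threshold and window are the tuning knobs: a real environment needs them set against a baseline of how the DCs normally push software, and the `file_write` event shows that only execution-style actions count toward fan-out, which keeps ordinary file access from inflating the host count.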

Informed by Threat Intelligence

X-Force threat intelligence indicates that, in addition to ransomware being the top attack type over the past three years, several other attack types are plaguing organizations and their SOC teams. Data theft is tied as the third-most common attack type in the 2022 X-Force Threat Intelligence Index, and credential harvesting, remote access trojans (RATs), misconfigurations and malicious insiders are also relatively common attack types, according to data from X-Force IR. The Cyber War Game seeks to test SOC responders by presenting them with a range of attack types to work through and investigate. Some of the threats and effects experienced in the Cyber War Game are especially applicable to organizations with operational technology (OT) environments or sensitive processes and equipment.

In addition to the above, X-Force threat intelligence indicates that threats to cloud environments are growing and that threat actors are spending an increasing amount of time exploring various options for penetrating and gaining persistence in cloud environments. By embedding threats to cloud environments into Cyber War Game exercises, informed by the methods X-Force is observing threat actors empirically using in this space, participants can gain a better sense of the reality of the threat to cloud environments — which is likely to grow over time.

The Time to Prepare is Now

World events are demanding increased vigilance from SOC teams and security defenders as ransomware, destructive malware and DDoS attacks are occurring at a high tempo. To effectively address a security incident or crisis, SOC teams must not only be able to sift through significant amounts of data and make the right call on whether an alert should be escalated and addressed, but must communicate effectively with top-level leadership and know how to answer tough questions at the critical moment. Testing a response plan under pressure with all stakeholders — business leaders, human resources, public relations teams, SOCs and incident responders — can help both sides develop the technical and communication skills to respond appropriately in a crisis. For most organizations, it is less a matter of whether a cyber attack will happen and more of when — and whether the business will be ready to respond appropriately in the face of crisis.

Getting in on the Action

If your organization is interested in participating in an X-Force Range Cyber War Game experience, you can learn more and request a consultation. In addition to Cyber War Game experiences, a Response Challenge focused on effective decision making for high-level executives, a Mind of a Hacker webinar to enhance security awareness and consulting services to build your own in-house cyber range are available from IBM Security.
