Today’s Security Operations Centers (SOCs) are being stress-tested as never before. As the heart of any organization’s cybersecurity apparatus, SOCs are the first line of defense, running 24/7 operations to watch for alerts of attacks and appropriately address those alerts before they become all-out crises. Yet with ransomware attacks maintaining first place as the top attack type X-Force incident response remediates, those crises are becoming uncomfortably commonplace.
The best way to prepare for a crisis is to live through one. Ideally, this experience would come through a simulated crisis rather than a real one, although both can deliver valuable lessons. Being forced to address challenges you never fully anticipated, experiencing rushes of adrenaline that challenge your cognitive thinking skills, and racing against the clock to uncover evidence of an attack within mountains of data can provide valuable insight — and experience — that can make all the difference when a major cyber incident arrives. In other words, there is great value in putting your SOC team into the hot seat and allowing them to fully experience a crisis.
Having a plan for a cyber attack is crucial. But actually testing that plan, ideally in an immersive, realistic environment, can make the critical difference between effective response and quick containment, or a downward spiral into a complete cyber catastrophe, based on X-Force experience and observation working with hundreds of clients. As we have noted previously on SecurityIntelligence, “Tabletop exercises and technical training are important, but they can’t replicate the heart-pounding, real-world impact of a cyber range.” Indeed, cyber range exercises can put playbooks, teamwork, and technical skills to the test and take them to the next level by identifying potential gaps that can refine a response plan to be most effective when addressed early and tested again.
The Cyber War Game
In the IBM Security X-Force Cyber Range, Cyber War Game exercises are aimed at testing SOC analysts, SOC leaders, incident response investigators and other technical security defenders alongside business executives in a simulated crisis scenario. These are hands-on keyboard exercises where analysts use real-world security tools to investigate a cyber incident and then effectively communicate their evolving findings to C-level executives and members of the business response team. These exercises test not only a team’s technical ability but their skill at communicating within their team as well as with high-level executives when details are scarce and the stakes are high.
The Cyber War Game generates data from security incident and event management (SIEM) systems and endpoint detection and response (EDR) tools, which participants can then organize through Security Orchestration, Automation and Response (SOAR) tools. The tools available for incorporation into a Cyber War Game are constantly expanding and include not only IBM products but tools available elsewhere in the market, allowing participants to customize the experience to match most closely what they would encounter on their own networks.
Built on Incident Response Expertise
IBM Security X-Force Incident Response (IR) team assists clients with hundreds of cybersecurity incidents every year, providing extensive insight into on-the-ground threats as forensic investigators observe threat actors at work from the front lines, every day. This insight is then fed into the Cyber War Game, embedding as much reality as possible into these scenarios.
For example, X-Force IR has observed hundreds of ransomware attacks, allowing our teams to map out the most common behaviors of ransomware attackers and the techniques these threat actors have found to be most effective. Chief among these are exploitation of Active Directory, deploying ransomware from domain controllers and using professional phishing groups to gain the initial access into networks of compromise. These techniques and others are woven into the scenarios created for Cyber War Games.
Additionally, our IR teams frequently identify several different lines of threat activity ongoing within the same network and are then tasked to identify whether the activity is originating from the same threat group or from different threat actors. These scenarios are a challenge, as seemingly conflicting information, attack flows that appear similar but then diverge and a massive volume of data create a level of chaos that can be difficult to sift through. Cyber War Game participants have noted the realistic element these multiple lines of activity embed into the exercises, mimicking many real-life incidents that have required extensive follow-up activity. This realism is a natural outcome of relying on information gathered from X-Force’s on-the-ground incident response team.
Informed by Threat Intelligence
X-Force threat intelligence indicates that, in addition to ransomware being the top attack type over the past three years, several other attack types are plaguing organizations and their SOC teams. Data theft is tied as the third-most common attack type in the 2022 X-Force Threat Intelligence Index, and credential harvesting, remote access trojans (RATs), misconfigurations and malicious insiders are also relatively common attack types, according to data from X-Force IR. The Cyber War Game seeks to test SOC responders by presenting them with a range of attack types to work through and investigate. Some of the threats and effects experienced in the Cyber War Game are especially applicable to organizations with operational technology (OT) environments or sensitive processes and equipment.
In addition to the above, X-Force threat intelligence indicates that threats to cloud environments are growing and that threat actors are spending an increasing amount of time exploring various options for penetrating and gaining persistence in cloud environments. By embedding threats to cloud environments into Cyber War Game exercises, informed by the methods X-Force is observing threat actors empirically using in this space, participants can gain a better sense of the reality of the threat to cloud environments — which is likely to grow over time.
The Time to Prepare is Now
World events are demanding increased vigilance from SOC teams and security defenders as ransomware, destructive malware and DDoS attacks are occurring at a high tempo. To effectively address a security incident or crisis, SOC teams must not only be able to sift through significant amounts of data and make the right call on whether an alert should be escalated and addressed, but must communicate effectively with top-level leadership and know-how to answer tough questions at the critical moment. Testing a response plan under pressure with all stakeholders — business leaders, human resources, public relations teams, SOCs and incident responders — can help both sides develop the technical and communication skills to respond appropriately in a crisis. For most organizations, it is less a matter of whether a cyber attack will happen and more of when — and if the business will be ready to respond appropriately in the face of crisis.
Getting in on the Action
If your organization is interested in participating in an X-Force Range Cyber War Game experience, you can learn more and request a consultation. In addition to Cyber War Game experiences, a Response Challenge focused on effective decision making for high-level executives, a Mind of a Hacker webinar to enhance security awareness and consulting services to build your own in-house cyber range are available from IBM Security.