How Would an Assistant Groundskeeper Win a Cyberwar?

By Danelle Au

As rapidly as the threat landscape has evolved over the last few years it’s reasonable to predict that the level of effort and innovation being invested by the hacker community will continue to increase. The techniques that are—and will be—used by the black hats are targeted, sophisticated and even collaborative. The market for new and cleverer ways to defeat enterprise security is lucrative and driven by the spirit of the free market.

The only way to close the gap between the current state of IT security and the capabilities of the enemy is to outflank them; to beat them at their own game; to rip a page from the hacker’s playbook and out-innovate them.

I have to laugh, because I’ve outsmarted even myself. My enemy, my foe, is an animal. In order to conquer the animal, I have to learn to think like an animal and, whenever possible, to look like one. I’ve gotta get inside this guy’s pelt and crawl around for a few days.
— Carl Spackler, assistant groundskeeper, Bushwood Country Club

Quote Source: CaddyShack


One way to get ahead of the threat is through cyberwar gaming. By using the latest threat intelligence, applying that information to the methods that hackers are actually using in actual attacks.

To be effective, however, cyberwar games must be structured in such a way that the outcomes translate into useful information that shapes a security program based on and supported by fact, not theories that may be de rigueur, but have no application in your environment. Validating security by simulating actual attacks gives defenders a clear understanding of what they are doing right, what they are doing wrong, and how to take preventative action to close holes and disrupt the attacker’s kill chain before an attack occurs.

How does an enterprise achieve this end? The first step is to understand what true cyberwar gaming is in order to avoid falling into the trap of basing your security strategy on the results of a relabeled process. Cyberwar games are broad, sophisticated exercises based on actual data breach scenarios carried out in a production environment. Cyberwar games use an active, innovative Red Team (attacker) vs. Blue Team (defender) format that encourage the “enemy” to find ways to succeed by probing the entire network kill chain, using comprehensive breach methods and known hacker attack patterns. Cyberwar games are not penetration tests or “table top” exercises.

Before engaging in cyberwar gaming, it’s important to set clear objectives for both Red and Blue teams based on the types of attacks known to be targeting an organization along with a realistic outcome. For the Blue Team the objective tends to be straightforward: disrupt the hacker’s kill chain and prevent them from doing damage. For the Red Team the objective may be the theft of financial assets, exfiltration of valuable intellectual property, or the exposing of information that could lead to scandal for the company or its executives.

These may be hacks

Using this combination of people, process and technology approach in conjunction with an automated security validation platform yields up-to-the-minute information about what security measures are working in your network and, more importantly, what measures aren’t working. It challenges security assumptions and allows the CISO to make necessary changes to shift resources from what isn’t working to what is working. It also heightens awareness of the risks faced by the enterprise and the responsibilities of the security team.

Once begun, cyberwar games should not stop. Your enemy is innovative and motivated, looking for new ways to get inside your network to achieve their objective and so the results of last week’s exercise may not be applicable today. The threat environment is constantly evolving as is your network’s configuration. Have you added new equipment or applications? Have you hired new employees or have staff moved on? Did your vendor make any updates or find any new vulnerabilities in the products you’re running? Answering “yes” to any of the above means previous security assumptions have changed, putting you at greater risk.

War games are a tried and tested approach to understanding and responding to threats and have been used by professional military organizations for centuries. For today’s enterprise, true cyberwar gaming is a relatively new approach made possible by advances in threat intelligence and automated validation platforms. As such there may be resistance to the adoption of a new idea, but the benefits for organizations that wish to secure their valuable data assets are clear. By challenging longstanding security assumptions, cyberwar games can help forward-thinking CISO to find and fix weaknesses before they are exploited by the enemy and, in the process, develop threat response “muscle memory” within the security team, allowing them to think like the hacker and react quickly and effectively when an attack occurs.

And an attack will occur.