There are two questions that keep security personnel up at night: How will the next attacker breach our organization? And how well will we perform when it happens?
Usually, you find out the answers only after an incident happens. So how do you answer these questions before any damage is done, and how do you ensure that your incident response team can provide their best possible answer when called upon?
The answer is to gain what Matthew B. Caffrey, coordinator of wargaming at the Air Force Material Command, calls "synthetic experience." By this he means simulating attacks within the context of a wargame. Running through scenarios that are expected to occur in the future and then going through the processes and practices to deal with them allows you and your staff to gain experience in how to respond to a crisis. When a real incident happens, they’ve already been through it many times before.
Here's how to use wargames to gain the most experience possible, and be ready for the next big security incident.
What is a wargame?
Most people have some conception of what a wargame is, but they are likely to either be thinking of figure-based military games such as Warhammer or board games such as Risk. While both are technically wargames, I've got a much more wide-ranging definition in mind.
I follow the lead of the British Ministry of Defence's Wargaming Handbook, which describes wargaming as "a scenario-based warfare model in which the outcome and sequence of events affect, and are affected by, the decisions made by the players."
That's a usefully vague definition. A wargame is an exercise where a scenario is put forward (say you are the security team for a small power company) and the outcome is affected by the players. So, for instance, there's an alert on a PC on the management network; what do you do? This can be supported by a board, pieces, or a whiteboard, or it can just be a structured discussion.
The wargame is usually designed and run by an umpire, which might be you or someone you hire.
However, if you're advocating for a wargame to be used, you'll want to be more specific, and maybe use a different term. The secret here is to use whatever designation works for you to get your participants interested and your budget approved. "Immersive training" is a good term if you're applying for training budget, or "scenario planning" could work if the money is coming out of business continuity planning. Otherwise, "tabletop exercise" works, or "TTX" if military acronyms would be favorably received.
Simpler is better
When you do this, run the simplest game you can. Especially with modern developments in gaming, from the virtual reality of Half-Life Alyx to the weighty board game Gloomhaven, you might think you need high production values. This is especially true when modeling cyber threats; a high-tech environment feels as though it needs a similarly high-tech representation. But the simpler the wargame format and mechanics, the easier it is to illustrate key points about decision making.
And better decision making is key. For an example of a simple but effective game, use a simple Lego model of a power plant to play the wonderful Decisions and Disruptions.
In this game, players walk through the decision-making process about what security products to buy with a limited budget, with the umpire representing the attackers and explaining to the players the results of their choices. Players will gain a much greater understanding of the choices that they have to make and will make better choices when they have to make them themselves.
I've been involved in games with multimedia presentations, either pre-planned or written during the exercise, to give the participants an immersive experience of what it feels like to be the center of media attention. And I've sat around a table with no more than a few printed sheets of paper and some counters to represent staff and budget, as C-level executives practice how to respond to a crisis and how to communicate to internal and external stakeholders effectively.
With the right preparation, the right umpires running the game, and the right attitude from all the participants, you can achieve great results for very little outlay.
Why would you run this kind of exercise?
When the British Ministry of Defence opened the Defence Wargaming Centre (DWC), Mike Larner, head of the DWC, said, "Wargaming enables commanders to anticipate and rehearse future conflicts." Those are the two key benefits of wargaming in the face of any crisis you and your organization might face in the future: to anticipate and to rehearse.
To anticipate
Whatever event befalls your organization, the question you want to answer is "Are you ready?" But the question that's sometimes missed is, "Ready for what?"
Normal processes and mindsets from business continuity planning can help you evaluate the typical risks to your organization, such as the environmental risk from fire or flood. Also, in many industries, regulations are in place for you to obtain the necessary funding and support if you need to appeal for budget.
But what about an unpredictable and sentient adversary, such as the variety of cybercriminals your organization faces? How will they attack you? Where do you have a weakness that you didn't expect?
Part of what I brought to my customers when I was a penetration tester was a malicious mindset, to see an organization just as a set of weaknesses to be probed or assumptions to be exploited. A wargame creates a "magic circle" where outsiders and your staff have permission to work together, to think maliciously and aggressively about your organization, and highlight issues, before the genuine criminals do the same.
But regardless of your preparation, maybe a security control won't work as expected, or there will be an attack vector you didn't predict. In this case you'll need your staff to react as efficiently and confidently as possible, which brings us to the other benefit of wargames.
To rehearse
When dealing with any kind of incident, the worst time for an organization to learn that it is not prepared is during the incident. You may have your incident response playbooks ready, and you dust them off once a year when the annual audit takes place. But do they still provide the correct guidance when they're truly needed?
So run through an elementary wargame. Gather your staff for half a day in a dedicated meeting room. Have the umpire generate a scenario, and act as the opponent. Or randomly choose one of many scenarios from a pre-prepared list—possibly inspired by recent news stories, or use something like Black Hills Security's Backdoors and Breaches game for the attacks and the mechanics.
Or call in a third party to act as the malicious adversary, and have them available in another room or on the other end of a videoconference, to brainstorm about how they'd attack the organization and respond to the players' actions.
Once the wargame starts, explain the initial scenario to your staff, and give them a time limit for their response. Require proof that your organization is actually capable of the response they propose.
Then use your knowledge to assign a probability of success, roll the appropriate dice, make a decision on the outcome—and then it's up to your players to respond again within this turn's time limit. By making players explain how they would act, with support from existing documentation or capabilities, you can run through how an incident would play out, with the engagement that comes from having an active adversary, but in a "safe to fail" environment that allows issues to be fixed.
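The turn mechanics just described (a time-limited response, proof that the response is possible, an umpire-assigned probability, a dice roll, and an outcome to respond to next turn) as a small umpire's helper in Python. This is an added example, not code from the original article; the scenario, host name and runbook reference in it are constructed.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Turn:
    number: int
    inject: str         # the situation the umpire puts to the players
    response: str       # what the players say they will do within the time limit
    evidence: str       # playbook, tool or runbook proving the response is possible
    probability: float  # umpire's estimate that the response works, 0.0 to 1.0
    roll: int           # d100 result, 1 to 100
    outcome: str        # "success", "failure" or "unsupported"

@dataclass
class Exercise:
    scenario: str
    turn_minutes: int
    rng: random.Random = field(default_factory=random.Random)
    log: List[Turn] = field(default_factory=list)

    def resolve(self, inject: str, response: str, evidence: str,
                probability: float, roll: Optional[int] = None) -> Turn:
        """One turn: a response without proof is recorded as a gap and never succeeds;
        otherwise it succeeds when the d100 roll is within the umpire's probability."""
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if roll is None:  # a fixed roll can be passed to replay a game exactly
            roll = self.rng.randint(1, 100)
        if not evidence.strip():
            outcome = "unsupported"
        elif roll <= round(probability * 100):
            outcome = "success"
        else:
            outcome = "failure"
        turn = Turn(len(self.log) + 1, inject, response, evidence, probability, roll, outcome)
        self.log.append(turn)
        return turn

    def gaps(self) -> List[Turn]:
        # Everything that is not a clean success is a fix-it item for the after-action review.
        return [t for t in self.log if t.outcome != "success"]

    def report(self) -> str:
        lines = [f"Scenario: {self.scenario} ({self.turn_minutes} min per turn)"]
        for t in self.log:
            lines.append(f"T{t.number} [{t.outcome}] roll {t.roll} vs {round(t.probability * 100)}: "
                         f"{t.response} (evidence: {t.evidence or 'none'})")
        return "\n".join(lines)
```

A constructed game would be started with `Exercise("Alert on a management network PC", turn_minutes=10)` and each turn resolved with `resolve(inject, response, evidence, probability)`; `gaps()` then lists the turns to take into the after-action review.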
In a more formal event, and with appropriate senior executive buy-in, you can answer the bigger questions. For example, is your CEO up to facing media scrutiny at short notice? Maybe he says he is, and maybe he's been on all the right courses, but involve him in the game, and at the appropriate time, put him in the spotlight.
If you can hire a freelance journalist for the day, asking appropriately aggressive questions, it's much better for the CEO to realize he's not as good as he thought in front of a few peers than it would be for all your customers and shareholders to realize the same thing as the CEO stumbles on international media.
While also ironing out any issues between the theory and practice of dealing with a crisis, running through a task within a wargame environment can help organizations and their staff build up a kind of muscle memory. When a real event happens, they're relaxed and ready.
To anticipate and rehearse
As you read this you may be thinking about trying to anticipate your adversaries' attacks and practicing your response by using more traditional methods. It is possible to anticipate and rehearse for a crisis in many ways: through meetings and discussions, reading through your plans and playbooks, or undergoing regular audits.
But those exercises don't give you the experience you need and don't encourage the kind of innovative environment that lets you find new methods.
Back at the start of this piece I said, "play wargames." "Play" is usually portrayed as the opposite of "work"—but arguably the most important aspect of a successful wargame is that it's engaging and fun.
Think back to what you've learned throughout your life, from technical skills to sporting prowess, from an academic discipline to your favorite hobby. I expect you've learned most effectively when you've enjoyed the process of learning, and you've gained the most knowledge when you were interacting with the subject and your peers.
If you and your players are engaged in the learning process, through some kind of wargame, you will all get so much more out of it than you would by learning through more traditional methods. And you will deal with any forthcoming incident much more effectively.