5 Common Questions About Cybersecurity Exercises, Answered

In this article, we look at what cybersecurity training is, how it works, and what benefits cybersecurity exercises may bring to organizations. Do cybersecurity exercises really help in repelling targeted attacks? Read on to learn more.

Read more: Best Server Security Tools for 2021

5 Common Questions About Cybersecurity Exercises

What Are the Types of Cybersecurity Exercises?

Cybersecurity exercises can be defined as any activity that increases the readiness of personnel to counter cyber threats.

Today, the concepts of cybersecurity training, cyber drills, and cyber polygons do not have clear boundaries. Historically, cybersecurity exercises were paper, command, and staff exercises. Such events, which bring together representatives of different departments, were aimed at identifying individual skills. However, today cybersecurity drills are primarily utilized to train teamwork.

Sometimes cybersecurity exercises can be conducted as CTF, or capture the flag competitions. However, these are most often aimed at acquiring new knowledge and skills in the field of information security, as opposed to practicing actions in case of a cyberattack on an organization.

The most advanced versions of cybersecurity exercises emulate a real attack on an infrastructure that is similar to the one owned by the company. Such exercises are challenging to run, requiring a lot of financial and technical resources, as well as specialized software and hardware platforms. In the process of repelling a test attack, employees of the organization can learn new skills and practice collaborative incident response.

There are two types of exercises: theoretical and functional. Theoretical exercises, also called tabletop exercises, are designed around discussing organizational tasks and practicing to make managerial decisions.

Conversely, functional drills involve technicians using a simulated environment to practice actions in the event of an incident. There are also hybrid cybersecurity exercises that affect both management and technical personnel.

Cybersecurity exercises can also be classified by scale:

• Objective: Simulates an attack on a specific enterprise to improve individual security posture
• Industry-specific: Simulates attacks against multiple companies in the same industry
• Cross-industry: Also known as cross-sector exercises, these simulate attacks against multiple related industries or businesses
• Regional/International: Simulates a localized or international attack, often involving government as well as enterprise personnel

There are no bad forms of cybersecurity exercises. Any activity where an employee gains new knowledge or hones skills in the field of information security will benefit the company.

Is Red Teaming a Cybersecurity Exercise?

A red team is an outside organization that is brought in to test an organization’s personnel, processes, and technology in a scenario that closely models a real-world attack. According to Synopsys, in a red teaming assessment, the “attacker” attempts to gain access to assets through a variety of methodologies, such social engineering, network service exploitation, physical facility exploitation, and application layer exploitation.

In this way, red teaming should be considered a type of cybersecurity exercise. This is a planned event that has all the hallmarks of other cybersecurity exercises — it involves learning and practicing skills, entails an assessment of the results, and also involves the interaction of teams.

Can I Conduct Cybersecurity Training Without a Third Party?

On the one hand, self-testing your security posture entails the risk of obtaining biased results, as not all managers are ready to adequately assess the level of work of their subordinates. The evaluation provided by third parties in most cases will be more indicative of vulnerabilities.

On the other hand, you can try to carry out some types of cybersecurity drills on your own. Large, mature organizations regularly undergo various internal audits. Cybersecurity exercises can be included in the standard procedures of IT and security departments in order to provide a view on potential problems from the outside.

The maturity of the company and its readiness for such a step are of critical importance in deciding whether to conduct cybersecurity exercises on your own. Here are the key questions that may arise along the way:

• Is the company able to deploy a copy of the infrastructure on which the exercise can be conducted?
• Is the company ready to conduct drills on a live business system?
• Who will attack? Do personnel have the skills and tools to carry out an attack?
• How will the team simulate the “creativity” typical of real hackers during the test attack?
• Is it possible to simulate an attack by contracting white hat hackers? Is this safe?

It should be noted that conducting an attack on a real infrastructure is associated with significant risks, especially when possible disruptions may threaten human lives and safety. For this reason, in some cases such testing on the operation of critical systems is simply prohibited.

How Can I Carry Out Cybersecurity Exercises More Affordably?

It is not always clear how an organization can conduct cybersecurity exercises without a large budget. It is especially difficult to do this for small organizations. A small or immature company first needs to answer the questions:

• Why does it need cybersecurity exercises?
• What goals does the organization plan to achieve through them?
• What areas of activity should be improved?

The answers will largely determine the ways of implementing the test attack or scenario, and will help create tasks for a specialized outside company.

There is a special methodology for identifying the goals of a planned test. In some cases, before running cyber drills in an organization, it is helpful to conduct a security audit in order to identify weaknesses. Protection against these weaknesses can be worked out later during exercises and training.

As noted above, a lot depends on the size and maturity of the company. If an organization does not have information security specialists at all, then it is unlikely that it would benefit from cybersecurity exercises. If there are only one or two such people, it is better to just order a pentest.

Companies with small budgets can use a combination of tabletop exercises and practicing basic threat response skills on typical infrastructures. Notably, it is vital to test existing incident response plans regularly.

The cyber quest format, where employees take part in a step-by-step analysis of the cyberattack scenario, may also provide good results for a smaller business. Even if your organization lacks a dedicated InfoSec team, if you explain everything to personnel in detail, and show them ways to obtain new knowledge and skills, then the results will be immediately visible.

How Can I Prepare for Unknown Attacks?

Cyber polygons and services for running cybersecurity exercises most often involve the development of standard, albeit customized, attack scenarios. These scenarios are typically analogous to a school test. But how can you prepare an organization for the non-standard actions of hackers?

First, it is worth trying exercises in the “stand-off” format — where targets are attacked by real people, as opposed to algorithms. In this case, unexpected situations that were not included in the original plan always arise.

Ultimately, it is impossible to foresee all emergency situations. Still, it is possible to help a specialist to develop skills around responding to “expected unknown” information security events.

Much depends on the approach. Most platforms are aimed at training technical skills. Practicing organizational interactions and executive decisions is often given less attention.

Read more: Top Static Application Security Testing (SAST) Tools

6 Key Tips for Conducting Cybersecurity Exercises

Here are some key tips for companies that are thinking about conducting cybersecurity exercises:

• Before conducting cybersecurity exercises, your company should understand why such training is needed and how regularly it should be performed, as well as establishing standard incident response processes.
• When ordering cybersecurity exercises from a third party, your organization needs to convey complete information about your infrastructure to the service provider. Knowing all critical points, possible security vulnerabilities, and anticipated attack scenarios will help improve the quality of upcoming exercises.
• It is important to carefully consider your choice of a platform for conducting cybersecurity exercises. You must choose a service provider you can trust, understanding that this partner will adequately assess the results and formulate competent recommendations.
• Try to soberly assess your strengths and opportunities in terms of time and money. Start slowly, choosing a narrow area for improvement and then moving in clear and concrete steps.
• Learn from the experience of other industries, such as those of software development and testing. Many of your methodological may have been worked out by others.
• Do not forget that there is no “bad” way to develop cybersecurity skills — use all the methods available to you.

Read next: How Does an SQL Injection Attack Work? Examples & Types