No plan survives the first contact with the enemy
Date: 21.05.2023
Author: Thomas Langthaler, Senior Defensive Security Consultant
The importance of exercises in IT security
While the saying “No plan survives first contact with the enemy” is certainly true, this fact rarely leads to resignation and surrender. Rather, attempts are made to keep the delta between plan and reality as small as possible, even after enemy contact, through constant practice and training. Transferred to the preparation for IT security incidents (incident readiness), this means regularly and thoroughly practicing emergency plans, backup and restore processes, and the like. One way to do this is by conducting IT security exercises.
The various types of IT security exercises
There are three types of IT security exercises: Table Tops, Hybrid Exercises, and Live Exercises. Each exercise type has advantages and disadvantages and can be used in different ways to improve an organization’s IT security. All exercise types require an experienced team to run the exercise (Exercise Control Group, ECG).
Table Top Exercises
Table top exercises are simulations that bring together IT and security experts to run through various scenarios and discuss potential responses. These exercises are structured and include detailed plans and scripts to ensure everyone has the same information. During such an exercise, scenarios such as data leakage, phishing campaigns, or ransomware attacks can be simulated. Participants then discuss possible response strategies and work to create an effective plan to address the scenario. The advantage of table top exercises is that they are relatively quick to prepare, and therefore cost-effective, and that they offer a high degree of flexibility. They can be tailored to specific threat scenarios and allow participants to improve their skills without any actual impact on the organization. Depending on the type of exercise, it may also be useful to include non-IT departments in the exercise in order to put communication between different areas to the test.
Live Exercises
Live exercises include Red and Blue Team exercises. In a Red Team exercise, an independent team of ethical hackers is hired to attack a company and expose vulnerabilities. This team simulates a real-world cyber attack to test the company’s response and expose its security weaknesses. The Blue Team, made up of company employees, must then respond quickly to defend against the attack. This exercise allows the company to identify and address its vulnerabilities before a real attack occurs. The advantage of Red Team exercises is that they are very realistic and help companies improve their defenses. However, these exercises can also be very expensive and often require a high level of (often external) expertise. In addition to the actions of the Red Team, fictional events can be injected into the exercise by the Exercise Control Group, similar to a table top exercise.
Hybrid Exercises
Hybrid exercises are an intermediate stage on the way from table top to live exercise. Here, the purely fictitious table top elements are supplemented by real attack attempts (e.g. external scans), which, however, are far less intrusive than a full-fledged Red Team attack. These attack attempts do not necessarily have to be performed by an external Red Team but could also come from an internal security team. In terms of time and cost, hybrid exercises fall somewhere between table top and live exercises.
The role of IT security exercises
Overall, IT security exercises are an important part of a company’s IT security strategy. By conducting these exercises, organizations can improve their ability to respond to cyber attacks and address their security vulnerabilities. Choosing the right type of exercise depends on the company’s goals, budget and available expertise. While table top exercises can be conducted with comparatively little effort, live exercises involving Red and Blue Teams require a higher level of maturity. Regardless of which exercise type an organization chooses, it is important that it conducts IT security exercises on a regular basis in order to continuously improve its IT security practices and be prepared for potential attacks.
Support through CERTAINITY
CERTAINITY is happy to assist in preparing for your (unfortunately inevitable) enemy encounter, whether it is creating a cyber readiness roadmap, designing contingency plans, or conducting IT security exercises as described. If the enemy is already ante portas, you can reach our specialists at the emergency number +43 664 88844686.
Title quote: Helmuth von Moltke