Cyber-war gaming: A cybersecurity tabletop exercise

Based on military war games, cyber-war gaming examines a company's security posture. Learn how it works, the readiness required, who should be involved and more.

Attackers will inevitably penetrate your defenses. The question is how effectively and quickly your current security and response strategies will perform under attack.

One preparation option is to adapt military war games into cybersecurity tabletop exercises. While cyber-war gaming isn't a new concept, it's not widely adopted -- yet.

What is a cybersecurity tabletop exercise?

Cyber-war games are designed to provide a real-time look into how a company would defend against and respond to an attack. Red teams use the same tools as attackers to identify weaknesses in a company's security strategy. The blue team, meanwhile, works to prevent any successful penetration by the red team from getting far into a system.

These tabletop exercises are about more than just penetration testing and trying out attack methodologies, however.

"Because the goal isn't the same as with a vulnerability scanner or a pen test, it's not going to be the same; you're not going to get the same type of results you would get from there," said Ken Smith, national lead for cyber testing at consulting firm RSM US.

Rather, cyber-war games provide insight into the state of readiness of a company's cybersecurity strategy and how well security teams would respond to an attack.

Successful cyber-war games involve more than the security team; they draw in members from across the company, which makes them far more encompassing than red teaming or other security exercises. Companies should involve all key stakeholders, from the CEO down to the security teams.

"It's not only attack and incident response; it's crisis management," said Jon Oltsik, analyst at Enterprise Strategy Group, a division of TechTarget. "What would the CEO say if a reporter called? What would you say to customers, to regulators, etc.?" Buy-in from the C-suite is key. Plus, executives need to determine the goal of the assessment beforehand.

How long a war game exercise takes depends on how thorough it's intended to be; it can stretch from a month to six weeks. Each exercise ends with a follow-up report that expands on the results for security teams.

Cyber-war games framework

For interested companies, Mitre released its cyber-war gaming framework in 2018. It is designed to be tailored to an organization's security setup to accurately review its specific strategies.

How cyber-war gaming works

Unless the cyber-war game is about testing one specific tactic or aspect of a system, let the red team try whatever they want during the attack.

"Realism is the goal," Oltsik said. "Use the tactics, techniques and procedures that an adversary might use."

It's also important to have a goal for the cyber-war game exercise before putting it into action. "Are you testing new controls that have just been put in place?" Smith said. "Or has your process been entrenched for a while, and you're looking for a refresher?"

In an exercise, the security teams use a clone of the company's live environment to get a real-world result. The red team initiates an attack, while the blue team follows existing security strategies to see if it can detect the initial attack. From there, it becomes about which side can employ more creative and effective methods to either further or stop the attack.

Another option is to have IT create a preconfigured environment that neither the red nor the blue team knows about beforehand, as happens at events held by the National Collegiate Cyber Defense Competition. In its events, blue teams try to work out what the system is and how to secure it before red teams start their attacks, Smith said.

Consider an organization's maturity level, resources

Businesses of all sizes conduct cyber-war games, but don't test just for testing's sake. Companies must assess their maturity level before attempting one and know what they want out of the exercise.

Annual pen tests backed by two years of solid results indicate readiness, Smith said, especially "if you're doing quarterly vulnerability scans, both internal and external, and you're not seeing any canary-in-the-coal-mine-type situations."

Before considering cyber-war gaming, it is also important to take into account whether the infrastructure and personnel are in place to conduct, detect and respond to attacks. "If you're missing any one of those pillars, it doesn't end up being worth the time and effort," Smith said.

In this instance, outsourcing is an option. Companies don't have to handle all aspects of cyber-war gaming internally -- and it can, in fact, be beneficial to outsource at least a portion of the exercise.

If your company only has a blue team, for example, it could hire a third party to conduct the attack. Even if your company has the staff and resources to conduct the exercise, consider hiring an outside red and blue team to test against the opposite internal team. Your red team may know how the internal blue team would respond and vice versa, which a third-party attacker probably wouldn't. This could impact the test and its results.

Challenges of cyber-war gaming

Cyber-war gaming isn't all roses. Be aware of these potential downsides before conducting an exercise.

Cyber-war gaming isn't cheap

Conducting an assessment can be expensive. It takes time to devise the scenario, determine the end goal and carry out the exercise. In some instances, the end result might not be worth the time and cost. If the blue team prevents the red team from penetrating the perimeter, you have just conducted a costly pen test. On the other hand, if the red team makes it into the system easily and meets next to no resistance, you have paid a high price to learn that your cybersecurity defense needs an overhaul.

"You always run the risk it's not worth the cost because you're testing unknowns," Smith said. "You might not get enough bang for your buck from the exercise. But, if your program is at the right maturity level, you've done your due diligence, you have your controls in place and you're doing regular testing, this is kind of that next step to give you the reassurance of whether or not your processes are working as intended."

Poor C-suite communications could hurt security teams

The C-suite should be included in cyber-war games, but unfortunately, that's not always going to happen. Keep the board and C-suite apprised of how tabletop exercises perform, however, and always ensure they understand the purpose of the exercise. Remind them that a successful attack doesn't mean the blue team failed or people should lose their jobs.

Turning it into a competition

Another concern is that tabletop exercises can become overly competitive. The red team wins more often than not, said Jeff Pollard, analyst at Forrester Research, but that isn't meant to be an indication of failure by the blue team. Don't hurt future cooperation by making the exercise a competition between red and blue teams.

"This is when it turns contentious and toxic," Pollard said.

Purple teaming as an alternative

Organizations may consider using purple teaming instead of cyber-war gaming. This methodology encourages collaboration over competition. Purple teaming involves red teams working alongside blue teams to explain what they would do if they were an attacker. This helps blue teams understand potential attacks and know what to look for in the future.

"Purple teaming is a collaborative effort," Pollard said. "War gaming can be competitive; there's a clear 'winner.' With purple teaming, you can put the red team next to the blue team and show them what they would do next in an attack."

Overall, the goal of both exercises is to improve an organization's defenses, but cyber-war gaming is much more encompassing. In cyber-war gaming, successful red teaming shows a company where its current processes or technology fall short and where work needs to be done, and it gives the blue team more experience of what a real attack looks like.
