From: Financial Times

By James Kaplan, Tucker Bailey & Allen Weinberg

“Can it happen to us?” All over the world technology executives have been fielding this question from boards of directors and CEOs in the wake of highly publicised cyber-attacks on large, well-respected companies and public institutions.

In a world where ever more value is migrating online, where business strategies require more open and interconnected technology environments, where attackers have ever-more impressive capabilities and where attacks exploit human vulnerabilities in the form of employee and customer behavior, the only honest answer is: “Yes.”

In fact, in many places it may have already happened. Yes, political “hacktivists” like Anonymous and Lulzsec delight in announcing their exploits to the world and causing embarrassment to their targets. Other sophisticated attackers seek to cover their tracks. Organised crime rings engaging in cyber-fraud or national intelligence agencies exfiltrating valuable intellectual property for economic advantage have no interest in letting their targets know they’ve been attacked.

We believe there’s a slightly different question that boards and senior business leaders should be asking the technology team about cyber-security: “Are we ready?”

An ill-thought-out response to an attack can be far more damaging than the attack itself. Whether customers cancel their accounts in the wake of a successful cyber-attack depends as much on the quality of a company’s communications as on the seriousness of the breach. How much value the loss of sensitive business plans destroys depends on the ability to adjust tactics quickly.

Cyber-war games test readiness

Just as the armed forces have long conducted war games to test capabilities, reveal gaps in plans and build their leaders’ ability to make decisions in real time, many companies are conducting cyber-war games to help them make sure they have an acceptable answer to the question; “are we ready?” In fact, many corporate cyber-war gaming efforts have been directly inspired by national defense oriented cyber-war games.

A cyber-war game is very different from traditional penetration testing, in which companies employ or contract with “white hat” hackers to identify technical vulnerabilities like unsecured network ports or externally facing programs that share too much information in the browser bar.

A cyber-war game…

…is organised around a business scenario (for example, cyber-criminals using spear-phishing attacks to target high net worth customers for fraud or sophisticated attacker pays corporate insider to install malware that facilities theft of critical intellectual property)

…tests for flaws in company’s ability to react to an attack, particular communications and decision-making processes

…is structured to simulate the experience of a real attack: participants receive incomplete information, and objectives among the participants may not be 100 per cent aligned

…is cross-functional, involving participants from not only information security, but also application development, technology infrastructure, customer care, operations, marketing, legal, government affairs and corporate communications

…occurs over a few days, but requires up-front analysis of business information assets and potential security vulnerabilities to make the scenario is relevant and the game play realistic

…does not touch live production systems — many cyber-war games are “tabletop” exercises

Insights from cyber-war games

Cyber-war games yield insights into information assets that require protection, security vulnerabilities that attackers can exploit and flaws (or “failure modes”) in a company’s ability to respond to an attack.

The analysis required to develop relevant scenarios for the war game facilitates a discussion between business and security managers about which types of information assets are most important, who would want to compromise them and what the implications of an attack could be in terms of loss of intellectual property, loss of reputation, business disruption of fraud.

For example, one public jurisdiction found out that most of their IT security processes were oriented to preventing online fraud even though their biggest risk was the loss of confidence associated with a public breach.

Likewise, the analysis required to ensure that scenarios used in the game are realistic highlights important security vulnerabilities. For example, one retail brokerage found out that much of its most sensitive information assets were hosted on applications that had not undergone security reviews and used out-of-date controls for authenticating users.

Most importantly, the war game itself exposes flaws in an organisation’s ability to respond to an attack:

■Identifying and assessing the breach quickly: One organisation found out that the processes its security professionals used to address a breach were entirely dependent on email and instant messaging; and they would have limited ability to respond to an attack that compromised those systems

■Will it make effective decisions to contain the breach: One corporation discovered that it did not have usable guidelines for deciding when to shut down parts of its technology environment – it found out that that senior executives would order the technology team to sever external connectivity when it wasn’t required, an action that would have prevented customers from accessing their accounts

■Will it communicate effectively about the breach to the full set of stakeholders? At one financial institution, a war game demonstrated that the firm didn’t have guidelines on how to communicate with customers whose data had been breached – so high net worth customers would have received an impersonal email.

■Can it adjust business strategies and tactics in the light of a breach? At one manufacturer, a war game revealed that business managers had never thought through what they would do if competitors or counter-parties got access to sensitive information, so they wouldn’t be able to change negotiation strategies quickly after the disclosure of proprietary information about their cost structure.

Conducting a cyber-war game

Most companies can plan and conduct a game in six to 12 weeks, with a manageable impact on security, technology and business managers. Aligning on scope and objectives of the war game is the first step – this includes deciding how many scenarios to incorporate into the game, how sophisticated scenarios will be and how much participation will be required from each business function, especially the “trusted agents” who will design and run the war game.

Once named, the trusted agents develop potential scenarios that take into account critical information assets, attackers who would want to compromise them and existing security vulnerabilities they might exploit. After selecting the scenarios to be used in the game, they identify the “failure modes” they need to test for and create the step-by-step script that facilitators use in the game itself.

The simulation or game itself can last anywhere from a day to a week or more, depending on the complexity of the scenarios. Throughout the course of the simulation, the facilitator will provide participants with “injects” of information and what actions they will take. At each stage, the information that players representing functions like security operations, marketing and legal services receive depends on the actions they have just taken.

The last and most important phase of a cyber-war game takes the insights generated by the simulation and converts them into actionable steps that will improve an organisation’s ability to respond to an attack. These steps typically include implementing tools that increase visibility into attacks, clarifying responsibilities, developing guidelines for making high-stakes decisions under pressure and creating communications protocols that can be pulled “off the shelf” when required.

Conclusion

Conducting a war game to test a corporation’s ability to manage a cyber-attack requires real effort and planning. However, it is one of the most effective mechanisms for prioritising assets to protect, surfacing vulnerabilities, identifying flaws in the ability to respond and build the type of “muscle memory” required to make appropriate decisions in real time with limited information.