IBM X-Force has seen an extraordinary spike in requests to build cyber ranges over the last six months. By cyber ranges, we mean physical facilities or online environments that allow teams to practice responding to cyberattacks. Companies recognize the importance of practicing their strategies under real-world conditions with realistic tools, attacks, and procedures.
What's causing this surge in demand? First, we believe that the all-remote work environment caused by the COVID-19 pandemic has increased the importance of collaborating and training as a team so that everyone is prepared for an incident.
Another factor boosting demand for cyber ranges is the rise in high-profile breaches with seven-figure losses and public exposure of intrusions, both of which hurt reputation and financial outcomes. In addition, data breaches and ransomware have highlighted the importance of competent incident response in preventing worst-case scenarios and quickly containing those that do occur.
The economics of a dedicated cyber range are persuasive once you decide that your cybersecurity team and the other actors in your cyberattack response process need to train together. In addition, a dedicated cyber range allows a business to train many more personnel in a shorter amount of time.
However, before you order a cyber range, you should weigh all of the advantages and disadvantages. The main disadvantage is that a dedicated cyber range may be overkill for the organization's long-term requirements. It's possible that you won't use it enough to justify the expense of building and running such a range.
This article provides a crash course on how to conduct a staged cyber range review and set up a process for deciding what type of training ground would be appropriate for your team.
Why Build a Cyber Range? Mandatory Training, Certifications and Compliance
The most compelling rationale for building a cyber range is that it is one of the most effective ways to improve your team's coordination and experience. Experience and practice improve teamwork and provide the context needed to make informed decisions during a real-world cyberattack. A cyber range is one of the best ways to run realistic attack scenarios and immerse the team in a live response exercise.
Another reason to have access to a cyber range is that many compliance certifications and insurance plans require varying levels of cyber training. In addition, the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) have set compliance standards covering this training. As a result of these obligations, organizations must free up budget for relevant cyber training.
These training needs can be met in a variety of ways. For example, employees may be required to obtain certificates from organizations such as the SANS Institute, depending on their position in the company. Micro-certifications and online coursework delivered through remote learning and certification platforms like Coursera can also be used to meet training requirements. Thus, a company's decision to use a cyber range does not necessarily mean that one is being built in-house.
A Cyber Training Progression in Stages: From Self-Study to Fully Operational Cyber Ranges
When we talk to our customers about cyber range settings, we present them with several options and urge them to proceed in stages. Each stage is suited to a particular level of commitment, activity, and desire for a fully immersive cyber range experience.
Stage 1: Self-Training, Certifications, and Labs
Stage 1 is blocking and tackling: the bare minimum for professional cybersecurity training. This stage covers the fundamentals of continuing education and meeting cyber training requirements. Stage 1 may include the following:
- SANS training courses in the desired areas of expertise
  Specific class topics include reverse engineering malware, network forensics, how attackers traverse networks without being noticed, etc.
- Completion of Coursera self-paced or Massive Open Online Course programs, with the required certificate of completion
Hands-on labs in which participants perform tasks or simulate blue team or red team activities are another Stage 1 option. As much as labs should focus on completion, they should also focus on results and analytics. Participants should be able to determine whether they can discover indicators of compromise and neutralize attacks swiftly and effectively, as well as map the significant tactics, techniques, and procedures (TTPs) associated with those attack simulations.
Stage 2: Team and Wider-Scale Corporate Exercises
In Stage 2, organizations can progress to joint group exercises that are designed around, and adhere to, a curriculum. This requires dedicated computing infrastructure or hardware (although some organizations choose to run everything from their existing workstations). In these drills, all stakeholders pool their knowledge and develop a plan for responding in a coordinated manner. For example, you might have red teams infiltrate and go up against blue teams, drawing on threat intelligence teams and other security personnel in the security operations center.
You might even choose to involve other teams, such as marketing, if you want to make this step more immersive and realistic. At this point, bringing in operational technology (OT) teams is strongly recommended. Many of the most recent ransomware attacks have targeted OT devices as well as laptops and other IT devices.
Witnessing and participating in intensive, synchronized exercises has proven highly beneficial to business executives. Giving them insight into what other teams are going through and how they should respond provides vital context for a crisis. The most advanced team cyber response exercises can span several days and involve dozens or hundreds of team members.
Stage 3: The Collaborative Cyber Range With Vendors, Customers and Partners
Getting your own organization's response in order is a good place to start. But what about the others in your immediate vicinity, such as your customers, vendors, and partners? Given the nature of your digital infrastructure, the pervasive access to application programming interfaces, the growth of connected devices, and the many types of connections between organizations, coordinating an attack response with your closest third parties is vital.
It's easy to see why a coordinated response is so important. The world has become increasingly connected, and the number of digital connections between vendors, customers, and partners keeps growing. As a result, at any given time, a company may have hundreds of third-party links. Because supply chain attacks pass through a trusted intermediary, they can be difficult to detect. They also give attackers a general-purpose foothold that can be used to secure future access, traverse networks, and move laterally inside an organization.
Customers are asking us to extend their cyber preparation and exercises to the ecosystem level as third-party risk management, software supply chain risk, and attacks in this arena become more complex than ever.
We've seen some organizations demand this engagement as a condition of a relationship or of becoming a key vendor, so it's more than just an idea to think about. For example, chief information security officers (CISOs) and risk teams want to go beyond SOC 2 or ISO 2700 certifications and verify their core partners' and vendors' actual capabilities and readiness.
If a company uses a bank, a payment processor, and then a clearinghouse, all three are likely intertwined and will have formed playbooks on how to collaborate and on how to recognize when the chain of interactions faces a problem or when a breach has occurred. Ultimately, they should be able to contain and stop a cyberattack involving one or more of the three entities. Proactively building a risk-aware working relationship, and identifying and presenting the specific risks for each stakeholder, helps facilitate a more robust, thorough, and speedy response in the event of an attack. This is frequently the reason for bringing multiple participants into a collaborative exercise: to establish the procedures and conventions for a coordinated response that is agile and precise.
Keeping Your Training and Range Lively With Fresh Content and Context
The rapid evolution of attack types and the growing scope of attacks are key reasons why we believe corporations are seeking to establish their own cyber ranges. Threats that used to take months to appear now appear in weeks or days. CISOs and risk management leaders know this and recognize that there are two main approaches to dealing with this shift:
- Increase how often you exercise.
- Improve the substance of exercises over time to keep things fresh.
We can use static, curriculum-driven content for Stage 1 activities and push evolving content with industry context to those progressing to more complicated tasks using cyber ranges. Lessons and exercises are frequently inserted in response to attacks that may be occurring at the same time as the exercise. SafeBreach is used to insert information about recent and current attacks that is contextually relevant to the industry and the customer.
Because SafeBreach provides a 24-hour service-level agreement for adding new attacks and control validations, even attacks that have been seen in the wild for only a few days can be evaluated. This is why we recently revised the architecture of our ranges to allow for bespoke content that can be adjusted on the fly. It enables a corporation with a cyber range to set up an exercise based on a significant attack within days of its becoming public. This capability makes cyber ranges more relevant and valuable, as it allows enterprises to accelerate their security metabolism and learn more quickly. In addition, SafeBreach's continuous risk assessment and security control validation technology offers the world's largest collection of attack playbooks, complete with the TTPs for each attack.
Conclusion: Are You Ready for a Dedicated Cyber Range?
We strongly advise that you work through Stage 1 and Stage 2 capabilities before considering a dedicated cyber range. At the very least, run a one-time cyber range exercise to see how it works for your team and company. Most importantly, when planning, consider what your cyber range's utilization rate will be. Finally, as a mitigating factor for the cost, consider whether you can use your dedicated cyber range as a pop-up or quick-start cyber operations command center in the event of an emergency.
Once you're satisfied with the concept of a cyber range and have validated its worth, consider the advantages and disadvantages of the three types of cyber ranges, or of outsourcing exercises to a trusted vendor.
- Dedicated on-premises ranges are more expensive to install and maintain, but they help teams build camaraderie in person. This is becoming a more viable choice as the COVID risk fades.
- Many firms were not considering creating a virtual cyber range before the pandemic. Virtual versions are less expensive to set up and upgrade, and they provide greater flexibility. Face-to-face relationships, on the other hand, are critical for some businesses.
- Several customers have asked for hybrid versions that include both virtual and in-person components. Hybrid models are more versatile and can include vendors and partners, but they are also more expensive.
Having a cyber range on hand is a great way to improve your security metabolism and readiness. To make sure you get the right kind for your business and needs, go through a thorough decision-making process. Visit the Command Center site to discover more about how IBM Security can help your organization design its response strategy and map out strategies to help your teams practice cyber response.