The ever-evolving cyber threat landscape demands that organizations equip their cybersecurity teams with the necessary skills to detect, respond and defend against malicious attacks. The most surprising thing to be discovered and continued to explore in research, however, is how easy it can be to fool the current cybersecurity defenses. Anti-virus programs are built on a massive signature database house of cards that can easily crumble with an action as simple as changing text within the program. The same applies for network signatures and endpoint detection and response. There are certain behaviors that defense technologies key in on, but at the end of the day, malware is just software — and the more it can blend into common software activity, the less likely it is will be detected.
To combat these threats in recent years, simulation exercises have emerged as a powerful tool to test the skill level of cybersecurity teams and prepare them for the challenges posed by cyber adversaries. Generally speaking, teams that are able to visualize how an engagement with an attacker will unfold and end in the organization’s victory will be prepared for when that engagement actually occurs. Simulation exercises allow security leaders to do this rapidly while monitoring tools, people and processes on an ongoing basis.
Adapting to the evolving threat landscape
Simulated exercises in cybersecurity resemble military training exercises, wherein one team (the red team, in cyber terms) assumes the role of the adversary to assess the capabilities of the defender (the blue team, representing the organization’s defenses) in detecting and protecting against attacks. These simulations generally cover the campaigns of threat actors developed in a given range at a specific point in time, and campaigns evolve as threat actors’ tactics, techniques and procedures (TTPs) do.
However, the problem with these enterprise simulations is twofold. First, they are generally performed on expensive cyber ranges that require significant time and effort to create and have limited accuracy in replicating real enterprise environments. Second, they require security teams to take several days off to play through the exercise.
To address these issues, the focus has shifted to developing simulations that enable defenders to rapidly test against new TTPs in real time within their actual environments, without the overhead of a full red team exercise. The objective is to assess the efficacy of monitoring tools, processes, and personnel in the face of current threats. By simulating specific TTPs such as phishing attacks with varying payloads or data exfiltration, cybersecurity teams can sharpen their skills and better prepare for real-world challenges.
Ideally, this should be a weekly exercise for individual TTPs, with full red team assessments occurring at least once per year. Removing the requirement to simulate full campaigns over the period of months increases ROI for the teams involved. By conducting simulations regularly, security leaders ensure their teams are fixing configurations and responding to new threats in real time. As security professionals know, attackers always operate in real time, so doing anything besides matching their frequency poses a serious threat.
Measuring response and identifying skills gaps
Even the most advanced cyberattacks leverage basic techniques that have been around for years. That makes mastering the basics vital to defense. Businesses need to focus on fully leveraging the existing tools in their technology stacks to detect even the most foundational techniques, and then level up to more advanced techniques from there. This allows teams to remove the most common threats from the equation first, granting them time to identify and build the expertise and infrastructure required to defend against the most dangerous threats.
When simulating various TTPs, security leaders can categorize them in two ways. First, by level of expertise required to perform the specific attack. Second, by the area or type of data in which the attack should be detected. To measure the success of a simulation, assess the time it takes for a team to detect and respond to a particular TTP once launched, depending on the category of the technique. They can then map critical skills, process and technology gaps that must be developed in order to reduce response times. To combat skills gaps, organizations can invest in hands-on cyber upskilling programs or certifications to tackle the problem at its root.
The recovery phase following an attack is also an important time to evaluate strengths and weaknesses and strategize for the future. Simulating techniques used in previous attacks should be part of this phase of incident response. The “lessons learned” need to not just be notional, but actionable. Make sure to test the changes you’ve made between simulations to ensure they actually work against the specific attacks used in the incident. Until you do that, you risk re-compromise.
Simulation exercises have emerged as indispensable tools in the arsenal of cybersecurity teams, enabling them to prepare for the relentless and ever-evolving cyber threats they face. By simulating real-world attack scenarios, organizations can identify and bridge skills gaps, fine-tune their defenses and improve incident response capabilities. Regularly updated exercises ensure that cybersecurity professionals stay abreast of the changing threat landscape and can adapt their strategies accordingly.
As the cyber industry continues its cat-and-mouse battle with threat actors, becoming the threat through simulation exercises is key to staying ahead and protecting critical assets in the digital age. Embracing these exercises as an ongoing practice will only fortify organizations against emerging cyber threats and create a safer digital future.