Cyber war games simulate the experience of a real cyber-attack, enabling organisations to test their cyber response procedures, capabilities and governance in a safe and controlled environment.
Cyber war games differ from traditional penetration testing, which typically looks for vulnerabilities in IT systems, networks and websites. Cyber war games are a much more involved exercise, aimed at testing an organisation’s overall response to a cyber incident, including the decision making of senior managers and the effectiveness of communications.
War games use specially developed scenarios – like a malware or spear phishing attack – to simulate an attack. Simulations can be a simple ‘table top’ exercise or a full-blown simulation. The former would see participants briefed on the attack scenario, whereas participants in a simulation are given very little information and have to work through problems as they arise.
The exercise should, however, be cross functional, involving IT, risk management, business continuity, legal, corporate communications, marketing and customer care. This helps build relationships in advance of a cyber incident and tests the flow of information, including an organisation’s ability to share information effectively and quickly, both internally and externally.
Companies can employ a third party to design and run the war game on their behalf. War games can involve an organisation’s key business partners, suppliers and contractors; while incorporating third party services, including breach response, crisis management and even insurance.
Why does it matter?
Cyber war games have been of growing interest to governments and companies.
In Australia, banks and energy companies were among 12 large businesses that joined a government-led cyber war gaming exercise in September - the companies and government agencies had to defend a ‘Lego smart city’ model against attack in a three-day simulation. Last year the US extended its cyber war games for the utility sector GridEx to include banks and telecoms companies, while the EU staged its first ever cyber-attack simulation to test the cyber defences of member states.
Boeing recently joined with other defence contractors to run its first cyber war game. The day-long exercise comprised of two scenarios, based on real-world events, encompassing large-scale ransomware and destructive attacks. The scenarios included; spear phishing, the compromise of a supplier, a rogue employee, an infected update patch, and the theft of sensitive printed documents. Adding to the realism, the exercise was modelled on the current geo-political environment and included social media, news reporting and mounting customer queries.
The company said that the exercise highlighted the future focus on executive-level response planning, as well as the integration of data to reduce response times. According to Boeing, the war game exercise illustrated the importance of understanding when to report an incident and how this can reduce liability.
Cyber war games give organisations the opportunity to test out and hone their response to a cyber incident, as well as identify potential gaps in response plans. In particular, war games allow management to practice decision making in a high pressured environment and help build confidence. They can, for example, highlight unexpected decisions, as well as the consequences and realities of making certain decisions – such as shutting down a system.