Originally published at https://www.linkedin.com/pulse/preparing-your-big-game-cyber-range-jordan-wigley/
What an exciting game! Super Bowl LVII is officially over, seemingly without a hitch in terms of major cyber and/or physical security incidents. The NFL's cybersecurity team and their partners did a great job preparing to defend their physical and digital assets against heavy adversarial traffic during one of the country's most-viewed events of the year. In this article, I want to compare cybersecurity team preparation to that of the teams who were actually on the football field. Before I dive deeper into this topic, let me spend just a moment on my background so that you can decide for yourself whether or not my opinion is worth listening to.
I grew up geeking out on computers and taking apart every electronic gadget in our house to understand how they worked, and to see if I could make them "better." I developed a passion in high school for cybersecurity before it was cool... constantly dissecting every malware sample that I could get my hands on. After graduating from the University of Alabama MIS program, I landed a dream job of working on Walmart's cybersecurity team. I spent the next ~17 years of my career in a variety of technical and leadership positions, defending two of the biggest networks on earth while working for a Fortune 500 retailer and financial institution. My final 7+ years at those organizations were spent leading cyber incident response and threat hunting teams, truly working the front-lines of cyber defense at a massive scale. For the past couple of years, I have been working at SimSpace. We are helping customers prepare their cybersecurity teams for battle using cyber ranges and training content on the SimSpace Cyber Force Platform.
Alright, enough about me... let's shift the focus back to cybersecurity and football! I'm a HUGE football fan – Roll Tide! – and like to understand what all goes into preparing teams to contend at an elite level. When you look at the Chiefs and Eagles leading into this week's game, they have some of the best athletes in the world on both sides of the ball. Despite already being at an elite level, they still take the time to gather as much video footage and intelligence as they can about their opponent. They study this footage/intel in extreme depth, and then bring in players from their scout team to simulate the types of plays they expect their opponent to throw at them on game day. It's their scout team's job to ensure they emulate the opponent as closely as possible, while putting the starting team through the most difficult scenarios they can execute on the practice field. However, when game day comes around, the team is likely going to get different looks from the opponent than what they saw in practice. Having experience and familiarity with the opponent's known techniques during practice will hopefully give the coaches and players everything they need to adjust their own playbooks during the actual football game, and come out with a win.
Why should cybersecurity rehearsal and preparation be any different? If you practice against live-fire simulated attacks that are modeled after your expected adversaries, then you will be in a much better position when you're actually responding to a production cybersecurity incident. These practice exercises should include plenty of realistic user/host/network noise, possible with SimSpace's cutting-edge User Emulation capabilities, to ensure there is a giant haystack of legitimate activity for the malicious artifacts to hide in. In real life, your production network is not quiet enough for malicious activity to immediately stand out; so shouldn't the same be true on your digital practice field? Your defenders should be challenged to sift through this large haystack of realistic noise in order to identify anomalous activity, investigate the full attack chain, respond to identified threats, and recover from the simulated incident. Teams using this approach are able to not only identify gaps in their skillsets, controls, and monitoring capabilities; but also identify gaps in their best practices, procedures, and playbooks. Identifying and remediating those issues now, ensures that your team will not be surprised in the heat of battle during a production incident.
Threat actors will always adjust their techniques – at least a little bit – from one campaign to the next. Having familiarity with and experience detecting and responding to the adversary's tactics, techniques, and procedures (TTPs) – as well as any common indicators of compromise (IOCs) – will enable defenders to deviate from their playbooks during an active security incident as needed. It is also important to train like you fight, meaning you should utilize the same cybersecurity tools during practice that you depend on in your day-to-day security operations. This will ensure that your cyber defenders have familiarity with all of your production tools, so that when an incident occurs they are fully prepared to respond.
At SimSpace, we are working with some of the world's largest companies, governments, and militaries on our Cyber Force Platform. We are using our cyber ranges, user emulation, automated attacks, and on-demand training content to ensure their cybersecurity teams are prepared to defend their organizations – or even their entire countries – against advanced threat actors. We help customers create scaled-down replicas of their environments, to increase the realism of each event. Our platform makes it easy to bring in almost any tool/solution on the market – or even custom home-grown solutions – for use in a cyber range or training content, ensuring that your team is able to prepare using the same tools they have access to in production. If you have systems that are not easily virtualizable – OT/ICS, IoT, Mainframe, etc – then the SimSpace platform also offers hardware-in-the-loop (HWIL) capabilities to map physical assets into your cyber ranges. Our advanced cyber range features allow for many use cases, including but not limited to:
Whether your busiest time of year is Black Friday sales, income tax season, summer travel season, government elections, or something else – ask yourself the question, is your organization ready for your "Big Game"? Please reach out to see how the SimSpace Cyber Force Platform can ensure your cybersecurity team is ready for battle. We really look forward to working with you and your team!
Take the next step toward continuous security improvement
With SimSpace, you can assess
and optimize your complete
security posture — all in one platform