Why you might need live cybersecurity exercises

When it comes to preparing for cyber attacks, there are a variety of tools and techniques that you should employ: firewalls and intrusion detection devices for sure. But some tools are less obvious, and involve more of the human organizational element. This is where a company called CyberGym comes into play.

In one of my favorite scenes from Jerzy Kosinski’s Cockpit, the secret agent protagonist is applying to become a spy. He is sitting in a room with his fellow recruits, waiting for the testing period to begin. What he and his compatriots don’t realize is that the waiting room is actually under observation and part of the testing process to see how well the newbies will collaborate with each other. The recruits are subjected to a variety of temperature extremes and every so often an employee will come in to tell them that there will be additional delays before the tests will begin. The goal is to figure out which of the recruits will get annoyed with the forced wait and how each one will endure these hardships. This is a lot like the CyberGym live fire exercise: you want to see how people do under pressure and how they will create allies. Who is going to crack and make things difficult with others? Who is going to demonstrate leadership?

CyberGym was co-founded by managers from the Israel Electric Corporation and has some specific facilities that relate to SCADA controls and power conditioning equipment that are found in the typical power plant. It has been used by global corporations from many different industries. The average engagement lasts several days as they run through a series of attacks and other malware intrusions.

I visited CyberGym’s offices in Israel last month as part of a trip that was partially sponsored by the America-Israel Friendship League and the Israeli Foreign Ministry. Their operation is contained in a series of huts that are scattered around a historic eucalyptus grove about a half hour north of Tel Aviv. The notion is that nothing prepares a group of IT security workers better than having to be part of a live fire-fight exercise. One hut contains the attack team, a second contains the defending team, and a third is for judges and observers. Each team contains security staff, IT and corporate management, and others from a specific company.

The idea is to replay a particular attack and see how the teams respond. Since its inception, CyberGym has conducted hundreds of these exercises, and they now have facilities in Portugal and the Czech Republic in addition to Israel. They look to see what the defenders do first, how they work together, and what things they fall down on. When I visited, the company’s founder Ofir Hason said that often the right response wasn’t anything technical, but coordinating what the team was going to do and how they actually worked together.

Fighting cyberthreats is a team effort, and involves a combination of technical and non-technical skills. Often convincing your management that you have to do something relies more on your power of persuasion than knowing how to block a remote shell executable or neutralize some malware. I like the name CyberGym too, because it implies that you need to condition your response “muscles” with real exercises, not just doing some academic threat management scenarios. Like a physical gym, you need to bulk up and do some resistance training to build your strength and add to your conditioning.

Sure, there are other teamwork-building exercises that can be done less expensively (everyone falling backwards or trying to climb through a ropes course) – but these aren’t specific to the cybersecurity realm. If you want to see how your cyber team handles the next attack, you might want to book some time at the gym – the CyberGym that is.

One thought on “Why you might need live cybersecurity exercises”

  1. “Real life” security is always more effective. I have often been asked to implement security measures so they will be “invisible” to everyone. Often, this is a poor way to do it. Let’s take configuring firewall rules. You may want to make sure that you block something you intend to block, but you also do not want to keep people from doing their job. The best way to do that is to have people actively working while you are installing the security. It also gives them a feeling of being involved when they become one of the testers and they come to understand why you are doing something and learn more about keeping themselves and the company safe.

    I’m writing a series of articles and posting them to my web site about how we do cyber security all wrong. It needs to be cyber safety and everyone has a place in making the cyber world safer.
