Cyber ranges

How to improve incident response speed and efficiency with cyber ranges

December 3, 2020 by Patrick Mallory

Introduction

Eventually, your organization will find itself the target of a cyberattack. When that happens, you will quickly discover if your incident response plan holds its own or cracks under pressure.

While many factors are out of your control when it comes to responding to a cyberattack, fortunately, plenty are within it. That is why you want to make sure your organization is doing everything it can to prepare your security team and your network defenses for the attack. In fact, according to a 2019 IBM Security and Ponemon Institute report, only 23 percent of organizations were able to consistently apply their cybersecurity response plan in the face of a real challenge.

One of the best methods is to utilize a hyper-realistic, flexible and highly-configurable cyber range, which can simulate real-world cyberattacks to dramatically improve your team’s performance, speed up their response and make each team member more efficient and effective when seconds matter. Not only does this preparation pay off in limiting the damage of an attack, but also in helping to protect your company’s bottom line. 

According to the same IBM report, “companies who can respond quickly and efficiently to contain a cyberattack within 30 days save over $1 million on the total cost of a data breach on average.”

So what is it about cyber ranges that can take your organization from ill-prepared to industry-leading? This article will explore just a few of their key features to help prepare your security team for the cyber threats that lie ahead. 

Take advantage of completely customizable environments

Whether your organization needs to test new tools, rules, staff or specific scenarios, cyber ranges can be customized to meet your organization's needs. Begin with your current network environment and stress-test how your defenses hold up, or build on your setup with minor modifications or major changes to see how your attack surface changes as a result. Before you invest money in new resources or time in implementing changes, test them out in a cyber range to see if they make a difference.

Cyber ranges also allow your organization to simulate any cyberattack scenario. This allows security professionals to fully practice their incident response playbooks. As different scenarios play out, improvements to notifications, communications, mitigations and actions can be made until your incident response team is as ready as it can be.

Either situation proves that simulations conducted in a cyber range are low-risk and low-cost ways to test out ideas and tools before they enter your production environment. After security policies and tools are configured and refined, they can then be scaled into the enterprise while your security team is also armed with complete understanding of how it will perform.

Comprehensively test with simulations

Like in any other training environment, there is a stark difference between hands-on, realistic training and, well, everything else. In place of traditional table-top exercises, facilitated discussions, meetings, lectures and even reading, cyber ranges provide immersive training that provides valuable on-the-ground experience to apply new skills, test performance and identify development areas. 

This can be especially important as organizations onboard new employees into cybersecurity positions. For example, according to one ISACA study, 61 percent of cybersecurity leaders representing their organization believe that fewer than half of their applicants for security roles are actually qualified for the job. Similarly, a 2018 ISACA study notes that just 2 percent of new employees hired from universities are “well-prepared for cybersecurity challenges.” This is because, as ISACA continues, most cybersecurity training is “based in theory” with “very little hands-on training.”

With this as the reality that security professionals and business leaders are facing, cyber ranges provide both the required training experiences that new and junior staff need on the job as well as opportunities to cross-train existing staff for backup support and career development. With only 30% of respondents, according to an IBM report, claiming that they have sufficient staff in place to achieve, cyber ranges can help fill these key gaps in the short and long term.

Deliver flexible training and test scenarios

Modern cyber range platforms, with highly configurable virtual environments, can also support the delivery of simulations and training no matter where your team is located or when they need to be conducted. Supported by secure connections, your team can log into the cloud-based virtualized environment and instantly have access to simulated attacks that leverage sophisticated machine learning, replicated advanced persistent threats (APTs), and artificial intelligence to demonstrate the variability of a real attack. Once in place, logistics should no longer be a reason why your organization should be one of the 56 percent of organizations that do not regularly test their incident response plan.

Outside consultants, more experienced team members and other stakeholders can also remotely provide real-time feedback to assess how the simulations are playing out. As needed, specific aspects of a simulation can be stopped, restarted or modified using the built-in features of the cyber range to enhance the learning opportunity — all without touching your production systems. 

Finally, use the data produced by these simulations to track your team’s performance over time so improvements can be noted, comparisons against benchmarks can be made and gaps and next steps can be identified.

Broaden and improve your security culture

Every day, your organization can face a cybersecurity threat. And it may not be your trained security professionals or an automated tool that is the first to notice and respond. Similarly, once detected, any incident response is going to require the coordinated efforts of many parts of your organization — from communications professionals to legal representatives, executives and functional specialists such as those in finance or human resources — to understand the scope and impact of a cyberattack event.

As simulations conducted in cyber ranges can be tailored to fit any industry and level of complexity, they can also be used as part of larger organizational training exercises. In addition to providing hands-on experience to less technical staff, the lessons learned from the simulation can allow your organization to assess how your business units, managers and security teams respond to an attack in a coordinated way. For example, driven by the scenario in the cyber range, executives can be tested on how they handle media relations, interactions with law enforcement, internal communications, key technical decisions and how they balance business risks. 

While your organization may have an incident response or a business continuity plan in place, running a simulation in a cyber lab can reveal just how ready your business culture is. Can cross-functional teams communicate effectively? Are alternate communications methods in place? Are backups of key technical components and databases available? Can your leadership keep calm under pressure? Are the right reports and data available to make the necessary decisions?

A cyber range can be a great way to test your organizational readiness and cohesion across these domains, ultimately revealing which gaps need to be filled in order to be better prepared for the real thing.

Bringing it all together

While no incident response plan can be fully bulletproof in the face of an overwhelming cyberattack or an insider event, using a cyber range to consistently run through scenarios, drills and test situations gives your organization a much stronger chance of limiting damage and reducing your attack surface.

By using a cyber range to test new tools, modify existing technology, assess new staff or incident response protocols or run through drills, your security and management teams can also have a much stronger and more confident understanding of whether your organization is prepared to respond when it matters. You do not want the first time your organization is put to the test to be a real-world, heart-pounding situation with the potential for wide-ranging negative impacts on your brand and customers.


Sources

IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them, IBM

Preparing Cybersecurity Professionals to Make an Impact Today and in the Future, nist.gov

Author

Patrick’s background includes Strategy and Cyber Risk Services consulting experience with Deloitte Consulting with both States and large Federal transportation and security agencies. He also served 3 years as a Deputy CIO for the City of Raleigh, where he assisted with the implementation of security policies, tools, and employee education initiatives as well as PCI, CJIS, and HIPAA compliance. He currently supports the IT infrastructure for the U.S. State Department.

Patrick also holds CISSP, CISM, and Security+ certifications as well as a PMP. He holds an MS in Information Technology – Cybersecurity and MS Public Policy from Carnegie Mellon University, where he assisted with graduate level teaching in the information security program.
