Cybersecurity crisis management exercises
June 2022: Lina Kolesnikova
looks at new crisis management training strategies to stay ahead in the constantly changing cyber threat landscape.
Prompted by concerns that its country’s digital resilience is lagging, the Dutch Government is aiming to introduce a framework of standards for security tests. On May 19, the government announced its intention to include the testing of the digital security of systems, processes and people (also known as ‘red teaming’) in all its governmental organisations’ test planning and budgeting by 2025 at the latest.
We live in a time of constant cyberattacks, making the cyber threat landscape more treacherous than ever. This concerns all players, whether public and private organisations or individual Internet users. There are many motives behind cyberattacks, including cybercrime, cyber warfare, cyber terrorism and even hacktivism. These fall into three main categories: criminal, political and personal. Cybercrime-as-a-service is becoming a standard business model, and attack tactics are evolving almost by the minute, putting organisations at financial, logistical or intellectual risk.
Cybersecurity comprises all the technologies and practices that keep computer systems and electronic data safe. Companies and state bodies are seeking more proactive preparedness techniques to help them pre-empt cyberattacks. To this end, crisis management exercises involving red, blue and purple teams have become increasingly popular and increasingly in demand.
Red vs blue team exercises offer an innovative security strategy that simulates real-life cyberattacks in order to identify weaknesses, improve information security and maximise defence effectiveness.
Red teaming is the practice of rigorously challenging plans, policies, systems and assumptions by adopting an adversarial approach. A red team may be an externally contracted or internal group that uses strategies to encourage an outsider perspective. The team consists of skilled ethical hackers whose objective is to identify and safely exploit vulnerabilities in the target's cybersecurity or physical perimeters. A red team may deploy existing hacking tools and techniques designed to infiltrate systems and premises, or go further and write its own malware and devise new methodologies, just as real attackers do. Red team exercises allow us to identify and analyse threats before they materialise and to test possible solutions. One important red team characteristic is maximum flexibility and individual, out-of-the-box thinking.
Groupthink is the red team’s main enemy. Members of the red team are discouraged from agreeing on approaches and actions as a group. Rather, they are encouraged to try out any relevant ideas that may develop. Alignment and agreement between red team members would reduce the flexibility and the variety of the team’s actions.
Blue team members are defenders, usually drawn from the company’s own cybersecurity personnel.
Where a blue and a red team work together, this is known as a purple team; such teams succeed when the two groups collaborate on the common goal of improving cybersecurity. One of the objectives of the purple team is to oversee and optimise these cybersecurity exercises.
However, testing systems and operations with red-blue team exercises should not be the only goal. Such exercises should lead to sharing lessons and following up on identified weaknesses. Importantly, if these strategies are to have real value, we must be able to disseminate those lessons without fear of reputational loss, while continuing to safeguard confidential information.