Locked Shields, a NATO-organised cyber defence war game, has been running technical live-fire cyber defence exercises annually since the start of the decade. Teams – blue teams – are tasked with maintaining the defences of a fictional country while under attack from a red team. War gaming today is not simply about protecting territory and physical infrastructure, but the ICT systems that underpin critical national infrastructure, including finance, power and health. Cyber threats have become a real and ever-present danger to government and businesses alike: UK businesses experienced 188 high-level attacks in the last 6 months. In a major move by government, a National Cyber Security Centre (NCSC) has now been created to help make the UK one of the safest places in the world to do business.
The national ICT infrastructure has become the next frontier to guard in the face of a growing and fast-evolving cyber threat landscape. The modern adversary – hostile states, criminal groups and malicious hackers – is increasingly sophisticated in how it penetrates networks, and can then lurk within a network for up to 200 days – the proverbial 200-day problem – before carrying out its mission: stealing commercial and state secrets and intellectual property, corrupting data or damaging systems. Understanding the mindset of potential attackers and testing an organisation’s vulnerabilities and cyber preparedness are therefore vital, and are driving more organisations to run red and blue team simulations.
Cyber defence war games
In a military setting, red and blue team simulations are intended to test physical defence capabilities and reveal any unknown vulnerabilities or blind spots. Such role play, which incorporates intelligence sharing, not only tests troops’ and their commanders’ ability to respond to a real emergency, but also identifies previously unknown weaknesses and improves their ability to detect and oppose enemy forces.
In cyber security war-gaming, the red team is the fictitious threat actor simulating a cyber attack, seeking to find holes in, and penetrate, the blue team’s defences. Often, organisations bring in external expertise from companies such as The Exercise Group 7, which run these simulations and test management’s handling of the situation, including its management of media and market stakeholders.
Such war gaming exercises test the strategies that organisations have prepared against attack. In the face of a cyber attack, does the blue team choose to completely lock down its systems? Or should they be kept running to lure the attacker but at the risk of a breach? This is where relevant, contextual threat intelligence comes into play – a core element of military strategy and planning. And this intelligence is not only important within the context of war gaming, it is also becoming an increasingly necessary ingredient in information security programmes.
Threat intelligence to the fore
However, the modern availability of large quantities of threat intelligence poses the problem of how security professionals sift out what is relevant. A Ponemon Institute study conducted in 2016 revealed that 70 percent of security professionals believe threat intelligence is often too voluminous and/or complex to provide actionable insights. There are too many tools that identify malicious, often automated, probing of company defences but with too little integration among them, making the job of identifying and contextualising a real cyber penetration akin to finding a needle in a haystack.
To manage the scale of the problem, automation is required. A threat intelligence platform (TIP) can provide this and more: it integrates with an organisation’s existing security stack — threat intelligence feeds, firewalls and IPS, endpoint products like Carbon Black and Tanium, and SIEMs. A TIP adds context to data and, critically, helps weed out false positives and bring the most important threats observed in your environment to the foreground.
It also saves time, which may be critical to preventing damage, by presenting data in one tab for analysis instead of forcing analysts to dig it up from multiple tabs. Response time improves because a TIP automates the tedious research and collection part of the process, completing an investigation and response in a minute or two rather than the typical 20 minutes. Most organisations simply do not have enough analysts to manage without such TIP tools, and the analysts they do have are given too little time to analyse and decide which problems to focus on. Automating the simple, repetitive tasks of information security lets humans focus on actionable tasks and apply their geopolitical knowledge, reducing analyst fatigue. As a result, organisations can save money by focusing existing resources instead of spending more.
We’re stronger in numbers
Where secret intelligence sharing was once the domain of governments and intelligence agencies, and related to national security interests, the role of cyber threat intelligence sharing has expanded, becoming more mainstream among the commercial sector in partnership with government cyber security agencies.
There are significant benefits to intelligence sharing, especially as hostile actors and groups learn to shift their tools and tactics across industries. Some sectors get hit harder by certain attacks than others and develop stronger “muscle memory” against those attacks. Spreading that knowledge and experience – breach details, hunting and defence techniques – pools resources for the strongest defence. Information Sharing and Analysis Centres (ISACs) are “trusted circles” whose members share critical intelligence with each other.
Certain industries, such as financial services and healthcare, are early adopters, realising the value in aggregating threat intelligence, enriching and deduplicating it, removing false positives and building clusters of related information. ISACs help to streamline this threat information sharing and collaboration, and apply context to intelligence. Where breach details are shared quickly, it can make the difference in preventing someone else from being attacked, which makes life harder for bad actors.
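The aggregate, deduplicate, enrich, suppress-false-positives and cluster steps described here, and the "surface what was observed in your environment" step from the TIP section above, as an added worked example in Python. This is not Anomali's code or any real TIP product: the feed records, allowlisted ranges, tags and log lines are constructed for the example, and the cluster ranking (most hits first, then highest confidence) is an assumed heuristic.

```python
"""Miniature TIP pipeline: aggregate -> dedupe/enrich -> drop false positives
-> cluster related indicators -> match against logs -> rank what was seen.
All feed records, indicators and log lines are constructed; none are real IoCs."""
from collections import defaultdict
import ipaddress
import re

# Constructed feed records: the same indicator arrives from several feeds with
# inconsistent formatting, which the pipeline must reconcile before triage.
FEED_RECORDS = [
    {"feed": "feed_a", "type": "ipv4", "value": "203.0.113.10", "tags": ["campaign-x", "c2"], "confidence": 80},
    {"feed": "feed_b", "type": "ipv4", "value": " 203.0.113.10 ", "tags": ["c2"], "confidence": 60},
    {"feed": "feed_a", "type": "domain", "value": "Bad.Example.NET.", "tags": ["campaign-x"], "confidence": 70},
    {"feed": "feed_c", "type": "domain", "value": "bad.example.net", "tags": ["phishing"], "confidence": 50},
    {"feed": "feed_b", "type": "ipv4", "value": "10.0.0.5", "tags": ["scanner"], "confidence": 90},
    {"feed": "feed_c", "type": "ipv4", "value": "198.51.100.7", "tags": ["campaign-y"], "confidence": 40},
]

# Assumed internal ranges: a feed entry inside them is treated as a false positive.
ALLOWLIST_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines (firewall and DNS) standing in for SIEM output.
LOG_LINES = [
    "2024-01-01T10:00:00Z fw allow src=192.168.1.20 dst=203.0.113.10 dport=443",
    "2024-01-01T10:00:05Z dns query=bad.example.net client=192.168.1.20",
    "2024-01-01T10:00:09Z fw allow src=192.168.1.30 dst=198.51.100.200 dport=80",
    "2024-01-01T10:00:12Z fw deny src=10.0.0.5 dst=192.168.1.1 dport=22",
]

def normalise(record):
    """Canonicalise an indicator so duplicates from different feeds compare equal."""
    value = record["value"].strip()
    if record["type"] == "domain":
        value = value.lower().rstrip(".")
    return (record["type"], value)

def aggregate(records):
    """Dedupe and enrich: merge source feeds, tags and best confidence per indicator."""
    merged = {}
    for rec in records:
        key = normalise(rec)
        ind = merged.setdefault(key, {"type": key[0], "value": key[1], "feeds": set(), "tags": set(), "confidence": 0})
        ind["feeds"].add(rec["feed"])
        ind["tags"].update(rec["tags"])
        ind["confidence"] = max(ind["confidence"], rec["confidence"])
    return merged

def is_false_positive(ind):
    """An allowlisted internal address reported by a feed is noise, not a threat."""
    if ind["type"] != "ipv4":
        return False
    addr = ipaddress.ip_address(ind["value"])
    return any(addr in net for net in ALLOWLIST_NETS)

def cluster(indicators):
    """Group indicators that share a tag (transitively) using union-find."""
    parent = {k: k for k in indicators}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_tag = defaultdict(list)
    for key, ind in indicators.items():
        for tag in ind["tags"]:
            by_tag[tag].append(key)
    for keys in by_tag.values():
        for other in keys[1:]:
            parent[find(other)] = find(keys[0])
    groups = defaultdict(list)
    for key in indicators:
        groups[find(key)].append(key)
    return list(groups.values())

def build_intel(records):
    """Aggregate, drop false positives, cluster. Returns (indicators, clusters)."""
    indicators = {k: v for k, v in aggregate(records).items() if not is_false_positive(v)}
    return indicators, cluster(indicators)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def match_logs(indicators, log_lines):
    """Return one hit per (indicator, log line) where a known indicator was observed."""
    hits = []
    for line in log_lines:
        seen = {("ipv4", m) for m in IPV4_RE.findall(line)} | {("domain", m.lower()) for m in DOMAIN_RE.findall(line)}
        for key in sorted(seen):
            if key in indicators:
                ind = indicators[key]
                hits.append({"key": key, "indicator": key[1], "feeds": len(ind["feeds"]),
                             "tags": sorted(ind["tags"]), "confidence": ind["confidence"], "log": line})
    return hits

def triage(records, log_lines):
    """End to end: clusters actually observed in the logs, busiest first."""
    indicators, clusters = build_intel(records)
    cluster_of = {key: i for i, keys in enumerate(clusters) for key in keys}
    observed = defaultdict(list)
    for hit in match_logs(indicators, log_lines):
        observed[cluster_of[hit["key"]]].append(hit)
    ranked = sorted(observed.items(), key=lambda kv: (-len(kv[1]), -max(h["confidence"] for h in kv[1])))
    return [{"cluster": sorted(indicators[k]["value"] for k in clusters[i]), "hits": hs} for i, hs in ranked]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(FEED_RECORDS, LOG_LINES))
```

Running the block shows the effect of each stage: the two differently formatted copies of the IP and the domain collapse into single enriched indicators, the internal 10.0.0.5 entry is dropped so the deny line for it produces no alert, and the two hits that remain are grouped into one cluster because the indicators share the campaign-x tag, which is the context an analyst needs to treat them as one incident rather than two.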
Threat intelligence is essential to keeping ahead of the modern cyber adversary. The value of a versatile and robust threat intelligence platform, coupled with intelligence sharing, is undeniable: it can equip businesses to find and respond to cyber threats, even identifying suspicious or malicious activity before it reaches the network.
By Jamie Stone, Vice President, EMEA at Anomali