
Preparing for a CyberAttack:

Playing CyberWar Games


Varun Kukreja
Senior Program Manager,
Cyber Security
Middle East, Turkey and Africa
GIAC GSTRT, CISSP, CCSP, CISA, ITIL, ISO 27LA, ISO 20LA
Top Security Challenges META

• 55% of CIOs and Security Executives lack the security expertise of advanced threats or their security staff is understaffed
• 71% of Organizations do not have the capability of threat intelligence and perform continuous incident response
• 40% of IT Leaders feel external hacking and malware as the biggest threat to their data and security
• 29% of Organizations feel that their reactive approach to security is a major threat to their security program
• 54% of Security and IT Leaders have very limited visibility of their organizational data, making data security difficult

Source: IDC META CIO Survey, Jan 2020 N=1091


War Games

• Traditionally used in the military to prepare for battle
• Theories of warfare can be tested and refined without the need for actual hostilities
• Done to develop tactical and strategic solutions
• Sometimes extended to test political and social situations as well

What are Cyber War Games

• Method of exercising and examining human performance and decision-making characteristics in a cyber attack scenario
• Used for preparation and assessment of attacks
• Uses
  • Assessing capabilities
  • Planning
  • Training
  • Systematic Risk Identification

Tabletop Exercise

• Much like conducting a tabletop business continuity plan
• Played like a board game
• Participants are presented with predetermined scenario events to react to
• Usually done only with the defending teams
• Adversary is represented through the scripted scenario events

Red and Blue Teams

Red Team

• More offensive
• Emulate the behavior and capabilities of the cyber adversary
• Constantly relies on Vulnerability assessment and Penetration Testing
• Goal is to either attack while evading detection or intimidate
• Endgame is to either compromise the system or to spy and exfiltrate information

Blue Team

• More defensive
• Perform the environment's defenses
• Monitor the alerts from detection systems and threat intelligence and take actions
• Diagnose and interpret the associated attack activities, investigate incidents and respond when needed
• Endgame is to stop the attack

Key Elements

• Scenarios
• Scope
• Business functions
• Threat
• Defensive Cyber Technologies and posture
• Define System environment

Asset Vs Sample Threats
Assets

• Individual Data: Customer data, Employee Credentials, Employee Personal Data
• Corporate Information: Confidential Corporate information, Stakeholder information, Intellectual property, Marketing assets

Sample Threats

• APT – Advanced Persistent Threats
• Insider developer uses unsecured open source plug-in to cause breach
• Hacktivists launch DDoS
• Customer data sold on Darkweb
• Confidential information compromised
• Insider sells IP data

Why are they Important
• Today it's a war between tired defenders and relentless attackers, hence important for organizations to strategize
• Increases the ability to foresee attacks, clarify responsibilities and develop guidelines
• Effective for prioritizing which assets to protect, surfacing vulnerabilities, identifying flaws in a company's ability to respond
• Offers better visibility into the changing threat landscape and the shift in TTPs
• Identifies threat vectors that could have been potentially missed when designing the threat model

Summary
• A tabletop plan is better than no plan at all
• Meticulous planning is key
• Start with a tabletop exercise and eventually move to complicated scenarios of testing
• A blend of technology and expertise is essential
• Leverage threat modeling to identify threat vectors and assets important for your organization
• Prepare detailed incident response plans
• Involve the senior management team from different business verticals to increase engagement
