Putting your SOC in the hot seat

Today’s security operations centers (SOCs) are stress-tested like never before. As the heart of any organization’s cybersecurity apparatus, SOCs are the first line of defense, running 24/7 operations to monitor alerts and address them appropriately so that they do not turn into full-blown crises. Yet, with ransomware retaining the top spot among the incidents X-Force responds to, such crises are unfortunately becoming commonplace.

The best way to prepare for a crisis is to experience one. Ideally, that experience comes from a simulated crisis rather than a real one, although both offer valuable lessons. Being forced to take on challenges you never fully anticipated, feeling the adrenaline rush that tests your ability to think clearly, and racing against the clock to uncover evidence of an attack in mountains of data can provide the insight and experience that make all the difference when a major cyber incident occurs. In other words, it is very useful to put your SOC team in the hot seat and let them live through a crisis from start to finish.

Having a plan for a cyberattack is crucial. But actually testing that plan, ideally in an immersive, realistic environment, can make the critical difference between an effective response with rapid containment and a downward spiral into full cyber disaster, based on X-Force’s experience and observations from working with hundreds of clients. As we previously noted on SecurityIntelligence, “tabletop drills and technical training are important, but they can’t replicate the thrilling, real-world impact of a cyber range.” Indeed, cyber range exercises test playbooks, teamwork and technical skills and take them to the next level by identifying gaps, so that the response plan can be refined and then retested before it is needed for real.

Cyber War Game

In the IBM Security X-Force Cyber Range, Cyber War Game exercises aim to test SOC analysts, SOC managers, incident response investigators and other technical security defenders alongside business executives in a simulated crisis scenario. These are hands-on exercises in which analysts use real-world security tools to investigate a cyber incident and then communicate their evolving findings effectively to C-level executives and business response team members. The drills test not only a team’s technical abilities but also its ability to communicate within the team and with senior executives when details are scarce and the stakes are high.

The Cyber War Game generates data from security information and event management (SIEM) systems and endpoint detection and response (EDR) tools, which participants can then triage and work through using a security orchestration, automation and response (SOAR) platform. The tools available for integration into a Cyber War Game are constantly expanding and include not only IBM products but also tools available elsewhere in the market, allowing participants to tailor the experience to better match what they would encounter on their own networks.

Leveraging incident response expertise

The IBM Security X-Force Incident Response (IR) team assists clients with hundreds of cybersecurity incidents each year, gathering detailed threat intelligence in the field as forensic investigators observe threat actors at work from the front lines. That insight is then fed into the Cyber War Game, building as much reality as possible into the scenarios.

For example, X-Force IR has responded to hundreds of ransomware attacks, allowing our teams to map the most common behaviors of ransomware operators and the techniques these attackers have found most effective. Chief among them are the abuse of Active Directory, the deployment of ransomware from domain controllers, and the use of professional phishing groups to gain initial access to the networks they compromise. These and other techniques are incorporated into the scenarios created for Cyber War Games.

Additionally, our IR teams frequently identify multiple distinct lines of threat activity within the same network and are then tasked with determining whether that activity originates from a single threat group or from several different threat actors. These situations are challenging because seemingly conflicting information, attack streams that look similar and then diverge, and a massive volume of data create a level of chaos that can be difficult to sift through. Cyber War Game participants have noted the realism that these multiple lines of activity bring to the exercises, mimicking the many real-life incidents that required extensive follow-up work. That realism is a natural result of drawing on information gathered by X-Force’s field incident response team.

Informed by Threat Intelligence

X-Force threat intelligence indicates that, in addition to ransomware being the top attack type for the past three years, several other attack types plague organizations and their SOC teams. Data theft is the third most common attack type in the 2022 X-Force Threat Intelligence Index, and credential harvesting, remote access Trojans (RATs), misconfigurations and malicious insiders are also relatively common, according to X-Force IR data. The Cyber War Game seeks to test SOC responders by presenting them with a range of attack types to investigate and resolve. Some of the threats and effects encountered in the Cyber War Game are particularly applicable to organizations with operational technology (OT) environments or sensitive processes and equipment.

In addition to the above, X-Force threat intelligence indicates that threats against cloud environments are increasing, and threat actors are spending more time exploring ways to penetrate cloud environments and gain persistence in them. By integrating cloud threats into Cyber War Game exercises, informed by the methods X-Force empirically observes threat actors using in this space, participants can get a better sense of the reality of the threat against cloud environments, which is likely to grow over time.

Now is the time to prepare

Global events demand heightened vigilance from SOC teams and security defenders as ransomware, destructive malware and DDoS attacks occur at a rapid pace. To effectively address a security incident or crisis, SOC teams must not only be able to sift through massive amounts of data and make the right call about whether an alert should be escalated and addressed, but must also communicate effectively with senior leaders and know how to answer difficult questions at the critical moment. Testing a response plan under pressure with all stakeholders, including business leaders, human resources, PR teams, the SOC and incident responders, can help all parties develop the technical and communication skills needed to react appropriately in a crisis. For most organizations, the question is less whether a cyberattack will occur and more when, and whether the company will be ready to respond appropriately when it does.

Get in on the action

If your organization is interested in participating in an X-Force Cyber Range Cyber War Game experience, you can learn more and request a consultation. In addition to Cyber War Game experiences, IBM Security offers a Response Challenge focused on effective decision-making for senior executives, a Mind of a Hacker webinar to improve security awareness, and consulting services to help you build your own internal cyber range.
