Cybersecurity exercises are intended for companies’ IT staff, security teams, incident response teams, CSIRTs, CERTs, etc. The training aims to verify the team’s readiness to face a security incident and to teach the team members how to cooperate, how to distinguish normal from anomalous events, and how to use several tools along the way. These trainings should raise the security awareness of the audience and introduce the cybersecurity incidents that are likely to happen in a specific company. They should result in adjusting (or sometimes creating) guidelines on how to react.
Cybersecurity exercises usually deal with realistic scenarios, like a data breach, ransomware attack, business email compromise, etc.
Types of Exercises
There are three levels of cybersecurity exercising and each one provides a more thorough approach and demands a longer preparation than the previous one.
These levels are:
- Tabletop exercise,
- Hybrid exercise, and
- Full live exercise.
Tabletop exercises are the most theoretical ones. Their aim is to see participants’ reactions to the incident and to verify the procedures they use to detect, respond to, and recover from it. They are based on communication and planning and are relatively easy to prepare. The incidents are not actually carried out by the exercise planners; they are hypothetical, written down, and communicated to the participants.
Simulate cyber emergency incidents to evaluate your organization’s key personnel and processes. During the simulation we provide your incident response team with the opportunity to hone the practical skills they will need to confront inevitable real-world threats.
Hybrid exercises are more interactive: on top of discussing an incident written down on paper, they include a red team executing some real events, so that the participants are stimulated by seeing actual malicious activity. This approach makes the whole exercise more believable, and the participants can learn more from seeing a specific example.
Full live exercises involve a high amount of red team cooperation and the preparation of a real-life incident for the audience. This is the most technical and detailed exercise of the three. It usually involves multiple companies. Should the prepared incident take place in a live network, all affected parties must be informed of this fact.
Various important international cybersecurity trainings take place all over the world. Ones worth mentioning include, for example:
- Locked Shields,
- Cyber Europe,
- Cyber Coalition.
Locked Shields is an annual exercise that has been organized by CCDCOE (The NATO Cooperative Cyber Defence Centre of Excellence) since 2010. Blue teams (the participants that should defend the system against red team attackers) consist of CCDCOE member nations. The teams must maintain virtualized systems while experiencing attacks, and they also have to face legal consequences and media pressure, report incidents, handle forensics, and execute decisions.
Cyber Europe is organized by ENISA and has been held every two years since 2010. The exercise is for both the public and private sectors from EU and EFTA (European Free Trade Association) member states. The participants deal with complex and realistic incidents that could evolve into a cyber crisis.
Cyber Coalition has been held for the NATO allies since 2008. The exercises aim to strengthen cooperation and coordination between the nations, enhance the ability to protect the Alliance's cyberspace, and conduct military operations in the cyber domain.