The UK’s Cross Market Operation Resilience Group is offering free access to a cybersecurity ‘war game’ exercise to all UK-based financial services organisations. These exercises can help organisations benchmark their incident response procedures against their peers and expose areas for improvement. But some warn that they can be time consuming and, if they are too difficult, dispiriting for employees.
Every two years, the Bank of England co-ordinates a cybersecurity resilience test for the UK’s banking sector. Participating institutions must respond to a simulated cyberattack in order to test their incident response procedures. The last exercise, which was due to take place in November 2018, was postponed to allow banks to prepare for Brexit. A sector-wide cybersecurity stress test is planned for next year.
In the meantime, the Cross Market Operation Resilience Group, which is co-chaired by the Bank of England and trade body UK Finance, has created an online Cyber Response Exercise, based on UK start-up Immersive Labs’ Cyber Crisis Simulator. Immersive Labs was founded by James Hadley, a former GCHQ researcher, and former GCHQ director Robert Hannigan is the chairman of its advisory board. The company counts Goldman Sachs, Citibank and the NHS among its customers and raised $75m in investment earlier this year.
The Cyber Response Exercise is free and open to any UK financial services organisation. The browser-based system simulates the discovery of an advanced malware attack on a fictional organisation’s systems. It exposes employees to the technical and non-technical challenges that arise during and after a cyberattack, and allows participants to benchmark their response against peers. “This is being done with the broader intent of helping to build sector resilience,” says Hadley.
What is a cybersecurity war game?
A recent blog post by self-regulatory body the UK Cyber Security Council explains that cyberattack simulations range from simple desktop exercises, in which the organiser “presents scenarios and the response team describe what action they would take,” to “full simulations”.
In the latter, the simulation provider “is given access to SIEM tools, service desk ticketing systems, email servers and the like configured in a ‘sandbox’ environment with synthetic data, and the host company has staff who call the team masquerading as members of the Press or the police force and asking realistic questions at appropriate moments,” the Council explains.
Simulation exercises have two main benefits, the Council says. Firstly, they allow companies to compare their response procedures against their peers. “Second, and most importantly, no matter how effective (or ineffective) your response was, you will learn from it,” the Council says. “Even simple exercises bring masses of learnings.”
However, there can be drawbacks, says Robert Mason, vice president of crisis management and simulation company LECMgmt. Full ‘war game’ exercises can take a lot of preparation, he says, and can be dispiriting if they are too difficult. “I’ve found it tends to turn people off if the problems are too great in your game, and that’s not useful.” It can also lead to short-term security fixes that don’t offer long-term value to the organisation, he says.
Mason also warns that simulation exercises offered by cybersecurity vendors may be designed to promote their products and services. “We’ve got to have ethical standards and in some ways, a really ethical war game designer has got to be neutral,” he says.