Continuous cyber exercising leads to high readiness
Our cyber security exercise programs
Crafted to meet objectives
Frequent and accessible
Remote or onsite delivery
The nation’s cyber incident response capabilities need to mature and adapt to ever-evolving cyber risks and threats. Cyber exercises like Cyber Storm allow the cyber incident response community to practice and measure the effectiveness of their capabilities and continuously improve.
Department of Homeland Security, United States Government
Frequently asked questions about exercises.
What are exercises?
Exercises (also referred to as sims) are scenario-driven simulations of a cyber incident. Participants respond to the incident and underlying threats by performing a variety of actions such as incident management, forensics, communication, and reporting. Parts of the scenario, known as injects, are released over the duration of the exercise. These injects usually provide more information about the threat and may change the actions or decisions made by the participants.
Exercises can take different forms (discussion based or functional, remote or onsite), represent different incident types (e.g. ransomware), and can be as long or as short as they need to be. Exercises are sometimes thought of as big events, involving lots of people, being complex, and taking lots of time and resources. It doesn't have to be this way and, if done correctly, are manageable and easily align with the organisation's normal business practice and security program.
Are they effective?
Extremely effective, but only if done correctly.
The key to an effective exercise is that the objectives are well defined, the exercise is crafted to meet those objectives, and that the right data is captured so factual findings and insights are possible. Most importantly however, exercises need to be as realistic as possible with participants acting as if they were responding to a real incident. This is why we always advocate our customers use their production network, invested capabilities, and existing processes when participating in an exercise - it's as close to being real as possible.
Who should participate?
Anyone who is involved in incident response should participate in exercises. Incident response involves many different capabilities across an organisation and so exercises should reflect this.
Teams that we commonly involve in our exercises have included security operations, crisis management, media and PR, executives, legal, and other technology teams.
How often should we do them?
As often as you can. Especially if you are consistently targeted, provide critical services, and/or have important data to protect. Exercising against common threat scenarios will ensure the organisation can respond effectively when those threats manifest.
Evolving threats, discovered vulnerabilities, churn in personnel, network rearchiteching, investment in new tooling, and other changes - these will always impact an organisation's readiness to respond to an incident. By frequently exercising, the impacts from these changes are neutralised.
What types of exercises are there?
There are two main types - tabletops and functional exercises.
Tabletop exercises involve discussing what actions one would perform based on the presented scenario. The action is not physically performed. Functional exercises do involve participants actually performing relevant actions, such as creating a ticket in their case management system, searching telemetry in their environment, or preparing a media statement to deliver at a news outlet. Both types of exercises meet different needs, but functional exercises are more realistic and therefore yield better findings and insights.