Is Your Company Ready For A Cyberattack?

Many companies are putting themselves through military-inspired games to beef up their cyber resilience

By Paul Mee and James Cummings
This article first appeared in MIT Sloan Management Review on December 4, 2018.

The U.S. military views cyberspace as a critical domain it must protect — similar to air, sea, and land. It regularly conducts war games to expose and eliminate risks to data and networks and to test its cyber defense tactics and strategies. As part of that effort, the military and other government agencies, including the U.S. Department of Homeland Security, have launched “bug bounty” programs that reward so-called ethical hackers (people hired by organizations to hack into their computer systems) for identifying and repairing potential vulnerabilities.

Companies face many of the same cyber risks as military and government agencies, and many of them are investing in similar capabilities to protect themselves. Goldman Sachs, for example, plans to put more than 8,000 developers through a gamified cybersecurity training program to help them gain a deeper understanding of attacker psychology and the range of countermeasures they might take. During this program, teams will compete against one another in games that feature more than 300 risk scenarios to develop and hone skills in malware analysis, digital forensics, and ethical hacking. Other companies, such as Intel, are taking steps to identify problems early — for example, offering rewards as high as $250,000 to security experts who identify vulnerabilities in their products. Such open invitations to engage hackers have helped organizations uncover and address real risks.

Increasingly, cyber exercises are becoming standard elements of corporate risk mitigation and resiliency efforts. In this article, we will describe some of the exercises companies are employing. They include “tabletop exercises,” which are designed to help executives envision how they would handle different risk scenarios; “red team exercises,” which are designed to ferret out weaknesses through contained attacks conducted internally to see how cybersecurity teams respond; as well as engaging ethical hackers to test an organization’s cybersecurity defenses.

Tabletop Exercises

Tabletop exercises are carefully planned events that simulate actual cyberattacks, thereby helping organizations identify specific vulnerabilities and define processes, procedures, and individual responsibilities needed to make systems secure. However, it’s important to note that tabletop exercises aren’t just about “defending the castle” against attacks; they can also teach a company’s leaders to manage through the attack and after the attack to remediate damage. In a way, the exercises serve as an X-ray into the organization’s cyber weaknesses. They can help companies accelerate their reaction time and build resilience by testing their preparedness for different types of scenarios, including external attacks and internal data breaches.

Typically, companies establish teams of people from different levels and areas of the business (including security specialists). The teams are asked to react to scenarios and puzzle through a series of questions. For instance: If data security is breached and sensitive customer data is stolen, what would the company need to do? How would the company detect an attack? How rapidly could it respond? Could the attack actually be a smoke screen to divert attention from another (perhaps even larger) attack on another flank? On a practical level, the tabletop exercises are designed to help companies figure out who is accountable for carrying out what actions — and what information needs to be communicated to customers, staff, the media, regulators, police, and government officials.

The right response may vary depending on the day, the time, or the time of year. For example, an attack on a financial firm on a weekend or holiday may call for a different response than what’s required during a normal trading day when more security experts and managers are immediately on hand to deal with the problems. Other types of risks arise when companies are preparing to announce quarterly financial results. Attacks during these periods can lead to corrupted data and may prevent IT systems from generating the necessary information. In such cases, the best response is usually to suspend service and redirect users to centers where the digital services have not been compromised.

Because many day-to-day processes regarding data and privacy rely on human judgment rather than controls that are coded into systems, tabletop exercises can also uncover vulnerabilities unrelated to networks or software. Indeed, in any organization, people and devices are the weakest security link. For example, one company we worked with discovered through a tabletop exercise that its backup customer relationship management and order system provided relatively easy access to a variety of corporate systems and databases; among other weaknesses, it used non-expiring passwords. This meant that any hacker who broke into the system would have potential access to personal information on employees. Another company found that would-be hackers could see pending trades that were being shared internally by email in unencrypted Excel spreadsheets.

Although tabletop exercises typically focus on how individual companies should prepare for a cyber crisis, some industry organizations have undertaken the exercises industry-wide. For example, the Financial Systemic Analysis and Resilience Center, a group formed in 2016 by eight large U.S. banks, conducts massive-scale tabletop exercises in which it explores and analyzes cyber strategies for the entire North American financial services sector.

Red Team Exercises

The U.S. military has turned building defensive capabilities and reducing vulnerabilities into a regular training activity. The idea is to test force readiness, with one group of security experts (the red team) focused on exploiting weaknesses in a second group (the blue team). The blue team’s job is to test its defenses and protect the security of its “crown jewels,” which include everything from customer data and R&D reports to control codes and technical specifications. In advanced organizations, the goal is to conduct realistic tests of the responsiveness of a company’s core security operations while taking care to prevent damage to people, live data, or equipment.

Staging red team attacks can help companies test their cybersecurity preparedness and their abilities to defend against actual or potential threats to their customers, the organization, or the broader system they operate in. For example, drawing on what’s known about the latest machinations of bad actors and publicly available information about a company, a red team might attempt to gain access to the company’s network and then try to blend into the normal data traffic. Depending on how red team exercises are structured, defenders may or may not know about the exercise in advance. Some companies keep score between the two teams to foster competition.

Engaging Ethical Hackers

Finally, companies can hire ethical hackers to conduct surprise attacks on their products and networks. They can follow the example of the Pentagon, which has been able to identify and remediate some 4,000 security vulnerabilities through its bug-bounty program. Among other things, the hackers found security gaps that enabled people to bypass authentication procedures or to inject bugs into the system.

Automakers Fiat Chrysler and General Motors, for instance, are taking this approach, offering bounties to individuals who uncover weaknesses in software related to their cars. In the world of cryptocurrencies, Coinbase, a digital currency exchange, has positioned itself as a trailblazer in hacker-powered security; it works with HackerOne, a bug-bounty platform, to engage some of the most persistent ethical hackers.

Mounting concerns over cyber threats have prompted some companies to develop their own cybersecurity tools to essentially crowdsource ethical hacking. In the past few years, Netflix, for example, has developed more than a dozen applications to analyze security threats to its data and systems. It has released the applications, many of which are geared toward distributed software development organizations, as “open source,” which permits other companies to use or modify them for their own purposes without paying a licensing fee. The added benefit is that the original tools are improved in the process. For its part, IBM has a practical and proven approach to ethical hacking, with standards, training, and certifications to enable it to deploy proficient hackers in large numbers.

Security experts often say there are two categories of companies: those that have been attacked and those that don’t know they’ve been attacked. In today’s environment, learning what it takes to fortify your cybersecurity team and business from cyberattacks needs to be an ongoing activity. If — or when — an attack occurs, your company’s ability to aggressively isolate the problem, and then mitigate and restore normal activities in a timely manner, could define the future of the business. Cyber games can help you understand where to focus resources to improve your readiness and resilience.