When we started WraySec, we set out to fill a void seen in the Cyber Security community. Our team has spoken about some of those voids in previous blog posts (here, and here), and we’ll continue to write about these voids as time goes on. The fact of the matter is we live in a complex world, and our digital dependencies have brought about a whole new slew of problems. As technological innovations are created, malicious parties stand by, waiting to take advantage. To the point: our training and approaches do not advance as rapidly as our technology does.
Our team wants to change that. We want to put the power back in the hands of the network owners, not the network attackers. Thus we’re doubling down on Practical, Hands-On Training. One of the major voids we have witnessed in the Cyber Security field is the lack of accessible engines to allow organizations to run their own training. Don’t misunderstand, there is much value in a third party providing your organization training (in fact, we offer just that), but training shouldn’t be something that’s a checkbox on a list and a week blocked off on the calendar. In addition to the training courses you consume from third parties, you should be performing regular internal training.
While we’re certainly using the term training, it’s important to understand the implications of an exercise based on real-world scenarios. Take for example the following situation: your organization is under attack by a sophisticated adversary. This adversary is using tactics, techniques, and procedures your organization has never faced nor even seen before. The malware being used by the adversary isn’t detected by your corporate anti-virus, and the infrastructure the attacker is using is not on any of your watchlists. Given that situation, would your organization be able to respond to the attack properly? Would your organization even know the proper response? An even better question is, would your organization even be able to identify the attack?
Performing cyber exercises allows your team to practice in a safe environment, an environment where making a mistake can be a lesson instead of a costly failure. A perfect analogy to this is backups. What is the golden rule for backing up data, aside from, obviously, backing up your data? Testing. Just as you should test your data backups and procedures, you should test your cyber defense personnel and procedures.
Take the exact same scenario from above, the sophisticated adversary that your organization has never faced. How would your organization fare if you had trained against their tactics, techniques, and procedures in an exercise?
If you went back in time to the 1990s and walked into any IT meeting, you’d hear a common theme: Firewalls. They were all the rage. Everyone knew they needed to secure their infrastructure and the magical firewall device would do just that. Fast-forward to the 2000s and IDS was the cool kid on the block. Your dusty firewall might block some of the threats, but your sparkling new IDS would alert you to the ones that antiquated firewall let through. Today, security assessments are the hype, and for a good reason: what better way to prepare for an attack than to purposely plan one? Hire a team (like us) to come in and emulate an attacker, and in the end you get a detailed report telling you what needs to be fixed.
But now there is a new shift, a new trend, in the assessment world. It’s gradual, but coming. Cyber Exercises. In the future your typical penetration test won’t just focus on capturing the crown jewels. Instead, your red team will be focused on capturing the crown jewels while emulating a known threat adversary. This is the new security assessment.
Not only do you get a report in the end that provides a list of things you’ll need to address, but you also get the chance to exercise your own personnel, tactics, techniques, and procedures. And we’re not just talking about red team engagements. We’re talking about full-blown, real-world scenarios. In a combination of your security assessment and cyber exercise you have the chance to set up realistic situations that your organization might face, and then practice responding to those scenarios.
It’s common practice today to have your security assessments performed both by internal personnel and third parties. But just like security assessments, you shouldn’t rely solely on external vendors for your training and exercise needs. Make realistic exercises a part of your internal program. Get ahead of the curve, and start testing both your technology and people.
That is precisely what CyExNg was created to facilitate. Take your training into your own hands. Perform internal exercises often, and don’t make training a boring trip to a rainy city and a sub-par hotel.
You can read more about the CyExNg product, and sign up for the closed beta, on our site here: https://www.wraysec.com/cyexng/
And don’t forget to check out the live demo: http://cyexng-demo.wraysec.com/