Cyberattack simulations get real

Cyber defense training for businesses is evolving to create immersive scenarios putting board members and C-level executives in the crosshairs of simulated attacks.

The big picture: As ransomware attacks and nation-state cyber espionage campaigns ramp up, more executives and board members find themselves making key decisions about how their companies respond to cybersecurity incidents.

Driving the news: Israeli cybersecurity company Cyberbit released a new training module last month that allows security teams and C-level executives to operate a full-scale simulation together against some of the most popular cyberthreats.

• Similar products cater more to training security teams, rather than executives and board members.

Details: Hours-long simulations include attacks that exploit the Log4j vulnerability and recent Microsoft critical vulnerabilities, as well as a North Korean nation-state hack.

• Cyberbit chief marketing officer Sharon Rosenman tells Axios the company typically adds new simulations each week based on the findings of its in-house threat intelligence team.
• But in high-risk situations, it can have a new simulation up in one day. The training for the Log4j vulnerability, which impacted millions of devices, was live within one day, Rosenman says.

How it works: We participated in a recent Cyberbit product demo to get a sense of what training looks like now.

• Each simulation operates on live cloud networks from Amazon Web Services and Microsoft Azure to make the experience as close to reality as possible.
• Once the scenario starts, people are taken through a tabletop simulation where they see signs of an attack on a network and answer a series of questions about what they should do and whom they want to contact at what point.
• The trainings are hours long to mirror the real thing.

• Team managers are able to compile findings from all trainings in one dashboard as well.

The intrigue: Cyberbit’s customers include FS-ISAC, a nonprofit that shares cyberthreat intel among major financial institutions, and a few major retail and higher-education institutions, said CEO Adi Dar.

Between the lines: Regulators have been pushing executives and board members to take a more proactive role in cybersecurity strategies.

• The Securities and Exchange Commission is considering rules that would require public companies to file reports documenting cyber incidents as well as their strategies for protecting themselves.
• Other organizations, including RangeForce and CISA's National Initiative for Cybersecurity Careers and Studies, also offer training for boards and C-level executives.

Yes, but: Because Cyberbit wants the simulations to be as close to real life as possible, the training can take hours to complete.

• This means it’s still a huge investment for some companies that are low staffed or struggling to implement basic security measures like multifactor authentication.