Cyberattack simulations get real
Cyber defense training for businesses is evolving to create immersive scenarios putting board members and C-level executives in the crosshairs of simulated attacks.
The big picture: As ransomware attacks and nation-state cyber espionage campaigns ramp up, more executives and board members find themselves making key decisions about how their companies respond to cybersecurity incidents.
Driving the news: Israeli cybersecurity company Cyberbit released a new training module last month that allows security teams and C-level executives to operate a full-scale simulation together against some of the most popular cyberthreats.
- Similar products cater more to training security teams, rather than executives and board members.
Details: Hours-long simulations include attacks that exploit the Log4j vulnerability and recent Microsoft critical vulnerabilities, as well as a North Korean nation-state hack.
- Cyberbit chief marketing officer Sharon Rosenman tells Axios the company typically adds new simulations each week based on the findings of its in-house threat intelligence team.
- But in high-risk situations, it can have a new simulation up in one day. The training for the Log4j vulnerability, which impacted millions of devices, was live within one day, Rosenman says.
How it works: We participated in a recent Cyberbit product demo to get a sense of what training looks like now.
- Each simulation operates on live cloud networks from Amazon Web Services and Microsoft Azure to make the experience as close to reality as possible.
- Once the scenario starts, people are taken through a tabletop simulation where they see signs of an attack on a network and answer a series of questions about what they should do and whom they want to contact at what point.
- The trainings are hours long to mirror the real thing.
- Team managers are able to compile findings from all trainings in one dashboard as well.
The intrigue: Cyberbit’s customers include FS-ISAC, a nonprofit that shares cyberthreat intel among major financial institutions, and a few major retail and higher-education institutions, said CEO Adi Dar.
Between the lines: Regulators have been pushing executives and board members to take a more proactive role in cybersecurity strategies.
- The Securities and Exchange Commission is considering rules that would require public companies to file reports documenting cyber incidents as well as their strategies for protecting themselves.
- Other organizations, including RangeForce and CISA's National Initiative for Cybersecurity Careers and Studies, also offer training for boards and C-level executives.
Yes, but: Because Cyberbit wants the simulations to be as close to real life as possible, the training can take hours to complete.
- This means it’s still a huge investment for some companies that are low staffed or struggling to implement basic security measures like multifactor authentication.