Under Pressure. How will your cybersecurity team do?
Nothing could be truer than the quote above, often attributed to an anonymous Navy SEAL. When things get real, your training kicks in. Training is not just filling your head with facts, but actually performing the work. Try. Fail. Learn. Get it right. Perfect it. Then do it again and again. The better the training, the better the students learn. This truism is the bedrock of high-performing, effective teams everywhere.
Somehow the business world hasn’t taken this to heart yet. As cybersecurity threats have escalated, the business world’s search for an effective solution has evolved. After a period of denial, the great hope was that some AI-powered “black box” would solve all cybersecurity concerns without having to do anything. That didn’t work. Next, let’s outsource to a cyber insurance firm. The only problem is that it’s pricey, and you don’t control the process. The insurance company does, and they aren’t always on the same team as you. So, we’re left with one solution—an in-house or hybrid human-based solution, probably a small group of folks charged with the impossible. Stop any and every attack, 24x7x365 from any source—script kiddie or advanced persistent threat (APT). It’s got to be 100%, every time. There might be some pressure building there.
Here’s where the challenge comes in. You see, the people on your incident response team, as defined in your IR policy and procedures (if you have them), most likely have never been hands-on with a complex incident (if they had, you probably couldn’t afford to keep them). They may have studied cases, taken classes, read tons of material, and hold an alphabet soup of certifications. But they probably have never executed your Incident Response Plan. They’ve never seen what the adversary’s tactics, techniques, and procedures (TTPs) look like in your technology stack. Do you have sufficient visibility? Is your logging up to snuff? So, how will your team perform in a high-pressure situation? How about with no sleep for 48 hours? Where are the gaps? You need to know. Your company is on the line.
Train Like the Champs
How do you overcome this? You train. And then train some more. This type of training is called Adversary Emulation or Purple Teaming. Whatever the name, the concept is to step through a targeted attack using real TTPs but without the dangers of a real attack. Team members are divided into two groups: a Red (Offensive) Team and a Blue (Defender) Team. PacketWatch team members are on both teams and provide the technical resources to emulate the attack. At each step, Red Team and Blue Team members get together to:
- Review the actions that occurred
- Analyze the result of those actions
- Determine the effectiveness of the current controls
- Identify the gaps
- Recommend changes
- Discuss other lessons learned
Custom Active Security Engagement
With an Active Security Engagement, you can:
- Validate your security controls and incident response processes against the tactics of real threat actors representing the most significant risk to your industry vertical.
- See and experience how real attacker tactics and exploits appear in your security tools. Identify gaps and assess the capabilities and maturity of your team in realistic scenarios.
- Improve your organization’s readiness for detecting and responding to the next attack. This hands-on exercise is a better experience than just reading a white paper.
Ultimately, it’s all about the quality of your team’s training. That determines the outcome. Enable their success with a PacketWatch Active Security engagement.
[i] “Under Pressure” by the British rock band Queen and singer David Bowie was originally released as a single in October 1981.