Testing Cyber-defenses: Does the ‘New Normal’ Mean We Need to Up the Stakes?

The COVID-19 pandemic has taught us all just how digitally dependent we have become. This means no one is impervious to a well-coordinated cyber-attack and the considerable consequences that come with it. Red teaming, the latest threat intelligence and regular cyber audits undoubtedly play a role in fortifying an organization’s cybersecurity, but as expert as these techniques are, they do not always offer the tools to truly protect against real-life threats.

Testing is complex. It often requires a cybersecurity firm to develop a ‘worst case scenario’ for an organization by understanding the most at-risk areas, implementing defenses and then bringing in offensive specialists to see if the protections in place are sufficient. This can often result in the illusion of defense, whether by testing only one aspect of a business’ infrastructure or by conducting tests so infrequently that they fail to account for the evolving changes in the cyber-threat landscape.

The COVID-19 pandemic has brought the reality of this into sharp focus: it has catalyzed digital transitions across a variety of industries, increasing the breadth of the cyber battlefield across the entire world. With whole businesses now existing online, it is more pressing than ever to make sure that cyber-defenses are tested in the most realistic manner possible.

One such way to do this is through simulated cyber-attacks: recreating the infrastructures of real companies, along with real technological and business processes, real defensive measures and the real defenders responsible for protecting the infrastructure of these companies. This requires a cyber-range that contains full-fidelity replicas of supply chains, business scenarios and the latest technology. By implementing the unique layout of a given business’ infrastructure on a ‘digital twin’, a truly 360-degree view of risks and vulnerabilities can be found and tested in real time.

This ‘digital twin’ provides a realistic model of a business and places it on a cyber range. The crucial advantage is that this digital model can be truly pushed to the limits, where the actual company could not. Cyber ranges such as the world’s largest, The Standoff, can be used to create these replica businesses and incorporate all aspects of a cybersecurity landscape: CEOs, staff, pen-testers, red teams, blue teams and everyone in between. For example, it would be possible to understand not just how a server was hacked or a switch port was broken, but what happens after an attack – the real-life consequences. This can be anything from stolen assets to damage to infrastructure (e.g., a chemical leak) or even loss of life. Cyber ranges can be used to realistically demonstrate a cyber-attack from start to finish, without a scratch on the business using it.

One obvious advantage of this method is that it can be done without disrupting normal business operations. There is often a hesitancy to conduct other forms of testing, such as red teaming, because they play havoc with day-to-day work and require accepting some level of impact on a company’s bottom line. By simulating a crisis scenario ‘offsite’, business leaders can be confident that operations will continue as normal but can also ensure regular, and more frequent, testing of their cybersecurity.

Cyber ranges can also go further than traditional testing. Typically, testers will find vulnerabilities, exploit them and then report back. In reality, cyber-attacks are conducted with a specific purpose, whether it be to steal money or data, disable systems or deny services - considerably more unpredictable events. There are countless incidents where companies have tested the ‘front door’ of the business regularly, without sparing a thought for an attacker going around the back. This is the reality of modern cybersecurity, and businesses need to assume that any attack, however isolated it might seem, can pose a major risk and spread to an entire enterprise if not dealt with effectively.

There is also a major advantage in that these simulations will arm cybersecurity professionals with the information necessary to demonstrate the critical importance of robust cyber-defenses. Company boards often struggle to comprehend, and in turn justify, the costs of cybersecurity, and cyber ranges provide an excellent opportunity to do just this. They provide a big-picture view of the potential threats to a business as well as clear outcomes from the testing, whereby a truly accurate representation of cyber-defenses can be both explained and actioned.

In a world where so much of our lives - both personal and professional - now exists online, it is imperative that cybersecurity is at the forefront of people’s minds. There is a complacency that comes with traditional cybersecurity testing - businesses have become used to certain processes and accept that afterwards their cybersecurity posture is sufficient. This status quo should be shaken up through the use of simulated cyber ranges, which can be used to map an entire business and its vulnerabilities. By renewing testing practices, cyber ranges allow for more flexibility around day-to-day work, can provide a clear justification to leadership teams and ensure that nothing is missed.