Cyber Exercise: Think Like A Black Hat
Readiness Challenge Puts Security Pros to the Test
Security vendor Symantec recently held a Cyber Readiness Challenge in Mumbai. The goal of the training exercise was to give security professionals an opportunity to experience real-life security scenarios and enable them to formulate stronger strategies against potential cyber-attacks that could result in breaches.
The 25 participating organizations - many of them hailing from the financial services sector - displayed a high degree of technical proficiency, organizers say, but also learned some new tricks. "Along with brushing up our technical skills, it gave us deeper insights into the vulnerabilities and exploits that organizations face today," says a member of one of the participating teams, who spoke on condition of anonymity. "Some of the tools that we were exposed to in the CRC today were new to us and will certainly add value in protecting our organization."
But the event also served to free teams from having to follow any particular rules, policies or procedures - or even having to "play nice," Symantec says. The thinking is that responding to threats using an overly structured approach may actually impede response speed and effectiveness.
Capture the Flag
Unlike other recent cybersecurity drills that test the complete infrastructure in an organization, CRC is designed to put the participants into an attacker's mindset, giving them the freedom to approach the scenario from a black-hat perspective, to better understand today's top attack techniques.
Symantec's CRC is a hands-on, interactive 'capture the flag' competition that includes scenarios based on the contemporary threat landscape, using realistic IT infrastructure. The exercise was designed to help the participating teams intuitively discover and develop a better understanding of hackers' targets, technology and thought processes.
The goal for this particular exercise was to compromise an "e-commerce portal" that Symantec had created, and set up in a contained environment that it controlled.
The CRC itself is a five-step, four-hour advanced persistent threat attack game. The challenge is designed to familiarize participants with the five core activities required to launch an effective compromise: reconnaissance, incursion, discovery, capture and data exfiltration. "With the need today for enterprises to stay two steps ahead of the cybercriminals, activities like these are helpful when planning future protection strategies, and giving the technical team exposure," says the CISO of a large organization whose team participated in the exercise.
Think Like a Hacker
When it comes to emulating attackers, how clued-in are information security professionals?
"The talent on display is tremendous," Tarun Kaura, Symantec's director of sales in India, tells Information Security Media Group. "However, the structured fashion in which security is approached by white hats and security professionals working within organizations is evident."
Hackers, of course, face few if any such limitations, as the exercise is designed to make clear. "It is an opportunity to come out of the defender mindset," Kaura says.
Some participants say that gaining a real-time glimpse of how an attack unfolds - albeit in a controlled environment - offers a great opportunity to understand how hackers might compromise their IT environment. Insights from such exercises will help them in planning future cybersecurity strategies, they say, and help better defend against everything from phishing exploits to watering-hole attacks.
"Such exercises enable professionals to view their organizations from the eyes of the enemy and take appropriate steps to defend and mitigate such attacks through proper monitoring, hardening and solutions," says the CISO of a large, multinational firm, whose team bagged the gold prize in the exercise.
One thing the exercise couldn't duplicate, perhaps, is the amount of time an attacker might enjoy to peruse a network, after breaking through the IT perimeter. In the real world, notably, the period from reconnaissance to data exfiltration - with attackers remaining undiscovered - may stretch to months, or even years. "With targeted attacks on the rise, cybercriminals have become more patient and stake out [organizations] for longer periods of time to ramp up before carrying out attacks," says Sanjay Rohatgi, Symantec's president of sales in India.
Improving Skills, Awareness
Symantec conducts CRC sessions across the globe, and has previously held one event in south India, in the city of Bengaluru, which saw 40 security professionals from 20 large and medium enterprises compete in the attack scenarios.
"There is a need to increase awareness and improve skillsets in the security domain to deal with sophisticated attacks," Kaura says, noting that the response to the CRC sessions has been enthusiastic. He adds that he has been pleasantly surprised to find security professionals from the risk teams inside organizations also participating in the exercises.
Symantec plans to conduct its next CRC in New Delhi in November.