19 January 2024

Cyber Wargaming and Cybersecurity

The importance of a robust Cybersecurity framework for any private or public institution that relies on cyberspace and digital technologies cannot be overstated in this technology-driven age. No civilian or military institution can consider itself safe in the cyber domain without a comprehensive and dynamic Cybersecurity Strategy that encompasses the integrated implementation of the technical, procedural, and human elements of its digital environment. While institutions continue to adopt innovative methods and techniques to counter evolving cyber threats, procedural gaps, technical security vulnerabilities, and undetected shortfalls in experience persist. Security vulnerabilities are frequently exploited by cyber attackers to obtain sensitive data, often resulting in the suspension of critical operations. These security breaches can mean enormous financial and reputational losses for companies — and for governments, they can escalate into serious national security issues. According to Statista, the cost of cyberattacks worldwide grew exponentially from $0.7 trillion in 2007 to $7.08 trillion per year in 2023. This figure is expected to reach $13.82 trillion by 2028 — a value equivalent to the world’s third largest economy after the United States and China.

The serious financial and national security concerns have compelled private and public institutions to place the highest priority on cybersecurity and to invest significant resources in securing their cyberspace operations. While cybersecurity companies continue to deliver innovative security solutions, the initiative in the Cyber Warfare equation tends to remain with cyber attackers and insecure elements beyond the control of organizations — a trend likely to continue into the foreseeable future. As one of the pioneers of computing, Mr. Willis Ware, once noted: “the only truly secure computer is one that no one can use.” The cyber domain will therefore always be under threat as long as we continue to rely on it. The growing global trend of cyber incidents and cybercrime shows that incidents and breaches can be reduced and losses minimized, but cannot be completely eliminated. So, in such a complex, challenging, vulnerable, and unpredictable digital environment, how can cybersecurity breaches be prevented and damage kept to a minimum? The answer lies in adapting the concept of Cyber Wargaming — where the latest technologies and cybersecurity techniques are applied in an integrated manner to prevent unexpected events and minimize damage. If conducted regularly and professionally with the right technical tools and experienced personnel, Cyber Wargaming will greatly help institutions strengthen their cybersecurity posture, address security vulnerabilities proactively, prepare for contingencies, and avoid unexpected financial surprises.

Cyber Wargaming — Learning from the Military

The concept of wargaming was first introduced in the early 19th century by Prussian officer Lieutenant Georg von Reiswitz, who convinced senior officers that warfare could be recreated and different scenarios simulated on a map. Since then, militaries around the world have relied on wargames to minimize unexpected events and prevent catastrophic failures. Wargaming allows for the simulation of illustrative scenarios to account for uncertainties and to narrow the range of uncertainty as much as possible in identifying potential risk areas.

Wargames are analytical games that simulate aspects of warfare between opposing forces at the tactical, operational, or strategic level. They are used to study warfighting concepts, train commanders and analysts, research scenarios, and assess how force planning affects outcomes. Militaries undertake a variety of wargames, including scenario exercises, tabletop map exercises, and computer-assisted exercises. They also provide opportunities to test strategies and concepts, train professionals, identify weak areas and deficiencies, test weapons, validate procedures, develop response strategies, and support strategic decision-making. Wargames also help bring together inter-agency and intra-organizational stakeholders to build relationships and collaborate on finding unique solutions to complex problems.

Cyber Wargaming

The application of the wargaming concept in the cyber domain is a relatively new phenomenon that needs time to take root and deliver maximum benefit. Many militaries around the world understand the potential national security implications of cyber threats and regularly undertake Cyber Wargames at the national level and with allies — yet in the private and civilian sectors, Cyber Wargaming is still in its early stages.

Cyber Wargaming Timeline

Cyber wargames differ from traditional cybersecurity measures such as technology control assessments, penetration testing, and vulnerability scanning. Cyber wargames not only encompass traditional cybersecurity measures but also provide a healthy assessment of an organization’s overall Cybersecurity Posture. At the same time, they enable organizations to prepare for contingencies where parts of the corporate network may need to be shut down to reduce losses, facilitating decision-making processes under pressure. Cyber Wargames are therefore not only useful for identifying technical vulnerabilities — they are also an excellent tool for evaluating your cybersecurity strategy, response mechanisms, professional competence, and decision-making processes during a crisis, as well as ensuring your organization can withstand unexpected situations in the event of a Cyberattack.

Designing a Cyber Wargame

Designing and supervising a Cyber Wargame is a complex process that must be carried out with the help of experienced and competent professionals. Since Cyber Wargames are designed to provide participants with a near-real-time experience, wargame planners need to be familiar with the latest offensive and defensive techniques and technologies. Businesses, companies, or organizations can undertake Cyber Wargames themselves — provided they have the right technical infrastructure, trained personnel, and level of maturity. However, if any of these elements is absent or deemed insufficient, it is preferable to seek help from qualified professionals and have the wargames conducted by external experts. It is also important to understand that the participants in a full-scale Cyber Wargame are not limited to technical experts alone.

During execution, as different scenarios or contingencies are presented, the full involvement of the company’s or institution’s C-Suite in taking on decision-making roles is essential. Likewise, the involvement of a company’s legal, human resources, support, and administrative staff, as well as public relations teams, in applying real-time decisions and actions will play a vital role in shaping the overall outcome of the wargame.

The first step in designing a Cyber Wargame is to gain clarity on the scope and objectives of the wargame. A comprehensive understanding of an institution’s digital environment — including its vital digital assets and services — makes it easier for planners to design a realistic Wargame.

Scope of the Cyber Wargame

Defining the scope and scale of the wargame is a prerequisite for further planning and management. The scope of the wargame can range from providing cybersecurity professionals with near-real-time experience and training to testing an organization’s cybersecurity posture at the tactical, operational, or strategic level. The number and level of participants are determined by the scope and scale of the wargame. The exercise may last days, weeks, or months depending on the desired outcomes and stated objectives. It is important to understand participants’ competency levels before defining the scope and scale of the wargame, as this has a direct impact on the exercise’s outcome. If the exercise is planned to run on live systems, special mitigating measures must remain in place throughout to prevent unexpected operational disruptions.

The safest option for running a Cyber Wargame in a near-realistic environment is to ensure it is conducted on a powerful Cyber Range Platform capable of replicating multiple digital environments — including the organizational environment encompassing the networks, systems, and related operational services of the company. A comprehensive Cyber Range Platform allows for a broader scope for the exercise without concerns about interfering with live systems and networks.

PriviaHub is an online Cybersecurity Training, Simulation and Exercise (Cyber Range) Platform that enables personnel working in private or public institutions to increase their knowledge and perform practical exercises.

Defining the Objectives of the Cyber Wargame

Once the scope of the wargame has been established, it becomes easier to define its objectives. Objectives can range from tactical to operational or strategic level depending on the scope of the exercise. Since a Cyber Wargame is far more than just a penetration test, it should cover a broader range of objectives to generate real value. Some of the general objectives that can be set for a Cyber Wargame include:

  1. Testing an institution’s overall Cybersecurity Posture and Strategy
  2. Finding technical vulnerabilities that could lead to data loss or operational disruption (penetration testing, vulnerability scanning, etc.)
  3. Assessing the professional competence of Cybersecurity professionals
  4. Testing response strategies and mechanisms, and crisis management
  5. Training cyber professionals on current defensive/offensive techniques and technologies
  6. Testing different hypotheses and scenarios
  7. Assessing the effectiveness of existing procedures and protocols
  8. Testing new controls or procedures
  9. Building inter-agency/intra-organizational relationships and improving communication
  10. Finding solutions to complex problems and challenges
  11. Conducting inter-agency/intra-organizational exercises to assess institutions’ Cybersecurity readiness
  12. Drawing relevant lessons to improve existing Cybersecurity norms, technological knowledge and availability, professional competence, and standard operations

Organizations planning Cyber Wargames can design many objectives based on their specific operational requirements and organizational obligations. It is always better to give the exercise a name to create a realistic impact and to document lessons learned and behavioral details following the exercise. Exercise planners can select an appropriate name for the Wargame in consultation with the institution’s key stakeholders.

Scenario Development

Once the scope and objectives of the intended Cyber Wargame have been defined, scenarios simulating the most likely cybersecurity situations must be developed. Scenarios should provide participants with ample opportunity to practice and achieve the desired objectives of the wargame. They can also include both planned and unplanned situations to create the ideal environment for participants to face and overcome worst-case scenarios. Scenarios can range from testing the technical aspects of the latest attack and defense techniques to evaluating response strategies, professional competencies, and procedural effectiveness. For example: what happens if the corporate network is attacked or the data center goes down? What if sensitive voice calls between senior officers are intercepted via a MITM attack? What if a DDoS attack takes down the email server, or the organization is hit by a serious ransomware attack? Similarly, there may be a range of other situations that can be designed during the scenario development phase depending on the wargame’s objectives.

Experts planning a Cyber Wargame should incorporate security measures and thresholds if the exercise is planned to run on live systems. However, as emphasized earlier, it is always better to run large-scale Cyber Wargames on a powerful Cyber Range Platform, since the best Cyber Range platforms also ship with built-in scenarios of varying technical difficulty, from which further scenarios can be built with the platform's existing tools. Situational scenarios aimed at evaluating response strategies and procedures, on the other hand, must be planned by expert personnel.

At this stage, planning experts — in consultation with the relevant institution — decide how the exercise will be conducted, and if it is planned on a Cyber Range platform, which networks, systems, protocols, and policies will be replicated. The rules of the exercise, team and individual responsibilities (per NIST Special Publication 800-61 Rev. 2), cut-off thresholds, command and control, and the exercise execution timeline are also discussed and finalized. Team formation (Red, Blue, Purple, Controller, etc.) depending on the scope and objectives of the Wargame is also determined at this stage.

Creating and Documenting Wargame Instructions — Briefing

Once the scope, objectives, and scenarios of the Cyber Wargame are finalized, the planners must prepare in detail the document known as the “Exercise Instructions.” This document should include the written scope, objectives, participating teams, exercise execution methodology, responsibilities, the exercise supervisor or referee, and key stakeholders. The document may or may not include scenario details, depending on the scope of the exercise. The “Exercise Instructions” are reviewed by the lead planner and key stakeholders from the institution where the exercise will be conducted. The document may then be shared with participants to allow them time to understand and prepare for the various aspects of the Wargame. Exercise preparations also include ensuring the necessary technical infrastructure, systems, facilities, and executive support for the Wargame are in place. Finally, after participants and key stakeholders have been given sufficient time to understand the Wargame instructions, a final briefing is held before the Wargame begins. The primary purpose of this central briefing is to refresh the execution methodology and to clarify any questions in participants’ minds.

Executing the Cyber Wargame

To ensure a smooth and rewarding experience for everyone and to extract the necessary lessons, the execution of the Wargame is strictly subject to the “Exercise Instructions.” Depending on the objectives set for the exercise, both Red Team and Blue Team undertake offensive and defensive activities. Here, the Red Team attempts to compromise the networks, systems, and services protected by the Blue Team, while the Blue Team operates to defend against or mitigate the effects of attacks. The exercise referee or controller closely monitors ongoing activities to ensure everyone adheres to the rules set out in the instructions. During Wargames conducted on a Cyber Range platform, the organization’s live digital environment is simulated to provide teams with a real-time feel and to achieve realistic outcomes. Cyber Wargames can also be conducted in a digital environment entirely different from the company’s actual environment — one that neither the Red Team nor the Blue Team is familiar with. In such exercise environments, the Blue Team must identify and map the relevant systems before Red Team attacks begin, in order to figure out how to defend them. Similarly, the controller or referee can present various scenarios to the relevant teams, designed to assess the organization’s decision-making and response strategies. Essentially, it is the controller who keeps everyone involved in the exercise on the same page. Procedural scenarios are implemented by giving the acting team a limited time frame, after which their response actions and decisions are evaluated. The decisions and responses of key stakeholders, human resources, legal, public relations, and investor relations teams are documented and assessed for their positive or negative impacts on the company’s operations, interests, and public image.

The most important step during the execution of a Cyber Wargame is to ensure that evidence chains, incidents, and contingencies are recorded in an auditable manner as the exercise progresses. Likewise, a detailed record of the sequence of events is required — including when each event occurred, whether exercise instructions were followed, how well the response strategy performed, whether key decision-makers were ready in time to make critical decisions during contingencies, and whether communication and coordination between the organization’s different units was effective and timely. These technical and operational records play a vital role in evaluating the wargame after its conclusion and extracting the right lessons.
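As an added illustration (not the article's or PriviaHub's own tooling), the following Python sketch shows one way to keep the auditable record this step calls for: a hash-chained exercise log whose records can be verified after the fact, plus helpers that measure how quickly each team answered a controller inject against its time limit and which records the controller flagged as outside the Exercise Instructions. The class and function names, the record layout and the sample timeline are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

def _digest(record):
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

# Hypothetical hash-chained exercise log: every record commits to the digest of
# the one before it, so editing or dropping a record breaks all later records.
class ExerciseLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, ts, team, event, detail, rules_followed=True):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        rec = {"seq": len(self.entries), "ts": ts.isoformat(), "team": team, "event": event,
               "detail": detail, "rules_followed": rules_followed, "prev": prev}
        rec["digest"] = _digest(rec)
        self.entries.append(rec)
        return rec["digest"]

    def verify(self):  # index of the first broken record, or None if the chain is intact
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["digest"]:
                return i
            prev = rec["digest"]
        return None

def inject_response_times(log):
    """Map each inject id to (minutes until first response, deadline met)."""
    injects, results = {}, {}
    for rec in log.entries:
        d = rec["detail"]
        if rec["event"] == "inject":
            injects[d["id"]] = rec
        elif rec["event"] == "response" and d["inject"] in injects and d["inject"] not in results:
            inj = injects[d["inject"]]
            minutes = (datetime.fromisoformat(rec["ts"]) - datetime.fromisoformat(inj["ts"])).total_seconds() / 60
            results[d["inject"]] = (minutes, minutes <= inj["detail"]["deadline_min"])
    return results

def rule_breaches(log):
    # Sequence numbers the controller flagged as outside the Exercise Instructions
    return [rec["seq"] for rec in log.entries if not rec["rules_followed"]]

def build_sample_log():
    t0 = datetime(2024, 1, 19, 9, 0, tzinfo=timezone.utc)  # constructed timeline, not real data
    log = ExerciseLog()
    log.record(t0, "controller", "inject", {"id": "INJ-01", "text": "ransomware note on file server", "deadline_min": 30})
    log.record(t0 + timedelta(minutes=12), "blue", "response", {"inject": "INJ-01", "action": "file server segment isolated"})
    log.record(t0 + timedelta(minutes=15), "controller", "inject", {"id": "INJ-02", "text": "press enquiry about the outage", "deadline_min": 20})
    log.record(t0 + timedelta(minutes=20), "red", "note", {"text": "activity against a host outside declared scope"}, rules_followed=False)
    log.record(t0 + timedelta(minutes=50), "pr", "response", {"inject": "INJ-02", "action": "holding statement issued"})
    return log
```

Because each record carries the previous digest, a later "tidying up" of the blue team's response text makes `verify()` report the altered record, which is exactly the integrity property the post-wargame evaluation depends on.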

Concluding a Cyber Wargame

When a Cyber Wargame concludes, the controller delivers a clear message to participants to bring exercise activities to a close. To preserve the integrity of the Wargame, the process of collecting technical and operational logs from the various teams and participants begins — a task that must be carried out with great care. The controller engages with participants to gather all relevant information and prepares a comprehensive “Post Wargame Report” that provides a detailed account of everything from the planning and execution to the conclusion and lessons learned, while evaluating outcomes in light of the scope. This report should cover the organization’s technical, professional competency, and procedural aspects — encompassing all positive and negative aspects of execution, including strengths and weaknesses. NIST SP 800-61 Rev. 2 provides detailed guidance on documenting lessons learned during execution in this regard. The post-wargame report should be prepared to include all significant events encountered during the exercise. The report should be detailed to include, among others:

Once the post-wargame report is finalized, a debriefing session should be organized by the wargame planners. This session should include all stakeholders, participants, and senior management from the company to share and discuss the report’s contents and lessons learned during the wargame.

Summary

As threats in the cyber domain continue to evolve and multiply, it has become increasingly difficult for private and public institutions to wrest the initiative from cybercriminals. Cybersecurity companies around the world spend enormous sums on R&D to keep the world operating safely in cyberspace. Yet cybercrime and cyberattacks from known and unknown organizations continue to increase exponentially worldwide — a trend likely to continue for the foreseeable future. While various organizations undertake regular penetration tests, vulnerability scans, and other technical measures to identify weak areas, there are always security vulnerabilities that go unnoticed and are later exploited by cybercriminals and rogue actors. To avoid major surprises, the integrated implementation of the technical, procedural, and human elements of an institution’s digital environment — coupled with a holistic Cybersecurity Strategy — is the need of the hour. An integrated Cybersecurity Strategy can be built on the Cyber Wargaming concept. Cyber Wargaming is a time-tested concept by militaries around the world. Adapting the salient aspects of military wargaming and applying them in the cyber domain can greatly help organizations strengthen their Cybersecurity Posture and prevent costly surprises by proactively addressing technical and procedural gaps and vulnerabilities that often go undetected. A powerful and comprehensive Cyber Range Platform can be an ideal solution for undertaking Cyber Wargames and improving Cybersecurity Posture.

Author: Nasim Abbas
