Inspired by pen-tests or bug bounties, a number of IT departments organise cyberattack simulation exercises to improve awareness among their teams, against the backdrop of fast-growing cyber threats. Whether it’s to check security measures on the one hand or the digital habits of your staff on the other, is there a benefit in simulating cyberattacks to raise employee awareness?
Do you see Jeremy from the marketing team over there? The new guy, who’s just joined the team up on the first floor. He looks harmless, doesn’t he? Well, in actual fact, Jeremy is a highly experienced hacker, recruited by the company manager to carry out an in situ penetration test. He’s got free rein to do what he likes, as his co-workers are about to discover. It’s a plot worthy of any thriller, which you can discover in episode 36 of the Darknet Diaries podcast dedicated to cybersecurity, “Jeremy from Marketing”. It illustrates a Red Team type internal attack scenario in a company, seeking to lay bare all possible security flaws in order to rate the security level of its infrastructure and networks.
Darknet Diaries Ep 36: Jeremy from Marketing.
Special thanks to guest @TinkerSec.
Listen on @ApplePodcasts or at https://t.co/9zl8mnPKiV pic.twitter.com/OxDXMabqad
— DarknetDiaries (@DarknetDiaries) April 16, 2019
More and more companies are today offering pen-test services and simulations for employees. Immersive solutions, including role-playing, “live my life” exercises and simulated cyberattacks, are becoming mainstream when it comes to developing a cyber culture within businesses. For some IT departments, the question is the following: whether it’s to check security measures on the one hand or the digital habits of your staff on the other, is there a benefit in simulating cyberattacks to raise employee awareness?
50 shades of intrusion tests
Using pen-testing or bug bounty solutions, attacking a product or network infrastructure to test its stability or security is a common practice in the cyber world. Frequently, companies which have attained a certain level of maturity in the field of cybersecurity use external service providers to stress test their protective measures. “In the case of ‘black box’ pen-testing, the designated person will have access to the same data as in real life situations and will seek to attack the network from outside”, explains Adrien Brochot, Product Manager at Stormshield. “The other possibility is to give him access to the code and the rules for the data flows, enabling him to try and overcome the protective measures by rereading the code. This is then referred to as ‘white box’ pen-testing”.
For larger companies or organisations with a more mature cyber profile, it’s also possible to organise Red Team vs. Blue Team type simulation exercises. Here, the Red Team’s task is to test the security level of a company, an IT network or an item of equipment via hacking techniques while the Blue Team seeks to defend itself. In June 2019 for example, the French armed forces ministry took part in such a simulation exercise, the purpose of which was to “anticipate enemy action”. This type of cyberattack simulation is intended to identify a company’s weaknesses. To make the exercise all the more effective, it’s also possible to plan on the inclusion of a Purple Team, given the task of interacting regularly with the defence and attack teams. And for the purists, to create a more complete perimeter we should also mention the Yellow Team, Green Team and Orange Team – all part of the BAD pyramid.
For the intrusion tests, the attack surface is defined beforehand between the company arranging to have its infrastructure tested and the service provider chosen to perform the pen-test. “As an example, we’ll try to attack a web server online or to send a phishing email”, adds Paul Fariello, Security Expert at Synacktiv. “We can also create tailored scenarios in which we send a person onto the site to try and enter the company’s premises and to plug in an external peripheral such as a USB flash drive”, continues Paul Fariello. To achieve this, an initial social engineering phase is often required. And unfortunately, it is often effective.
Setting traps to improve awareness
A recent IBM study mentioned in the Usecure blog stresses that human error is the source of 95% of in-company security breaches. In other words, successfully managing the human factor can eradicate most breaches, in a context in which perimeter security alone is insufficient and in which each individual can become an attack vector. In France, in 2017, 30,000 staff from the ministry of the economy and finance fell into a trap… set by their own IT systems security department. The department’s objective was to make these staff aware of the risks of phishing. They certainly succeeded!
As a direct consequence, more and more IT departments appear to be using pen-testing to raise awareness among staff of cyber risks. Why? To place them in a cyberattack situation to better educate them and help them learn to manage the potential consequences. In June 2019, during the G7 meeting, 24 financial authorities from the seven member countries were invited to take part in a major exercise to gain a better understanding of the extent of cross-border cyber risks to the financial sector.
“Let’s not forget that these operations take a long time to organise and are costly”, explains Adrien Brochot. But if the organisation of such cyber crisis exercises is beyond the means of most small businesses, IT systems security managers may nevertheless decide to use a modest version of the Red/Blue/Purple Team role-playing games. For a more accurate simulation, it’s preferable that the departments handling the defence side should not be aware of the exercise. “It’s possible to come up with different situations according to the department concerned. Someone from HR can be tested without their knowledge to check that they have provided the necessary protection for a file containing personal data. Other departments will then try and access this file using different methods, whether technical or social”, explains Adrien Brochot. The key challenge for the IT systems security manager is then to highlight the parallels between the simulated cyberattack situation and the main principles of IT security, such as the protection of passwords or the basic protective rules to be applied when dealing with suspect emails. During the simulation carried out at the French finance ministry, the staff trapped by the phishing email were shown a webpage containing recommendations on the use of emails and the precautions to be taken, as explained by Yuksel Aydin, the IT systems security manager who managed the exercise, in the French newspaper Le Figaro.
The simulation boom
“A good simulation is certainly worth a thousand PowerPoint training presentations”, adds Paul Fariello. The challenge is to successfully combine the pen-test or role-playing exercise with an effective message to raise cyber awareness. “It’s therefore very important to take the time to review the exercise in a more general context, and to retrace the cyberattack point by point to learn all possible lessons”, he continues. “And even to run through the simulation again several months later to check if staff behaviour has changed and if the precautionary measures to be taken when facing such attacks have been fully understood”, concludes Adrien Brochot.
As an example, the company IBM certainly sees the value of focusing on awareness-building in companies. In the summer of 2019, the supplier criss-crossed Europe and gave company managers a “free” fright by showing them cyberattack scenarios, partially to encourage them to sign up to its paid training courses. And to remind them that there are ever more simulation service providers now that cyberattacks have become part of the day-to-day reality for all companies.
In previous articles we discussed several ways to successfully instil an effective and resilient cybersecurity culture in companies: from teaching cybersecurity in schools, to making staff liable for their acts. And so, with most IT departments still looking for the best way to raise awareness in 2020, we can bet that simulation exercises of various kinds could soon become part of their arsenal.