How to conduct a cyber-war gaming exercise

Defenses are in place, and a cybersecurity strategy has been designed. But how does your organization know they work? Conducting a cyber-war game can expose any shortcomings a real attacker may uncover.

Most cybersecurity professionals are aware they need to conduct cyber-war gaming exercises to ensure overall cybersecurity readiness. But questions remain about how to conduct this exercise, including the following:

  • What should the cyber-war games include?
  • How often should they be conducted?
  • Who should participate?
  • What documentation is required?
  • What should the end results and deliverables look like?

Let’s look at what’s needed for successful cyber-war game exercises, starting with what they are and why businesses should conduct them.

Characteristics of an effective cyber-war game

Cyber-war games are creative exercises in which an incident response team reacts to a hypothetical set of scenarios.

The military has long conducted war games, also known as tactical decision games, because they work. Participants learn to understand the unintended consequences of decisions in the context of the chaos of warfare. As the military adage attributed to Prussian Field Marshal Helmuth von Moltke the Elder goes, “No plan survives first contact with the enemy.”

Now, take those lessons, and adopt them for cyber-war gaming. One important element to conduct effective cyber-war games is to develop scenarios that incorporate multiple unplanned events and generate perfect-storm scenarios. For instance, what if the attack vector is an IoT network and an attack on the connected HVAC system brought the data center down? Or what if a Session Initiation Protocol man-in-the-middle attack compromised sensitive voice calls, while a DDoS attack took down the email server? Or what if a key person is out with the flu?

Another important element is how often the exercises are held. Conducting cyber-war gaming on a regular basis is key — ideally, quarterly but minimally annually. It’s less important to craft the perfect game than it is to conduct cyber-war gaming early and often, learning and improving as you go.

Critical cyber-war gaming roles

The two most important roles in cyber-war gaming are…