Practice in Cyber Defence: A Key to Success Against Cyberattacks (By Vincent Riou, CEIS)

Companies and organisations must not only be aware of but also protect themselves against cyber threats, which may have disastrous consequences: tarnished image; financial losses; racketeering; theft of client data, patents or trade secrets; shutdown of an operation; or even major danger for populations if the attack targets sensitive infrastructure.

On an initial level, awareness-raising operations familiarise employees, whatever their technical skills, with the basic behaviours to be adopted. This builds what the French Network and Information Security Agency (ANSSI) calls a « healthy network. » These basic behaviours, like food safety rules, require regular practice to develop reflexes. Thus, regular cyber crisis exercises concerning a large share of employees should be devised to raise their awareness of risks. An employee in the know is worth two in the dark, and the cost of putting together such exercises is largely amortised by the decreased risk resulting from the good reflexes developed on all levels of the company.

Practice for cybersecurity professionals at a company or specialised service firm must go quite a bit further. To acquire and maintain the reflexes essential to cyberspace protection jobs, cybersecurity professionals must train, then practice on an ongoing basis. To draw a parallel with physical security, the staff of the French National Gendarmerie Intervention Group (GIGN) or the French Research, Assistance, Intervention and Dissuasion (RAID) unit cannot be pictured going on an assignment without engaging in preliminary practice so intense that they act reflexively and extremely efficiently once on the ground. Cyber incident response teams must likewise be ready to face a large-scale attack.

Practice differs from training in that it is immersive in nature. Training develops theoretical skills based on an adapted educational approach. Practice consists of engaging in a simulation exercise with a difficulty level correlated to the professional’s skill level. Training imparts knowledge of the basic techniques that comprise the cyber defender’s toolbox, whereas practice imparts mastery of these basic techniques through implementation to increase quality and speed of execution and decrease stress in a real-life situation. Practice enables professionals to acquire vital reflexes in the event of an attack and heighten their effectiveness.

Arnold Palmer said, « The more I practice, the luckier I get. » Indeed, operational efficiency depends on more than the sum of knowledge amassed often with an undue emphasis on theory. It further demands reflex mechanisms that can only be acquired through intensive practice. Many terms and modes of operation in cyber defence strongly resemble those used in combat sports: attack, defence, parry, feint, anticipation, etc. An equally obvious parallel may be drawn with the military world, where soldiers must know arms, tactics and modes of operation backwards and forwards before going on an operation. This is all the more true considering that resources for cyber defence are becoming increasingly complex and thus difficult to master as they evolve in step with new attack techniques and technological advances. This reinforces the need for regular practice.

Therefore the qualities required of a cyber defender may be likened to the qualities required of a competitive athlete:1

1. Relaxation: it is essential to keep a cool head when an attack occurs. Any tension amounts to a drop in efficiency. Relaxation reduces pressure and stress, thereby fostering a state of mind conducive to reducing reaction time and increasing attack response quality.
2. Adapted techniques: these are characterised by flexibility, alertness and adaptation to context. Incident response requires a wide range of techniques, which must be acquired before a significant incident occurs. It must be as comprehensive as possible. Hence defence capabilities must be updated regularly through targeted practice and training sessions in a simulated environment.
3. Decreased reaction time: apart from on-the-ground experience, only realistic practice decreases reaction time. This is crucial to increase attack response quality and limit damage done. Repeated practice goes beyond supplying theoretical knowledge and automates reactions such that they become « reflex » actions.
4. Variety of opposition: a boxer will stop improving if he constantly trains with the same partner. By contrast, he will maximise his improvement curve if he varies his practice sessions (punching bag, bodybuilding, moving targets, different partners, speed work, etc.). The same applies to cyber defence. A variety of large-scale attacks must be faced with different tools in different operational contexts to sharpen the senses and optimise a reaction that is above all human, even if it is strongly supported by technology

Focusing of attention: on an operation, when an attack occurs, it is essential to be able to disregard interfering stimuli, manage effort and react well to commands in the decision chain. This is acquired not in theory, but in practice.

To these individual qualities should be added group qualities, as cyber defence is a team effort. Each player in the defence chain has a specific and complementary role. A parallel may be drawn with the qualities of a rugby or football team. Individual qualities are then added through implementation of group strategies, solidarity and mutual assistance, optimisation of the decision chain, initiative in service to the group, reporting quality, respect for roles and rules, etc.

Group and individual practice sessions must be regular to be effective. Indeed, cyber threats are constantly evolving, and « experts » in the field who rest on their laurels shall never remain « experts » for long. New attack techniques are perpetually being developed in the world of cybercrime. This means that ongoing preparation is required to limit the effect of surprise and the damage done by attacks.

Training and practice are adapted to the required level and the required needs, from awareness-raising to intensive practice and from protective actions in the event of an attack to practice for a professional cyber defender. Companies may decide to establish internal training and practice processes based on the skills at their disposal, or they may choose to call upon professional cyber defence training and practice centres like IBM X-Force Command Centers in the United States or Bluecyforce centres in France. These centres have very substantial resources for realistic cyber crisis immersion and adapted educational methods. To all this is added a key factor in practice: « gamification. » Practice in the form of games must lead to total involvement, increased stress that must be brought under control and high stakes that must be defended. The quality of the scenarios offered is thus an integral part of the education, as is the complementarity of the profiles of the « coaches » of the future champions of cyber defence.