Eight use cases for cyber security exercises

What are you looking to achieve?

This is the question we ask upfront when working together with an organisation on a cyber security exercise. Doing an exercise just to say you did one shouldn't be the actual goal. It should be about the insights the exercise uncovers, the learnings it provides, the capability it validates, and the outcomes it delivers. The exercise is the vehicle to the destination. Fortunately, exercises are an incredibly versatile and dynamic vehicle, able to be leveraged in multiple ways to achieve a whole range of outcomes.

At Retrospect Labs, we live and breathe cyber security exercises, having delivered close to a thousand exercises since founding in 2019. Here are eight use cases we’ve come up with, many of which we’ve helped realise for organisations we’ve worked together with.


1. Answering the “what if…” questions

There may have been a recent public incident resulting in questions from the C-suite, or some new threat intelligence received about an adversary targeting your sector, or perhaps there is active exploitation of a newly discovered vulnerability in a product your company uses. Often something happens that triggers the thought of “what if”. What if our organisation was the victim instead: how would we fare? What if we had to isolate these hosts to contain a ransomware attack: could we still operate our critical services? What if this adversary was in our environment: do we have enough visibility to detect their tradecraft?

We sometimes see these questions answered in a subjective way, perhaps solely on gut feel. An incorrect assessment could lead to a false sense of security and inaction, even if the true risk faced is at an unacceptable level. Exercises can generate tangible evidence that can paint a better picture, enabling us to answer those questions more confidently and accurately.

Side note: the type of exercise chosen determines the quality of evidence you can collect, which in turn affects the accuracy with which you can answer these “what if” scenarios. Tabletop discussion-based exercises are good, but functional live-play exercises, where you discuss the response and physically carry it out, yield the best evidence.

2. Testing plans and procedures

From our experience, testing of the cyber security incident response plan, communications plans, and playbooks ranks as the most common use case for doing exercises.

We go into more detail in a previous blog post about the common findings we’ve seen from our exercises, but to reiterate, having well thought out and, importantly, thoroughly tested incident response plans and playbooks can be the difference between stopping an incident in its tracks, or it turning into the type of incident that the media reports on.

3. Validating invested capabilities

Investment by Australian organisations into information security and risk management products and services continues to increase. We spend a lot, so we should expect our invested capabilities to be effective. A configuration mistake, insufficient disk space to capture new records, and firewall rules that were confirmed ineffective at blocking C2 traffic: these are issues we’ve picked up through the delivery of functional live-play exercises.

Periodic exercises to validate invested capabilities in the context of different incident types and Tactics, Techniques and Procedures (TTPs) will give you more confidence that they will perform the way you expect them to when facing a real incident.

4. Developing [insert skill here]

Exercises are an ideal way to develop your incident response skills, whether it be forensics, incident management, communications, or something else. At Retrospect Labs, we create skills-based exercises that focus on a few aspects associated with a specific incident type being experienced by a fictional victim organisation. For example, we have a pack of exercises we call the “Forensic Files” that gives individuals the opportunity to learn how to analyse a memory dump, or to recognise what a brute force attack looks like from a log perspective.

Image: A skills-based exercise from our Forensic Files series.
Image: Practising analysing a technical artefact provided during a skills-based exercise.
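As an illustration of the “what does a brute force attack look like in the logs” skill mentioned above, here is an added example (not part of the Forensic Files pack or any Retrospect Labs material). It parses constructed OpenSSH-style auth log lines, keeps a sliding window of failed logins per source address, raises a medium-severity alert when a source reaches the failure threshold inside the window, and raises a high-severity alert if that same source then logs in successfully, which is the pattern an analyst most needs to recognise. The log lines, addresses, usernames, threshold and window size are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH auth.log style (not real data).
# 203.0.113.5 sprays several accounts and then succeeds as "alice";
# 198.51.100.7 is a legitimate user with one typo and a key-based login.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 09:00:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Mar 10 09:00:04 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51126 ssh2
Mar 10 09:00:06 host1 sshd[2207]: Failed password for root from 203.0.113.5 port 51128 ssh2
Mar 10 09:00:08 host1 sshd[2209]: Failed password for alice from 203.0.113.5 port 51130 ssh2
Mar 10 09:00:09 host1 sshd[2211]: Accepted password for alice from 203.0.113.5 port 51132 ssh2
Mar 10 09:15:00 host1 sshd[2300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 10 09:20:00 host1 sshd[2301]: Accepted publickey for bob from 198.51.100.7 port 40002 ssh2
"""

# Matches the "Failed password" / "Accepted publickey" forms sshd writes;
# "invalid user" is optional because it only appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for one auth log line, or None if it is not a login event.
    Syslog timestamps carry no year, so one is assumed (an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return a list of alerts in log order.

    A 'medium' alert fires the first time a source IP accumulates `threshold`
    failed logins within a sliding window of `window_seconds`. A 'high' alert
    fires if an already-flagged IP subsequently gets an accepted login."""
    failures = defaultdict(deque)  # ip -> deque of (timestamp, username)
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        window = failures[ip]
        if ev["result"] == "Failed":
            window.append((ts, ev["user"]))
            # Drop failures that have aged out of the window.
            while window and (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium",
                    "ip": ip,
                    "ts": ts,
                    "users": sorted({u for _, u in window}),
                    "reason": f"{len(window)} failed logins within {window_seconds}s",
                })
        elif ip in flagged:
            # Success after a burst of failures: treat as likely compromise.
            alerts.append({
                "severity": "high",
                "ip": ip,
                "ts": ts,
                "user": ev["user"],
                "reason": "successful login after brute force activity",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], alert["ts"], alert["reason"])
```

Run it as-is to see the two alerts for 203.0.113.5 and none for 198.51.100.7. Tuning the threshold and window is the interesting part of an exercise: a window that is too short misses slow, patient password spraying, while one that is too long buries the signal under ordinary typos.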

Communications is another skill you can develop and nurture through exercises. Engaging in exercises that simulate incidents requiring coordination with diverse stakeholder groups enables individuals to refine their communication strategies.

5. Establishing an internal certification program for the Security Operations Centre

Cyber security exercises can serve as a cornerstone for establishing an internal certification program within a Security Operations Centre (SOC) by providing a structured, realistic environment for personnel to demonstrate and refine their capabilities.

Tailored to mirror the escalating complexity and responsibility characteristic of SOC analyst tiers, exercises enable analysts to showcase their competencies in scenarios that reflect their role's specific challenges.

For example, Level 1 analysts might tackle exercises focused on initial threat detection and alert triaging, while Level 2 analysts might engage in deeper incident analysis and remediation strategies. Level 3 analysts could be tested on advanced threat hunting, forensic investigations, and strategic response planning. This stratified approach ensures that the certification process is aligned with the skill sets relevant to each tier and emphasises a hands-on demonstration of the analysts' abilities to confront cyber threats at their respective levels of expertise. Ongoing exercises will also ensure the team builds and maintains the muscle memory of the best courses of action when responding to incidents.

6. Identifying the candidates you should hire

If you are hiring to fill positions within your organisation’s cyber incident response team, consider leveraging exercises as part of the process. Exercises can be crafted to reveal which candidates have the requisite skills, or the aptitude to rapidly develop them, for the positions they seek. It's also beneficial for the candidates as the exercise can provide a more accurate portrayal of what the job entails.

7. Delivering engaging security awareness

Employees can be the first and last line of defence against cyber threats. Rather than make them endure death by PowerPoint, watch irrelevant animated videos, or read endless pages of text, try using exercises to get the points across by presenting tailored content in an exciting format where they can actually interact with the scenario (rather than passively observe).

Instead of tricking your colleagues into clicking a link in a phishing test, how about trying Google’s approach by running phishing fire drills instead? You can set up exercises that step through what a phishing email looks like, what may happen if you click on the malicious link, and how to report the email as per your organisation’s procedure.

8. Creating some friendly competition

For the past four years, we’ve delivered exercise-based competitions with great success. These events, reminiscent of Capture the Flag (CTF) challenges, have cultivated teamwork, presented participants with engaging and intellectually stimulating puzzles, and generated an exciting and vibrant atmosphere.

Break from the routine and give running an exercise-based competition a go.
We hope this blog post has given you some ideas on how to leverage cyber security exercises in multiple ways. If you think of other use cases or innovative applications for exercises, please reach out to us. We’re keen to hear what you come up with!