Knowledge is Power

Wilson Tan, director of the Singtel Cyber Security Institute (CSI), knows a thing or two about what ratchets up the stress levels inside the C-suite.

On this morning, for example, he's ensconced in a room with the local senior management team of a multinational electronics company. All eyes are fixed to the national news broadcast airing on the big screen.

"… has suffered a massive data breach involving close to two million customers," the news anchor reports. "Personal information, names, addresses and email addresses may have been accessed. While the attack was discovered on Tuesday, the company admits it could have happened months earlier."

The news story ends. The group re-engages, each keenly aware of the acute damage done to that company's reputation and the potential financial ramifications.

It's the type of unnerving news story that's occurring globally with alarming frequency. But in this instance, the news anchor is an actor. It's part of a management cyber readiness simulation the CEO and his senior management team are undertaking at the Singapore-based CSI.

CSI staffers Amelia Tan Pei Yu, Yeow Chun Wei and Tok Wei Cong huddle prior to the start of the institute's recent three-day Tactical Cyber Wargame course.

Established just over two years ago, the CSI is part cyber range, part educational center, with both tasked with testing and training organizations to confront ever-advancing digital threats. While the former is geared toward IT and security personnel, the latter is largely intended for other parts of the business, where information security seeps into virtually everything they do.

"It's disquieting just how few organizations have robust cyber response plans," said Tan, who has been at the helm of the CSI since its 2016 opening. "Is your organization operationally prepared for a cyberattack? How do you communicate both internally and externally during a crisis? What's your business continuity plan?"

They are questions worth answering. Tan, who holds a master's degree in economics from the University of Wollongong in Australia, pointed to the World Economic Forum's 2018 Global Risk Report, in which cyberattacks ranked high in the list of the top 10 risks to global business – both in likelihood and impact.

"What the CSI provides," he said, "is a safe real-world environment for organizations to test, check and verify their cyber readiness. Think of it as a fire drill, if you will. And like all fire drills, everyone needs to participate and know what steps to take."

The cyber range portion offers "war game" exercises for IT and security professionals, while the educational institute delivers readiness training for corporate executives and department heads and cyber oversight skills building for boards of directors.

Cyber ranges, as defined by the U.S.-based National Institute of Standards and Technology, are "interactive, simulated representations of an organization's local network, system, tools and applications that are connected to a simulated Internet level environment. They provide a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing."

At the CSI, IT and security personnel, also referred to as the "blue team," experience and defend against first-hand security threats in a competitive but safe environment. The participants can either come from a mix of different organizations or from just one. If from a single entity, the cyber range emulates their network environment as closely as possible.

In a controlled space, attacks targeting the emulated network are executed by a "red team" comprised of CSI's security experts and from Trustwave SpiderLabs (which is an elite squad of researchers, penetration testers and incident responders). This allows the blue team to learn and test classroom theories and in-house playbooks against the latest in-the-wild attack scenarios.

U.K.-based Trustwave SpiderLabs red team specialist Matthew Lorentzen is often brought in for his expertise in crafting and executing specialized and sophisticated attack scenarios as part of a cyber range exercise.

"Tools are not as important as the underlying principles," he said. "Aside from having an intimate knowledge of attack tactics, techniques and procedures, commonly known as TPPs, building a militant mindset is key to developing formidable red team expertise."

By learning to defend against attacks in a cyber range setting, Lorentzen added, defenders can better understand attacker TTPs and develop a complementary mindset to build better defences and provide a swift and decisive response when necessary.

"Each client has different pain points," said Tan. "It's about understanding their environment. Understanding what the crown jewels are – what they're trying to protect. It's about understanding the client's specific risk profile and concerns. We know this in a very intimate way, as we're creating the environment where they'll be playing out real-world threat scenarios to triage and remediate."

For this afternoon's exercise, the blue team is being asked to identify certain indicators of compromise (IOCs). As a result, they'll be monitoring different dashboards for security anomalies and attempt to defend or respond to them. The CSI's range masters will act as the red team, using the latest tradecraft and tactics to attack and infiltrate the organization.

"The whole idea is to train these IT and security professionals on the blue team," Tan said. "How do they discover these IOCs? How do they remediate to try to stop these attacks, and more importantly, how do they triage? When do they actually escalate and to who do they escalate to?"

Aside from cyber range training, another critical element in cyber resiliency lies with the C-level executives, department heads and boards of directors.

Tan said he believes strongly that to build resiliency, a company needs to go beyond the IT department. "Too often, senior management and boards view cybersecurity solely as an IT issue that needs to be dealt with," he said. "Cybersecurity is a business issue."

Tan facilitates a recent readiness training session at the CSI. He likens the cyber range exercises for IT and security professionals and the readiness training for corporate executives, department heads and boards of directors to a fire drill where everyone needs to participate and know what steps to take.

It necessitates a multi-disciplinary approach that that involves risk management, human resources, legal, operations, communications teams and others all coming together.

"The IT-centric attitude is changing, but that change in attitude needs to speed up if we're going to deal with cyberattacks effectively," he said.

Tailored to the varying needs of corporate leadership, the training covers threat awareness, risk management, business continuity planning and crisis communications preparation.

Through realistic simulations and role-playing exercises, the management and board training is made as hands on and engrossing as possible.

"Our sessions are highly experiential and engaging with various activities designed to keep participants' pulse rate and blood pressure racing as they understand the intricacies of managing cyber risk," Tan said.

One thing he often hears from clients is how relevant the training was to their core business. He largely credits this with bringing in carefully selected practitioners who share best practices and discuss current anonymized real-world case studies on which they have worked.

Asked on memorable CSI moments, Tan recalled a discussion during board cyber oversight training with a financial services organization. The discussion centered around issuing a trading halt on the affected organization's shares as the prices had been impacted due to a significant cyber incident. But what was more interesting – and what the board members were struggling with – was the question on when they should lift the trading halt in light of the uncertainties in dealing with the breach's aftermath.

The discussion brought into sharp focus that processes and guidelines in prioritizing and responding to a crisis need to be developed before an actual incident impacts an affected organization.

Tan, a 19-year Singtel veteran, cited two things he's particularly proud of in the 2½ years since the CSI opened.

The first is the immense satisfaction in the growing number of clients – many from overseas – who are participating in the CSI programs. He said that while the CSI is conveniently located near Singapore Changi Airport for arriving guests, training programs, especially for the C-suite and board, can be brought to client sites anywhere in the world. "A few months back, I was in the U.S., then Indonesia followed by Australia and Malaysia," Tan said. "Next week, I'll be in Thailand."

The second is that because of the programs, trainees are asking the right questions – and getting much-needed answers.

That, Tan said, will help them take the right action when the inevitable strikes.