How Does Cyber Range Training Prepare SOC Teams for the Next Attack?
By Dr. Edward Amoroso, TAG Cyber
This blog series from TAG Cyber focuses on why security operation center (SOC) teams should engage in regular cyber range training to simulate live-fire incidents, measure and reduce risk, and improve individual and team effectiveness. The Cloud Range platform is used throughout the blog series to illustrate world-class range training for these teams. Check out the first blog here.
Cyber range training has now become an essential tool to prepare SOC teams for emerging threats that involve new offensive tactics and techniques. This article illustrates this type of cybersecurity preparation in the context of the commercial Cloud Range offering.
From a logical perspective, cybersecurity has always been focused on preventing attacks — or at least on being as prepared as possible for the next attack. When training is done comprehensively and proactively, the abilities and insights gained can help teams better defend against what is coming next.
SOC teams must keep these important perspectives in mind as they plan exercises and engage in training. Otherwise, training will be piecemeal and reactive, which is a problem on multiple levels. Specifically, you don’t want the first time your SOC team sees an attack to be when one is happening. That’s too late.
Importance of Simulation
It is valuable to train on attacks in a simulated environment versus on production systems, so the team will be prepared to detect them and respond accordingly. Since the size, scope and intensity of potential attacks will vary widely, SOC teams need to establish a comprehensive simulation program that involves an assortment of scenarios with multiple tactics and techniques.
Security leaders should require any commercial cyber range training to offer a library of live-fire attack scenarios in a hyper-realistic environment. Such a library should accommodate teams of varying sizes and experience levels and should provide guidance to the team as needed. The scenarios also should include a way to measure how the team is doing, what it should be doing next, and how to improve individual skills to prepare the team for the next group exercise.
How Simulations Are Derived
Simulations are developed based on what happens “in the wild.” Every cyberattack uses certain tactics, techniques, and procedures (TTPs), which are documented and analyzed to understand how the bad actors created and executed the attack. Because they have been documented, they can be recreated. That is when the threat intelligence gets codified into a cyber range library. It becomes a simulated scenario that allows teams to safely practice detecting and responding to the attack.
This has the desirable result that when such attack methods emerge in the field, the trained team is no longer new to the approach (see Figure 1 below).
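To make the "codified TTP" idea concrete, here is an added example (my own illustration, not Cloud Range's software or its scenario format): a toy scenario library entry assembled from documented ATT&CK techniques, plus a scoring function that turns the team's logged detections into the measurements a SOC lead wants after an exercise, namely coverage, time to detect per technique, missed and slow techniques, and time to contain. The inject timings, telemetry strings and team responses are constructed sample data; the technique IDs are real ATT&CK identifiers.

```python
"""Toy cyber range scenario library and exercise scoring.

Added illustration, not Cloud Range's code or format. A scenario is a list of
injects derived from documented TTPs; ATT&CK IDs are real, everything else is
constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Inject:
    """One attacker step fired into the range at an offset from exercise start."""
    technique: str   # ATT&CK technique ID
    name: str
    fired_at: int    # seconds after exercise start
    telemetry: str   # what the range emits for this step (constructed)


@dataclass(frozen=True)
class TeamEvent:
    """A detection or containment action the team logged during the exercise."""
    at: int          # seconds after exercise start
    technique: str
    action: str      # "detect" or "contain"


# Constructed scenario: phishing -> PowerShell -> credential theft -> lateral movement.
SCENARIO_CRED_THEFT = [
    Inject("T1566.001", "spearphishing attachment", 0,
           "mail gateway: macro-enabled attachment delivered"),
    Inject("T1059.001", "PowerShell download cradle", 120,
           "EDR: powershell.exe -enc ... IEX(New-Object Net.WebClient)"),
    Inject("T1003.001", "LSASS memory dump", 600,
           "EDR: handle to lsass.exe opened with PROCESS_VM_READ"),
    Inject("T1021.002", "SMB admin share lateral movement", 900,
           "Windows security 5140: ADMIN$ accessed from workstation"),
]

# Constructed team log for one run of the scenario.
TEAM_RUN_1 = [
    TeamEvent(50, "T1003.001", "detect"),    # logged before the inject fired: noise, not credited
    TeamEvent(300, "T1059.001", "detect"),   # encoded PowerShell alert triaged at +5 min
    TeamEvent(1500, "T1021.002", "detect"),  # lateral movement noticed ten minutes after it started
    TeamEvent(1620, "T1021.002", "contain"), # source host isolated
]


def score_exercise(scenario, team_events, slow_threshold=300):
    """Compare the team's logged events with the scenario's injects.

    A technique counts as detected only if a "detect" event for it was logged
    at or after the inject fired; time to detect is measured from that firing.
    """
    ttd, missed = {}, []
    for inj in scenario:
        hits = [e.at - inj.fired_at for e in team_events
                if e.action == "detect" and e.technique == inj.technique
                and e.at >= inj.fired_at]
        if hits:
            ttd[inj.technique] = min(hits)
        else:
            missed.append(inj.technique)
    contain = [e.at for e in team_events if e.action == "contain"]
    first_fire = min(i.fired_at for i in scenario)
    return {
        "coverage": len(ttd) / len(scenario),
        "mean_ttd": mean(ttd.values()) if ttd else None,
        "ttd": ttd,
        "missed": missed,
        "slow": sorted(t for t, s in ttd.items() if s > slow_threshold),
        "time_to_contain": (min(contain) - first_fire) if contain else None,
    }


def next_focus(result):
    """Techniques to drill next: everything missed, then everything detected slowly."""
    return result["missed"] + [t for t in result["slow"] if t not in result["missed"]]


if __name__ == "__main__":
    report = score_exercise(SCENARIO_CRED_THEFT, TEAM_RUN_1)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("drill next:", next_focus(report))
```

The point of the harness is that the same scenario can be replayed against a second run: a team that drills the missed techniques should show the initial access and credential-theft steps moving from "missed" into the detected set, with a falling mean time to detect, which is the kind of before/after measurement a range program needs to show it is reducing risk rather than just running exercises.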
Cloud Range Training
Commercial vendor Cloud Range offers a strong portfolio of attack scenarios, instruction, and metrics to support its cyber range simulation training for teams. The experts at Cloud Range provide the type of SOC cyber range training that ensures teams are prepared if they see an emerging threat in the wild. By staying up to date on new tactics and techniques, SOC teams will be ready to defend against their next cyberattack.
The key to preparing a SOC team for new and relevant offensive strategies is to have them work in a replica of the organization's live environment. Cloud Range's cyber range includes commonly used security tools, real-time alerts, and other components so that users in both IT and operational technology (OT) roles experience a realistic setting. Cloud Range refers to the injection of relevant attacks into this setting as a live-fire environment, which seems a suitable term. Buyers of cyber range training should confirm that this type of attack injection is part of the training experience.
Advice for SOC Teams
TAG Cyber advises security leaders and SOC teams to adopt a regular program of cyber range training to improve their preparedness, and finds that the Cloud Range offering would be a wise choice to include in the source selection process. Teams will see better results against new attacks and gain considerable benefits from focusing on developing their people.
Stay tuned for the next blog in this series in two weeks!
Contact Cloud Range to learn more about preparing your team with cyber range training.
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 500 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth insights, market analysis, consulting, and personalized content based on thousands of engagements with clients and non-clients alike—all from a practitioner’s perspective.
Copyright © 2023 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.