Advanced Cyber Security Center (ACSC) Chief Operating Officer (COO) Jim Dinneen participated in SC Media’s thought leadership panel on the topic of CTI-fueled cyber exercises. Dinneen was joined by Amanda Cody, CISO of the FS-ISAC and Alexandre Dulaunoy, Security Researcher at the Computer Incident Response Center Luxembourg.
While extolling the value and impact of incident response simulations and exercises to organizations across sectors, the panel was asked about the importance of fresh threat intel data, examples of recent initiatives, and key takeaways from such exercises. Below is a summary of Dinneen’s responses. You can watch the full session on-demand here.
Q: Why is it so important to be up to date when you’re performing cyber range and tabletop exercises?
JD: The ACSC works with a group of threat intel directors from our member companies that meet regularly to talk about the challenges of building a program, integrating threat intel streams and being able to consume intel and make it actionable. Having the opportunity to take real-world threats and manifest those in a simulation environment provides a great training opportunity for your front line defenders and blue teamers. We've built that environment for our members via our partnership with SimSpace.
Q: Can you talk about some of the recent initiatives your organization has been involved in?
JD: Our position has always been that our adversaries are out there collaborating, and the good guys need to do the same. ACSC is regional, not because the threats are regional, but because it gives us an opportunity to get together in person, build trust and empower sharing. We’re trying to foster that network.
We run an annual tabletop exercise. In years past we’ve focused on nation state threats, looking at reputational damage. We’ve looked at ransomware on third party providers and how those can impact an organization. Building on that, we’ve moved to the cyber range capability to give the front line defenders the same type of experience - to see what lateral movement in a network might look like and how they might go about detecting and identifying that. Our members get significant value from this collaboration. It’s all about providing a safe venue where folks can discuss with their peers who have different perspectives.
Q: How do you turn intel into action?
JD: There’s a litany of sources out there and it’s difficult to get good context and ensure you have quality data for quality outputs to build your intel feed. The most sophisticated operations out there have a purple team they’ve built where they bring their red and blue teams together to engage and learn from one another. Being able to build an effective purple team process out of your threat intel inputs is critical to building higher level security status.
Q: How do you assess how you’ve held up against the threat you were simulating?
JD: Holding a post-mortem that runs through your pain points is important. You need to be able to run through your incident response plan and regularly refresh it. But also, realizing that cyber range simulations and exercises not only sharpen individual skills – they also build stronger teams and improve communication. Bringing together threat intel, making it actionable and being able to train your team on it is invaluable. It’s a core part of developing defender capabilities.
Watch the full session, Threat Intel: A Key to Demystifying Network Security, on-demand, and learn more about the cyber range opportunity.