The Value of Attack Simulation: ICS Pulse Podcast, Debbie Gordon, Cloud Range

Cybersecurity Locks
Courtesy: CFE Media

The cliché “practice makes perfect” exists for a reason. Whether your job is to protect operational technology (OT) systems for critical infrastructure or to catch touchdown passes from Patrick Mahomes, it’s essential to be ready for key moments. You don’t want your first experience with cyber defense to be during the throes of a massive cyberattack. Preparing for every eventuality and sharpening your skills can help turn the chaos of a cyber event into something more manageable, reducing systems downtime and saving your organization from reputational and financial damage. ICS Pulse recently talked to Debbie Gordon, founder and CEO of Cloud Range, about why attack simulation is important, whether you’re a Fortune 500 company or a small, mom-and-pop shop. Listen to the full podcast here.

The following has been edited for clarity.

ICS Pulse: Your company does attack simulation essentially. Why is it so important to simulate attacks for companies?

Debbie Gordon: Just like any type of practice, simulation is a way to immerse people into a real live situation or scenario. And it creates muscle memory, it creates situational awareness and it improves their ability to respond to something when it does happen. It is no different than any sport. Cyber defense is a team sport. So whether you think about baseball or football or hockey or anything, you have to practice. Even a team that wins a Super Bowl, they don’t stop practicing. They have to continue to practice and stay in shape. Cybersecurity is a little different because things change. There are new things that they have to practice on. Using simulation is a safe way.

Not only is it safe because nothing is going to break — we’re not attacking a company’s actual network, we’re attacking a replica of it — but it is also safe for the people who are defending because if they’re going through a simulation, they’re allowed to mess up. And they should mess up because in addition to the technical skills that they have to hone, they also have to be more confident. There are a lot of people who have amazing skills who are in cyber defense, but they’re afraid to use those skills if they’re not 100% sure that what they’re doing is the right thing to do. By using simulation, they can test those skills and not only learn new technical skills, but they can test skills and gain the confidence that’s necessary for them to go back and be ready for when something does happen.

ICSP: You don’t want to make that first big mistake when there’s actually a cyberattack, and the stakes are high. When we talked last time, you compared it to flight simulators. You don’t want your pilot’s first experience in the air to be when you’re sitting in the plane.

Gordon: Exact same analogy, yes. As soon as the flight simulator was invented, did anyone not use a flight simulator? No, you cannot. And you’re right, even if somebody understands the process, until they do it, they’re never going to know what it really is.

ICSP: Are you able to share any examples and experiences you’ve seen with other companies, just working with them and different simulation exercises?

Gordon: I have a lot, and it continues to underscore the importance of it. We’ve worked with organizations in many different sectors, both in critical infrastructure and on the data security side, on the OT security side. The one thing that they all have in common is that they need practice, and nobody’s ever done. It’s like golf. Are you ever really done becoming good at golf? No. Same thing in cybersecurity, and people recognize that. They really crave the ability to see things happen that they hear about, but they don’t really know what it looks like.

Organizations need help having people work together to hone those skills. We had one customer a few years ago, their IT (information technology) and their OT people got together for their first simulation, and they had never met. They had never met. It was very indicative about how much room for improvement they had, because they were really just starting a convergence process organizationally. So it was the first step to really stimulating that convergence and helping them realize how important it is.

We had probably about 15 people from the company that were going through a simulation, and they were like, “Oh my gosh, we didn’t even realize that there were conflicting goals.” We were talking about uptime versus data protection, and it was very new to them, but it was necessary. So I’ll tell anyone who’s listening, it’s never too late to start. Getting people immersed in an uncomfortable situation is very necessary because something bad will happen, and people have to be ready for it.

ICSP: I think it’s very easy to assume that in the event of an attack, Debbie is going to do A, and Tyler is going to do B and I’m going to do C. But when you’re in the throes of the attack, sometimes it’s a little chaotic, and you don’t know that you’re supposed to do the task that I thought you were going to do.

Gordon: On top of that, if I’m supposed to do A, I might know that I’m supposed to do A, but I’ve actually never done A. I’ve only read about how to do A. So I think it’s over here, but it’s really over there, and then it all goes to crap at that point.

ICSP: Obviously, major corporations get hit, but there are also these mom-and-pop shops that are getting hit by cyberattacks. What would your advice be for them, because sometimes there’s very limited budgeting? What can they do as a good starting point?

Gordon: Cyber hygiene is No. 1. No one is too big or too small to have good cyber hygiene. So the first thing would be changing passwords, multifactor authentication, things like that. Those aren’t expensive. However, every company should do them. They should be aware of phishing emails, understanding how the bad guys get in, seeing examples. There are a lot of mom-and-pop shops. There are a lot of moms and pops in the world, everyone’s parents. “I don’t know, how did I get hacked?” “Well, did you call the number and give them your social security number when they told you to?”

So it’s awareness and understanding, and that’s easy. I don’t know the statistics, but I would love to say 80% of the attacks can be solved that way. That’s really the best thing, initially, is just hygiene.

ICSP: When you’re doing these simulations, how bespoke is the process? If you’re going into Tyler Wall Technology or Gary Cohen Technology, how much do you need to understand about my systems in order to run an effective simulation?

Gordon: It depends on the organization. A lot of our Fortune 500 customers don’t need much customization because we have all the tool sets that they all use. So any tools that exist in a company’s network from a cybersecurity perspective — whether it’s their system, if it’s QRadar or Splunk, or firewalls from Fortinet, or Palo Alto, or Check Point, or tools like Claroty, Nozomi, Dragos or even things on the PLC (programmable logic controller) and HMI (human machine interface) side — all of those can be configured in our system. Whatever our customer has, we can configure that. And I wouldn’t use the word customization on that. It really is configuration. One of the values that Cloud Range has developed is that we’re able to configure environments very quickly and easily for customers so that the relevant elements of their infrastructure are represented there. It doesn’t have to be a true digital twin for all of them.

In some cases, there are use cases for that. But, remember, we’re not testing and simulating a network to see if we can attack it. We are simulating a network and making it intentionally vulnerable, and attacking it so that the defenders have something to defend against. So it’s different than red teaming, where you want a replica of a network so as to see where the vulnerabilities are. We make vulnerabilities so that the defenders have something to defend against. That’s very important. That’s why when I talk about the last line of defense, it’s not the users who are clicking on an email, or it’s not the infrastructure to see if there’s vulnerabilities and gaps in the infrastructure. It is truly the people who are having to detect and respond to them.