To effectively address threats to the defense industry, cyber warriors prepare for battle.
Cyberspace is so large that it has become not only its own ecosystem but its own battlespace, as well.
To help position companies against cyber-attacks and practice preparedness, Boeing conducted the inaugural Defense Industry Cyber War Game in August 2017. The exercise, which was the first of its kind, provided an opportunity to examine and address a large number of different cyber-attack methods that can occur simultaneously and, if left unchecked, accelerate out of control.
Boeing led and hosted the exercise, which featured participants from BAE Systems, Lockheed Martin, Northrop Grumman and Raytheon, all of whom are members of the U.S. Defense Industrial Base.
Members of these companies work in the same fast-paced, chaotic, and continual cybersecurity attack environment as our government and military customers. Through the exercise, participants were able to engage in a cyber-based drill designed to test and validate their company’s ability to successfully respond to a cyber-attack. It also tested their respective abilities to share information effectively and quickly, both internally and externally.
The companies and players were placed on a joint defense program, working in a shared collaboration space. These conditions debunked the myth that incident response is driven exclusively by technicians, and showed the broader group of stakeholders engaged in the incident resolution, including board of directors, chief information security officers, and legal and communications representatives. The exercise also challenged conventional lines of authority, as the adversary leveraged four different attack vectors, crossed organizational hierarchies, and incorporated simultaneous events, actions and requests. This operational cadence encouraged proactive communication as the best method to spread awareness of the threat and how to combat against it.
The day-long exercise, comprising two scenarios modeled after real-world events, encompassed both large-scale ransomware and destructive attacks. The adversaries were indicative of today’s nation-state-sponsored actors, and were characterized as highly capable, motivated and intent on achieving military parity with the United States through a combination of economic and intellectual property espionage. The adversaries were also seeking to reduce the United States’ ability to produce and deploy key technologies through destructive attacks.
The methodologies employed by the threat actors were aligned to real-world trends and had deployments both through cyber and physical means, including spear phishing, compromising a downstream supplier, infecting an update patch, and theft of sensitive printed documents.
The adversaries attempted to gain access by leveraging an insider with access to the shared lab environment, and through various hacking techniques to gain remote access.
This combination of internal and external attack vectors highlighted the necessity for awareness across organizational and traditionally defined boundaries. Similarly, the ability to maintain persistence and use diversionary tactics was employed as a means to induce stress and add complexity to the scenario while maintaining realism.
Adding to the realism, the exercise was modeled on the current geopolitical environment. Escalating tensions surrounding the deployment of missile defense capabilities provided not only foreshadowing for impeding retaliatory actions, but set the stage for collusion among various nations—a concern among all critical infrastructure sectors.
A vigorous information campaign ensued that sought to draw out potential threats, forcing intelligence teams to analyze the significance of these communications within the context of their respective organizations, as well as provide a basis for organizational messaging and operational decision-making. Additionally, as social media and news reporting gained momentum surrounding the potential incidents, customer queries began to mount, introducing another level of complexity into the scenario.
The findings from the Cyber War Game illustrated many positive trends, chiefly the strong understanding of the technical steps needed to investigate and respond to a cyber-security incident.
Each organization recognized and embraced the need to adhere to defined processes and procedures. Additionally, the participating companies had incident response playbooks that formalized their approach, enabling a common understanding of community best practices.
Future focus on executive-level response planning was emphasized by the companies, as was the integration of all physical and cybersecurity data to reduce response times. The war game exercise truly illustrated the importance of understanding when to report an incident and how this can reduce liability. It also showed that collaborating enables priorities to be set and reduces confusion across the board.
By Al Lewis, Cyber Intelligence and Analysis Manager, Boeing Information Security