In part one of this two-part blog series, we explained why training the individual is critical. An organization’s people are its first line of defense against cyber attacks, and therefore must be trained on behaviors and skills to keep the organization secure. However, it’s also important to train the entire team to work together and collaborate. Below we’ll explore a team approach to cybersecurity training and how it can support securing the business.
Team cybersecurity training
Now, suppose that all your staff are proficient in their individual tasks. You may be tempted to think training is taken care of, but how do you know that your staff can work together to solve complex problems? You certainly don't want to wait until a major incident to discover you have a collection of silos of expertise instead of a cohesive, effective team.
One of the best ways to train as a team is to develop runbooks, which are step-by-step procedures that your team uses to accomplish common tasks. For example, you may have an incident response runbook for dealing with malware infections that looks something like this:
- Isolate the infected device from the rest of the network (network containment via EDR or a quarantine VLAN rather than powering it off, so volatile evidence such as memory and active connections is not lost).
- Locate the malware and send it to reverse engineering for analysis (as a password-protected archive, never as a bare executable, so it is not accidentally run or stripped by mail filters along the way).
- Extract indicators of compromise (IOCs) such as file hashes, domains and IP addresses, and sweep DNS, proxy and endpoint logs for them to find other infected devices.
- Create detection signatures and block rules based on the IOCs to catch and prevent future malicious activity.
- Capture a forensic image if one may be needed later, then wipe the infected device and restore it from a backup taken before the infection.
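As an added example (not code from the original post or from IronNet), the following script shows what the IOC extraction and fleet-sweep steps of the runbook above look like when they are automated rather than passed between people by hand. The analyst notes, the log lines and the host names are constructed for the example; the log format, the `patient_zero` parameter and the Sigma-like rule layout are assumptions, not any particular product's API.

```python
"""IOC extraction, fleet sweep and rule generation for the malware runbook.

Added example; all notes, hosts and log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed notes handed back by the reverse-engineering team (not real data).
ANALYSIS_NOTES = """
dropper.exe sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
C2: beacons to update-cdn-check.example over TCP/443 every 300s
Second stage pulled from 203.0.113.45 (path /img/logo.png)
Persistence: scheduled task "SysHealthCheck"
"""

# Constructed log lines from DNS, proxy and EDR sensors; the assumed format is
# "<timestamp> <host> <source> key=value ...".
FLEET_LOGS = """\
2024-05-02T10:14:03Z ws-042 dns query=update-cdn-check.example
2024-05-02T10:14:05Z ws-042 proxy dst=203.0.113.45:443 bytes=8812
2024-05-02T10:15:40Z ws-017 edr image=C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2024-05-02T10:21:00Z ws-099 dns query=www.example.org
2024-05-02T10:22:17Z ws-103 dns query=UPDATE-CDN-CHECK.example
2024-05-02T10:23:44Z ws-099 proxy dst=198.51.100.7:443 bytes=120
""".splitlines()

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# File names like dropper.exe or logo.png also look like domains; drop them.
FILE_EXTS = {"exe", "dll", "ps1", "bat", "zip", "png", "txt"}
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<rest>.*)$")


def extract_iocs(notes):
    """Pull hashes, IPs and domains out of free-text analyst notes."""
    text = notes.lower()
    return {
        "sha256": set(SHA256_RE.findall(text)),
        "ipv4": set(IPV4_RE.findall(text)),
        "domain": {d for d in DOMAIN_RE.findall(text)
                   if d.rsplit(".", 1)[1] not in FILE_EXTS},
    }


def parse_line(line):
    """Split one log line into (timestamp, host, source, {field: value})."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return m["ts"], m["host"], m["source"], fields


def sweep(iocs, log_lines, patient_zero):
    """Match whole field values (not substrings) against the IOC sets.

    Returns (hits by host, hosts other than patient zero that matched).
    """
    hits = defaultdict(list)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _source, fields = parsed
        values = {v.lower() for v in fields.values()}
        if "dst" in fields:  # proxy destinations carry a port; compare the address too
            values.add(fields["dst"].rsplit(":", 1)[0])
        for kind, known in iocs.items():
            for value in values & known:
                hits[host].append((ts, kind, value))
    new_hosts = sorted(h for h in hits if h != patient_zero)
    return dict(hits), new_hosts


def dns_rule(iocs, title):
    """Build a Sigma-like detection rule dict for the C2 domains (layout assumed;
    the query field name depends on the log source you feed it to)."""
    return {
        "title": title,
        "logsource": {"category": "dns_query"},
        "detection": {"selection": {"query": sorted(iocs["domain"])},
                      "condition": "selection"},
        "level": "high",
    }


if __name__ == "__main__":
    iocs = extract_iocs(ANALYSIS_NOTES)
    hits, new_hosts = sweep(iocs, FLEET_LOGS, patient_zero="ws-042")
    print("IOCs:", iocs)
    print("Hosts to isolate next:", new_hosts)
    print("Rule:", dns_rule(iocs, "Known C2 domain lookup"))
```

Two details matter here. Matching is done on whole field values rather than substrings, so a block on `evil.example` does not fire on `notevil.example`, and values are lower-cased because DNS queries arrive in mixed case. The patient-zero host is excluded from the "new hosts" list so the team can focus on infections it did not already know about.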
Note that this runbook requires multiple staff members to coordinate and synchronize their actions. Who locates the malware and how is that done? How is the malware safely transmitted to the reverse engineering team? How, when, and to whom do they report the IOCs? Fortunately, everyday security operations offer an abundance of opportunities to train as a team. The challenge is to ensure you have a defined leader (maybe yourself) observing, coaching and, when necessary, correcting the team. Too frequently, we all get so caught up in the fight that we miss opportunities to assess and develop the team.
Of course, we will need our teams trained to handle events that happen only rarely (perhaps never to date). When was the last time you trained your security team to handle a large-scale data breach? This is where exercises, tabletop or hands-on, can come in handy. Annual testing of your disaster recovery or business continuity plans offers a great opportunity for team training. In addition, you really should be running quarterly incident response tabletop exercises using challenging scenarios (ideally identified during your risk analysis process).
Collective cybersecurity training
Once you have your individual and team training programs up and running, where do you go from there? The answer is to involve external parties in your training. Suppose a threat actor was targeting organizations like yours within your sector. Would you be able to collaborate with others in order to prevent or detect the attacks? What about island-hopping attacks within your supply chain? Collective defense training allows you to identify ways in which you can collaborate with other organizations, companies, and stakeholders to help each other out.
As an example, we at IronNet recently conducted collective defense exercises for the electric power and financial services sectors. The scenario involved a threat actor deploying a novel ransomware that evaded signature-based detections. Working together with other organizations, the participants were able to piece together the puzzle and determine that suspicious events were actually malicious. Any one participant would have struggled to find the adversary, but working together it was done in a matter of minutes. That’s the power of collective defense.
Regardless of your resources, training is a crucial enabler to the success of any organization. As you develop your cybersecurity training programs, you should ground them on your objectives, and then think of them in two dimensions: scope and priority. The scope dimension describes who’s involved: individual, team, collective. The priority dimension gives you room to grow over time: must-have, should-have, and could-have skills. Together, they allow you to tailor your training programs to your needs and resourcing.
To learn more about IronNet cybersecurity training, visit IronNet.com.