February 14, 2024
Cyber War Games 2023: How CDW Defends Clients in an Always-on Security War
During a two-day event called Cyber War Games, we invited cybersecurity experts from our Security Operations Centre and Risk Advisory Services teams to compete against each other in a simulated cyber battleground. Here are their key takeaways.
The contest
This red team vs blue team contest was held in a realistic cyber environment, powered by cutting-edge technologies from some of our leading security partners. Five teams were formed, each sponsored by a different partner: Palo Alto Networks, Cisco, Sophos, Fortinet and Microsoft.
Each team had to secure its own environment, attack its competitors and defend against their intrusions, following the rules of engagement and expectations set for them.
Teams were judged on how well they secured the infrastructure within their lab environment before shifting to the attack phase. The winning team would be the one that sufficiently hardened its systems during the "defend" phase and compromised its opponents' target asset during the "attack" phase.
Day 1 – Secure the environment
Understand the simulation environment and enable as many security controls as possible.
Day 2 – Penetrate while defending
Attack the environments of other teams while protecting your own.
By the end of Day 2, all teams were expected to submit a report on their offensive and defensive strategies employed during the contest, alongside their environment details. All teams were judged on their final report submissions.
The winners
The contest witnessed some innovative cybersecurity tactics at play. Both the penetration testers and defence architects were expected to wage this intricate battle of strike-and-dodge.
The teams were supervised by our cybersecurity leaders, who were closely involved in the contest. Each team had its own penetration tester, incident response analyst, deployment engineer and solution architect.
While each team was equally competitive, a few of them were able to outsmart the others.
Ultimately, the team codenamed ‘Five Alive’ (led by CDW Principal Security Architect Nyron Samaroo) took the grand prize by exhibiting a formidable combination of active security monitoring and layered security approach. This team came together marvellously to, just as they do with CDW customers, understand their security needs and architect resilient bespoke solutions.
Nyron Samaroo: “We took a layered security approach where we started at the perimeter and worked our way inwards to the data assets that were in scope for a breach. We also ensured that we put proper monitoring capabilities in place to see where the attacks were coming from. Also, I think part of what helped us to win was the collaboration between the team and sharing information about what we saw.”
The ‘Cyber Drop Zone’ team, led by Resty Dagamat, Sr. Security Engineer, won the blue team honourable mention for architecting one of the best defences. His team’s focus on securing the firewall and strengthening the security profiles helped them defend their environment.
Resty Dagamat: “We enabled various security profiles, for example, anti-virus, anti-spyware, vulnerability protection, data protection and zone protection. This helped us mitigate the attacks. We also hardened the firewall because that’s the first line of defence. A duo of shielded network and comprehensive security controls proved pivotal for us.”
In addition, the ‘False Positives’ team led by Bin Bing Wang, Principal FSA, was awarded the red team honourable mention for their striking attack strategies.
From the leader’s console
Let’s dive into how the leaders felt about the contest, their key lessons and useful insights borne out of their experience.
What were some personal learnings for you from the contest?
Reid Nilson: “From my role as a Solution Architect I don’t get a lot of insights into what our Security Operation Centre (SOC) or our Risk and Advisory Services (RAS) teams do on a day-to-day basis. The operational side of the SOC was especially enlightening because I was able to see actual attempts from external parties attempting to exploit a vulnerability on one of our application services.”
Nilson, Principal Security Solution Architect, talked about the valuable opportunity to collaborate with the cybersecurity units and closely witness their internal functioning.
As is the case with many organizations, the leaders may not have full visibility into their teams, which meant they had to work closely together to strengthen their defences.
Nyron Samaroo: “Sometimes we get bogged down with technology and best practices. What I think is that we often lose sight of the things that penetration testers and hackers are doing. Because more often than not, we go in a customer’s environment and configure these things and then leave and the customer is usually the one that has to maintain and operate it.
“So, I think it did highlight some areas that we didn't think about when we deploy some of these security solutions. And I think that could lead to better conversations with our customers on how to better leverage their investment in the technology.”
Wang, whose ‘False Positives’ team earned the red team honourable mention, talked about the importance of adopting a zero-trust approach, which is crucial in preventing both internal and external attacks on a system.
Bin Bing Wang: “The main idea is to massively reduce the attack surface of systems behind the next-generation firewall (NGFW) and inspect all traffic, including encrypted traffic.
The zero-trust approach inherent to more advanced firewalls requires constant validation and authentication for any action within the network infrastructure. This method ensures that every potential threat, whether internal or external, is identified and mitigated.”
How did the exercise display CDW’s cybersecurity prowess?
Nyron Samaroo: “I think collaborating with the team, having different perspectives, different viewpoints, different angles, meaning defence, as well as pen testing just coming together with a single objective.”
Samaroo spoke about one of CDW’s greatest strengths – collaboration. Our diverse team of experts brings value in a variety of experiences that help customers obtain formidable outcomes and not just play-by-the-book solutions.
Reid Nilson: “IT is a constantly evolving practice, and this exercise only highlighted the changes that are happening in the security space. Threat actors are constantly developing new tactics and techniques and it’s up to us as IT practitioners to stay up to date on the latest developments.
“It’s also up to us to realize that we need to stay humble and accept that we don’t know everything, but at the same time be curious to keep seeking knowledge either from your own work or through the experience of those around you.”
Nilson touched upon the need to stay one step ahead of our cyber adversaries by constantly upskilling. The contest offered the team an excellent opportunity to reflect upon their plans for the future, areas of innovation and, at the centre of it, staying humble.
5 key takeaways from the Cyber War Games
1. You can't protect what you don't know
Nilson stresses building accountability for, and awareness of, the organization's IT assets as the foundation of its security posture.
Reid Nilson: “My recommendation would be to ensure that the information related to assets is up to date for the environment. Without a good asset information database, it’s very difficult to determine what needs to be protected within the environment,” he mentioned.
It’s easy to lose sight of IT assets such as virtual machines, network adaptors and firewall rules within an environment, and every asset nobody is tracking is a potential gap in coverage. Nilson suggests assessing the environment before securing it so that no critical assets are missed while tightening security controls.
“The other recommendation would be to complete a risk assessment for the environment; this in combination with the asset information database would give a good starting point for implementation of security controls to protect critical assets from threats,” he added.
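One concrete way to act on both of Nilson's recommendations is to reconcile the asset information database against what discovery actually finds, so that unknown hosts, stale inventory entries and unexpected exposed services surface before controls are designed. The script below is an added example and not code from CDW or the contest; the inventory, hosts and nmap grepable (`-oG`) scan lines in it are constructed for illustration, and `INVENTORY`, `parse_grepable` and `reconcile` are names chosen here, not tooling the page describes.

```python
"""Reconcile a declared asset inventory against network discovery output.

Added example with constructed data: the inventory entries, IP addresses
and nmap -oG lines below are illustrative and do not describe any real
environment.
"""
import re

# Constructed "asset information database": what we believe is deployed and
# which services each host is expected to expose.
INVENTORY = {
    "10.10.1.10": {"name": "web01", "owner": "app-team", "expected_ports": {22, 443}},
    "10.10.1.20": {"name": "db01", "owner": "dba", "expected_ports": {22, 5432}},
    "10.10.1.30": {"name": "legacy-ftp", "owner": "unknown", "expected_ports": {21}},
}

# Constructed nmap grepable output (nmap -sV -oG -): what discovery found.
# Each "Host:" line carries either a Status field or a Ports field; port
# entries are port/state/protocol/owner/service/rpcinfo/version/.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.1.10 (web01)\tStatus: Up
Host: 10.10.1.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.10.1.20 (db01)\tStatus: Up
Host: 10.10.1.20 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 5432/open/tcp//postgresql//PostgreSQL/, 8080/open/tcp//http-proxy//Jetty/\tIgnored State: closed (997)
Host: 10.10.1.45 ()\tStatus: Up
Host: 10.10.1.45 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

# Only open ports matter for exposure; closed/filtered entries are skipped.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_grepable(text):
    """Return {ip: set_of_open_ports} from nmap -oG lines.

    A host that appears only with a Status line (no Ports line) is still
    recorded, with an empty port set, so it is not silently dropped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comments and summary lines
        ip = line.split()[1]
        hosts.setdefault(ip, set())
        for field in line.split("\t"):
            if field.startswith("Ports: "):
                for port, _proto in PORT_RE.findall(field):
                    hosts[ip].add(int(port))
    return hosts


def reconcile(inventory, discovered):
    """Compare discovery against inventory and return three findings lists:

    unknown_hosts    - live hosts nobody recorded (nothing will protect them)
    missing_hosts    - inventory entries discovery did not see (stale records)
    unexpected_ports - known hosts exposing services beyond what was approved
    """
    findings = {"unknown_hosts": {}, "missing_hosts": [], "unexpected_ports": {}}
    for ip, ports in discovered.items():
        if ip not in inventory:
            findings["unknown_hosts"][ip] = sorted(ports)
            continue
        extra = ports - inventory[ip]["expected_ports"]
        if extra:
            findings["unexpected_ports"][ip] = sorted(extra)
    for ip in inventory:
        if ip not in discovered:
            findings["missing_hosts"].append(ip)
    return findings


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_grepable(SCAN_OUTPUT))
    for category, items in result.items():
        print(f"{category}: {items}")
```

On the constructed data the report flags 10.10.1.45 as an unrecorded host exposing RDP, db01 as exposing an unapproved port 8080, and the legacy-ftp entry as stale. Each of those is exactly the kind of item a risk assessment should then score, and each would have been invisible to a control plan built from the inventory alone.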
2. Security needs to be holistic
Cybersecurity is rarely a single function acting on its own, but rather an orchestra of musicians playing together in sync. That is why security must be treated as a holistic practice that considers the entire solution framework, and not just one component at a time.
Nyron Samaroo: “The best approach is to have a game plan that takes into consideration the tools, network design, trust levels, systems, etc. and prioritizes the high-risk targets.”
This approach helps organizations to:
- Reduce the risk of cyberattacks: By identifying vulnerabilities and implementing measures to address them, organizations can reduce the risk of cyberattacks.
- Improve regulatory compliance: A holistic approach to cybersecurity can help organizations comply with industry standards, such as ISO 27001 or NIST Cybersecurity Framework.
- Protect sensitive data: By implementing robust policies and procedures, organizations can protect sensitive data from cybercriminals.
3. Minimize attack surface with zero trust
The attack surface is the set of all points an attacker could exploit to gain unauthorized access to an organization’s systems, applications or data. A zero-trust model treats every user, device and application as untrusted by default and requires each to be verified before it is granted access to any resource.
Bin Bing Wang: “I think understanding your attack surface is one crucial step in building an effective defence against threats. The smaller the attack surface, the easier it is to protect.
“Organizations must constantly monitor their attack surface to identify and block potential threats as quickly as possible. However, doing so becomes difficult as they expand their digital footprint and embrace new technologies.”
“In the Cyber War Games, we assessed our attack surface, built an effective plan to reduce the attack surface and built security controls to monitor and defend against attacks,” he added.
4. The importance of risk assessments
Risk assessments help organizations identify the vulnerabilities that threaten their regular operations and, as a result, their reputation. A cyber risk assessment is the process of evaluating an organization’s threat landscape and the vulnerabilities and gaps across its domains that pose a risk to the company’s assets.
By performing a cyber risk assessment, companies get a clear view of what they are up against in the cyber threat landscape and can devise a security plan to treat those risks.
Bin Bing Wang: “I would recommend an organization to conduct IT risk assessments to understand how your endpoint security protection can protect against cyberattacks, especially endpoint security as the last line of defence.”
It is important to note that a cyber risk assessment is not a one-time event, but rather an ongoing process that requires continuous monitoring and improvement. Organizations should also ensure that their employees are trained on cybersecurity best practices to minimize the risk of human error.
5. Set the right security expectations
Cybersecurity best practices often require organizations to configure checkpoints and restrictions on their IT systems to avoid infiltration, but sometimes, these restrictions can limit functionality. If a certain app within the system keeps logging out users every 10 minutes to validate authentication, it will hinder productivity, causing more harm than benefit.
That’s why it’s necessary to match the security expectations for a system with its intended use. Organizations must configure the security tools and processes with a balanced approach. Overhardening components of an IT ecosystem may make it highly secure, but at the cost of making it more difficult to use.
Nyron Samaroo: “One of the recommendations coming out of this for me would be to maybe have a baseline or to have some expectation around how we build our defence tools in a practical way.
“Sometimes if we go too heavy handed on our restrictions, yes, it may protect us in this particular scenario, but in the real world it may not work.
“While it is important to have strong security measures in place, going overboard with restrictions can lead to usability issues.”
Conclusion
As the contest ended, each participant took away a fresh perspective on each other’s competitive strengths, tearing down the silos within teams. Ivo Wiens, the Field CTO for Security Solutions Architecture at CDW Canada, was one of the judges for the contest. Wiens is heavily involved in helping clients refine their cybersecurity posture and compliance. He reflected on what the contest meant for him.
Ivo Wiens: “The Cyber War Games showcased the collaborative spirit of CDW's cybersecurity teams. These games highlighted the daily hurdles and triumphs of the people we work with, offering a unique perspective that is sometimes overshadowed by the routines.
“It's rare for those who work behind the screens to witness the collective impact of their [coworkers’] contributions. This event bridged that gap, fostering a greater sense of community and shared purpose. By working together in the Cyber War Games contest, we didn't just strengthen our security game – we also strengthened the trust and team spirit that really make us succeed.”