This week has seen the third edition of ictQATAR’s Cyber-Security Drill, STAR-3. Conceptualized by ictQATAR and held at Qatar University, the event is a role-playing exercise that places IT security teams from nearly 50 of Qatar’s leading corporations and government departments into a simulated business environment facing a series of unexpected cyber-threats, while trying to maximize profit and maintain confidence. The idea is to build a cyber defense strategy by making choices from amongst the best proactive and reactive controls available.
Every reaction made by the teams to the unfolding events changes the way the scenario plays out, and ultimately how much profit the company makes… or fails to make. Balancing engineering, business, and security priorities against the cost of a realistic cyber-attack, the teams analyze data and make strategic decisions based on uncertain information and limited resources. If that sounds realistic, it should do, because each of the scenarios is based on real-life events.
The game takes place over five to nine rounds. For government organizations, the aim is to preserve reputation and build trust. For businesses, their five rounds are geared towards a potential maximum profit of $200,000 per round. Teams strive to retain as much of that profit as possible by selecting actions from a set of action-cards given to them at the start. Each action comes with a cost to be deducted from a set operating budget. Some of the actions are simple and cost-free, such as changing passwords. Others come at a price – like installing automated patch management systems or conducting training – which can run into tens of thousands of dollars. Teams have to decide on the right moment to play their cards within set times and with changing information.
Threats vary over the different sessions, opening, for example, with a Shellshock vulnerability announcement, while later rounds introduce mobile malware, cyber-ransom, social engineering and BSOD-causing malware.
The organizers, Q-CERT, are at pains to stress that this is not a competition: there are no winners or losers, and none of the companies’ true identities are revealed. But with the intensity of the clock ticking down – and updates on the total profit for each team screened at the end of each round – there is always plenty of cheering, back-slapping and high-fiving to be had. No team, according to the organizers, has ever made the perfect score of one million dollars – the top teams here were managing very respectable scores of around $800k, balanced against a benchmark score of $295k for taking no action. And that’s because there is no perfect strategy, just ones that adapt better than others to an ever-changing playing field.
What does emerge from the exercise, though, is that some of the first and most basic strategic decisions you take, such as security audits and training, password changes and patch management, will help enormously with the incident responses you may have to make later on.