Live-fire cyber training slashes incident response time
IT teams at the Illinois Office of the Treasurer have been training on a virtual enterprise-grade network defending against sophisticated attacks using their own tools.
Employees at the Illinois Office of the Treasurer working in a web server-heavy environment suddenly noticed that the servers had been taken over and the public-facing websites defaced. Drawing on the cyber defense tools they had at their disposal, they acted quickly to minimize the impact and return to normal operations.
Fortunately, that was just a drill. The office uses Cyberbit’s cloud-based Cyber Range platform to create such live-fire scenarios to give security teams hands-on training to prepare them for real events.
The training is critical because the number of attacks on the office has increased by 800% since 2019, Treasurer’s Office CIO Joe Daniels said. After 18 months of drills, security teams have cut response time from a week to an hour, he added.
The training came about as a way for the office to ensure the protection of the $52 billion in assets it oversees and the state’s ePay program – a round-the-clock full-service electronic program that state agencies use to quickly and securely receive funds. As of January, 37 state, 30 county and 199 city and village agencies in addition to almost 250 others state-affiliated organizations used ePay, the state reported.
“One of the challenges that I found is making sure that your teams who have to respond to this are trained and ready to go,” Daniels said. “We were looking for a platform that allowed our security folks to actually simulate being under attack. It’s super important because if you don’t train that way, you’re not going to be able to defend in the real world.”
Cyber Range serves as a “cyber playground,” Cyberbit CEO Adi Dar said. At the center is a virtual enterprise-grade network. “That means when someone comes to train on our platform, they really enter a live network, which consists of databases and servers and desktops and an internet DMZ.”
The second component is a sophisticated attack machine. Cyberbit’s research team detects real malware and reverse engineers it to use on the network.
“When they enter the playground, they’re using their own tools in order to try to defend the network, meaning to detect the attack before they know what kind of attack it is, and then to mitigate that,” Dar said. “They are doing that on a real virtual environment, which is working on” Amazon Web Service or Microsoft Azure.
Treasurer’s Office staff have trained on the platform weekly for the past 18 months, and the office also helps train local units of government involved in ePay through twice-monthly sessions using another module of the Cyberbit platform called Cyber Labs. Using the Labs, trainees experience the fundamentals of hands-on cybersecurity, while the Range provides a realistic live-fire exercise in which they must solve a complete attack vector.
“The tools that they use in the Lab, they’re real-world tools that most agencies have in place already,” Daniels said, adding that the Lab-based trainings have a waitlist of six months.
“That shows you the need or the desire for people to understand and learn about this environment,” Daniel said. “I think the pandemic showed everyone how reliant on technology we really are.”
The onset of the COVID-19 crisis is when cyberthreats took off, he added, especially because agencies’ technology footprint grew as employees worked from home. “It’s very different trying to protect your assets when you have a workforce that is remote,” Daniels said.
Dar said Cyberbit’s approach to security focuses on people rather than technology because a shortage of cyber professionals is one of the biggest challenges the industry faces. As of Nov. 17, there are almost 600,000 cybersecurity job openings in the United States – about 40,000 of them in the public sector.
Daniels uses the platform to spot skills gaps and trains current workers to fill those.
His goal, with the support of Treasurer Michael Frerichs, is to create a center of excellence for cybersecurity around financial transactions, although there are plans to expand beyond that area starting in January 2022, Daniels said.
“Obviously cybersecurity is going to continue to be a thing,” he said. “We’re going to continue to expand and keep educating. It’s a thing we’re going to have to get better at every day.”