All accepted publications from SPARTA partners under its funding.
Information Sharing in Cyber Defence Exercises
Eduardas Kutka, Aušrius Juozapavičius, Linas Bukauskas, Agnė BrilingaitėAbstract
Availability and easy access to sophisticated cyber penetration testing tools enable exploitation of vulnerabilities in different systems globally. Repetitive nature and recognisable signatures of attacks raise demand for effective information sharing. Timely warnings about cyber incidents in other systems make it possible to identify related attacks locally. International cyber community supports several commercial and open-source threat information sharing platforms. Efficient use of these systems depends both on the quality of submitted information and the ability of the security specialist to receive, interpret, and integrate indicators of compromise into local defence systems. Business stakeholders tend to emphasise the importance of threat hunters, while the information-sharing aspect is overlooked. Therefore, there is a need for professionals who can assess risk levels of cyber incidents in a broad context and share concise information with team members, superiors, relevant institutions, and community. The complex nature of cyber attacks raised the popularity of live cyber defence exercises (CDX), where cybersecurity specialists are trained using simulated real-life scenarios. However, the exercises are mostly oriented towards the development of technical competences. This paper addresses the problem of proper development of information sharing competence during the CDX. We performed a case study of two annual international CDX. Research data were collected using several techniques. First, the participants filled in pre-event and post-event questionnaires. Additionally, each defending team was continuously observed by a dedicated evaluation team member. Finally, incident reports in short and long forms were gathered. We distinguished challenges related to internal team collaboration, information sharing among the teams, and reporting to relevant authorities. Based on the findings, we present a methodology to integrate information sharing into the planning and execution of CDX. The methodology encompasses activities, scoring strategies, scenario recommendations, tools, and communication- encouragement components. The presented enhancement creates an observable added value to the CDX training event.