Is it strange that cybersecurity companies would be called to share their expertise in a military simulation of today’s digital battlespace? The answer seems to be a resounding no.
Despite being civilian organizations that don’t drill cyber-military scenarios, full-stack cybersecurity companies consider every day to be the real thing, with malware researchers, threat monitoring analysts, and product R&D teams alternating in various combinations to help set up and test our clients’ IT security and to monitor for and deter threats. To be successful, our teams must master an agile phalanx-like approach to protect the collective of online users.
The phalanx, an ancient box-like formation that enabled classical Greek heavy infantry – composed of citizen-soldiers – to rapidly form ranks into a tight defensive structure of overlapping shields, is a well-chosen muse for Locked Shields, the annual cyber-wargaming event organized by the NATO Cooperative Cyber Defense Centre of Excellence. Locked Shields, and the phalanx that inspired it, is the perfect bridge to connect today’s digital present to the analog past, demonstrating that Trojan horses and other ancient battle tactics are still relevant in today’s battlespace.
Our forces and kit
On April 24-25, more than 60 ESET system engineers, security monitoring analysts, malware researchers and analysts, and communications specialists formed ranks with defenders from the Slovak and Hungarian militaries and the private and academic sectors to defend our assigned battlespace, within a virtual nation named Berylia, against massive cyberattacks designed to cripple the country and create public unrest.
Underpinned by this year’s Locked Shields theme “Collaboration is our protection,” our citizen-soldiers used their skills, experience, and tool sets to achieve fourth place out of 18 teams. To give a further sense of scale, the simulation brought together over 4,000 participants from 39 countries to deliver the largest Locked Shields event yet.
Along with our on-loan cyber warriors and their significant professional experience, ESET brought several pieces of critical kit to the simulated battlespace:
- ESET PROTECT: Our comprehensive AI-native multilayered security platform. With ESET LiveGrid and LiveGuard (Advanced) layers enabled, PROTECT was deployed in its most potent configuration.
- ESET Inspect: The mature XDR-enabling detection and response module of the ESET PROTECT Platform.
Setting up defenses
Team Berylia was given a few windows of time to explore the virtual battlespace and calibrate tools before the hostilities began. This meant establishing the processes of:
- Deploying ESET endpoint security solutions, the ESET Inspect agent, and other security agents.
- Setting up and configuring the IT systems Team Berylia would use to manage the power grid, gas distribution, air defense, satellite, 5G, and situational awareness systems, to name a few.
- Calibrating ESET Inspect detections to Berylia’s network, thus reducing noise and giving our defenders the time to allocate threat monitoring and remediation capacity where the battle dictated.
Based on our experience with providing detection and response services to our customers, we also established other proven processes and tools, deployed across critical areas, that tremendously helped us during the execution phase.
Communication and legal support
The exercise included elements that strongly correlated with a security vendor’s business-as-usual operations. For example, ESET and others supplied communications experts who were tasked with preparing reports, such as the SITREP (situation report), used to help defenders keep track of the cyber situation and the status of all capabilities, and the Cyber Threat Intelligence report (CTIREP), which provides an evidence-based analysis of emerging threats.
In parallel, the legal team managed cooperation agreements to share electricity between infrastructure operators in Berylia and their cross-border allies, and provided counsel to ensure defensive operations adhered to international law.
What we learned about ourselves and our tools
We successfully rebuffed the network attacks on the firewall and against the following systems: air defense, gas distribution, and power grid. In addition, the defenders quickly hunted down most of the pre-planted backdoors, both known and custom, severely limiting the usefulness of this attack vector for the Locked Shields (aggressor) red team. Unfortunately, a simulated thunderstorm took down our power grid.
But fortune smiles upon the prepared. Our communications and legal teams, and power grid operators, were able to mitigate the impact in a great demonstration of teamwork and coordinated operations between multiple (defender) blue teams. This was proof that a phalanx can still be deployed, even in the modern hybrid battlespace. Cooperation with the friendly neighboring teams happened in two key ways:
- First, quick communication, legal analysis, and agreements with neighboring power suppliers allowed electricity supply to be restored.
- Second, we provided these neighbors with threat intelligence derived from the attacks we had already experienced.
Prevention first
This collaborative defense approach was backed by the sharing of indicators of compromise (IoCs) via the Malware Information Sharing Platform (MISP) server, which provided mutually enriching data points for threat hunting by all blue teams.
In short, this cyber-battle simulation was an intensively immersive experience for all the technologists involved, be it threat analysts trying to understand tactics to anticipate the next stages of an attack or engineers configuring cyber defenses. Locked Shields is proof that our experts, well versed in operations on the digital front lines, could drop the normal constraints of cybersecurity for businesses and partner with both national and European defense structures when called upon.
Looking back on Locked Shields 2024
With collaboration being the focus of the 15th annual exercise under the theme “Collaboratio tutela nostra est,” or ‘Collaboration is our protection’, ESET supplied the Slovak-Hungarian team with defensive capabilities that contributed to the team’s top three placings in:
- Cyber threat intelligence
- Client-side protection
- Forensics
- Strategic communications
Taking fourth place out of 18 participating teams, made up of similarly composed cross-country units, the Slovak-Hungarian team successfully achieved its strategic objectives, building not only on expertise and state-of-the-art security technologies but, most importantly, on communication and intensive cooperation between the participants.
Likely considered underdogs by many, we punched well above our weight and tested ourselves and our security technologies to the limit. ESET considers this fertile ground for new ideas and further collaboration experience and a great demonstration of the reasons why we’ve been successful at protecting progress for more than 30 years.