Is it strange that cybersecurity companies would be called to share their expertise in a military simulation of today’s digital battlespace? The answer seems to be a resounding no.
However, despite being civilian organisations that don’t drill cyber military scenarios, full-stack cybersecurity companies treat every day as the real thing: malware researchers, threat monitoring analysts, and product R&D teams work in shifting combinations to help set up and test our clients’ IT security and to monitor for and deter threats. To be successful, our teams must master an agile, phalanx-like approach to protect the collective of online users.
The phalanx, an ancient box-like formation that enabled Rome’s heavy infantry, composed of citizen-soldiers, to rapidly form ranks into a tight defensive structure of overlapping shields, is a well-chosen muse for Locked Shields, the annual cyber-wargaming event organised by the NATO Cooperative Cyber Defence Centre of Excellence. Locked Shields, together with the phalanx that inspired it, is the perfect bridge between today’s digital present and the analog past, demonstrating that trojan horses and other ancient battle tactics are still relevant in today’s battlespace.
Our forces and kit
On April 24-25, more than 60 ESET system engineers, security monitoring analysts, malware researchers and analysts, and communications specialists formed ranks with defenders from the Slovak and Hungarian military and the private sector to defend our assigned battlespace within a virtual nation named Berylia against massive cyberattacks designed to cripple the country and create public unrest.
Underpinned by this year’s Locked Shields theme “Collaboration is our protection”, our citizen-soldiers used their skills, experience, and toolsets to achieve fourth place out of 18 teams. To give a further sense of scale, the simulation brought together over 4,000 participants from 39 countries to deliver the largest Locked Shields event yet.
Along with our on-loan cyber warriors and their significant professional experience, ESET brought several pieces of critical kit to the simulated battlespace:
- ESET PROTECT: Our comprehensive AI-native multilayered security platform. With the ESET LiveGrid and LiveGuard (Advanced) layers enabled, PROTECT was deployed in its most potent configuration.
- ESET Inspect: The mature XDR-enabling detection and response module of the ESET PROTECT Platform.
- ESET Threat Intelligence (ETI): Actionable, globally sourced telemetry and threat data that help our researchers, threat hunters and engineers keep their edge against the tactics, techniques, and procedures (TTPs) of the simulation’s red team.
Setting up defences
Team Berylia was given a few windows of time to explore the virtual battlespace and calibrate tools before the hostilities began. This meant establishing the processes of:
- Executing a flawless and record-fast deployment of ESET endpoint security solutions, the ESET Inspect agent, and other security agents.
- Creating a triage (prioritisation) for the configuration of all the specialised IT systems Team Berylia would use to manage the power grid, gas distribution, air defence, satellite, 5G, and situational awareness systems, to name a few.
- Calibrating ESET Inspect detections to Berylia’s network, thus reducing noise and giving our defenders the time to allocate threat monitoring and remediation capacity to where the battle dictated it was most needed.
That simulated battle would then be played out across two maps: a satellite/cartographic map and, simultaneously, a map of areas of concern. These “areas of concern” symbolised the collective IT ecosystems relevant to the military, government, energy infrastructure, and neutral parties, representing the critical structures of a nation experiencing a cyberwar.
Communication and legal support
The exercise included elements highly relevant to a security vendor’s daily business-as-usual. For example, ESET, and others, supplied communications experts who were tasked with preparing reports, such as the SITREP (situation report), used to help defenders keep track of the cyber situation and the status of all capabilities, and the CTIREP, which provides an evidence-based analysis of emerging threats.
In parallel, the legal team managed cooperation agreements between infrastructure operators in Berylia – and their cross-border allies – to share electricity and provided counsel to ensure defensive operations remained adherent to international law.
What we learned about ourselves and our tools
We successfully rebuffed all network attacks on the firewall and against the following systems: air defence, gas distribution, and power grid. In addition, the defenders quickly hunted down most of the pre-planted backdoors, both known and custom, severely limiting the usefulness of this attack vector for the red team. Unfortunately, a simulated thunderstorm took down our power grid.
But fortune smiles upon the prepared. Our communications and legal teams, together with the power grid operators, were able to mitigate the impact in a great demonstration of teamwork and coordinated operations between multiple blue teams. This was proof that a phalanx can still be deployed, even in the modern hybrid battlespace. Cooperation with the friendly neighbouring team happened in two key ways:
First, quick communication, legal analysis, and agreements with neighbouring power suppliers allowed the electricity supply to be restored.
Second, we provided these neighbours with ongoing threat intelligence derived from the attacks we had already experienced.
Prevention-first
This collaborative defence approach was backed by the sharing of IoCs via the MISP server, which provided mutually enriching data points for threat hunting by all blue teams.
In short, this cyber battle simulation was an intensely immersive experience for all the technologists involved, be it threat analysts trying to understand tactics in order to anticipate the next stages of an attack, or engineers configuring cyber defences. Locked Shields is proof that our experts, well-versed in operations on the digital frontlines, can drop the normal constraints of cybersecurity for business and partner within both national and European defence structures when called upon.
Looking back on Locked Shields 2024
With collaboration being the focus of the 15th annual exercise under the motto “Collaboratio tutela nostra est,” ESET supplied the Slovak-Hungarian team with defensive capabilities which particularly contributed to the team’s top three placings in:
- Cyber threat intelligence
- Client-side protection
- Forensics
- Strategic communications
Taking fourth place out of 18 participating teams, each made up of similarly composed cross-country units, the Slovak-Hungarian team successfully achieved its strategic objectives, building not only on expertise and state-of-the-art security technologies but, most importantly, on communication and intensive cooperation between the participants.
Likely considered underdogs by many, we punched well above our weight and tested ourselves and our security technologies to the limit. ESET considers this fertile ground for new ideas, further collaboration experience and a great demonstration of the reasons why we’ve been successful at protecting progress for more than 30 years.