Facilitated Cybersecurity Wargames

Numerous armed forces have successfully executed wargames since the 1800s for educational purposes, for
the evaluation of readiness, and to inform future acquisition strategy and planning. Wargames provide
a controlled and facilitated environment that generates invaluable insight into potentially difficult
situations. Wargame audiences are treated as participants rather than mere spectators and are expected
to make and defend their decisions as well as interact with other participants. Wargames can also create
a controlled, dynamic tension among participants that helps identify potential conflicts so they can
be resolved before a real-life situation arises. Throughout the entire wargame process, human controllers
actively monitor each customized scenario to drive the game toward predetermined learning
objectives.
There are different types of wargames, distinguished by the desired level and size of the participant group
and by the scope of the scenario. Levels of participation vary from hands-on technical skills to high-level
management risk analysis. The number of participants can range from a handful of individuals to tens
of thousands of players working in conjunction. Scenario scope ranges from local environments to
international interactions and coalitions. Generally, there are three categories of wargames.

Sylint Group Cyber Wargame Approach


Cybersecurity wargames that concentrate on technical skills are usually associated with the discovery
of, and/or response to, a cybersecurity incident or breach and involve an organization's Incident Response
Team. An intermediate-level wargame, designed for organizational planning, focuses on
cybersecurity incident response plans, policies and resources and consists of IT management and other
Incident Response Team leaders. A senior management level wargame focuses on organizational
cybersecurity risks as a component of the organization's enterprise risk and involves oversight of
established policies, plans and resources. The emphasis of this level of wargame is to examine the
organization's ability to maintain operational requirements during a cybersecurity incident and to
quickly resolve associated issues. It is usually conducted with a small group of high-level senior
management, such as C-Staff and the Board of Directors.
Cybersecurity wargames can be a powerful tool for dealing more effectively with an
uncertain future and its associated risks. Wargame players are exposed to potentially unexpected
and unpredictable events, including embarrassing ones that have consequences. New perspectives
gained from exposure to challenging events can be incorporated into budget decisions and lines of authority.
Sylint Group facilitated cybersecurity wargames are constructed around the unique characteristics of
each organization: its roles and responsibilities, network environment, and risk tolerance level. Sylint's
wargames are facilitated by a team led by a retired USAF Brigadier General who has significant
experience in conducting wargames at all levels, including the operational capability certification of
the Air Force Cyberspace Component Command and US Cyber Command. The following attachments
further describe the three levels of cybersecurity wargames with regard to concept, audience, objectives
and methodology.

Tactical or Technical Level Cybersecurity Wargame


Concept: Assess the organization's Cybersecurity Incident Response Team technical skills and assets to
successfully respond to cybersecurity incidents.
Target Audience: Incident Response Team manager and assigned technicians.
Objectives:
- Validate team member familiarization with anticipated duties and required tasks
  o Incident Response Plan activation events and procedures
  o Potential incident/breach scenarios
  o Current threat tactics and methodologies
- Practice technical skill sets as individuals, and collaborate, coordinate and integrate results
  within the Incident Response Team to produce an effective and efficient synergistic effect
- Validate network documents/diagrams
- Validate individual skill/knowledge level
- Determine additional education requirements
Methodology:
- Prior to cyber wargame:
  o Sylint review of available Incident Response Plan and available assets
    * Team composition
    * Documented Incident Response Plan
    * Network diagrams
    * Log capability and storage
    * Backup capability and storage
  o Creation of customized task-based technical scenarios
- Cyber wargame:
  o Concept-focused, with custom solution discoveries based on the uniqueness of the organization
  o Actual Incident Response Team walkthrough of Incident Response Plan activation and
    procedures
  o Facilitated Incident Response Team discussion regarding anticipated threat scenarios
    and capability
  o Facilitated breach scenario
    * Discuss plan of action with Incident Response Team
    * Provide training material for Incident Response Team to determine indications
      of potential threats and tactics
  o Facilitated scenario debriefing
    * Prioritized areas for potential improvement

Operational or Management Planning Level Cybersecurity Wargame


Concept: Assess the organization's Incident Response Plan and associated procedures with regard to its
unique operations, responsibilities and network environment.
Target Audience: CIO or senior management spokesperson/representative to the Incident Response Team,
and all Incident Response Team leaders. Incident Response Team leaders usually represent the various
organization departments that may have significant interests or roles in a potential cyber breach or
incident.
Objectives:
- Validate team member familiarization with anticipated duties and required tasks
  o Incident Response Plan activation and procedures (means of notification)
  o Potential incident/breach scenarios
  o Current threat tactics and methodologies
- Validate that the appropriate organizational departments are represented
- Validate communication procedures and criteria for notification of senior personnel
  o Internal to organization (other department heads, legal, C-Staff or Director level)
  o External to organization (other parallel organizations, regulatory agencies, law
    enforcement, media)
- Determine additional resource and education requirements
Methodology:
- Prior to cyber wargame:
  o Sylint review of available Incident Response Plan and available assets
    * Team composition
    * Documented Incident Response Plan
    * Network diagrams
    * Log capability and storage
    * Backup capability and storage
  o Creation of customized task-based operational level scenarios
- Cyber wargame:
  o Actual Incident Response Team leaders' walkthrough of Incident Response Plan
    activation and procedures (means)
  o Facilitated Incident Response Team discussion regarding anticipated threat scenarios
    and capability
  o Tabletop facilitated breach scenario
    * Discuss plan of action with Incident Response Team leaders, with periodic breaks
      for specific focus area discussions
    * Review of potential breach magnitude indicators
    * Review of potential breach notification issues/requirements
    * Discussion of communication plan
  o Facilitated scenario debriefing
    * Prioritized areas for potential improvement

Strategic or Senior Management Level Cybersecurity Wargame


Concept: Enhance senior management's knowledge of potential cybersecurity risks and validate
that their current organizational policies, procedures and resources are aligned with their desired risk
tolerance levels.
Target Audience: Director level and senior management, including the CIO/senior IT spokesperson.
Objectives:
- Familiarize audience with potential cybersecurity risks
  o Potential incident/breach scenarios
  o Current threat tactics and methodologies
- Review alignment of organizational and cybersecurity strategies with risk tolerance levels
- Familiarization with communication procedures and criteria for notification of senior personnel
  o Internal to organization (other department heads, legal, C-Staff or Director level)
  o External to organization (other parallel organizations, regulatory agencies, law
    enforcement, media)
- Determine any potential additional cybersecurity resource and education requirements
Methodology:
- Prior to cyber wargame:
  o Sylint review of organizational and cybersecurity strategy documents and available
    cybersecurity assets
  o Creation of customized strategic level risk focus areas
- Cyber wargame:
  o Restricted to a small audience (to encourage free thinking and open discussion)
  o Facilitated cybersecurity risk discussions of senior level focus areas:
    * Review of anticipated threat scenarios and capability
    * Review of potential breach magnitude indicators
    * Validation of the senior management point of contact and the
      responsibilities/anticipated roles of other senior management
    * Review of potential breach notification issues/requirements
      - Internal to organization
      - External to organization
        o Other executive government agencies (non-law enforcement)
        o Congress
        o Media
        o Law enforcement
    * Review of potential regulatory requirements
    * Discussion of communication plan, especially the means of providing updates
  o Facilitated scenario debriefing