Countdown to shutdown:

IT company opens gym for getting your cybersecurity people in shape

IBM has opened a spiffy new training range for federal agencies who want to sharpen their cybersecurity chops. The X-Force Cyber Range is right in downtown D.C.

IBM has opened a spiffy new training range for federal agencies who want to sharpen their cybersecurity chops. The X-Force Cyber Range is right in downtown Washington D.C. IBM said it is designed for both federal executives and technical security leaders. For details, Federal Drive Host Tom Temin spoke with the leader of IBM’s X-Force Incident Response practice, Troy Bettencourt.

Interview Transcript: 

Tom Temin And what happens in a training range for cyber security? Is it just a big bunch of monitors, NASA style, and what goes on there?

Troy Bettencourt Yes, it is a big bunch of monitors now. So, style, we’d like to think even better. But really it’s not the physical facility, it’s the content and what our facilitators bring. We work really hard with our clients. Historically, we’ve been doing this for over a decade, primarily focused on our commercial clients, and now we’re excited to bring that knowledge to the government, especially with the focus on critical infrastructure. Lately, all the news, articles, hospitals, pipelines, utilities being attacked, this is a great opportunity. One of the key differentiators for us is that we can train the folks that are technical and lack of better term pushing buttons to do their job all the way through the executives, who may not have that technical knowledge but need to make key decisions in the time of crisis.

Tom Temin All right. And what is the content? Say someone goes for some training or sharpening up and you’re sitting at a PC. What happens? What do they see and what do they do to get better at dealing with cyber-attacks, I guess.

Troy Bettencourt Yeah. Great question. A little bit of secret sauce there. But generally, the idea is we work with our clients and figure out a scenario that would be impactful to them. Most clients, it’s ransomware as we know that’s disruptive. So, then we build a scenario out that we have what we call injects. So, we did a recent one for some government clients, and it was travel focused and it was around disruptions to the airlines. So, there was social media sentiment that was plummeting. And they were mad at the federal government and at the airlines and at TSA because wait times were an hour threat actors will call in their role players. We have actors that will call in and pretend to be the bad guys or gals and threaten them. We will do media interviews. Nobody of your caliber, Tom, but we have folks that will pretend to be reporters, and they will grill public relations folks or executives around how they’re responding. And it’s not about the technical response. It’s about how the business or the government organization handles it and re-instills confidence in the public that they’re taking care of the incident and communicating well.

Tom Temin So you deal also then with the reputational aspects of cyber security breaches.

Troy Bettencourt Absolutely. And honestly, that’s huge. An organization can do a great job technically responding to a critical incident. But if they don’t manage it well at the executive level, that could introduce from a commercial perspective concerns from shareholders. If it’s government, obviously everybody’s a shareholder in government and a great technical response can be mishandled without good executive response. And that’s really our sweet spot. Although we can train the technical folks and we do, we have great offerings. Where we see as different is we train the non-technical folks how to handle a critical incident.

Tom Temin And just getting to the technical level. For a moment, though, a ransomware attack, you would know about it by result of an email saying guess what? Or would you see something on your system and then wait for the answer because somebody’s got to email you at some point to tell you where to send the ransom, Bitcoin or whatever the case might be. What does the state-of-the-art look like in terms of what it is someone would encounter at the system level and what they would have to do just, you know, give us the bare bones there.

Troy Bettencourt It’s great question. How they find out can vary. Sometimes a ransom note pops up on every system in the environment. That’s a pretty easy one. It right itself discloses sometimes a government partner might call the FBI or Cisa, and they know that they’re monitoring a threat group and that they’ve hacked an organization. In some cases, the threat actors will call directly to the company and threaten them, call the CEO or even shareholders. So, there are many different mechanisms. And that’s part of what we introduce into these scenarios, is for them to consider all of them as decision makers.

Tom Temin And I guess it is wise to talk about the public response and so on, because, for example, the hospital and inter organizational payment transfer system right now has been hacked. And that’s been a problem for, I think, a month now or so in the commercial sector of health care delivery because of the United Health Care subsidiary attack. So, these things do have public consequences.

Troy Bettencourt They absolutely do. You know, critical infrastructure isn’t just government owned infrastructure, its public private partnerships, and its private entities that provide core fundamental services, you know, utilities, rail transportation. So, it’s very key that we bring all those partners in and help them learn how to respond to an incident of this nature.

Tom Temin We were speaking with Troy Betancourt. He’s leader of IBM’s X-Force incident response practice. And what is the basis on which government agencies can come in and do this? Do they give you a credit card and they get an hour there, or does it work on some other basis?

Troy Bettencourt Well, I’ll send you. Cashapp link Tom, and you can send it out to all your listeners. But no, as many large organizations, we have folks that handle the accounts and the relationships, and then they can point anybody who’s interested directly to us. We also have the information to contact us on our website, and we would love to entertain discussions with any organizations again, public, private, or public private partnerships.

Tom Temin But this is a contractual offering. It’s not a free service you’re giving to the government.

Troy Bettencourt That is correct. There are some free components, and we do sometimes what we call multi-client events that are shorter in duration and less tailored to particular organizations. And then we offer the full suite of very customized solutions.

Tom Temin But someone could come in and just take a look and get a demo to see if they wanted to sign up.

Troy Bettencourt That is correct. We do tours like that multiple times a week.

Tom Temin Who tends to initiate this kind of thing because you say it’s the technical people deal at the technical level and they’re the ones whose radar is out for nefarious activity. But yet it’s really the program owner who may have his or her mind on a million things. And so, who should initiate the type of engagement that would help train the executives that may not even know they need to be trained in this kind of thing?

Troy Bettencourt It’s a great question in most organizations, as a role chief information security officer or similar, and they’re usually the interface from the technical to the executives. And often it’s the CSO that’s the abbreviation. It’s often them who realize that need, or sometimes it might be a board member that realizes their due regulations. And they’ve asked, what are we doing about it? So honestly, it can come from many different parts of the organization, but usually the CSO or CIO or the primary drivers in our experience.

Tom Temin And just looking at this market generally, from your point of view, there are a number of rule makings in process now planned with respect to the reporting requirements of industry to report to their respective federal agency through the critical infrastructure channels overseen by DHS, CISA, plus a lot of other agencies, Energy and Commerce, and so on. So therefore, it’s a moving target. Do you keep up with those changing regulatory part of it, as well as the changing technology aspect of cybersecurity?

Troy Bettencourt Absolutely. It’s necessary for our clients, again, whether commercial or government, they’re subject to different regulatory requirements and they’re always a moving target. You know the EU just introduced their new AI legislation. You’re mentioning the critical infrastructure regulations that’ll be coming out SEC last year. So, we have to stay on top of all of that. One of the beauties is that the IBM X-Force consultancy has offensive security incident response and threat Intel. So, we’re constantly dealing with real world incidents on a daily basis. And all of that informs what we do in the cyber range so that we do stay on top of trends and regulation. Every week we’re changing content.

Tom Temin And what is the current best practice or best thinking with respect to counter measures, when someone is attacked that is reaching out and maybe zapping their server. That’s probably outside of the legal ability of most organizations, but that’s a moving target also, isn’t it?

Troy Bettencourt It is. And really it comes out in thank you because it shows why the range is important. It’s about the preparation ahead of time. I once had a wise executive tell me you have two times to test your critical incident plan. You can schedule it, or the threat actors or attackers will. We would rather work with our clients to go through a fake exercise or a simulation, rather than having to do it after the fact. At that point, everything is on fire, and we’re just trying to put the fires out and guide them to a successful resolution. And that varies by client because they all have different business imperatives and regulatory guidelines are subject to.

Tom Temin But can any agency reach back out in the direction of the attacker and launch countermeasures?

Troy Bettencourt That’s what I need to dodge that answer. To be honest, Tom, there are some legal considerations and depending on what government agency you may be part of, there are different oversight requirements and capabilities there. Technically, it’s possible whether or not it’s advisable or legal is entirely different matter. Yeah.

Tom Temin Check with your general counsel before doing that. Right. Exactly. Don’t ask IBM anything else we need to know about that range. Is there a good coffee espresso machine in there? That kind of thing.

Troy Bettencourt There is not a great espresso machine. We do have a coffee maker and if we have anyone attend, we cater the event and make sure that they are fed and not falling asleep. A lot of great other things. We have a hacking demo. People can break into a server room and figure out how to bypass security and locks. We have another one that’s being built right now that mimics a critical infrastructure. It has windmills and solar and trains, and we can cause impacts like the windmills will stop working. The power grid goes out, the train derails. So, we’re really building all of that in to make it impactful to both our technical and our non-technical audiences.

Tom Temin And by the way, it’s in a historic building, too, isn’t it?

Troy Bettencourt It is. It’s very exciting. For those that are familiar, which is your audience. We’re in the same building as Old Abbott Grill or the Hamilton. We’re just on higher floors.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories