Thought Leadership

Oct 22, 2020

Training Trainers: How IBM Uses Data Breach Simulations to Build Real-World Competency


Threat intelligence and response teams need to be ready to respond to an increasing barrage of risks and changes. To be exact, this is where breach-and-attack-simulation (BAS) comes in. Most groups use BAS platforms to validate security controls against various types of data breaches.

Meanwhile, IBM Security saw that it could also be very useful as a training platform. With this platform, training against real-world attacks is the best way to prepare. It lets analysts test themselves against spotting and countering data breaches and other threats in the wild.

One IBM analyst says BAS provides the “unique chance to be an attacker and defender at the same time. I can learn from new logs and new threat patterns that I didn’t observe on a daily basis.”

So how does this kind of training — based on a ‘see one, do one and teach one’ approach — make a difference?

Real-World Data Breach Events

In the past, ongoing training for cybersecurity teams and threat intelligence experts relied on classroom learning methods. A team member who wanted to improve might have taken courses on security best practices in order to gain certifications. They might have read reports coming out of various organizations (including IBM’s incident response team) to learn about the newest threats and how analysts should respond to those threats. They might have gone through quizzes and exercises to test their knowledge. But, rarely did they simulate the experience of an actual attack.

This is crucial because often security teams do not see the latest attacks or live alerts on a regular basis. Many client systems are well protected and block breaches. In other cases, breaches may occur and clients may not catch the breach or identify the indicators of compromise (IOCs). For teams to have relevant experience, they need to be tested against breaches and attacks they have not yet seen and may never see in the real world.

Building a Breach Attack Simulation

SafeBreach, a pioneer in the emerging field of BAS, brings tens of thousands of playbooks including attack patterns, actors, data breach replicas and other tests that allow teams to quickly simulate even the most recent attack types. SafeBreach is a flexible training tool because it contains all this attack prep, is easy to access and analysts can use it to quickly set up data breach tests. With SafeBreach, teams can quickly gain awareness and comfort with combatting data breaches and other attacks that are emerging or have happened only in the last few days or weeks.

To make this work, IBM built some custom integrations with other tooling, including the QRadar security analytics platform, logging and auditing tools and specially created virtual machines for Linux and Windows. During simulations, IBM’s cybersecurity teams could also include their own BAS simulation custom playbooks, written in Python (SafeBreach also allows for custom playbooks in Python). With this setup, team members can see and study the full life cycle of any attack type, including infiltration, lateral movement and ransom or exfiltration of data. They can execute a playbook, see what transpires and read through a detailed audit and report to understand what has happened while comparing specific actions and IOCs to actual log files.

Next, cohorts passing through this program can become curators and trainers for the next cohort. The trainers will pass on their wisdom, design playbooks and breach examples based on what they found most useful. In the future, developers could add machine learning to this process, so the exercises will not only train analysts but also train deep learning systems to better identify, analyze and prescribe remediations for attacks.

Learning from Building IBM’s Advanced Simulation Education Environment

The process of building these integrations was educational itself. IBM learned that the team needed to improve auditing policies to better capture and spot all threat activities in a breach simulation. Additionally, once alerts are created and sent to SIEM, the security analytics rules were often incomplete.

By providing this training as a hands-on mechanism to analysts, they can now educate themselves as part of their regular training curriculum on the latest and most relevant threats. This translates into meaningful knowledge they are applying on a day-to-day basis in their jobs. Further down the pipeline, clients get the benefits of this training directly through analysts’ improved skills.

In one instance, IBM’s team spotted an attack on a client system that looked as if a penetration test was underway. The analysts asked the client about it, and the client said, yes, it was a pen test and gave kudos for spotting it. And, more and more clients are testing teams to determine whether they can deliver on the promise of providing cutting edge analysis and insights.

IBM has already seen strong results from new data breach training programs. Of the first five program adopters, three have already gone on to become architects for this program. These architects are now trainers themselves, designing playbooks, training and mentoring the next class of 30 trainees. With the next cohort, the cycle will repeat.

See one, do one, teach one. It has worked for professionals, such as doctors, for over 100 years. Now, it’s working for cybersecurity training, too.

This type of ongoing training is crucial to stay ahead of the curve in cybersecurity. See why IBM Security is recognized as a leader in managed security services, threat intelligence and response.

Get the latest
research and news