Dear All,ECCWS conference (19th European Conference on Cyber Warfare and Security 25 - 26 June 2020, Chester, UK).Information Sharing in Cyber Defence Exercises
Abstract
Availability and easy access to sophisticated cyber penetration testing tools enable ex-
ploitation of vulnerabilities in different systems globally. Cyber attacks are executed
by various actors – from script kiddies to state organisations. Repetitive nature and
recognisable signatures of attacks raise demand for effective information sharing. Timely
warnings about cyber incidents in other systems make it possible to identify related at-
tacks locally. Early identification could save a substantial amount of money and time.
International cyber community supports several commercial and open-source threat in-
formation sharing platforms. Efficient use of these systems depends both on the quality
of submitted information and the ability of the security specialist to receive, interpret,
and integrate indicators of compromise into local defence systems. Business stakeholders
tend to emphasise the importance of threat hunters, while the information-sharing aspect
is overlooked. Therefore, there is a need for professionals who can assess risk levels of
cyber incidents in a broad context and share concise information with team members,
superiors, relevant institutions, and community. The complex nature of cyber attacks
raised the popularity of live cyber defence exercises (CDX), where cybersecurity special-
ists are trained using simulated real-life scenarios. However, the exercises are mostly
oriented towards the development of technical competences.
This paper addresses the problem of proper development of information sharing com-
petence during the CDX. We performed a case study of two annual international CDX.
Research data were collected using several techniques. First, the participants filled in pre-
event and post-event questionnaires. Additionally, each defending team was continuously
observed by a dedicated evaluation team member. Finally, incident reports in short and
long forms were gathered. We distinguished challenges related to internal team collabora-
tion, information sharing among the teams, and reporting to relevant authorities. Based
on the findings, we present a methodology to integrate information sharing into the plan-
ning and execution of CDX. The methodology encompasses activities, scoring strategies,
scenario recommendations, tools, and communication-encouragement components. The
presented enhancement creates an observable added value to the CDX training event.
Keywords:
Cyber defence exercises, incident information sharing, indicators of
compromise, collaborative defence



Sincerely,