Lessons from Cyber Storm V

Mar 23, 2016
5 minutes

Two weeks ago, the U.S. Department of Homeland Security (DHS) conducted a national-level exercise, Cyber Storm V, designed to test the nation’s Emergency Preparedness procedures. Palo Alto Networks participated by providing cybersecurity expertise during the planning process and as players by using the exercise to test our own internal cyber incident crisis management plan.

The players, located across the United States and around world, cut across multiple sectors and spanned numerous industries, provided real-time input in order to test our ability to combat cybersecurity threats.

The game’s diabolical scenario tested the participants and forced all the game players into a Sophie’s Choice: picking the better of two really bad choices. The exercise scenario highlighted a compelling case for taking proactive preventative measures as a necessary precursor to detection and remediation.

The Creation of Cyber Storm

Cyber Storm is DHS’s name for a nationwide cybersecurity exercise that assesses response capabilities during a nationally significant cyber incident. DHS conducted the first exercise in 2006 and has conducted similar exercises every two years since.

Last week, DHS completed Cyber Storm V and Palo Alto Networks participated by providing cybersecurity expertise during the Exercise planning process, and by actively participating in the game play as a representative organization, in this case a cybersecurity vendor, where the leadership had to react to the escalating cyber events occurring during the exercise. At the end of the exercise, we briefed the Palo Alto Networks executive staff – the CEO, CFO, Chief Legal Counsel, along with the heads of Product Management, Engineering, Corporate Communications, and others – about the exercise and posed to them the many decisions they would have to make if the exercise events were a real situation. In other words, Palo Alto Networks used Cyber Storm V as a way to exercise our internal response procedures to a crisis situation.

Cyber Storm V Takeaways

The Department of Homeland Security conducted an exercise “hotwash” at the conclusion of the exercise and will conduct a more detailed After Action Review (AAR) after soliciting input from all the participants over the course of the coming weeks and months. We expect DHS to publish the results of that review sometime following the completion of this formal process. I am not at liberty to discuss the specific scenario that DHS unleashed upon the game players until after they publish their report, but let me just say that it was diabolical. They designed the ever-escalating events to put the entire nation into a Sophie’s Choice in which government and commercial leaders had to choose between two bad options, both of which could result in a significant material impact to the commercial and government entities involved in the incident, and might even cause effected entities to cease to function. Like I said: diabolical.

It occurred to me while Palo Alto Networks was playing the game, however, that a substantial portion of the impact from this diabolical cyber incident progression can be avoided with prevention measures applied strategically in the initial phases of the attack cycle, rather than solely relying upon the notion of detection and response (although I’m not making light of the fact that many exercise objectives in Cyber Storm V were clearly designed to test the ability of the public and private sectors to coordinate detection and response, which is certainly important).

In the exercise, by the time the network defender community detected the seriousness of the event progression, it was already too late, and they were all forced into the aforementioned Sophie’s Choice. This raises a key point and an important takeaway from the exercise: prevention is a precursor to detection and remediation. By putting strong prevention components in place, the diabolical scenario would never have escalated as far as it did.

Throughout the exercise, we observed that delivering new preventative controls to the impacted parties would significantly reduce the impact of the attacks, mitigating a significant portion of the damage. Bottom line: while detection and remediation must be practiced, it must be a supplement to strong, swift prevention measures.

Threat prevention, threat detection, and threat eradication accomplish key and indispensable network defender activities. Individually, each is important but by itself not sufficient to prevent high-risk material impact to the organization. They are inextricably linked: atomic and irreducible. They are the network defender’s trinity, and the network defender must be proficient at all three.

Trinity programs will not stop all adversary groups immediately. What they will do – when installed properly – is provide a framework to block every threat that is known, allow network defenders to discover new threats as they emerge, and provide a mechanism to mitigate any newly discovered adversary campaign activity within their organization.

It All Boils Down to the Network Defender Trinity Program

The Cyber Storm V exercise provided a good scenario to exercise both the nation, as DHS matures its Emergency Preparedness plan, and the executives of Palo Alto Networks as we continue to hone our own internal crisis planning procedures. We believe that in order to combat these types of threats, our nation’s network defenders must put the trinity program in place, specifically threat prevention. If we implement aggressive preventative measures, as part of a fully formed Network Defender Trinity Program, it will transform these types of diabolical scenarios into just another routine day.


“Informing Cyber Storm V: Lessons Learned from Cyber Storm IV,” by Homeland Security, June 2015

Cyber Storm: Securing Cyber Space,” by Homeland Security, 1 December 2016

Cyber Storm exercise tests cyber defense strategies,” by Michael Hardy, Federal Times, 8 March 2016


Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.