Your boss opened an email, clicking to read a PDF that appeared to be from a supplier—but it wasn't. Cybercriminals have slipped into your organization's systems, nabbing financial data, security credentials, and personal information—a serious issue, as you work for a defense contractor.
What do you do? Where should your technical team start? Are you even sure what's happening yet? Should customers be informed? What about the police or even the government? Who do you tell internally: the board, the legal team, PR?
Panic takes over as you realize you don't have the answers to these questions—and then, ransomware locks down your networks, with a threat to leak the stolen data unless you pay. Breathe easy, though, as this time it's just a simulation: Hack The Box's Crisis Control. It’s a modern take on a table-top exercise that reveals how your organization would face such a crisis before criminals come knocking.
So, we know that it’s not if, it’s when cybercriminals will target your organization—which means you need to start practicing your response. One solution to improve preparedness is table-top exercises (TTXs): discussion-based sessions where organizations work out a response to a potential crisis using a “choose your own adventure”-style static decision tree. But those lack realism and are inflexible, making them difficult to adapt to specific sectors or even companies, and they can easily be out of date: criminals use the latest techniques, so you need to train on them, too.
These old-fashioned wargames have had a serious upgrade. Hack The Box specializes in gamified cybersecurity upskilling, and in building Crisis Control has turned its expertise—with a dash of AI—to creating dynamic, action-based simulations for realistic, evolving scenarios to help maximize crisis preparedness across senior management and front-line professionals.
“Due to our expertise on the technical level, we can create a realistic scenario so it feels like a real crisis,” says Haris Pylarinos, Founder and CEO at Hack The Box. “In a crisis, you do not have time to read a manual on how to act. You need to be battle-ready, and this is achievable only by repetition. Hack The Box puts you on the battlefield repeatedly, until a crisis feels like another day at work.”
What is a TTX? Pylarinos says that a Crisis Control scenario is, on the surface, like playing Dungeons & Dragons, but the setting is your organization and the characters consist of your staff and cybercriminals. Instead of a dungeon master leading the game, an expert facilitator oversees the simulation.
Traditional TTXs are limited though, as they lack flexibility, realism, and are discussion-based rather than hands-on. Plus, they can be easily influenced by bias and the assumptions held by facilitators or even participants. That leaves TTXs feeling limited and generic—perhaps specific to an industry, such as finance—meaning they quickly become outdated.
Because of this, Hack The Box redefined the idea of a TTX, using its expertise—developed through working with government, enterprise, companies, academic institutions, as well as the largest community of ethical hackers globally—to create dynamic, realistic scenarios for crisis preparation that suit specific organizations and their goals.
That expertise is now aided by generative AI. “Hack The Box uses its own AI technology to pull information from a variety of publicly available sources, such as news articles, to create scenarios based on current trends and relevant industry developments. This ensures that the generated scenarios are timely and reflective of what is happening in the world today,” Pylarinos explains. “The exercise is as if you have a real crisis in front of you.”
Throughout the simulation, the Crisis Control facilitator plays a pivotal role in managing the flow and effectiveness of the simulation, ensuring the exercise remains aligned with the team’s learning objectives and real-life situations, and using the trained AI model to customize and expand the narrative on the fly—even generating an immersive conversation with a simulated attacker to represent cybercriminals during text-based ransomware negotiations.
“If you observe that participants are not fully engaged—perhaps making light of the situation or losing focus—you can introduce more critical, high-stakes elements that are directly relevant to them, creating a heightened sense of urgency,” explains Manos Gavriil, VP of Content at Hack The Box.
The aim of Crisis Control is to expand preparedness planning beyond the technical team—though they’re very much a big part of the simulation. “A major cyber attack against a company raises two sets of questions,” says Lucas Kello, Associate Professor in International Relations and Director of the Academic Centre of Excellence in Cyber Security Research, University of Oxford. “First are the technical questions—what's happening on the network perimeter, is your data safe, what systems have been compromised? It’s up to the security team to unravel these issues.”
But Kello notes there are further considerations beyond the technical realm. “These broader ‘meta’ challenges are organizational, legal, regulatory, and sometimes ethical in nature,” he says.
While still trying to halt an attack and uncover the damage, companies must understand how to apply relevant regulatory standards: who to bring in internally—for example, compliance teams, legal teams or both?—and what external authorities (if any) need to be informed or consulted, and so much more. “This is where Crisis Control shines: bridging the gap between the technical team and the executive and business sides,” Kello explains.
After the simulation, a post-mortem is held to identify key pain points and action to take going forward. Participants are not going to finish as experts on red teaming and blue teaming, but they’ll have a closer appreciation of how major technical incidents relate to their own priorities and put processes into place in case of a crisis.
“When you establish clear rules and procedures, they activate immediately in a real crisis—eliminating confusion and ensuring that everyone knows which standards to apply and whom to consult, both within and outside the organization,” Kello adds.
And, as Gavriil adds, no one will be at their best during a crisis: “These questions have to be answered under pressure.”
By testing preparedness with a gamified exercise like Crisis Control, participants can learn what they need to do in a low-stress, no-risk environment—and react better when the real deal happens. Pylarinos calls this the mental equivalent of “muscle memory”. Think about fire drills, notes Pylarinos. People know to leave buildings in case of a fire, yet we still regularly practice walking down stairs and meeting at the right point.
And it’s better to be prepared than wait for an attack to get some practice in. “A breach might occur once every three or four years, but cybercriminals attack organizations every day,” says Pylarinos. “They are battle ready, and organizations are waiting for an attack without a solid plan in place.”
It's not an exaggeration to say cybercriminals are constantly attacking—such crime is out of control: attacks of all types are up by 30 percent, ransomware broke records last year, with victims paying out more than $1 billion to criminals, and three quarters of all large businesses were targeted in the last year alone, according to the UK government. Tactics are getting wild, with AI enabling million-dollar voice-cloning scams and state-backed actors motivated by geopolitics targeting critical infrastructure.
Given the rise in serious cybercrime, organizations need to have a plan in place—especially as geopolitical issues come into play. Targeted by state-level actors? Your company may need to inform not just the authorities, but the government—and how do you even do that?
Even if your company isn't a major multinational, it can still be targeted by state-level actors, especially if you work with a government. “Increasingly, private enterprises will be drawn into the fray of geopolitics,” says Kello. “Today, merely being based in a particular country can make a company a target. Geopolitical cyber threats are on the rise as tech providers increasingly operate in contested regions or align with specific sides in interstate rivalries.”
If state-level military attackers target your company—perhaps with ransomware making demands for data, or looking to disrupt supply chains—would your company know who to call in government? You need to figure that out before state-level attackers wreak havoc on your network. It's certainly better than after.