What is a Live Fire Exercise and How is it Conducted?

A live fire exercise helps cybersecurity professionals simulate and practice defending against real-world cyber attacks. It trains the entire team to work together, exercising not only their technical skills but also the team spirit needed to respond to cyber attacks rapidly and effectively.

A live fire exercise is a deeply technical Red vs Blue exercise designed for practicing the response to a cyber crisis according to a realistic pre-defined scenario. The main goal of the scenario is to give the participants a realistic training experience in defending IT systems under intense cyber attacks. The structures and environments used are standardised and, in addition to providing an effective training experience, the scenarios have been designed to allow scoring, benchmarking and effective data capture.

Immersive experience

The Blue Team enters a pre-prepared environment where a malicious actor is already present or is about to be. The Blue Team is hence tasked with hardening the environment, detecting the threat, responding to it, recovering their systems and services, etc. When the exercise begins, the Blue Team is immersed in the action and feels the pressure to perform as they would during a real attack – the red team is attacking and the clock is ticking.

Campaign view
Situational awareness, one Blue Team. An overview of the systems and performance of one Blue Team at a given point in time, highlighting system structure, presence of attacks, level of availability, timeline of reports and overall ranking.

The progress of the exercise is easy to monitor via CybExer's proprietary visualisation and awareness software (ISA – Integrated Scoring and Awareness). It is used by the blue team, the red team and the instructors to analyze the situation and follow the progress of the exercise. It is also an excellent tool for showing viewers (the C-suite, for example) what is happening during the exercise.

Team score breakdown with timeline, one team
Each line represents the cumulative score for one of the currently applied scoring categories: Availability (green), Incident Reports (light blue), Total (white) and Attacks (red).

Hands-on exercise to practice the readiness of the team

The essence of the exercise is to provide the participants with a standardised gamenet environment that allows fair scoring and is both comprehensive and manageable for the Blue Teams. Commonly the aim is not to simulate the precise structures and environments of specific real-world organisations, although this can be done if requested by the client.

The exercise learning objectives are the following:

  • Fostering cooperation between various actors in the cyber defence at the organizational level
  • Rehearsing specific defensive measures in case of an attack against a particular field or combination of fields
  • Live reaction, planning of defence and enhancement of the environment
  • Monitoring and analysis of attacks
  • Generalisation and synthesis of information on the attacks, in particular from the point of view of validating appropriate defence plans and scenarios
  • Discovery and understanding of sophisticated attack patterns and vectors against the targets
  • Stress handling and decision making under multiple bad choices
  • Providing reports to create an accurate basis for decision-making.

Live fire exercise, step by step

Live fire exercises are always conducted in teams. Carrying out the effort is never a one wo/man show; the entire team may, and should, contribute to making the exercise a success. Here are the steps and phases involved in a typical live fire exercise on a cyber range:

Planning and Preparation: The first phase of a live fire exercise involves planning and preparation. The participating team will identify the objectives and goals of the exercise, define the scope of the exercise and study the environment of the exercise.

The team will also determine the roles and responsibilities of each member, identify the necessary equipment and tools, and ensure that all necessary resources are available for the exercise.

Deployment and Execution: Once the planning and preparation phase is complete, the exercise begins. In this phase, the team will start defending their environment against the red team's cyber attacks and execute their response plan.

The participating team members will work together to identify and respond to the attack, using their individual expertise and tools to mitigate the impact of the attack and restore normal operations.

Evaluation and Debriefing: After the live fire exercise is complete, the participating team will take part in an evaluation and debriefing session. In this phase, the team (along with the instructor who has been monitoring the team’s performance throughout the exercise) will assess their performance, identify areas for improvement, and develop an action plan to address any weaknesses or gaps in their response plan.

The team will also document the results of the exercise and use this information to improve their response plan for future incidents.

Overall, the participating team is essential to the success of a live fire exercise on a cyber range, and their collaboration and coordination are key to responding effectively to real-world cyber threats.

Target audience

The target audience for the exercise is technical personnel involved in technical IT security and cyber defence. The aim is to take the Blue Teams out of their comfort zone and challenge them to deal with an unknown environment.