Cozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right? The Cozy Bear group has been observed using tools and techniques that target groups like government, healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl. All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetuated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group: APT29: Threat Hunting with Elasticsearch Successful cyber threat hunting relies on a combination of information from cyber threat intelligence to detailed event logs via endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario. APT29: Threat Hunting with Splunk These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk. Brute Ratel: Extracting Indicators of Compromise Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29. The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive CVE-2020-5902 (F5 BIG-IP) – Defensive CVE-2020-5902 (F5 BIG-IP) – Offensive We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed on established threat actors and attack vectors – so your organization stays out of the news 🙅♀️🐻📰 Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!Balance Your Business with the Buzz
The question begs for a prioritisation exercise. You need to create a dynamic program structure to address security priorities and the highest-volume threats, while keeping your finger on the pulse. Let’s dig into how you can balance your priorities Balance role-based learning and skills growth with day-to-day job responsibilities. These learning plans often look like a longer-term goal with continuous growth and skills progression. Some of our favourite Immersive Labs Career Paths (courtesy of the man, the myth, the legend ZacharyAbrams, our Senior Cyber Resilience Advisor are: Network Threat Detection Introduction to Digital Forensics Incident Response and Digital Forensics You can also create your own Career Paths! Buzz your team’s interest and pique security knowledge around the top routinely exploited vulnerabilities and priority threats. Latest CVEs and threats This collection should be a holy grail for referencing and assigning labs on the latest and most significant vulnerabilities, ensuring you can keep yourself and your organisation safe. Incorporate trending and priority threats like #StopRansomware with the below collections: Ransomware In this collection, you’ll learn about the different strains of ransomware and how they operate. Malicious Document Analysis Phishing and malicious documents are major malware attack vectors. Learn to analyse various file types and detect hidden malware. Balance out the flurry of CVEs and news trends with timely and relevant industry content: Financial services customers often prioritise Risk, Compliance, and Data Privacy Collections, or our entire Management, Risk, and Compliance path. We also have a great “Immersive Bank” Mini-Series for a simulated red team engagement against a fictitious financial enterprise. The series walks through the various stages of a simulated targeted attack, starting with information gathering and gaining access, before moving to pivoting and account abuse. Automotive customers might be interested in our CANBus collection to learn more about the CANBus technology in modern cars, and the security threats it faces. We’ve also seen interest in our IoT and Embedded Devices collection and OT/ICS For Incident Responders path! Telecommunications customers may be particularly interested in a more timely lab, such as threat actor Volt Typhoon, which recently made headlines with an attack on ISPs. Due to the group's focus on ISPs, telecom, and US infrastructure, we recommend reviewing its TTPs and mapping them against labs in the Immersive Labs MITRE ATT&CK Dashboard. Other threats may be of higher priority for your sector – reach out to your CSM or Ask a Question in the community to learn suggestions from your peers! Buzz about the latest and most active threat actors and malware because, let's bee real, everyone wants to keep their finger on the pulse of the latest security happenings. Finance, healthcare, defence, government, and national political organisations are on high alert around Iranian-Backed Cyber Activity. The following content on common attack vectors from these groups is valuable to organisations today: IRGC and relevant malware labs: APT35 Peach Sandstorm Tickler Malware Citrix Netscaler CVEs: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive F5 BIG-IP CVEs: CVE-2022-1388 (F5 BIG-IP) – Defensive CVE-2022-1388 (F5 BIG-IP) – Offensive What would this all look like as part of my program? I like to think of it as a waterfall method, but make sure you consider the overall learning requirement relative to your team’s workloads. Annual: Role-based career paths with a longer duration (doesn’t have to be annual – you can set more frequent targets if that’s better for your team) for completion to meet individual growth and organisation training goals. Quarterly to bi-monthly: ‘Timely training’ with IL Collections or Custom Collections. This might include a mix of “Balance” around industry-relevant content, upskilling to bridge skills gaps, or “Buzzy” content addressing incident retrospective findings that require skills triage, or an industry trend like the rise in Ransomware or Threat Actor risks for your sector, as you reprioritize your internal threat landscape through the year. AdHoc: ‘Threat Sprint’ assignments with new CVE and threat actor labs as a small custom collection with 7-10 day turnarounds per 2-3 hours of content to address quick priority topics. Make sure to get feedback from your teams on capacity. But, don’t bee afraid to iterate as you upskill your teams, stay stinger-sharp against adversaries, and hive a great time delivering on the business outcomes your organisation is looking for. Share your thoughts Have you mastered balancing business with the buzz? Comment below with your successes, failures, and ideas for effective balanced cybersecurity upskilling programs! Stay safe out there in the field, and keep an eye out (or five) for new articles based on recent events in the cybersecurity space. Get updated in your inbox on posts like this by "following" The Human Connection Blog!5 Pro Tips for Organizing an Effective Team Sim
While scheduling a Team Sim exercise in the Immersive Labs platform is very straightforward, I’m sharing a list of recommendations and tips for making sure your exercise goes the extra mile: 1. Define exercise objectives Know the purpose of the exercise to keep a laser focus and stop scope creep, which can dilute the exercise experience and learning takeaways. Is this a fun exercise that will encourage engagement, or is it a capability assurance exercise? Knowing your objective is essential for effective planning. For example, a fun exercise might include more guidance and hints than a capability assurance exercise. 2. Block out calendars in advance Identify your participant list as early as possible and send placeholders out to ensure the team’s availability. The more advance notice, the better. At a minimum, provide two weeks’ notice, but ideally one month. In some large-scale cases, whole Team Sim exercise programs are planned and booked out over six months in advance. 3. Host a briefing session These sessions provide a great chance to set the expectations and objectives of the exercise, communicate important exercise information, answer any questions, and, most importantly, get the team excited about it! We recommend organizing a briefing call the week before the exercise. 4. Run a systems test The last thing you’ll want to deal with when your exercise launches is any dreaded technical issues. Make sure you run a systems test early in the planning stages, leaving plenty of time for your organization to make any required configuration changes. You can find system requirement details here. 5. Assign preparation labs Some of the catalog exercises may use security tools unfamiliar to your organization. I believe in the benefits of vendor-agnostic learning when it comes to skills development, but understand that unfamiliar tools can be frustrating. If you have access to our hands-on labs, there are preparation labs available tailored for each catalog exercise. Assign these to participants a minimum of two weeks before the exercise. If you need any help or support with planning, ask a question in our Help and Support forum. Following these steps ensures clear expectations from your participants and a smooth lead-up to your exercise, which plays a big factor in making it a success! Do you have any hints or tips for other exercise planners and facilitators? What lessons have you learned, or where have you seen success? Let us know in the comments below.Crisis Sim Complete...Now What?
Picture it: you’ve designed, built, and exercised your first Crisis Sim. You're pleased with the scenario and satisfied to see your team sharpen their skills, deepen their understanding, and boost their incident readiness. You can bask in the glory of this job well done for a moment, but the journey of the Crisis Sim doesn’t end here. The devil is in the details of the exercise data. Completing the exercise and gathering the results is only the beginning of your journey of fostering people-centric cyber resilience! Not sure where to start? We’ve got you covered Remember how meticulously you mapped out those injects and options to build your scenario? The feedback options, the performance indicators, the branching paths, the exercise types? Your hard work is about to pay off. We’ve processed the exercise responses for you because you’ve earned it – and because there’s more work to be done. Next steps for managers Crafting outcomes from outputs You can expand on the work you’ve already put into the exercise by leveraging both the Results and the After Action Report (AAR) for your scenario in the Immersive platform. Follow these steps to access these items: Go to Crisis Sim in the Exercise tab. Locate your exercise. Hint: use the filters available on the left to show “ended” exercises. Click to open your “Ended” exercise. From there, you’ll see how to dive into the available outputs with a few clicks! If you need a bit more info, here are some additional guides from our Help Center: Where to find Crisis Sim exercise results & reports View Results After Action Report (AAR) Analyzing exercise results Results If you’re looking for granular data down to the details of each inject, you can find it here. In Results, you’ll see an overview including the summary from the exercise scenario, along with key details such as scoring and completion metrics. Need to examine responses to specific injects? In the platform, you can quickly drill down into each inject by using the navigation on the left-hand side of the report. By selecting an inject, you can review responses and start to see patterns that emerged throughout the exercise. If you’d prefer raw data, you can export a CSV file of your results. It's straightforward, packed with detail, and puts all the key metrics and figures within easy reach. Check out our documentation for more details on key information and metrics. This is an invaluable resource for anyone passionate about data! It allows you to establish a foundation, set comparative standards, and ultimately gauge and improve your cyber resilience – all with concrete data to back your efforts. If the mention of statistics and spreadsheets doesn't excite you, no worries, the Immersive platform generates an After Action Report for you 30 minutes after completion of your exercise. After Action Report (AAR) Enter the After Action Report! The AAR presents an interactive visualization of your data analysis, offering valuable insights at your fingertips. And, as a bonus, you can download it as a PDF. The AAR is more than a deliverable; it’s a guide to fostering a people-centric cyber resiliency culture. It offers an outline of the exercise and crucial data points that will help drive what you and your team do next. Overall performance, inject-by-inject analysis, and participant breakdown provide a comprehensive view of your team's current capabilities and readiness, wrapped up with relevant recommendations for you and your team. Remember, insights are only available for data that’s collected as part of your exercise, so make sure you offer ranked inject options and enable response confidence and feedback to maximize your exercising. This is defaulted in the Immersive Crisis Sim Catalog presentation scenarios. In the performance overview of the AAR, you'll encounter a high-level snapshot guide for your next steps. Think of this as a performance gauge (based on our experience with Immersive clients) that maps to the following: >=75%: Excellent >=50%: Good >= 25%: Fair >=0%: Needs improvement As you dive deeper into the AAR, these broader performance indicators unfold with more granular data, and you’ll be able to understand the gaps that exist in cyber resilience for your organization. Mind the gap By understanding your organization's current state, you can create targeted improvement plans, whether reinforcing strengths, addressing weaknesses, or identifying opportunities for further training and exercises. This provides a clear starting point for overall improvement and upskilling. Inject breakdowns help pinpoint your team's strengths and weaknesses. Imagine the exercise in a real-world scenario: would there be a data breach, or would operations continue as normal? Assess your team's confidence and accuracy in their responses to identify knowledge gaps and points of failure. Use these insights not to dwell on mistakes but to improve and ensure your team is well-prepared for future challenges. The participant breakdown takes this introspection into your team's capabilities a step further by plotting decision scores against confidence levels. This helps you understand the accuracy and confidence of your team’s responses. Are your strongest team members operating confidently? Are those with knowledge gaps posing risks by overcompensating with confidence? Create an action plan This data helps you prioritize your next steps. Will you address weaknesses, reinforce existing skills, or increase exercise frequency to build confidence? There are plenty of upskilling routes to choose from. After each exercise, you'll see related Crisis Sim scenarios and lab content based on the threats and attack vectors encountered. When creating your action plan, you should consider the following outcomes and their related recommendations: Weaknesses identified at the individual level ⇢ Assign recommended lab content to key users, and reinforce the importance of upskilling by communicating the purpose of the content. Hint: Don’t forget to use assignment deadlines to effectively track progress and keep the team on track. The participants' skills resulted in high accuracy decision-making but low confidence ⇢ Reinforce strengths with clear communication of processes and expectations. Consider reviewing your internal playbooks! Are processes clear, concise, and aligned with organizational needs and expectations? Are policies current and up to date? Are there conflicting processes or policies within your organization? The team performed exceptionally across the board with high confidence ⇢ Test response readiness by exercising on a more difficult level scenario. Does the team excel in all areas, or is this an opportunity to better prepare? The landscape is constantly changing, and new threats are constantly emerging. Ensure your team has a wide breadth of knowledge and coverage by continuously proving their skills and encouraging further learning. Three essential steps to maximize your post-simulation impact Of course, you know your organization and teams best, so the Crisis Sim results are always best interpreted by you. Once you’ve analyzed and understood the results, prioritize these steps: Review the results and gather feedback promptly to identify growth opportunities. Did outcomes align with expectations, or were there surprises? Plan specific changes for future Crisis Sim exercises and build a strategic timeline. Should you adjust the difficulty or coverage areas? Is there time for additional training between exercises? Create an action plan with clear objectives, owners, and deadlines to ensure individual and team development. What other organizational stakeholders should you bring in moving forward? And what will be important for them in Crisis Sim exercising? Share your thoughts If you’ve recently completed your first Crisis Sim exercise, what will you do next? If you’ve completed many, what tips do you have for others? Join the discussion below!When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected. This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset? These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable. Crisis leadership isn’t about perfect outcomes Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced: Compromised infrastructure Uncertainty about the integrity of power and systems Thousands of passengers on site and mid-flight en route to the airport Global operations and supply chain at risk The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once. Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions. “Enough power” means nothing without operational continuity Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem. Resilience isn’t just a plan – it’s a whole system of dependencies The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running: Power providers Facilities management IT and communications vendors Outsourced security Maintenance crews Air traffic systems Second and third-tier subcontractors Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it. So identifying and (most importantly) testing and exercising your supply chain is paramount. This wasn’t a “winnable” crisis – and that’s the point I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly? That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?” The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore? Ready to prepare for true crisis readiness? Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.I’m ready to put up MITREE 🎄 – but is my business ready with MITRE ATT&CK?
This blog post reviews the MITRE ATT&CK framework and discusses which tactics and techniques should warrant your attention over the upcoming holiday season. We’ll also show you how to use Immersive Labs to review your skills coverage, identify resource dependencies, and assign timely and relevant content using the MITRE ATT&CK framework.Behind the Scenes of Immersive One: How Lab Builder is a Game-Changer for Cyber Readiness
“The best customer feedback we got was, we don’t need you to do everything for us.” Rebecca: Wait, seriously? Matt: Never more so. We built Lab Builder, a powerful Immersive One platform feature, for a reason: Organizations need a way to create, maintain, and publish their own labs—fast. Historically, our cyber team built every lab in Lab Forge. That worked for us, but it locked out partners and customers who wanted to address their unique needs—tools, environments, policies, and threats. They asked, “Can we do more by ourselves?” Lab Builder answers that. Rebecca: Absolutely. Since its debut last fall, Lab Builder has evolved so much. What are the biggest benefits for users today? Matt: There are two big ones. The first is the ability to curate content relevant to your organization, its threats, and its technologies—quickly. Second, realism. Teams can safely train with real-world code, internal apps, or even live malware—all in a secure, disposable environment. It’s as close to production as it gets, giving them an authentic experience with the exact tools and systems they use every day. The result? Faster upskilling, stronger readiness, and measurable gains in resilience. | “With Lab Builder, your organization can turn any piece of code or policy into hands-on training—instantly.” Rebecca: That almost sounds too easy—until you see the demo in action for yourself! Matt: Yes! The team is super proud of how streamlined it is. The core workflow is just five steps. Create a new lab. Then configure it, adding basics like the lab title, intro, learning outcomes, and gamification aspects like points users will get for completing the lab. From there, the focus is on building the briefing and tasks—drag-and-drop questions, code-review challenges, “find the flaw”, there’s lots to choose from. Then you’re ready to publish. Just assign your SME as Lab Creator, and they’re live on the same Immersive One platform they use every day. Rebecca: To me, the genius of that kind of design is in its accessibility. You’ve also invested heavily in the learner experience. Matt: Definitely. Engagement is a top priority, so we’re always building for the learners who need to know cyber—not only to support their organization’s cyber resilience strategy, but to grow professionally. We aim to remove every barrier to learning we can. Rebecca: I know you’re not one to boast, but how has the team modernized the UI? Matt: We’ve done a lot of work here, starting with completely rebuilding the theory labs interface, giving it a clean, responsive design that works seamlessly across desktop, tablet, or phone. We’ve been building toward that for our practical labs experience too. There are now intuitive panels, seamless task navigation, and instant feedback to guide learners every step of the way. We also turned Lab Builder into a true WYSIWYG (“what you see is what you get”) editor so Lab Creators see exactly what their teams will experience. We also baked in full WCAG compliance, with keyboard navigation and screen-reader support on every screen. Ultimately, we hope to bring every Immersive-built and custom lab into a single, unified front end in Immersive One—so no matter where you are, one clear interface delivers the same training experience. Rebecca: It’s this kind of due diligence that really makes a difference! Let’s talk about VMs. How do they fit in? Matt: Theory can only take you so far, so we released practical labs in the spring. Organizations spin up their own virtual machines in AWS (Amazon Web Services), share the AMI with our account, and import it straight into Lab Builder. Why does that matter? Because learners train in their exact production environments—internal tools, real vulnerable code, compliance setups. We support typical instance sizes—enough CPUs and RAM for most use cases. While we may roll out more environments in the future, AWS supports 99% of our existing customer base. That means the process feels native for Immersive One users; they can truly learn by doing. | “Build your VM. Import it. Assign it. All without leaving Immersive One.” Rebecca: Initially, only Org Admins could build custom labs. How did you expand access so that more team members could create labs, without being given full admin rights? Matt: We introduced the Lab Creator role this summer. Now you pick who builds labs—no full admin rights required. Rebecca: So smart. Now, in-house experts can build content without getting the keys to the kingdom. Matt: 100%. The team is laser-focused on leveling up Immersive One with every Lab Builder release because it’s so instrumental to the customer experience. In June, we added video support right in the briefing panels because some individuals learn best through short, engaging clips. We also rolled out a Machine Library stocked with pre-configured VMs—basically templates, from Kali Linux to reverse-engineering rigs—so you can drop assets in and start training immediately with zero VM building. You just need t And internal publishing functionality lets Lab Creators bundle custom labs into collections and share them across Organizations—think a self-service marketplace for specialized, high-value content. Rebecca: Honestly, Matt, what you’ve done with Lab Builder functionality is incredible. And I know you’re not done yet. Matt: Yeah, right—not at all. The team is already heads-down on an AI agent, but I won’t spoil it! Rebecca: Love that! Well, thanks again for meeting with me today, Matt. Maybe next time we can discuss ways customers or partners are already using Lab Builder to meet their unique needs—you know, deep-dive into specific use cases. Matt: Oh, absolutely—happy to share what customers are using Lab Builder for. Maybe we even host a webinar for that one? Would be fun to entertain some Q&A. Rebecca: Nice, let’s plan on it! Final Thought Lab Builder not only powers a customer-first UI and UX, it can help you transform every new threat, policy change, or internal tool into an interactive lab—on your timeline, with your exact requirements. Want to explore the possibilities? Contact your Account Manager for a personalized introduction to this powerful feature. In the meantime, preview how easy it is to customize learning by watching this quick demo: Meet Lab BuilderFrom XSS and SQLi to AI-generated code and supply-chain compromise: How application security is evolving
Keeping up with vulnerabilities is like playing a never-ending game of whack-a-mole. One day, we were knee-deep in XSS payloads and buffer overflows; the next, developers everywhere were plugging SQL injection holes with duct tape and regex. A lot of our earlier tech wasn’t built with security in mind – or at least not at the forefront of our minds. But over the past two decades, the culture has changed, and developers are shifting left. Programming languages, as well as the frameworks and ecosystems around them, are evolving and adapting to evade security threats. XSS: From everyday headache to “mostly handled” Remember when cross-site scripting (XSS) was every web developer’s nightmare? In the 2000s, it seemed like every other website was vulnerable. If you were lucky, your users’ only punishment was an annoying pop-up. If not, credentials and session cookies were up for grabs. Modern languages and frameworks took proactive steps in their designs. Today, many of them have built-in protections against common vulnerabilities like XSS. Some examples are: React, Angular, Vue: Automatically escape output by default. You have to go out of your way to render raw HTML (and they make you feel guilty about it). Django, Ruby on Rails, ASP.NET Core: Templates escape user input by default. Browsers: Even they pitch in, with features like Content Security Policy (CSP). It’s still possible to write a vulnerable application, but the bar is higher. As a result, attackers have a bigger hurdle to jump over. This is thanks to the evolution of how languages and frameworks approach security – not as a feature, but as the default. SQL injection: OR 1=1 is mostly history SQL injection once powered major data breaches. Now, parameterized queries have become the norm, and we’re on our way to leaving those days behind. Object-Relational Mappers (ORMs) like SQLAlchemy, Entity Framework, and Hibernate generate safe SQL. Most modern languages make string concatenation in queries unnecessary (and uncool). Even PHP, once infamous for its “raw SQL everywhere” approach, now encourages prepared statements and offers safe database APIs. Not a perfect world, but much improved. It’s crucial to keep in mind, however, that technology shouldn’t be relied upon uncritically to keep applications secure. Developers must do their due diligence. Memory mischief: The rise of Rust (and memory-managed languages) C and C++ are legendary for performance. And legendary for buffer overflows, use-after-free, and all manner of memory mischief. Enter memory-safe languages: Java, C#, Python: Garbage collection and managed memory eliminate entire classes of bugs. Rust: Takes it up a notch with ownership semantics, preventing data races and dangling pointers at compile time. A lot of system-level work has migrated to these “safer” languages, and the impact is apparent in everything from embedded devices to operating systems (hello, Rust in the Linux kernel). The new frontiers: AI and supply chain attacks Just as one threat starts to become old news, new threats emerge. Two of these are: Supply chain compromise The SolarWinds breach and NPM “event-stream” incident have put supply chain attacks in the spotlight over the last decade. It goes to highlight that you can write perfect code and still get breached because a dependency many levels deep was compromised. Some of the changes we’re seeing as a result: Package registries are adopting MFA and signing requirements. Software Bill of Materials (SBOM) is becoming a must-have, especially in regulated industries. But the battle is ongoing. If anything, our code is more interconnected than ever, and the rise of “vibe coding” is complicating matters further. AI-generated code AI tools like GitHub Copilot and ChatGPT are generating millions of code snippets. This is a double-edged sword. You get increased productivity, but the code is often vulnerable. This is partly a reflection of the insecurities in the code that the models were trained on. I asked ChatGPT 4.5 to identify the vulnerability in the following code and it couldn't. Can you? Leave a reply with your thoughts! @limits(calls=6, period=60) @app.route("/change-password", methods=["POST"]) def change_password(): user = session.get("user") if not user: return jsonify({"message": "Unauthorised"}), 401 data = request.get_json() password = data.get("new_password") if not password: return jsonify({"message": "Password is required"}), 400 if not db.change_password(user, password): return jsonify({"message": "Failed to change password"}), 500 return jsonify({"message": "Password changed successfully"}), 200 @limits(calls=6, period=60) @app.route("/login", methods=["GET", "POST"]) def login(): data = request.get_json() user = data.get("user") password = data.get("password") if not user or not password: return jsonify({"message": "Username and password are required"}), 400 if not db.authenticate(user, password): return jsonify({"message": "Invalid username or password"}), 401 session["user"] = user return jsonify({"message": "Logged in successfully"}), 200 The changes I expect to see going forward are: Guidelines and governance for AI-generated code: Programming languages or coding standards may soon explicitly include guidelines, validation rules, or security frameworks tailored to AI-assisted coding, ensuring generated code adheres to secure patterns. Work is already being done to create rules files for improved security. Integrated security checks at the IDE level: IDEs may embed deeper vulnerability scanning and real-time feedback directly within coding processes. Development environments or compilers may also come integrated with validation tools specifically attuned to potential weaknesses inherent in AI-generated code. Increased reliance on static/dynamic security analysis tools: Enhanced automated scanning integrated into CI/CD pipelines, detecting flaws pre-deployment. Keeping people in the loop: Security awareness should be a top priority, so everyone is ready for the worst-case scenario. Proving and improving skills: Developers’ training should increasingly emphasize secure coding, particularly when assisted by AI tools. At the current stage, thorough PR reviews are more crucial than ever. As with any code, always review and test AI-generated code, especially for security-sensitive logic. AI is a tool, not an auditor. Security: Not a feature, but a default Application security has come a long way from the Wild West days of the early internet. The biggest shift in the software development landscape is that security is no longer a bolt-on. Modern programming languages and ecosystems try to make the secure path the easy path. Defaults are safe (escaped output, parameterized queries), dangerous operations are noisy (compiler warnings, explicit function names), and security updates are automated (thanks to package managers and CI/CD integrations). Of course, attackers are creative, and the landscape is always shifting. But the evolution of programming languages, as well as the surrounding tools and communities, means developers have a fighting chance. While we face newer threats like AI-generated code vulnerabilities and supply chain compromise, the foundations are getting stronger. The key is to keep learning, stay skeptical, and use the tools at your disposal properly. The biggest shift I would like to see is the human element no longer being viewed as the “weakest link”. The moles never stop popping up, but now, at least, we have better mallets – and the resources to help us use them.Feature Focus: Crisis Sim Presentation Mode Uplifts
Here at Immersive, we're constantly striving to push the boundaries of cyber education and make our simulations as realistic and impactful as possible. We believe that truly effective learning happens when you're immersed in a genuinely challenging and engaging scenario. That's why we're incredibly excited to announce a significant uplift to the UI and UX of our Crisis Sim Presentation Mode. These aren't just cosmetic tweaks; they’re impactful changes, requested by you, designed to elevate the realism and engagement of your crisis simulation exercises, making the experience more dynamic and true-to-life for you and your team. A modern makeover for a seamless experience First impressions matter, and we’ve given the Presentation Mode UI a thorough modernization. This refresh delivers a cleaner, more intuitive aesthetic that’s not just pleasing to the eye, but also enhances clarity and reduces cognitive load during high-stakes scenarios. Our goal was to create an environment that feels contemporary and professional, reflecting the gravity of the simulated situations. Crucial UX enhancements for heightened realism Beyond the visual refresh, we've implemented several key UX changes that directly address the need for increased realism and participant engagement: The optional countdown timer: Feel the pressure build! In a real crisis, time is often a critical factor. Now, with the addition of an optional countdown timer, facilitators can introduce this vital element directly into the Presentation Mode. This isn't just about a ticking clock; it's about replicating the pressure and time constraints that decision-makers face in genuine incident response. This subtle yet powerful addition can significantly heighten the sense of urgency and consequence for participants, driving more active and strategic thinking. Navigating back: review and reflect in read-only mode Ever wished you could quickly refer back to a previous piece of information during a fast-paced crisis? Now you can! We've introduced the ability to navigate back to previous injects in a read-only mode. This means participants can revisit past communications, intelligence, or decisions without impacting the live progression of the exercise. This feature fosters better situational awareness and allows for more informed decision-making, mirroring the investigative and analytical processes that occur during a real incident. Companion App integration: all your content, always on hand Perhaps one of the most impactful changes for participant engagement is the surfacing of all content and static rich media directly on the Companion App. Previously, certain elements might have been facilitator-driven. Now, everything from critical intelligence reports to simulated news articles, social media feeds, and relevant imagery is immediately accessible to participants on their personal devices. This comprehensive content delivery ensures that participants have all the necessary information at their fingertips, enabling them to actively participate, analyze, and collaborate without disruption. It transforms the Companion App into a truly indispensable tool for the exercise, fostering deeper immersion and a more authentic crisis experience. Why these changes matter Our core mission at Immersive is to make learning about cybersecurity as effective and memorable as possible. These updates to Crisis Sim Presentation Mode directly serve that mission by: Increasing realism: By incorporating elements like time pressure and readily accessible information, we're making our simulations more closely resemble the complexities and demands of real-world cyber crises. Boosting engagement: When participants have all the information they need at their fingertips and can actively interact with the scenario, their engagement levels naturally soar. This leads to more meaningful learning outcomes and a greater retention of critical skills. Enhancing learning outcomes: A more realistic and engaging environment naturally fosters better decision-making skills, improved teamwork, and a deeper understanding of crisis management principles. These enhancements will provide an even more powerful and immersive experience for both facilitators and participants. We're confident that these changes will lead to even more impactful learning and a greater readiness to tackle the cyber challenges of tomorrow. Share your thoughts We can't wait for you to experience the difference, and we’d love to hear your thoughts on the changes. Log in to your Immersive platform and explore the enhanced Crisis Sim Presentation Mode today!Begin Again: How to Plan for Your Next Crisis Sim Exercise
Welcome back to the third installment in our series for managers using Crisis Sim. If you missed the first two episodes, check them out here: Crisis Sim Complete: Now What? Between Two Sims: What to Focus on Between Exercises The threat landscape is ever evolving and shows no sign of slowing down. Focus on cyber resilience is more important than ever. Everyone must continue to upskill and improve their incident response strategy so businesses can function as usual. In this guide, we’ll help you understand how you can effectively prove and improve your organizational cyber resilience in a crisis. Not sure where to begin? Here’s your guide to planning and preparation You've analyzed the data, bridged the gaps in your processes between exercises, and started building a culture of cyber resilience. Now, it's time to gear up for your next simulation! Remember, each exercise is a fresh opportunity to refine your team's skills, highlight existing strengths and weaknesses, and problem-solve together – all while strengthening your organization's cyber resilience. Let's dive into how to plan your next Crisis Sim for maximum impact. Next steps for managers Goals and objectives Every successful Crisis Sim starts with a clear destination. Before you jump in, take a moment to align your exercise objectives with your organization's priorities. Ask yourself: What specific skills do you want to test? Are there already any areas of concern? In a crisis, what are the most important considerations? For example, if your last exercise revealed communication gaps during a ransomware attack, your next objective might be to improve interdepartmental communication protocols within a defined timeframe. Tip: Incorporate next steps, action items, and the ownership of those items in your debriefs! This way, all parties walk away understanding what must be done to address immediate needs. Ahead of a crisis, you should consider areas that have a critical impact on your organization. Factors could include: Reputational impact: Damaged public and stakeholder trust, eroded image, social media amplification, and strained business relationships. Financial impact: Stock price drops, revenue losses, increased costs incurred, including legal fees, potential fines, and recovery efforts. Operational impact: Disrupted operations, production delays, supply chain issues, service interruptions, and the potential for both physical and digital infrastructure damage. Physical safety impact: Cyber incidents can lead to safety system failures, utility disruptions, security breaches, and equipment sabotage – posing serious risks to employees and the public. Legal and regulatory impact: Cyber incidents can trigger lawsuits, regulatory or criminal investigations, and significant fines – especially for safety or ethical violations. Did you know? IBM’s 2024 Cost of a Data Breach Report found that the global average cost of a data breach has surged to USD 4.88 million. Scenario selection and target audience Choose scenarios that reflect the real-world threats your organization faces. Consider the level of difficulty, technical skill, and complexity, and select participants from diverse departments to ensure a comprehensive evaluation. Even though you may eat, sleep, and breathe cybersecurity, others may be less familiar – cater to your audience! Customize exercises from our Scenario Catalog to make them relevant and impactful for your organization. The goal is to realistically test your team’s readiness while reinforcing best practices, processes, and decision making. Consider including participants who aren’t usually involved in cyber incident response to break down silos and boost collaboration. If they’re unclear on how to report an issue, it could delay notification and hinder activation of your response plan. Effective injects and options Design injects that challenge decision making and reflect real-world scenarios. Use branching paths and feedback to boost engagement and learning. Leverage all Crisis Sim features – like Option Ranking, and Inject Confidence – to gather valuable data. This not only highlights knowledge gaps and overall risk, but also directly supports your After Action Report, helping you capture the insights, graphs, and charts managers often look for post-exercise. Tip: Use injects that require participants to consider multiple factors and make tough choices under pressure. This will help them develop critical thinking skills. Preparation and facilitation for a successful exercise Preparation is essential for a successful simulation. Set clear expectations, share resources and training materials, and ensure technical, timing, and contingency logistics are in place. Involve stakeholders and leadership early to gain support and align the exercise with organizational goals – they can provide critical input on objectives, attack vectors, and realism. A well-prepared team is a confident team. Make sure everyone knows what to expect and has the tools they need to succeed. Facilitation During the exercise, focus on managing the flow and timing, encouraging active participation, and paying attention to your team's conversations. We recommend having an internal notetaker who can focus on the conversations so that key insights and takeaways don’t get lost or overlooked. Remember, your role is to guide the learning process and ensure everyone gets the most out of the experience – the discussion and collaboration of your teams is a key benefit! Keep the atmosphere positive and supportive, even when things get challenging. Not all options in a crisis are good options, so encourage your team to take risks, make mistakes, and play out what their gut instincts tell them. Reinforce the idea that this isn’t a test, but an opportunity for individuals, teams, and the organization as a whole to take stock of what improvements can be made. It’s a learning experience for participants and facilitators, not a pass/fail exercise. There’s a reason why athletes practice! It’s better to make mistakes when the game isn’t on the line, and the same goes for incidents! It’s better to be wrong and learn from the exercise than to see these gaps in knowledge and processes play out during a real incident. Feedback and considerations Depending on your exercise objectives, follow up with stakeholders and participants to gather feedback and key takeaways. This can be done through a group hotwash, an anonymous survey, or scheduled feedback sessions after the team has had time to reflect. Tip: Encourage additional feedback after a brief cooling-off period to capture both immediate reactions and more thoughtful insights once the team has had time to reflect on the exercise. Planning your next Crisis Sim exercise is an opportunity to build on your team's strengths and address any remaining vulnerabilities. Set clear objectives, select the right scenarios and participants, design effective injects, and prepare thoroughly to facilitate a smooth exercise. By doing this, you can maximize the impact of your simulations and strengthen your organization's cyber resilience. You know your organization and teams better than anyone, so it’s ultimately up to you how you want to proceed! To ensure your next exercise is a success in proving and improving upon your cyber resilience, we encourage you to prioritize these items: Define and communicate the objectives to all participants, whether it's testing a new process, improving communication and handoffs, or enhancing crisis preparedness. Develop realistic scenarios by incorporating real-world, industry-specific events to create relevant and challenging experiences. Prepare logistics, including technical setups, briefing documents, and technology like video conferencing tools or software. Tip: For presentation exercises, remember to send out calendar holds and account for virtual or in-person meeting logistics! Share your thoughts If you’ve recently started planning your next Crisis Sim exercise, what changes did you make from the previous exercise? What recommendations do you have for others who are beginning their Crisis Sim journey? Join the discussion below!
