# Lessons from Cyber Storm V

By [Rick Howard](https://www.paloaltonetworks.com/blog/author/rick/?ts=markdown "Posts by Rick Howard")

Mar 23, 2016

Two weeks ago, the U.S. Department of Homeland Security (DHS) conducted a national-level exercise, Cyber Storm V, designed to test the nation's Emergency Preparedness procedures. Palo Alto Networks participated by providing cybersecurity expertise during the planning process and, as players, by using the exercise to test our own internal cyber incident crisis management plan.
The players, located across the United States and around the world, cut across multiple sectors, spanned numerous industries, and provided real-time input in order to test our ability to combat cybersecurity threats. The game's diabolical scenario tested the participants and forced all the game players into a Sophie's Choice: picking the better of two really bad choices. The exercise scenario highlighted a compelling case for taking proactive preventative measures as a necessary precursor to detection and remediation.

### The Creation of Cyber Storm

[Cyber Storm](https://www.dhs.gov/cyber-storm-i) is DHS's name for a nationwide cybersecurity exercise that assesses response capabilities during a nationally significant cyber incident. DHS [conducted the first exercise in 2006](https://www.dhs.gov/cyber-storm-i) and has conducted similar exercises every two years since.

Last week, DHS completed Cyber Storm V. Palo Alto Networks participated by providing cybersecurity expertise during the exercise planning process, and by actively participating in the game play as a representative organization, in this case a cybersecurity vendor, whose leadership had to react to the escalating cyber events occurring during the exercise.

At the end of the exercise, we briefed the Palo Alto Networks executive staff -- the CEO, CFO, Chief Legal Counsel, along with the heads of Product Management, Engineering, Corporate Communications, and others -- about the exercise and posed to them the many decisions they would have to make if the exercise events were a real situation. In other words, Palo Alto Networks used Cyber Storm V as a way to exercise our internal response procedures to a crisis situation.

### Cyber Storm V Takeaways

The Department of Homeland Security conducted an exercise "hotwash" at the conclusion of the exercise and will conduct a more detailed After Action Review (AAR) after soliciting input from all the participants over the course of the coming weeks and months.
We expect DHS to publish the results of that review sometime following the completion of this formal process.

I am not at liberty to discuss the specific scenario that DHS unleashed upon the game players until after they publish their report, but let me just say that it was diabolical. They designed the ever-escalating events to put the entire nation into a Sophie's Choice in which government and commercial leaders had to choose between two bad options, both of which could result in a significant material impact to the commercial and government entities involved in the incident, and might even cause affected entities to cease to function. Like I said: diabolical.

It occurred to me while Palo Alto Networks was playing the game, however, that a substantial portion of the impact from this diabolical cyber incident progression can be avoided with prevention measures applied strategically in the initial phases of the attack cycle, rather than solely relying upon the notion of detection and response (although I'm not making light of the fact that many exercise objectives in Cyber Storm V were clearly designed to test the ability of the public and private sectors to coordinate detection and response, which is certainly important). In the exercise, by the time the network defender community detected the seriousness of the event progression, it was already too late, and they were all forced into the aforementioned Sophie's Choice.

This raises a key point and an important takeaway from the exercise: prevention is a precursor to detection and remediation. By putting strong prevention components in place, the diabolical scenario would never have escalated as far as it did. Throughout the exercise, we observed that delivering new preventative controls to the impacted parties would significantly reduce the impact of the attacks, mitigating a significant portion of the damage.
Bottom line: while detection and remediation must be practiced, they must be a supplement to strong, swift prevention measures.

Threat prevention, threat detection, and threat eradication accomplish key and indispensable network defender activities. Individually, each is important but by itself not sufficient to prevent high-risk material impact to the organization. They are inextricably linked: atomic and irreducible. They are the network defender's trinity, and the network defender must be proficient at all three.

Trinity programs will not stop all adversary groups immediately. What they will do -- when installed properly -- is provide a framework to block every threat that is known, allow network defenders to discover new threats as they emerge, and provide a mechanism to mitigate any newly discovered adversary campaign activity within their organization.

### It All Boils Down to the Network Defender Trinity Program

The Cyber Storm V exercise provided a good scenario to exercise both the nation, as DHS matures its Emergency Preparedness plan, and the executives of Palo Alto Networks, as we continue to hone our own internal crisis planning procedures. We believe that in order to combat these types of threats, our nation's network defenders must put the trinity program in place, specifically threat prevention. If we implement aggressive preventative measures as part of a fully formed Network Defender Trinity Program, it will transform these types of diabolical scenarios into just another routine day.