The COVID-19 pandemic has shifted the way we work, and a large variety of teams have either gone virtual or hybrid, working remotely in some capacity, including IT and security teams. In a pandemic or other crisis, security teams that wish to stay sharp and continue to work on their incident response capabilities should consider opting for a virtual cyber range that can offer better resilience and ease of setup without sacrificing training efficacy.
So, how can an enterprise build an effective cyber range? Here’s what we have learned and what you can do to build your own, on the cheap. A quick caveat — the majority of organizations coming to us are asking for some on-premise capabilities as they value the in-person experience, but all want to be able to run cyber ranges virtually in case of unforeseen circumstances like pandemics, wildfires or floods.
What’s the Right Range for Your Organization?
First, you should ask the following question: What is the right fit for our organization? As with many other security investments, there are different answers for different types of organizations. Let’s run through a couple of examples.
Universities typically want generic training to introduce students to the world of cybersecurity. But while that might seem rather basic, some schools are inclined to delve deeper, performing specific research, such as behavioral research, to look into ways to enhance their user experience. To that end, they build more intuitive interactions with incident response or attack forensics.
Government entities generally want training for reskilling, cross-skilling and building inter-agency or intra-agency response capabilities across broad teams.
Governments also often use cyber ranges to train contractors or to bring people up to speed to advanced levels from scratch, training prospective cyber warfighters. Usually, government training is more technical and focused on espionage or national security risks such as attacks against infrastructure, utilities, government decision-making bodies or key government leaders.
A key part of government training, which is a great tool for other sectors as well, is vendor validation. Cyber ranges can be a useful method of test-driving a cybersecurity product and working directly with the vendor on exercises. Enterprise interests are similar to government interests but focus more intently on protecting business assets and mitigating business risks, such as loss of financial data or personally identifiable information.
Variations on Virtual Cyber Range Design
For all types of cyber ranges, you will need a number of common key attributes. At a minimum, cyber ranges require:
- A dedicated network and namespace that is not attached to either the internet or to other parts of the organization’s network, which will be used for conducting exercises.
- A sufficient representation of the desired stack of defended IT assets and infrastructure. This is easier to do today thanks to cloud infrastructure, software-defined networks, containers, etc.
- A replica of the security team’s command-and-control environment, including the same software tools, UX and other things the team uses in the real-world setup.
This core setup allows for some flexibility and configurability:
- For government entities, the same virtual cyber range might be used by different agencies that work on dissimilar asset stacks and IT environments.
- For basic training of beginning cybersecurity students, the environment can be generic and focused on defending against widely known and understood attacks.
- For vendor validation, the stack needs to be easy to modify so as to test out new products and perform side-by-side comparisons.
For universities or cost-prohibited projects looking for more generic training, deploying a suite of open-source and free tools and platforms is usually the best course of action. Students typically learn concepts, so products matter less. Instructors are teaching the baseline skills required for security operations center analysis, such as reverse engineering malware or performing basic threat analysis from freely available feeds. Because Linux and other pieces of common open-source software are freely available and easy to modify, they can also be designed to be hacked and probed for practice.
For governments and commercial enterprises, the list grows more specific. These types of organizations are likely using one or two types of SIEM platforms as well as one or two types of firewalls and load balancers. There may be a wider variety of endpoint management and other lower-end security controls in play, but putting too much diversity into a cyber range can needlessly complicate exercises. That said, for the most advanced exercises, you’d want an exact replica of your environment to create the highest-fidelity experience.
Broadly speaking, if an organization knows that it wants to train someone on a specific platform or security tool, it should seek free training licenses from vendors. Most vendors offer them and are also happy to provide hands-on technical support during exercises.
Aside from licenses, if you are building a dedicated virtual cyber range you will need dedicated expert staff to manage the range. This can be an IT person but one with a security background. The staff operating the range on an ongoing basis will need to ‘blow away’ the used machines after exercises and restore them to their pre-exercise state. Any time someone from outside of your organization touches the range, the system will later need to be scrubbed to ensure security.
For the X-Force team, we have built out an automation toolchain using Ansible, not unlike what you might find in workflow automation tools for system administrators or continuous integration/continuous delivery pipelines. We can use it to blow away an entire virtual cyber range, including the content and coursework, security controls in place, networks and virtual assets or endpoints. This is an important consideration because at present there is no single dedicated piece of software that is purpose-built for managing cyber ranges.
Tuning Up, Adding Content and Going Live
Once you have drawn out in detail what will be needed for your virtual range and have assembled it, it’s time to get the range ready for action. First, you should run a few shakedown exercises with your IT and security team to ensure that everything is working as planned and to spot obvious issues around user experience, network connectivity and tooling. This also includes blowing away and restoring the range several times to make sure that functionality is working well before you start scheduling live training sessions.
Equally important is the readiness of your content and curriculum. To guide your content selections, consider the most important risks and attack scenarios facing your organization or the purpose for which you’ve built the range. Universities may want to set up for classic cybersecurity problems and attacks, while government and enterprise will need to program more contextually relevant content. If possible, you should add a dynamic content engine that can easily supply new scenarios and up-to-date tactics, techniques and procedures (TTPs) and threats. Adding this capability will both make exercises more relevant and allow you to do a better job of chaos security engineering.
At the IBM Security cyber range, we use the SafeBreach platform for our dynamic content creation and programming. SafeBreach has a team of researchers that constantly add new content to the platform, drawing on the latest common vulnerabilities and exposures (CVEs), often a mere few days after they are reported.
This dynamic content is used in the SafeBreach platform for risk-based vulnerability management of the production environment, but we also use SafeBreach to generate customer-, industry- and situation-specific content to populate our cyber ranges. For this, we create a generic ‘playground’ that we can easily add content to and then decide on the precise attack playbooks even on the day of the exercise. This allows our customers to pick from over 20,000 playbooks from SafeBreach’s Hacker’s Playbook of TTPs and attacks.
Dynamic content also helps create progressive curricula that are essential in building on previous lessons and continually introducing new skills. To guide this process, we help each customer create a learning plan with distinct progressions and goals. The goal-driven theme works best if there are metrics associated with each level and session, and benchmarks are set. Metrics might be time-to-identification of breach, percentage of indicators of compromise mitigated and points-based systems for protecting the organization’s most critical assets. Part of why SafeBreach works so well is because it enables ‘before and after’ testing of mitigation measures taken on the range environment so that teams can validate their progress and see the tangible impact of their actions.
For broader crisis response exercises, where business and operations teams are brought in to focus on software skills, such as customer support response, social media management and public relations control, ratings may be more subjective. We encourage our trainers to set up rough metrics for these exercises for softer skillsets to encourage a similar level of intensity and aim toward improvement. A well-trained instructor will help a group understand when and how they went off the rails and how to improve.
Above all, the best cyber ranges instill enthusiasm and joy in learning; the exercises should be challenging but fun, like an excellent video game or escape room. We believe that in the future every organization above a certain size will have a cyber range. The virtual versions will be cost effective, easy to use and ubiquitous. For now, building a cyber range — either physical or virtual — requires a bit of work. So, you should consider whether you want to build or buy to save time and leverage the experience of security experts that have spent decades on the range.
To learn more about building effective preparation and incident response capabilities with a cyber range, check out this site.