September 8, 2020 - Posted by Guzman Gonzalez Jesus Alexander Cybersecurity

Learn to Select the Right Cyber Range For You!

With the growth of internet connectivity and cloud services usage, the world has become a virtual village. Your company’s data is just a hack away. Cybercriminals are becoming more and more adept at navigating security systems and breaching them. That is why cybersecurity is so critical today. Cybersecurity pertains to protecting data from theft and damage by criminals and enemies. You may be interested in protecting:

  • Personally identifiable information (PII)
  • Sensitive data
  • Protected Health Information (PHI)
  • Intellectual Property
  • Industrial and government information systems etc.

You may have been content with installing a firewall in the past, but now it really isn’t sufficient. You need a highly trained Security Operations Centre (SOC). A SOC comprises a team that monitors and analyses the company’s security position on an ongoing basis. Typically, the group consists of engineers, security analysts, and managers to supervise security operations. Your SOC will work closely with your incident response team. Together they will quickly manage security breaches upon discovery of unusual activity.

Incident response is handled by an organization’s Computer Incident Response team. They come up with an incident response plan. This plan explains what constitutes an incident and provides a sequence of steps to be followed in its mitigation. The goal is to manage the incident effectively, assign roles in the mitigation process, limit damage, and minimize recovery time, collateral damage, and recovery costs.

How does all this relate to a cyber range? You do not want your SOC team and incident responders to experience an incident for the first time during an actual breach. A little training goes a long way. You want them to respond to attacks quickly and to manage them effectively. A cyber range provides a realistic virtual environment where your SOC team can train. Here they can respond to realistic simulated cyber-attacks and consequently improve their performance.

In the past, cyber ranges were used by commercial organizations and the military to test vulnerabilities in their systems. While prevention is essential, the growth rate of cyberspace means that there may be new developments by hackers that your system was not prepared for. This means that besides prevention, you need a highly trained team that can go on defence during an actual attack.

The who and why of cyber ranges

The first place to begin when it comes to cyber ranges is understanding who needs a cyber range and why cyber ranges are necessary.

What is the purpose of a cyber range?

  1. It provides real-time performance-based learning and assessment.
  2. It gives real-time feedback on the capabilities of your team and the strength of your security networks.
  3. It provides a simulated environment in which teams can work together to improve their abilities and teamwork in solving cyber problems.
  4. It gives on-the-job experience.
  5. It provides a suitable environment where new ideas can be tested.

Who needs a cyber range?

  1. Educators – These are people who wish to compile and implement basic and advanced cybersecurity education. They need cyber ranges to create a curriculum and come up with courses.
  2. Individuals seeking continuing education and training in security operations. They can be security operators in a SOC team, security analysts or even forensic analysts.
  3. Organizations seeking on-site services. They use cyber ranges to test new products, test new software and their organizational vulnerabilities, and train their staff.
  4. Organizations that want to validate the skills of potential staff before hiring them.
  5. Individuals seeking validation of their abilities for certification purposes, practice, or to prove their capabilities to a prospective employer.
  6. Organizations seeking to train their SOC and incident response teams on teamwork in response to a breach in a simulated environment

This is not an exhaustive list of who needs a cyber range and why. But it paints a picture of some of the objectives of those who purchase and utilize cyber ranges.

Generally, the right cyber range for you will allow you to:

  1. Evaluate processes and procedures
    This means that the range will allow you to examine how altering a procedure or a process in a customer network affects your security standing. You will be able to assess your security procedures and level of preparedness objectively.
  2. Simplify analyst training
    The first goal is to provide training for new employees and allow continued education for existing staff to sharpen their skills. The second goal is to create an in-house certification process that tracks the progress of analysts. Finally, you want to provide a training environment that motivates your analysts to grow continuously.
  3. Provide an operative testbed
    By using a cyber range, your SOC team will be able to evaluate your existing architecture for vulnerabilities. They will also be able to test out new products in a controlled environment.

The types of cyber ranges

There are various types of cyber ranges available. Each type varies depending on its features, which shall be elaborated on later in this guide. The kind you pick must match the associated use case of the individual or organization. The differences between the types may seem insignificant, but they align with a particular use case or objective. Generally, there are four types of cyber ranges. They shall be discussed below:

Emulation ranges

Emulation involves running the range on dedicated network infrastructure. First, you map the network, servers, and storage infrastructure as it is onto physical infrastructure. You then use this physical infrastructure as the cyber range. Emulation sometimes involves activities like generating traffic as would the actual network; it provides an authentic experience. This is as opposed to a range that requires responding to preprogrammed actions.

Simulation ranges

Unlike an emulated range, a simulated range is a synthetic network environment. This simulated environment is based on the behaviour of the actual situation and the network components. Simulations run in virtual instances on virtual machines that copy and emulate the specific network, servers, and storage of the client’s particular IT infrastructure.

Generally, the virtual machine templates are standardized, and therefore, there are limits to how closely they can simulate the client’s IT infrastructure. The closer the match of the simulated range to the client’s IT infrastructure, the more accurate the exercise is. The opposite is also true. A strong orchestration layer will determine how reliable the range is. Simulated ranges are easier to configure than emulated ranges.

Overlay ranges

These ranges lie on top of the actual storage, servers, and network. Generally, they are set up as global testbeds. Overlay ranges are more accurate than simulated ranges, but they run the risk of compromising the underlying network infrastructure.

Hybrid ranges

As the name suggests, hybrid ranges are a customized combination of any of the ranges mentioned above.

The features of a cyber range

While you could get theoretical education on cybersecurity, the conventional education and training models just aren’t enough. There is a gap in cybersecurity training that only real-life simulated training can fill. Just like you wouldn’t trust a doctor who attended medical school virtually, you shouldn’t trust a cybersecurity student without actual field practice. A cyber range saves the student time as they can get experience in handling actual breaches in a short period.

A cybersecurity student that trains on a range will gain confidence that they can handle breaches. An organization will be able to predict the success of its workforce in the event of an attack. This section explains the features of cyber ranges that allow these groups to feel confident in their capabilities. There are five essential features. They are:

The technical components

Many components work together to make up a cyber range. The crucial technological elements are:

Range Learning Management System (RLMS)

An RLMS is a learning management system for cyber ranges. So what is a learning management system? An LMS is like a depository where you store and track information. LMS software will establish and track online training initiatives. The function of an LMS varies depending on the needs of the organization. It depends on the organization’s objectives, training strategy, and their desired outcomes.

There are two principal parties in any LMS, including the RLMS. There is a training team. They import information into the system, update the content, and organize it in the way the learners will learn optimally. The second party is the learners who use the system to undergo training.

Orchestration layer

The orchestration layer pulls together all the technological components of the cyber range. Cyber range developers have the option of choosing an in-house orchestration layer or a commercial one. It facilitates the interlocking of the LMS with the other layers. It also enables dynamic cyber-range flexibility that supports private clouds, public clouds, and dedicated hard-wire infrastructure.

Underlying infrastructure

All cyber ranges lie on top of a framework of storage, servers, and network. There are two alternatives when it comes to the underlying infrastructure. A cyber range can be constructed on top of physical infrastructure in a rack such as firewalls, routers, switches, and endpoints. This option tends to be very expensive and makes it difficult to scale the range.

A range can also be built on top of software-defined virtual infrastructure. This option makes the range more scalable, cheaper, and more flexible. For this reason, many cyber ranges are shifting to the latter option.

The type of infrastructure directly affects how realistic and accurate a range is. Furthermore, you determine which infrastructure to use based on the software and hardware of the client. Some clients use legacy (old) software and hardware, and therefore the range must be able to support and meet their use cases.

Some common use cases for security analytics include:

  • Threat hunting and identifying threat indicators
  • Detect insider threats or malicious activity
  • Analyze network traffic and identify activity patterns that indicate a potential attack
  • Detect data exfiltration and determine which accounts were compromised
  • Handle third-party and fourth-party vendor risks

Virtualization layer

The virtualization layer allows the hardware components of a single computer such as memory, processors, and storage to be divided into multiple virtual computers. These virtual computers are called virtual machines, and they behave like an independent computer while running only on a portion of the actual computer’s hardware. Virtualization is the basis of cloud computing. Through virtualization, a cyber range can shrink its physical footprint.

There are two main approaches to virtualization: hypervisor-based architecture and host-guest architecture. The use of virtualization means that less hardware is needed, and consequently, the management of available hardware is easier. This makes cyber ranges economically viable. The downside is that all virtual machines running on a server fail if the server fails. The virtualization layer acts as a firewall between the underlying infrastructure and the target infrastructure.

Target infrastructure

This is the simulated environment where students train. Some use cases require that the target infrastructure match the student’s real-world security and IT infrastructure. Some cyber ranges have profiles of commercially available applications, servers, storage, endpoints, and firewalls. Using this information, the RLMS will create scripts that will direct the orchestration layer to generate the target infrastructure.

In this case, the generated target environment may contain the client’s specific configuration, such as their routing information, IP address ranges, endpoint software, and server attacks. This makes the training very realistic. This option is only possible for highly advanced cyber ranges.
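The following is an added sketch, not code from the original article or from any range product, of how a profile could be turned into an ordered build plan for an orchestration layer. The profile format, field names, step names and the `UNDERLYING` address space are assumptions; the validation step rejects target subnets that collide with the underlying infrastructure or with each other before anything is built.

```python
import ipaddress

# Constructed sample profile; every name and address is an illustrative assumption.
PROFILE = {
    "name": "branch-office",
    "networks": [
        {"id": "dmz", "cidr": "10.50.1.0/24"},
        {"id": "corp", "cidr": "10.50.2.0/24"},
    ],
    "hosts": [
        {"id": "fw1", "template": "firewall", "nets": ["dmz", "corp"]},
        {"id": "web1", "template": "linux-web", "nets": ["dmz"]},
        {"id": "ws1", "template": "win-endpoint", "nets": ["corp"]},
    ],
}

# Hypothetical address space used by the underlying (management) infrastructure.
UNDERLYING = ["192.168.0.0/16"]


def validate_networks(profile, underlying):
    """Return a list of problems; an empty list means the profile is safe to build."""
    problems = []
    reserved = [ipaddress.ip_network(c) for c in underlying]
    seen = []
    for net in profile["networks"]:
        cidr = ipaddress.ip_network(net["cidr"])
        for r in reserved:
            if cidr.overlaps(r):
                problems.append(f"{net['id']} overlaps underlying network {r}")
        for other_id, other in seen:
            if cidr.overlaps(other):
                problems.append(f"{net['id']} overlaps {other_id}")
        seen.append((net["id"], cidr))
    known = {n["id"] for n in profile["networks"]}
    for host in profile["hosts"]:
        for ref in host["nets"]:
            if ref not in known:
                problems.append(f"{host['id']} references unknown network {ref}")
    return problems


def build_plan(profile, underlying):
    """Produce ordered steps: networks first, then hosts with assigned addresses."""
    problems = validate_networks(profile, underlying)
    if problems:
        raise ValueError("; ".join(problems))
    steps, pools = [], {}
    for net in profile["networks"]:
        cidr = ipaddress.ip_network(net["cidr"])
        pools[net["id"]] = iter(cidr.hosts())  # usable addresses, in order
        steps.append(("create_network", net["id"], str(cidr)))
    for host in profile["hosts"]:
        addrs = {n: str(next(pools[n])) for n in host["nets"]}
        steps.append(("create_vm", host["id"], host["template"], addrs))
    return steps


if __name__ == "__main__":
    for step in build_plan(PROFILE, UNDERLYING):
        print(step)
```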

Realism and accuracy

To develop predictive learning and operational outcomes, the cyber range needs to represent the real world accurately. While emulating a breach results in a more accurate environment, simulation is more realistic. The goal for individuals and organizations is to find a balance between practicality, cost, and reality. The first aim of the training is for the students to master the relevant skills. Applying this skill in a realistic environment comes second.

Accessibility and usability

This feature deals with how users access the activities of the range. It can be divided into two main categories, sophistication and location.

Location

The cyber range platform can either be cloud-based or in a particular location. It is crucial for the range owners, users, and learners to understand the circumstances under which their range can be accessed. They need to determine how the software can be affected by bandwidth. For cloud-based cyber ranges, the owners need to determine the minimum hardware and software requirements for their clients. Generally, online cyber range software may either need dedicated software to be installed on a computer or allow access through a web browser.

Sophistication

For the software to be accessible to the users, the range owners must determine the users’ sophistication levels. They must know how much effort is needed to install, use, and implement the software. Furthermore, trainers, faculty members, and operators must understand the critical components of the training curriculum and the available tools. This will help them decide the best range that fits their needs.

Scalability and elasticity

Scalability implies the range’s ability to support the target population of users that will need the system. On the other hand, elasticity refers to how much time is required to increase the capabilities of the system to handle a larger capacity of users. An ideal range should be able to handle the potential client’s entire population. It should also be able to increase its capabilities on request as fast as possible.

Ranges that depend on local hardware may be limited in their ability to scale because their local equipment has limited capacity. They would not be able to scale their capabilities once their resources are depleted and are, therefore, inelastic. Cloud-based ranges, on the other hand, tend to be very elastic. Upon request, they can leverage additional systems from their cloud provider.

Besides the computer’s hardware capabilities, the range should also have sufficient server-side bandwidth. Low bandwidth means fewer users will have access during peak periods. A cyber range with limited scalability and elasticity capabilities sometimes requests trainers and users to reserve timeslots for training. Alternatively, they may simply deny access until sufficient resources are free.

Curriculum and learning outcomes

The stakeholders’ objectives and the use cases determine the cyber range curricula and learning outcomes. Generally, two broad categories represent the majority of curricula.

  1. Pre-packaged curriculum – This syllabus incorporates low or medium accuracy content, gamification, and testing. There is a standardized path from the beginning to the end of the training.
  2. An ad hoc curriculum – This syllabus differs for each client and is highly customizable. The associated experimentation environment is highly accurate, persistent, and integrated.

Whatever curriculum you choose should align with the leading industry standards and frameworks.

Whatever training platform you use should be able to train all your staff regardless of their role or skill level. This means that it should provide sufficient content and necessary features. The curriculum should have both offensive and defensive training techniques and be scalable to meet the needs of a team of any size. Here are some fundamental training models:

  1. Blue team – This involves training your SOC and incident response team to prevent, detect, and respond to a cyber incident. This training allows your team to be able to respond appropriately to a real breach when it happens.
  2. Red team – This training is vital for penetration testers, security architects, and your SOC team. Penetration testers are ethical hackers whose role is to detect security weaknesses in networks, web applications, and information systems. Security architects then use this information to make improvements to the security systems. Pen testers give your SOC and IT teams the tools they need to think like hackers.
  3. Individual – A high-quality cyber range should be scalable and customizable enough to cater both to teams and individuals. An individual may seek training from a cyber range to work on any weaknesses they have identified. They can also use it to create a customized road map of the skills they intend to acquire.
  4. Capture the flag competitions – Research in the education industry has shown that gamification makes learning fun and exciting and helps students maintain their interest in a program. Besides providing an opportunity for pen testers to find vulnerabilities in your system, capture the flag competitions also help in marketing and promoting an educator’s range. Every year, some conferences and hackathons run such competitions.

Some crucial cyber range capabilities and functionalities

Orchestration

As was mentioned above, orchestration involves automating the configuration, coordination, and management of the software and computer systems. It is the technology that is responsible for creating automatic workflows and self-provisioning. It also automates tasks between the cyber range components or cyber range interfaced systems and the virtual infrastructure.

An end-user of a cyber range can use orchestration as an assessment feature of a range. However, if an orchestrator is used, it could affect the support for various use cases, the cost, and the usability of a range. Generally, if a scenario requires hundreds to thousands of machines, the range will automatically require an orchestrator.

Attack simulation

This is the ability of a range to simulate an attack. Also known as attack and breach simulation, this simulation focuses on testing the security posture of businesses. An attack simulation allows the company to examine the different types of breaches at different phases and assess how the SOC can deal with them, as well as letting them know how they can secure their organization. When picking a range for this kind of simulation, check whether it has an attack library containing information on pre-defined attacks, and whether the range can create or import custom attacks.

Internet services simulation

Modern attackers use global services and infrastructure, such as social media platforms, to avoid detection. The simulation of internet services describes the simulation of those services outside the primary simulated environment. This main simulated environment typically depends on these outside services for the realization of specific use cases. The process of internet service simulation adds realism to the simulation by the range. This process isn’t performed often because it is complicated.

User activity simulation

This is the process of simulating the presence and actions of benign users in the range environment. By simulating user activity, you make the simulated environment more realistic. You may simulate both internal and external users. For more realism, the simulated users can follow the business processes as real users would.

Scenarios and content development

For a range to be useful, it has to be able to deliver a range of scenarios. Many ranges today have scenario composition tools that can simulate the business environment and full-blown attack, among other situations.

Data collection and analysis

Data collection refers to how well the range can capture the user’s interaction with it. It can either collect data from the user activities, data provided by the users as output, or both. How much data is collected depends on how the system has been created. This data can be used to provide valuable feedback to the range users.

Competency management

Competence is a set of attributes necessary to perform a specific task successfully. Examples of these attributes include knowledge, skills, and abilities. By using Competency Management Systems (CMS), an organization can manage a competence program. A competence program is used to analyze skill gaps in your organization, profile employees, and even define their learning paths. Furthermore, a CMS can include an LMS for the administration. In this case, it will document, track, report, and deliver learning and assessment content. Reporting can also cover the assessment of things like which tools were used and what actions the users took, especially in the context of a specific cyber exercise.

Scoring and reporting

This is the capability of a range to score the activities and interactions of the users with the system. Scoring and reporting can be either for the users, the system, or both. For users, it can track the progress of individuals and teams. For systems, it can check factors such as service availability and system integrity. Reports available can be standard reports for groups or individual users and custom reports that allow the organization to see how resilient it is becoming over time.
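As an added illustration of the scoring described above (not taken from the original article or any range product), the sketch below combines per-round service availability checks with a file integrity comparison against a baseline to produce a per-team report. The point values, team names, services, file paths and all sample data are constructed assumptions.

```python
import hashlib
from collections import defaultdict

UP_POINTS = 10          # assumed points per service found up in a round
INTEGRITY_PENALTY = 25  # assumed penalty per file that differs from the baseline


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs.
BASELINE = {
    "/var/www/index.html": digest(b"<h1>Welcome</h1>"),
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\n"),
}
CHECKS = [  # (round, team, service, up)
    (1, "blue1", "http", True), (1, "blue1", "ssh", True),
    (2, "blue1", "http", False), (2, "blue1", "ssh", True),
    (1, "blue2", "http", True), (1, "blue2", "ssh", False),
    (2, "blue2", "http", True), (2, "blue2", "ssh", True),
]
SNAPSHOTS = {  # team -> file contents collected at the end of the exercise
    "blue1": {"/var/www/index.html": b"<h1>Welcome</h1>",
              "/etc/ssh/sshd_config": b"PermitRootLogin no\n"},
    "blue2": {"/var/www/index.html": b"<h1>defaced</h1>",
              "/etc/ssh/sshd_config": b"PermitRootLogin no\n"},
}


def integrity_violations(snapshot, baseline):
    """Paths that are missing or whose SHA-256 differs from the baseline."""
    bad = []
    for path, expected in baseline.items():
        data = snapshot.get(path)
        if data is None or digest(data) != expected:
            bad.append(path)
    return sorted(bad)


def score(checks, snapshots, baseline):
    """Build a per-team report: availability, integrity, per-round trend, total."""
    per_round = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(lambda: [0, 0])  # team -> [checks up, checks run]
    for rnd, team, _service, up in checks:
        totals[team][1] += 1
        per_round[team][rnd] += UP_POINTS if up else 0
        if up:
            totals[team][0] += 1
    report = {}
    for team, (up, total) in totals.items():
        bad = integrity_violations(snapshots.get(team, {}), baseline)
        report[team] = {
            "availability_pct": round(100 * up / total, 1),
            "integrity_violations": bad,
            "trend": [per_round[team][r] for r in sorted(per_round[team])],
            "total": up * UP_POINTS - len(bad) * INTEGRITY_PENALTY,
        }
    return report


if __name__ == "__main__":
    for team, row in sorted(score(CHECKS, SNAPSHOTS, BASELINE).items()):
        print(team, row)
```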

Instructor tools

These are the facilities that an instructor may need in the training process. Generally, they should allow the instructor to assess the actions of the users. Using this data, the trainer can provide crucial feedback and determine how close they are to meeting the set objectives. Sample facilities include:

  • The ability to evaluate students.
  • The ability to review and record users’ actions.
  • The ability to show students sample answers.
  • Communication facilities etc.

Five principles for selecting a cyber range

Understand the return on investment (ROI)

How much are you willing to invest in procuring the services of a cyber range? What skills do you or your employees expect to gain from this endeavor? How long will these skills be useful to you before you or your employees need updated training? You need to be sure that you will get value for your money.

Not all cyber ranges are created equal

Evaluate the substantive value and quality differences between range providers before settling on one. If it is possible, try before you buy. Or test the usability on a small scale like with one or two employees before procuring the services for your entire SOC team.

Have a plan

Before you pay for the services, assess your team. Identify the gaps that need to be filled in your own or your employees’ expertise and skills base. By coming up with a skills inventory, you will be able to compare the skills needed against a particular range provider. A skills inventory may help you discover talents you didn’t account for, hence preventing duplicate training.

Assess performance

If possible, ask the range providers for proof of their performance. Consult people who have trained with them before and look at their testimonials. A good record of past performance puts your mind at ease that they will be able to replicate this performance with you.

Understand the type of training being offered

Are they using an ad-hoc curriculum or a pre-packaged curriculum? What topics will be covered in training? What tools do they have to carry out the training? What are the training modules available?

These principles are useful in picking out the correct cyber range for you.

A cyber range checklist for further evaluation

  • A cyber range with a scalable and customizable platform – The simulation and training technology you employ should be flexible, elastic, and scalable.
  • Automatic scenario emulator – The training technology should be able to simulate both benign traffic and complex attack sequences. This will save on the costs of employing red team instructors.
  • Attack scenario builder – It should be able to meet specific attack scenarios at the request of the user.
  • Availability of ready-made scenarios and courses – Your range platform should have a library of scenes and courses that can allow trainees to start training quickly and easily.
  • In-depth scenario documentation – This is useful for providing feedback to users. It is also helpful for new trainers.
  • Support for Information Technology (IT) and Operational Technology (OT) environments – The range you choose should be able to simulate attacks on any kind of network technology. This way, the training will be appropriate for both current and potential employees on all levels.
  • On-premise or cloud deployment – A good range will be available as both on-premise and cloud-based deployments. If it is cloud-based, make sure the vendor offers end-to-end support and management.

There is currently a gap in cybersecurity skills. This is because hackers are upgrading their skills almost as fast as cybersecurity teams are mastering how to rebuff attacks. As an individual, simulation and training technology will improve your skills and provide you with the know-how to be able to fill this skills gap. As an organization, your employees will get the necessary knowledge to identify and respond to attacks effectively. Consider investing in a cyber range platform if you value your cybersecurity and want to stay at the top of your game.