Disclaimer: This article is purposefully kept long so as to cover the most important aspects of Cyber Ranges. The cricket analogy is only for those who are trying to understand Cyber Range concepts for the first time; others can ignore it.
What is Cyber Range?
Let me start with an analogy. Suppose you want to learn cricket (India is a cricket-frenzied country) and you have started getting suggestions from your well-wishers that to become a good cricketer you need a good cricket bat, a good quality ball, a nice pitch, a high quality cricket kit, team players, a few support people etc. What if someone tells you that to fast-track your learning and become a real professional cricketer you need a cricket stadium? You learn, practice and play the way real cricketers play their matches. You know that if you have played well in a stadium, your real matches will not be that different from what you have learned and practiced.
What a cricket stadium does for the cricketing world, a Cyber Range does for the cyber security world. As per the NIST definition, a Cyber Range is:
“interactive, simulated representations of an organization’s local network, system, tools, and applications that are connected to a simulated Internet level environment. They provide a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing. A cyber range may include actual hardware and software or may be a combination of actual and virtual components. Ranges may be interoperable with other cyber range environments. The Internet level piece of the range environment includes not only simulated traffic, but also replicates network services such as webpages, browsers, and email as needed by the customer.”
Types of Cyber Range
Generally speaking, there are 4 types of Cyber Ranges, though they all provide a similar kind of service. The type of Cyber Range becomes more significant when it is mapped against the use cases for which it will be purchased and deployed.
Simulation Cyber Range–
This is the most preferred version of Cyber Range across the world, where the primary use case is skill development and infrastructure simulation. The objective here is to replicate the real-world traffic of an enterprise network in a simulated environment with the help of virtual machines. How closely one can match the real-world traffic (attack, defense, and normal traffic) is the main focus area in this type of Cyber Range.
- Easy and Fast to deploy.
- Low maintenance and operational cost.
- Easy to upgrade and update the setup.
- Cheaper than Overlay Cyber Ranges.
- Can be deployed on general purpose servers supplied by vendors like Dell/HP/IBM etc.
- It is still a simulated environment and not the real one.
- Performance issues may be experienced due to underlying Virtualization Infrastructure.
Overlay Cyber Range –
They are designed on top of real networks, servers, and storage. They are almost a replica of a given enterprise network, where everything is as close to the real world as possible except that they do not receive all the real-time production traffic.
- High fidelity* as compared to other solutions.
- Fast and predictive
*fidelity- the degree of exactness with which something is copied or reproduced.
- High Cost of acquisition.
- High maintenance cost.
Cyber Security Lab at NIT, Manipur. Tools used – Check Point, ArcSight, HP Routers, IXIA, etc. PurpleSynapz Co-Founder & CTO, Ashok at NIT Manipur (Nov 2013)
Emulation Cyber Range –
This type of range is an interconnection of multiple closed networks. Generally, it is used along with traffic generators so as to generate any kind of traffic that is technically possible in a closed environment.
- Quantity and quality of traffic is excellent.
- Application stress testing can also be performed.
- It offers moderate fidelity as the traffic is coming from emulated software.
- Cost of traffic generators is generally high.
As the name suggests, it is a combination of any of the above Cyber Ranges.
- Flexibility to choose what you want and how you want to use it.
- Complex integration process.
- Higher maintenance and operational cost.
Cyber Range Use Cases
Cyber Ranges are generally used for the following use cases. The end customer/user has to decide how they want to invest in and use the Cyber Range.
One of the most common uses of a Cyber Range is to train participants of any experience level in a simulated environment. The training usually focuses on the following domains:
Red Team, Blue Team, Incident Response, Threat Hunting, Cyber Forensic, Product Training, Red Vs Blue Game, CTF (Capture the flag) etc.
A Cyber Range works well when it is delivered with the best quality training materials.
Like in the cricketing world, every player needs a good coach and a proper playing ground to learn the nuances of the game. Only then can you develop into a good batsman, bowler, fielder, all-rounder, or maybe an umpire or a scorer.
Product Security Testing platform-
I remember working on a VAPT project. We were cautious while performing pen-testing on the production network, as any critical bug/vulnerability would have caused serious damage to the systems. But consider the situation where a malicious user is trying to breach your network: they will surely have no mercy and will continue their attacks to the last possible stage. Why can't the red team be allowed similar powers to test the applications, security control devices and the associated processes, so as to improve the security posture?
With a Cyber Range platform, the Red Team has complete freedom to launch multiple attack scenarios without worrying about damage. This allows them to run rigorous attack scenarios to test how the security controls stand up against real-life cyber attacks.
Like in the cricketing world, you do not want your players to underplay their skills because of a restricted boundary. Let them hit the ball as hard as possible.
Product development platform-
So you want to create a new Proof of Concept, and this new application/tool must work seamlessly in the production network with all the security controls in place. Well, you now have access to a simulated environment where any new product can be developed, tested, and integrated with other tools and applications.
Compare this requirement with introducing a new ball. Let the real players play the game with this new ball. If it works in trial matches, the product is good for the next stage.
Skill assessment platform-
Finding the right talent and training them has been a major challenge for every industry and government organization. Such a pursuit requires time and effort, and considering the skill gap in the cybersecurity domain, companies all around the world are finding it hard to keep up with the rising level of cyber threats.
Even after serious due diligence, the resources finally selected, who have been offered salaries based on their expected skills, often do not demonstrate those skills during project execution.
To attract the best talent, a Cyber Range can be a huge relief: the platform allows teams to assess specific skills and response time in a controlled and hyper-realistic environment. This allows onboarding of the right talent without wasting time on traditional assessment methods.
This one is simple. Choose the best player for your franchise at the best cost. Don't go by experience or past records. Those who follow the IPL will not take long to understand this point.
Simulation platform –
The customer creates a digital twin of their core IT infrastructure and uses it for skill development customized for that infrastructure. The simulation platform also offers cyber security posture enhancement. For example, the customer/partner can pick up the latest malware relevant to them and test whether the security control devices are able to protect against it. If not, fix the gap inside the Range and then port the solution to the production network. The SIEM correlation rules can also be stress-tested to see whether they are effective or have just been left in a bare minimum (default) working condition.
You have an overseas tournament and the pitch conditions are different there. You may want to create similar conditions at your local stadium so that the difference between practice and real match can be minimized.
Sample Architecture of a Cyber Range.
A cyber range consists of the following main components.
- Base Infrastructure – Physical Hardware, Public Cloud, Private Cloud
- Virtualization Layer – Cloudshell, Openstack, VMware ESXi, Microsoft Hyper-V, XenServer, KVM
- Virtual Machines – These Virtual machines represent real world server, router, firewall, web applications, Attacker machines and other core devices of a typical Enterprise.
- Normal User traffic – Traffic that is normal in nature, such as web browsing, dns, ping, ssh, mail, syslogs, ntp etc.
- Application traffic – This is the traffic generated by normal users who are trying to access any web application server in Cyber Range.
- Malicious traffic – This is the traffic that is generated by malicious users. The purpose of such traffic is to bypass the security control devices and attack the servers and endpoints by exploiting the vulnerabilities.
- Attacker machines – These are external or internal devices that try to gain unauthorized access to applications and other core devices.
- Security Control Devices – These are the devices which will try to protect the applications and core devices from unauthorized access or attacks from malicious users.
Here are some of the most common Security Control Devices that are part of a Cyber Range solution.
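As an added example, not code from the original article or from any vendor's product, the following Python harness shows what stress-testing the SIEM correlation rules against range traffic can look like. Constructed log lines stand in for the normal user, application and malicious traffic listed above (the attacker machine is 10.0.9.9, the normal users 10.0.1.5 and 10.0.1.7); two hypothetical threshold rules are replayed over them twice, once at a bare-minimum "default" threshold and once at a tuned one, and each run is scored for missed attackers and false positives. The log format, rule names, thresholds and addresses are all assumptions for illustration.

```python
"""Correlation-rule validation harness for a cyber-range exercise.
Added example, not the article's code. Constructed log lines stand in for
the range's traffic; hypothetical rules are scored against ground truth."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed format: "<ISO time> <src_ip> <event> <detail...>").
# 10.0.1.5 and 10.0.1.7 are normal users; 10.0.9.9 is the range's attacker machine.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.1.5 dns_query www.range.internal
2024-01-01T10:00:01 10.0.1.5 http_get /index.html 200
2024-01-01T10:00:02 10.0.1.7 ssh_login_ok alice
2024-01-01T10:00:05 10.0.1.7 ssh_login_fail alice
2024-01-01T10:00:09 10.0.1.7 ssh_login_ok alice
2024-01-01T10:01:00 10.0.9.9 ssh_login_fail root
2024-01-01T10:01:02 10.0.9.9 ssh_login_fail root
2024-01-01T10:01:04 10.0.9.9 ssh_login_fail root
2024-01-01T10:01:06 10.0.9.9 ssh_login_fail root
2024-01-01T10:01:08 10.0.9.9 ssh_login_fail root
2024-01-01T10:02:00 10.0.9.9 http_get /admin 404
2024-01-01T10:02:01 10.0.9.9 http_get /backup 404
2024-01-01T10:02:02 10.0.9.9 http_get /config 404
2024-01-01T10:02:03 10.0.9.9 http_get /console 404
2024-01-01T10:02:04 10.0.9.9 http_get /debug 404
2024-01-01T10:05:00 10.0.1.5 http_get /missing.png 404
"""


def parse(log_text):
    """Turn the constructed log into one event dict per line."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, event, *detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "event": event, "detail": detail})
    return events


def threshold_rule(events, name, match, threshold, window_s):
    """Fire once per source when `threshold` matching events from that
    source fall inside a sliding window of `window_s` seconds."""
    per_src = defaultdict(list)
    for e in events:
        if match(e):
            per_src[e["src"]].append(e)
    alerts = []
    window = timedelta(seconds=window_s)
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": name, "src": src, "at": evs[end]["ts"]})
                break  # one alert per source is enough for validation
    return alerts


def is_ssh_fail(e):
    return e["event"] == "ssh_login_fail"


def is_http_404(e):
    return e["event"] == "http_get" and e["detail"][-1] == "404"


def make_rules(threshold):
    """Hypothetical rule set; only the per-rule threshold varies between runs."""
    return [
        {"name": "ssh_bruteforce", "match": is_ssh_fail, "threshold": threshold, "window_s": 60},
        {"name": "web_scan_404", "match": is_http_404, "threshold": threshold, "window_s": 60},
    ]


DEFAULT_RULES = make_rules(threshold=50)  # "bare minimum" out-of-the-box setting (assumed)
TUNED_RULES = make_rules(threshold=5)     # tuned after replaying range traffic

# Ground truth for the constructed scenario: which sources each rule must flag.
EXPECTED = {"ssh_bruteforce": {"10.0.9.9"}, "web_scan_404": {"10.0.9.9"}}


def validate(rules, events, expected):
    """Score a rule set: detected sources, missed attackers, false positives."""
    report = {}
    for r in rules:
        alerts = threshold_rule(events, r["name"], r["match"], r["threshold"], r["window_s"])
        detected = {a["src"] for a in alerts}
        want = expected.get(r["name"], set())
        report[r["name"]] = {"detected": detected,
                             "missed": want - detected,
                             "false_positive": detected - want}
    return report


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for label, rules in (("default", DEFAULT_RULES), ("tuned", TUNED_RULES)):
        print(label, validate(rules, evs, EXPECTED))
```

Running the script shows the default thresholds missing the attacker on both rules while the tuned thresholds catch it without flagging the normal users, which is exactly the evidence a range exercise is meant to produce before a rule change is ported to the production SIEM.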
- NIDS & HIDS
- Proxy Server
- Email Protection
- End Point Protection
- and many more.
Components of Cyber Range, Courtesy – NIST.
Things to consider while investing in Cyber Range Products.
Here are a few important FAQs that will help you make an informed decision about deploying Cyber Range.
- What is the primary use case for which you are planning to invest in Cyber Range?
Training, SOC use cases, Red Teaming, Skill assessment, Capture the Flag (CTFs), Product Testing, Digital twin, custom requirement, etc.
- Will the Cyber Range be heavily utilized?
Will the Range be used 24×7, twice a week, a few days in a month, or only during a specific period, etc.?
- Shall I go for a cloud or on-premises solution?
If utilization is high, it would be economical to deploy an on-premises solution; otherwise a pay-as-you-go model is good.
- Which OEM tools are supported in the Cyber Range Lab?
Almost all devices have virtual avatars, so it will not be a problem to integrate any new device. Go for a solution that offers maximum customization.
- Will I be using my own resources to manage and run the Cyber Range Lab?
If the use case is basic training, then you need not worry, as most Cyber Range labs do not need a senior dedicated engineer to run the Lab. However, if your use cases are more complex, then you may want to hire a senior resource to manage the Cyber Range lab. You may also ask for a Trainer on demand.
- How to add custom scenarios in Cyber Range?
Look for a product that allows your team to add scenarios based on the data and information available to your team. With little or no intervention from the OEM vendor, your team should be able to add more scenarios.
- Who will provide the training content?
Needless to say, Cyber Ranges are complex products and some amount of hand-holding will be needed before engineers start using them to learn new skills. You may want to look for an integrated solution where course content is also part of the final solution.
- How many people can be trained in a single batch?
You need to check how many people can utilize the Cyber Range platform at one go. Generally speaking, from a Training use case perspective, 10-15 engineers in a single batch is considered a good choice.
Which vendors are providing Cyber Range solution?
Here is the list in alphabetical order.
- Cloud Range
- Palo Alto