posted on July 02, 2020 14:40
By: Terri Clark, Director of Technical Services, Kansas
A cyber range is a network testing environment that can be configured to simulate an organization’s network. When simulated attacks are launched against the test environment, a team must detect the attack, then isolate and mitigate it.
The test environment includes the network routing and switching, internet gateways and access, firewalls, servers, applications, and databases. Different attacks can be launched to simulate real-world scenarios, such as ransomware, denial of service, and SQL injection.
During an exercise, the instructor launches an attack on the testing environment. The users are coached on how to detect the attack, then determine the scope and impact of the attack. The exercise then moves into methods to contain the attack and restore services as quickly as possible, without destroying critical evidence. The final step is correcting the configuration that allowed the attack to launch. Following the exercise, instructors lead the team through an analysis of the exercise to identify the team’s strengths and areas for future training.
The NCSL Cybersecurity Task Force has investigated cyber range training as one aspect of security training for state government IT staff, including presentations from IBM’s X-Force Command cyber range in Cambridge, MA and the Nashville Cyber Range. In an onsite cyber range, user workstations are equipped with computers and telephones, and multiple displays in the room to allow everyone to monitor the activity. Cloud-based cyber ranges allow users to access the cyber range remotely from their location. The users are responsible for setting up their location to easily share information, such as using projectors to display computer desktops, so everyone can monitor the activities. Instructors can be either onsite or remote and communicate with the users via telephone. While there are similarities between the two, there are also key differences.
The onsite cyber range exercise is comprehensive and addresses all aspects of a security incident. The physical facility can accommodate a larger group of users and multiple instructors. Each user’s desk includes a computer and telephone, and the large displays make it easy for everyone to follow the activities of different users. Instructors can easily pause the exercise at critical points for discussion and training. Once the simulated attack is launched, telephones begin ringing and the news stations broadcast reports of the attack. System administrators begin receiving emails from users about application problems. This creates a realistic atmosphere and adds to the general sense of urgency and panic in the room. Learning to manage the panic is critical to an effective response.
Team roles include:
- Executives: receive reports on attack, determine media response.
- Legal: determine how/when to engage law enforcement, liability issues around a data breach.
- Communications Specialist: respond to media inquiries, manage media onsite, manage social media response.
- End Users: test status of applications and services, report problems.
- Network, Firewall, and System Administrators: detect the attack, then isolate and mitigate the attack.
- Team Lead: leads the team through the attack (an instructor filled this role).
The classroom experience provides training on all aspects of a security incident. The expanded roles the Executives, Legal, and Communications Specialist play in the incident response can be surprising. Once the technical problem is mitigated, the bulk of the work related to the incident is handled by these groups.
Cloud-based cyber range exercises are designed for 10 students and two instructors. The focus of this exercise is on coaching the technical team through an attack. During a recent exercise in Kansas, the team was located in one room and used a projector to display user activity. The instructor followed the team’s actions online and provided coaching throughout the exercise. At different points in the exercise, notes were made to report to legislative leadership or the legal team, even though these groups weren’t actively participating. One important lesson learned is that in the rush to restore services, the evidence of how the attack was done can be erased. If the underlying problems aren’t corrected, the attacker will simply launch another attack. Taking time to understand the attack may delay restoring services but will better protect the organization in the long run.
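The lesson above (restore quickly, but don’t erase how the attack happened) comes down to one habit: before anyone rebuilds a host or clears a log, copy the artefacts, hash them, and write a manifest that can be verified later. The script below is an added illustration of that habit, not code from the post or from any cyber range vendor; the host name, log file names, log lines, IP addresses, and the `analyst-1` collector label are all constructed for the example.

```python
"""Evidence-preserving containment step (added example, not from the original
post). Before services are restored, copy the artefacts an investigator will
need, hash each copy, and write a manifest that can be re-verified later.
All file names, log lines and addresses below are constructed."""

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(sources, evidence_dir, collector: str) -> dict:
    """Copy each source file into evidence_dir and record its hash, size and
    original mtime. copy2 keeps timestamps on the copy; originals are never
    modified. Assumes source basenames are unique. Returns the manifest,
    which is also written to evidence_dir/manifest.json."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collector": collector,  # who collected, for the chain of custody
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": [],
    }
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)
        manifest["items"].append({
            "name": src.name,
            "source": str(src),
            "size": dst.stat().st_size,
            "source_mtime": src.stat().st_mtime,
            "sha256": sha256_file(dst),
        })
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir) -> list:
    """Recompute hashes of the preserved copies and return the names whose
    contents no longer match the manifest (an empty list means intact)."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    mismatched = []
    for item in manifest["items"]:
        copy = evidence_dir / item["name"]
        if not copy.exists() or sha256_file(copy) != item["sha256"]:
            mismatched.append(item["name"])
    return mismatched


def build_sample_host(root) -> list:
    """Create constructed log files standing in for a compromised host."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    auth = root / "auth.log"  # constructed sample lines
    auth.write_text(
        "Jul 02 14:01:07 web01 sshd[2231]: Failed password for admin from 203.0.113.7\n"
        "Jul 02 14:01:09 web01 sshd[2231]: Accepted password for admin from 203.0.113.7\n"
    )
    web = root / "web_access.log"  # constructed sample line
    web.write_text('203.0.113.7 - - [02/Jul/2020:14:03:11] "GET /admin/config.php HTTP/1.1" 403\n')
    return [auth, web]


def demo() -> dict:
    """Run the workflow in a throwaway directory and show that a copy that is
    later overwritten (e.g. a log cleared during restore) is detected."""
    work = Path(tempfile.mkdtemp(prefix="cyberrange_"))
    logs = build_sample_host(work / "host")
    manifest = preserve_evidence(logs, work / "evidence", collector="analyst-1")
    intact = verify_evidence(work / "evidence")
    (work / "evidence" / "auth.log").write_text("log cleared during restore\n")
    tampered = verify_evidence(work / "evidence")
    return {
        "items": len(manifest["items"]),
        "intact": intact,
        "tampered": tampered,
        "hash_matches_original": manifest["items"][0]["sha256"] == sha256_file(logs[0]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In an exercise, the point of running something like this before the “restore services” step is that the team keeps an attributable, hash-verified record of the state of the system at containment time, so the later root-cause work (and any legal or law-enforcement engagement) has something to stand on even after the hosts are rebuilt.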
Both the onsite and remote cyber ranges are designed to provide periodic training sessions to develop and hone a team’s incident response skills over time. While the onsite facility cyber range provided the most comprehensive training, it can be expensive to send a team onsite for training. Taking advantage of remote training provides value for a technical team and introduces the skills needed for effective incident response. Regardless of the delivery method, incident response training will benefit an organization by improving the users’ confidence in detecting and responding to incidents and reducing the impact of an attack.