In this Help Net Security interview, Debbie Gordon, CEO of Cloud Range explains the concept of a cyber range, its crucial role in preparing for real-world cyber threats, and the importance of realism in cyber training scenarios.
Gordon also discusses how cyber ranges facilitate the identification of vulnerabilities and provides advice on maximizing the benefits of cyber range training. Finally, she talks about the resources needed for a robust cyber range environment and the future of cyber range training and simulations.
Can you explain what a cyber range is and how it works to prepare for real-world threats?
A cyber range is a controlled environment that is set up to realistically emulate network infrastructure, systems, and applications seen in the real world. On a good platform, teams can work together as a group to safely and effectively detect and respond to various cyber attacks without risking real systems. This allows teams to better understand and be more prepared for multiple threats and techniques that could appear in real-life situations.
Cyber ranges take traditional cyber training and turn it into real-life, experiential learning so learners can actually apply their knowledge and skills and gain real experience using a simulation method. SOC analysts, who are the last line of defense, need to continually engage in these simulations to strengthen their capabilities and create “muscle memory.” An ongoing cyber range training program with real-life attacks enhances their preparedness as individuals and as a cohesive team through immersive experiences.
One thing to note is that not all cyber ranges are equal to each other. They can vary in terms of their purpose, complexity, and available features, tools, and technology. To ensure your team is getting the most effective training, it’s critical to use a dynamic range with live-fire attacks that the whole team can participate in together, versus more of a directed lab environment or individual exercises that team members do in parallel.
I like to use baseball as an analogy to describe the different forms of training. Similar to understanding the rules of baseball and learning how to pitch or catch, cyber practitioners have knowledge from courses and certifications, and they have individual, finite skills they have honed. Those things are vitally important, but they don’t mean you can get on the baseball field in a real game, against a real opponent, and know how to work together as a team to succeed under pressure.
You may not know when and why to use those skills, so regular, real-world practice is needed for the team to become a whole greater than the sum of its parts. In cybersecurity, a cyber range program is that needed component: It allows teams to work together to gain real-world cyber defense experience, which ultimately helps improve cyber resilience and reduce risk.
How important is the realism of the training scenarios provided in cyber ranges for the effectiveness of the training? Can you give some specific examples?
Realism is critical in a cyber range program. A quality platform can be customized to use different SIEMs, firewalls, EDRs, IDSs, and more, so the team is using the same tools they use every day. The simulated attacks mimic the tactics deployed by real-world bad actors, including malware payloads, phishing strategies, and a variety of other techniques drawn from the MITRE ATT&CK Framework. The team employs an array of methods and resources to effectively counter the attacks, such as analyzing log files, conducting forensic analysis, and implementing countermeasures.
For organizations in critical infrastructure sectors, the range can include an OT network with elements including virtual PLCs and HMIs so participants can understand how systems are integrated and “see” the effects of different attack vectors. It helps IT and OT/ICS teams work together and understand their different protocols, objectives, and security methods.
Like flight simulators, the live-fire attack simulations are designed to replicate the complexity and diversity seen in real-life cyber incidents or potential incidents. They allow cybersecurity professionals to develop the skills and competencies needed to detect and respond to incidents quickly and efficiently in a safe environment. The training scenarios mimic the intense pressure team members experience during incident response. The sessions not only improve technical proficiencies, but they also help participants improve their communication skills, problem-solving skills, and teamwork.
This ultimately helps boost their sense of familiarity with the related situations, tools, technology, and systems so that in the future, they will have the confidence and judgment to identify and act on the given circumstances. It also gives teams the opportunity to walk through real conversations and collaboration strategies that can possibly occur during real life situations.
That’s why realism is important. Live-fire simulations accelerate the practical experience of cybersecurity practitioners in incident response, enabling them to detect and respond to threats more swiftly, ultimately reducing risk and exposure.
How does a cyber range facilitate identifying vulnerabilities in a controlled lab environment?
A life-fire attack scenario is similar to an escape room. Participants don’t know what they are going to encounter, and they have to work together to understand what is happening and find the clues to detect and remediate the attack. An ongoing program that includes a certified Attackmaster expert ensures comprehensive guidance, objective evaluation, and insightful analysis. This support helps the team and leaders identify vulnerabilities, provide strategies to bridge these gaps, and continuously improve over time.
Cyber ranges may or may not be true lab environments, which are usually highly curated and directed. “Lab exercises” are beneficial and can help individuals hone skills and prepare for live-fire team scenarios. But live-fire ranges are real, dynamic, virtualized networks and systems. That allows testing of real tools and security measures used in the organization’s own network, providing a safe, yet more accurate evaluation of the organization’s security posture. Unlike a static “sandbox,” these ranges are typically used to test and measure cybersecurity defenses. Ideally, combining labs with live-fire simulations ensures maximum effectiveness.
How can cybersecurity teams maximize the benefits of cyber range training?
It’s vital to have an ongoing program of cyber range training to fully maximize the benefits. It should not be a one-and-done session. There are a variety of threats and attack vectors, and they cannot all be experienced in one setting. Practice is key.
Cyber range training should also map to industry-standard frameworks to provide a measurable way to gauge how your team is doing on an individual and team level. Choose a program that maps tactics, techniques, and procedures (TTPs) with the MITRE ATT&CK Framework. Furthermore, scenarios should map to the NICE Framework, adjusting as necessary for each organization, to guarantee that everyone thoroughly understands the knowledge, skills, and abilities (or competencies) required for their role.
When those frameworks and scenarios are integrated into a robust Performance Portal, security leaders can generate customized learning plans for each team member that aligns with goals for each person and the organization.
It’s critical to utilize a comprehensive cyber range solution that delivers expert-led training missions for teams, ensuring that they receive the necessary support and guidance. Additionally, it should provide metrics demonstrating improvement in their ability to detect and respond to cyber attacks. People are a crucial part of your security stack, and security leaders need to see data on the human factor in cyber exposure. When you can measure vulnerabilities and gaps in the security team and receive guidance on how to improve, it’s easier to proactively and effectively reduce cyber exposure, fostering a strong security posture.
What resources are typically needed to support a robust cyber range environment?
If you are building a cyber range, you will need technical expertise to effectively design, build, and manage the range. And that only gives you the infrastructure. What you do on a range is the most important part, so designing, developing, and launching live-fire attacks with live traffic is necessary. Having objective expert instructors is also crucial. They can evaluate performance during exercises, providing valuable feedback to the team leader.
Alternatively, most organizations are opting for a cyber range-as-a-service platform which will take care of all the management and facilitation for you, including range customization, scenario development, and administration. This approach allows you to focus on enhancing the organization’s cyber resilience without the burden of managing the range on your own.
What trends or developments do you foresee in cyber range training and simulations?
I expect to see cyber ranges become even more realistic and accurate, simulating not just the attack and response, but other elements, such as third-party services and outside vendors. We can also expect to see newer technology, such as AI and ML, being incorporated within the ranges for a more seamless process.
Organizations are also using cyber ranges to assist with hiring, which improves time-to-value and employee retention. Cognitive assessments can help people know what cybersecurity roles they are well suited for and generate customized learning paths so they can get started on their cybersecurity careers. Hiring assessments that simulate someone’s potential job give hiring managers insight beyond resumes and certifications to show the person’s actual skills and capabilities.
I also see organizations increasingly making the choice to grow their own talent. Finding the ideal candidate with the right experience, certifications, training, and other qualifications can be challenging. That’s why CISOs, VPs, and security leaders are prioritizing finding individuals with forward-thinking abilities such as problem-solving, leadership, and agility. They then utilize live-fire cyber range training to accelerate the growth, development, and real-world experience of team members.
These developments are important to understand, and I will be discussing them further in my presentation at Blue Team Con, which runs Aug. 25-27 at the Fairmont Hotel Chicago. Cyber ranges certainly are ideal for SOC training, but I’m seeing security leaders use them for various related things as well. A comprehensive cyber range and simulation solution is vital to measurably improve an organization’s security posture.