Ongoing security training, research, and hands-on testing are required to stay sharp in the information security field. But training is one of the first items to get chopped in tight times, so one option is to take the initiative and create alternative training methods -- like building an in-house security testing lab.
Providing hands-on training and testing in your own lab environment -- which doesn't necessarily have to mimic your production environment -- can prove even more beneficial for infosec pros because it's more flexible and easier to customize than "canned" training environments.
An internal security testing lab is a great asset to an organization. It saves money on training and associated travel expenses, and can serve as a supplemental resource to online training or smaller conferences closer to home. In-house research and training can take place in lieu of travel, which can cost thousands of dollars per person per training class.
For infosec pros, an internal lab is where they can finally test all of the latest, hottest tools they just read about on Twitter or saw in a video from a security conference that they couldn't afford to attend. The silver lining is that a large number of conferences are now putting videos of the talks online, so even if you can't attend, you can view the content as if you were there and then immediately apply what you learned in the testing lab.
Another major benefit is that hands-on lab training can be self-paced, rather than the grueling pace found in many multiday courses. Or if the budget exists and your staff does attend training courses, the lab can be a good resource for reinforcing the course training materials.
Before everyone signs off on the security testing lab, however, you need to answer several questions to determine the design and purpose of the lab. They include:
- Is the lab just for testing new security tools and exploits in a controlled environment?
- Will the lab be home to staged cyberwarfare, where multiple staff members are involved as either attackers or defenders?
- What about mock incident-response scenarios, where one team member "hacks" a system or pretends to be a disgruntled employee while the others are left trying to put the pieces back together?
Answering those questions will help you know what you'll need in terms of the numbers of computers or servers, virtualization options, network equipment, and space. If the goal is to just test new tools and exploits, a simple environment with preconfigured virtual machines (VMs) is probably sufficient. Ideally, a VM of every operating system in use in your organization can be built at varying patch levels that represent your environment. Depending on the tool or exploit, a different VM can be brought online for testing.
Conducting extensive "capture the flag" type scenarios with multiple personnel will obviously require more hardware, including servers and network hardware. The servers can host multiple VMs, and networking can include both switches and firewalls. The exercises can be fictional -- where you simply have groups that must defend their resources while attacking others' -- or more realistic -- where a small representation of the production network is designed, and then one group attacks while the other defends.
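The two design points above (one VM per operating system at each patch level you run, and lab segments that never touch the production network) are easy to lose track of once the lab grows. The following is an added example, not code from the article: a small Python inventory check that reports which OS/patch-level combinations the lab still lacks and which lab VMs sit on a segment overlapping a production range. The baseline, the production CIDRs and the VM inventory are all constructed sample data, and the dict layout is an assumption made here for illustration.

```python
"""
Lab-inventory sanity check (added example; not from the article).
Assumed inventory format, constructed for illustration:
  baseline  : {os_family: {patch levels in use on production}}
  vms       : list of {"name", "os", "patch", "net"} dicts, "net" is the lab CIDR
  prod_nets : production address ranges that lab segments must not overlap
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the OS families and patch levels the lab should mirror.
PRODUCTION_BASELINE = {
    "windows-server": {"2019-baseline", "2019-latest"},
    "ubuntu": {"22.04-baseline", "22.04-latest"},
    "rhel": {"9-latest"},
}

# Constructed sample: production ranges the lab must stay isolated from.
PRODUCTION_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed sample lab inventory. The last entry is deliberately wrong:
# it was attached to a segment that overlaps a production range.
LAB_VMS = [
    {"name": "win19-base", "os": "windows-server", "patch": "2019-baseline", "net": "172.16.10.0/24"},
    {"name": "win19-cur", "os": "windows-server", "patch": "2019-latest", "net": "172.16.10.0/24"},
    {"name": "ubu-base", "os": "ubuntu", "patch": "22.04-baseline", "net": "172.16.20.0/24"},
    {"name": "rhel9", "os": "rhel", "patch": "9-latest", "net": "192.168.1.0/24"},
]


def missing_coverage(baseline, vms):
    """Return {os_family: {patch levels}} present on production but absent from the lab."""
    present = defaultdict(set)
    for vm in vms:
        present[vm["os"]].add(vm["patch"])
    gaps = {}
    for os_name, levels in baseline.items():
        missing = levels - present.get(os_name, set())
        if missing:
            gaps[os_name] = missing
    return gaps


def isolation_violations(vms, prod_networks):
    """Return names of lab VMs whose segment overlaps any production range."""
    violations = []
    for vm in vms:
        lab_net = ipaddress.ip_network(vm["net"], strict=False)
        if any(lab_net.overlaps(prod) for prod in prod_networks):
            violations.append(vm["name"])
    return violations


def lab_report(baseline=PRODUCTION_BASELINE, vms=LAB_VMS, prod_networks=PRODUCTION_NETWORKS):
    """Combine both checks into one dict suitable for a review before each exercise."""
    return {
        "coverage_gaps": missing_coverage(baseline, vms),
        "isolation_violations": isolation_violations(vms, prod_networks),
    }


if __name__ == "__main__":
    report = lab_report()
    for os_name, levels in sorted(report["coverage_gaps"].items()):
        print(f"missing lab VM(s): {os_name} at {sorted(levels)}")
    for name in report["isolation_violations"]:
        print(f"isolation violation: {name} overlaps a production range")
```

Run against the constructed data it reports that no Ubuntu VM exists at the 22.04-latest level and that `rhel9` overlaps a production range; the same two checks can be rerun whenever a VM is added or a segment is re-addressed.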
Forensic investigators and incident responders need to keep their skills sharp as well, so analyzing the systems from the scenarios above can be useful. And since many incidents center on HR investigations and sometimes insider attacks, a staff member can create scenario-based VMs that represent an insider attack, employee misconduct, or similar issues. The VM is then provided to other staff for analysis to see if they can catch all of the clues and write a clear, concise report on the "case."
Companies that set aside time and resources for staff to work in the lab will likely find their employees more prepared to deal with emerging threats. Having that hands-on time gives infosec pros the opportunity to test cutting-edge tools and techniques to see both how they work and how they apply in offensive and defensive situations. And the good news is that it also keeps tool testing off the production network, where it could cause unexpected problems and outages.