Cyber ranges — that is, virtual environments — are an ideal tool for testing and validating the cybersecurity posture of systems and software as well as for training cyber defenders with the latest knowledge on cybersecurity tactics. Ranges help defenders improve their cybersecurity skills with real-time practice on a safe version of their own critical IT systems. They help organizations select, integrate, and test new products and approaches without disrupting operations. For the past two years, I've been working on a cyber-range capability for increased cyber resiliency and decreased operational risk.
Technical Challenges of Cyber-Range Implementation
The first challenge I encountered while planning for the architecture of a physical range is the overwhelming investment cost in hardware and infrastructure. The computing power required for hosting a full suite of operating systems, network, and appliances typically translates to racks full of hardware equipment in order to support the types of testing and training environment necessary for enterprise-level missions.
Another challenge is the speed to sanitize the range in-between different scenarios. This typically requires long cycle times and lengthy delays in-between scenarios, especially when tearing down and rebuilding the same infrastructure.
Finally, there are challenges when it comes to the speed and the agility to design and deploy specific environments for different customer missions. A significant amount of time can be spent to reconfigure an environment to satisfy a specific, different mission.
I began to explore ways to improve efficiency and agility as well as to save costs by looking at new technology and methodology that can be applied to developing cyber ranges.
Cyber Ranges Going to the Cloud
The world is going to the cloud, and so can cyber ranges. The cloud provides a flexible, reconfigurable, and elastic computing infrastructure at affordable prices. Cloud-based ranges provide a safe, controlled, and isolated environment and can scale in size based on mission scenarios. You pay as you go based on the capacity you need.
In the cloud, there are easily accessible APIs that allow you to "spin up" and "spin down" virtual hosts, switches, and routers on the fly, instead of having to fidget with physical network cables and switches. It's also easy to leverage the standard images already available in cloud-based marketplaces to quickly find the operating systems and applications you need for each different use case.
More importantly, the cloud approach saves months, if not more, in time otherwise required in the acquisition, design, building, and testing of the computing and networking hardware, not to mention the time, effort, and costs required to maintain the "server farm."
Model-Based Range Operations
Integrating model-based systems engineering (MBSE) into cybersecurity further accelerates cyber-range development and deployment. Applying an MBSE approach enables early validation of its design, visualization of the business processes, assessment of complex network topologies, refinement of requirements, and configuration management of complex environments.
One of the key benefits of utilizing an MBSE integrated range is the ability to rapidly prototype and adjust the architecture of the range you are attempting to build. By leveraging the system modeling technique, you are able to model the range architecture in advance, share that model with key stakeholders to eliminate potential errors, and integrate the necessary changes far in advance of actual implementation.
Another benefit is the ability to build a library of design patterns over time. These patterns are reusable and can be adapted to new requirements as needed, without having to start from scratch. For example, it's easy to remove the Windows domain controller from one of our scenarios and drag in a cluster of Linux-based hosts instead, with just a few clicks of the mouse. This allows us to dramatically reduce the cycle time for each customer, mission, and individual operation.
Finally, by fully leveraging advanced scripting and automation features of an MBSE tool set, a range architecture can be automatically deployed to an actual range environment in the cloud with the click of a button. I've heavily leveraged open source Ansible scripts that are widely available for AWS and VMware to significantly improve the degree of automation in range deployment.
Automation Proves Value Over Time
I've compiled an analysis on how much time can be saved by using automation scripts for cloud deployment and it shows a stunning 5,500% time reduction (chart below). By reusing pre-existing models and leveraging automation, the potential savings every time the range is torn down and rebuilt is astounding. If you haven't looked into automation platforms such as Ansible, Chef, or Puppet, it's definitely worth seeing how much time you can save.
By streamlining cyber-range operations, cybersecurity experts can focus resources in the areas that count, including integration of threat intelligence to arm us with the methods, tools, and the most likely attack profile an attacker would employ. At BAE Systems, our blue team has learned invaluable lessons defending against a real-world attacker by determining reliable indicators and warnings, and developing new ways to discover and eliminate the threat.
A cyber range is an irreplaceable tool that allows cybersecurity professionals to improve their response capabilities as well as their ability to identify risks. Agile, automated, and affordable cyber ranges are the future of cybersecurity training and testing to meet ever-evolving customer missions and to protect our national security.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "The Entertainment Biz Is Changing, but the Cybersecurity Script Is One We've Read Before."