
3/20/2009
01:47 PM

Tech Insight: A DIY Security Testing Lab

When tough economic times do away with security training and other professional networking opportunities, it's time to roll up your sleeves and do it yourself

A Special Analysis for Dark Reading

Ongoing security training, research, and hands-on testing are required to stay sharp in the information security field. But training is one of the first items to get chopped in tight times, so one option is to take the initiative and create alternative training methods -- like building an in-house security testing lab.

Providing hands-on training and testing in your own lab environment -- which doesn't necessarily have to mimic your production environment -- can prove even more beneficial for infosec pros because it's more flexible and easier to customize than "canned" training environments.

An internal security testing lab is a great asset to an organization. It saves money on training and associated travel expenses, and can serve as a supplemental resource to online training or smaller conferences closer to home. In-house research and training can take place in lieu of travel, which can cost thousands of dollars per person per training class.

For infosec pros, an internal lab is where they can finally test all of the latest, hottest tools they just read about on Twitter or saw in a video from a security conference that they couldn't afford to attend. The silver lining is that a large number of conferences are now putting videos of the talks online, so even if you can't attend, you can view the content as if you were there and then immediately apply what you learned in the testing lab.

Another major benefit is that hands-on lab training can be self-paced, rather than the grueling pace found in many multiday courses. Or if the budget exists and your staff does attend training courses, the lab can be a good resource for reinforcing the course training materials.

Before everyone signs off on the security testing lab, however, you need to answer several questions to determine the design and purpose of the lab. They include:

  • Is the lab just for testing new security tools and exploits in a controlled environment?
  • Will the lab be home to staged cyberwarfare, where multiple staff members are involved as either attackers or defenders?
  • What about mock incident-response scenarios, where one team member "hacks" a system or pretends to be a disgruntled employee while the others are left trying to put the pieces back together?

Answering those questions will help you know what you'll need in terms of the numbers of computers or servers, virtualization options, network equipment, and space. If the goal is to just test new tools and exploits, a simple environment with preconfigured virtual machines (VMs) is probably sufficient. Ideally, a VM of every operating system in use in your organization can be built at varying patch levels that represent your environment. Depending on the tool or exploit, a different VM can be brought online for testing.

Conducting extensive "capture the flag" type scenarios with multiple personnel will obviously require more hardware, including servers and network hardware. The servers can host multiple VMs, and networking can include both switches and firewalls. The exercises can be fictional -- where you simply have groups that must defend their resources while attacking others' -- or more realistic -- where a small representation of the production network is designed, and then one group attacks while the other defends.

Forensic investigators and incident responders need to keep their skills sharp, as well, so analyzing the systems in the above-mentioned scenarios can be useful. And since many incidents center on HR investigations and sometimes insider attacks, a staff member can create scenario-based VMs that represent an insider attack, employee misconduct, or similar issues. The VM is then provided to other staff for analysis to see if they can catch all of the clues and write a clear, concise report on the "case."

Companies that set aside time and resources for staff to work in the lab will likely find their employees more prepared to deal with emerging threats. Having that hands-on time gives infosec pros the opportunity to test cutting-edge tools and techniques to see both how they work and how they apply in offensive and defensive situations. And the good news is that it also keeps tool testing off the production network, where it could cause unexpected problems and outages.
