Shockingly, organizations don’t tend to enjoy having their environments breached even by people who have the best of intentions. Take high-school student Bill Demirkapi, who identified a number of issues with Blackboard and Follett’s edtech systems. After failing to be taken seriously by the education companies, he used his ill-gotten access to send a push notification to his whole school district:
“Hello from Bill Demirkapi :)”
His reward? A two-day suspension, and it could have been worse. White hat hackers who want to bring attention to serious vulnerabilities may technically end up breaking the law to find and reveal them.
Is there another option for bored students other than to hack their school’s edtech systems?
Yes – cyber ranges!
What is a cyber range?
A cyber range is an interactive virtual environment that cybersecurity students and professionals can test their skills in. It simulates an organization’s hardware and software systems, providing targets that can be attacked or defended.
They provide people a safe and controlled environment to get hands-on cybersecurity experience, like a shooting range does for firearms training.
The simulated nature of a cyber range means there’s no need to worry about breaking the law or doing any damage (intentional or unintentional) while exploring. Plus they can be built to simulate a wide variety of environments for different uses. You can even have a custom cyber range developed to mimic your specific business environment!
Despite how exciting a “live-fire cyber range” sounds, they don’t actually look very impressive in action. A common and free cyber range is Hack the Box, which consists of 331 different virtual machines that are designed for users to connect to and exploit. Hack the Box uses both a web browser and the option of a command-line interface (CLI) to create the cyber range experience. The progress tracking and instructions are in the web browser, while the actual exploitation is done in a web-based Linux desktop connected via VPN. An example can be seen below.
Cyber ranges can be even more complex, however. Take a look at the diagram below to see how multiple groups of people and systems can all interact with a range to create the experience.
This represents a typical capture the flag (CTF) event where there is a red team (attackers/bad guys) and blue team (defenders/good guys) that interface with the range. This range has lots of virtual machines (VMs) that are configured to generate traffic in order to simulate a real network environment.
One example could be a desktop that is watching a YouTube video while checking an email inbox. The IT infrastructure is also simulated: the server stack, firewalls, switches, etc.
Finally, there is simulated Operational Technology (OT), which is the software and hardware that interfaces with the equipment and machinery that computerized systems are used for today.
This all comes together to create a very realistic environment that mirrors real-world cybersecurity battlegrounds and can help information security professionals get training and experience.
How have cyber ranges changed over time?
Like the Internet itself, cyber ranges were originally used by the U.S. military.
Originally, they were set up to give the government and military the ability to identify vulnerabilities and simulate their infrastructures to test security technologies. They were custom-made by the people using them and highly specialized, focusing only on the exact environments they were trying to protect.
If the military found cyber ranges useful for simulating and defending their environments, it’s no surprise that large companies are now using the technology for the same purpose.
That said, the idea of having a publicly accessible cyber range for fun and training didn’t exist at this time; it was a privilege afforded to people with the resources to create them. With these older ranges, an organization could examine the effectiveness of its security tools and configurations.
Eventually, companies started developing their own ranges that could be sold for widespread use. Hackathon events would start building their own cyber ranges for contestants to compete within.
The wider-scale adoption of simpler, education-based cyber ranges has also become common, enabling hacking events to be run even at high schools and colleges.
What are cyber ranges used for?
Cyber ranges have a few different uses, but the most common ones are education and training.
In 2020, the National Institute of Standards and Technology (NIST) released a draft guide to cyber ranges.
It’s a shame the “final” version was never published, since it’s still a good source of information. The authors denote five key uses of cyber ranges:
Educators seeking to implement basic and advanced cybersecurity education courses and curricula.
Organizations or individuals seeking training and continuing education for security operations, analysis, and forensic specialists.
Organizations seeking “situational operations” testing for new products, software releases, and organizational restructuring.
Organizations or individuals seeking cybersecurity skills validation to evaluate candidates for cybersecurity positions.
Individuals seeking workforce training for people moving into cybersecurity-related fields and positions.
The most high-profile usage of cyber ranges is not explicitly stated here: hackathons. Most hackathons have fully designed systems with specific files or other targets hidden within the range that represent you successfully defeating the security controls, or in a lot of cases, your opponents. But hackathons can fit into all of these categories!
Cyber ranges are especially great for cybersecurity education.
Cybersecurity is, in general, such a new field that university degree programs are only now starting to establish themselves. Nevertheless, cyber ranges are proving to be excellent educational tools for anyone wishing to enter the field.
Users are able to train on the skills required to protect against and respond to cyber attacks effectively. They can also learn from an attacker’s perspective by being the attackers themselves. Users are able to test and evaluate measures, including intrusion detection systems and firewalls, safely and often in real time. What they learn can then translate to the actual infrastructure and to the effectiveness of one’s incident response plan, helping identify gaps and improve overall security posture.
For students and anyone else who is looking to jump into the world of information security, a cyber range is often their first hands-on experience. Simply participating in hackathons provides students with new knowledge and experiences they can put on a resume and discuss in a job interview!
What is it like to use a cyber range?
During my senior year of college I participated with my senior design group in CyberSEED2022, University of Connecticut’s annual cybersecurity competition.
This was the first time I had ever used a cyber range, so it was a huge learning experience.
The thing that stood out to me the most was how much I was able to apply myself with little knowledge beforehand. The scenarios were designed to start you off with a simple task that would award lower amounts of points, and each category had increasingly difficult steps that would in turn award larger sums of points.
One of the categories was Open Source Intelligence (OSINT), and the first challenge was simply a picture of a green cookie that asked, “what store was this picture taken in?”
Following this were more intricate questions such as “when it was taken?”, which we used the metadata to discover. Even the group members who weren’t concentrating in cybersecurity were able to solve even medium- to high-level challenges in the decryption section of the event. Everyone can stand to learn a lot from spending some time in a cyber range!
Is there really a business use case for cyber ranges?
Cyber ranges can be useful for businesses in the same way they’re helpful for students: training and practice.
Companies can have cyber ranges developed to mimic their environment to give employees hands-on exercises without touching the company’s real environment. This could be useful in training new employees, testing configurations, or even doing a technical incident response exercise, as opposed to (or in conjunction with) a tabletop exercise.
However, it’s important to note that cyber ranges are usually built for cybersecurity professionals. They help to train and test full-time, full-fledged cybersecurity personnel. They don’t provide appropriate training for an entire company’s staff – that’s what cybersecurity awareness training is for.
This is likely why cyber ranges are growing in popularity with large businesses, Managed Security Service Providers (MSSPs), and other companies that retain a staff of full-time cybersecurity professionals, but have limited presence elsewhere.
In Fractional CISO’s experience, midsize and growing tech companies building their own cybersecurity or compliance program without a full-time team do not use, and have not expressed interest in using, a cyber range.
Ultimately, cyber ranges alone do not improve a company’s cybersecurity. They are tools that, when used to train employees and enable their practice, could help improve cybersecurity.
Cyber ranges are an emerging technology and while simple ones are widely accessible, simple ranges are not going to be useful to most businesses for these purposes. A custom-built range is much more useful, but also much more expensive. This brings up a major cost concern when training and incident response exercises can be conducted without ranges – even if they aren’t the same.
This is something that may change as the space continues to develop!
There was a happy ending for Bill Demirkapi. Eventually, through cooperation with his school district, Blackboard and Follett addressed the vulnerabilities he found. The companies and the students they serve are more secure for it.
White hat hacking does play an important role in the security landscape – but cyber ranges make for a much better playground and training environment for students and cybersecurity teams alike!