Cyber Range

How to safely test new technologies and tools in a cyber range

4 days ago by Graeme Messina

One of the main attractions behind using a cyber range is the way that they can be used as a training tool to safely test out new technologies without causing problems to a live environment. Cyber ranges vary in the way that they operate, which means that different operating systems, tools and scenarios can be tested in a systematic and structured way.

Part of the learning process is trying out new things, and sometimes in the real-world new things can have unexpected behaviors that result in unexpected outcomes. What makes cyber ranges great is that the outcomes have already been mapped and tested by the creator of the exercise.

We will look at some useful tools that you can use in a cyber range and what you might be able to achieve.

What is a cyber range?

The term “cyber range” is used a lot in cybersecurity training. You can think of a cyber range as being a safe environment for you to test and work on many different security issues. Within the cyber range is a series of different virtual servers that you can experiment with without needing to worry about breaking anything. If there are any problems with your test machine, then it can simply be reset and fired up again, allowing you to carry on practicing without worrying about destroying your test environment.

What can you learn in an infosec cyber range?

If it is relevant in cybersecurity, then it’s in there. You can learn about anything relating to pentesting, networking, Linux, Python code security and even SCADA technologies. Nested within these different topics are some popular technologies that you will need to learn and use to accomplish specific cyber range goals. We will look at the tools that make this kind of work possible, and how you can use it within the cyber ranges found on the Infosec site.

Working with large data sets in a cyber range

There are many tools out there that can grab live data from a network, but one of the best performers is Splunk.

Splunk is best known for its ability to sift through massive data collections to create indexed, searchable data sets. Splunk could be used to help analyze test data within the Infosec cyber range environment. There are many different applications that Splunk can be used in, such as log collections for data analysis. But what about using Splunk on a cyber range? How is it beneficial in this setting?

For starters, you can simulate many of the functions that you can expect to find when working in a SOC when you use Splunk in a cyber range. Splunk will collect data about events like network activity, login requests and anything else that is used in the real world to monitor your network environment. These alerts are searchable and filterable, so you can really drill down into the cyber range network activity. Trainers simulate attacks on this network.

By harvesting all of this data within Splunk, users are able to see a real-world example of what to look for on a network that is being actively attacked. Splunk lets your students visualize how the attack is occurring and then record details for later analysis. Because of the detailed logs that Splunk provides, you can learn how to create comprehensive reports from the data that you collect during an attack.

In the real world, this data can be used to strengthen the network defenses on devices like firewalls. Splunk provides a safe platform to detect artifacts from an attack and then share them for later analysis. These samples are generally safe to explore when used on a Splunk-powered cyber range and can then be inspected during the cyber range exercises.

Cyber range exercises that use Splunk are highly interactive and offer great insights into what you can expect to see when a live system is being attacked on the network.

SIEM analysis on a cyber range

Security Information and Event Management software is not new. In fact, the suite of tools that a SIEM offers your CSIRT teams is invaluable to most companies because of the scope of features that they bring to the SOC and operations teams. The ability for a team to quickly identify and manage threats across the enterprise environment is critical when trying to mitigate incidents before they impact business operations.

QRadar is essentially a highly advanced log event parser and SIEM. It forms the central component of IBM’s Security Suite and pulls data from a multitude of different sources. It uses netflows to find out information that you wouldn’t normally get from logs. 

Using QRadar on a cyber range offers many great lessons for students using the platform. It collects information about security threats and events so that you can view incident data in real-time on the cyber range cloud.

Cyber ranges allow you to engage in scenarios that simulate a cyber incident on the simulated cyber range network. Each step of the process helps you to identify and specific events and tell-tale signs of an intrusion. You can safely attempt the exercises again and again without the inherent dangers of a live cybersecurity incident and or the additional pressure of learning on the job with real data and systems.

Scripting

Because a cyber range virtual machine can be reconstructed in a matter of minutes, it is OK to experiment with some training courses. Scripting is a prime example of the safety net that cyber ranges provide your training environment. Whether you script in PowerShell in Windows environments, Bash in Linux, Python or CuRL, there is a good reason to do some training exercises on a virtual cyber range.

Although most of the exercises will guide you through the course, it is sometimes educational to try firing off a few different combinations of commands to see what the output could be. This is a great way to learn, but it carries risks when experimenting on your work or home computer or laptop. If you accidentally wipe a partition or remove an important system directory then you could cause big problems for your test rig. These risks are seriously mitigated when using a cyber range.

If you have a desire to learn automation, then scripting is the way forward. If you are able to automate tasks that would normally require you to spend time completing the task manually, then you have already added value to your organization by saving time.

Networking

One of the great things about using a cyber range is that you save a lot of time and money getting yourself into a lab environment. Because of the virtualized nature of cloud-based infrastructure, you no longer need to worry about physical hardware like routers and switches. Software-defined networks mean that you can configure virtual switches and experiment with technologies like VLANs and other advanced features found in active switch management.

For more vendor specific exercises, you can learn on industry standard vendors like Cisco. In these environments you will learn how to log into a simulated Cisco device and configure it as you follow along with the exercises. 

The best part is that you don’t have to worry about accidentally locking yourself out of the system like you do with a real-world home lab. If you save a bad config you won’t drop your whole network like a home lab either. Instead, you will be guided through every step of the process, regardless of your skill level.

Using a cyber range for network training is a very smart way to go when you consider the time saved in setting up a home lag as opposed to using a virtual cloud-based service.

Conclusion

If you want to test out new technologies without risking the stability of your home lab or test network, then using Infosec’s cyber range is the way to go. You can configure, test and reset the test environment and follow the onscreen prompts to help you to learn how each of the tools work properly.

Posted: November 19, 2020
Articles Author
Graeme Messina
View Profile

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.