Cyber ranges

What types of attack scenarios can you simulate in a cyber range?

January 13, 2021 by Patrick Mallory

Introduction

Just as in any other endeavor, practice makes perfect, and the same goes for preparing for cyberattacks.

For organizations looking to take their preparations for cyberattacks to the next level, many turn to cyber ranges. These are specialized environments that can be designed to mimic your existing network infrastructure or customized to create unique scenarios. Once in place, cyber ranges can then be used to simulate different attack situations, ranging from worst-case scenarios to crippling distributed denial of services (DDoS) attacks, phishing attempts and everything in between. 

Each time an organization runs an attack scenario, however, their security professionals are put to the test, applying their training, learning new skills, utilizing legacy or new tools, and confronting the latest threats first-hand in a highly realistic technical environment. Over time, security teams can improve how quickly they can identify and respond to threats and attacks, integrate additional security controls or rules, learn what types of system behavior are abnormal and how best to sequence protections to critical infrastructure components to maintain continuity.

Finally, many technology leaders also use cyber ranges to evaluate existing and new cybersecurity investments, such as network monitoring tools, rules and policies. In a time of tightening budgets and continually evolving threats, cyber ranges make sure teams are not only equipped with the best tools to mitigate their threats but that they know how to operate them effectively when it counts.

Attack scenarios

While every organization has a different attack surface, there is a set of threats that occur either due to natural causes, because of inadvertent employee actions or due to criminal cyber actors. In every case, however, there is an attack vector and a set of network devices and assets that are impacted. 

The following scenarios encompass some of the more common threats and attack methods that can be replicated within a cyber range to put your team to the test. 

Malware or virus infection

Your organization has spent plenty of money and time implementing, configuring and testing an incident detection system, antivirus, email filter and data-loss prevention tool, but have you put it all to the test?

A cyber range can allow your team to test how your enterprise antivirus and email filtering tools work to stop a piece of malicious code from entering your environment, propagating and calling back to its command-and-control devices. At the same time, test how quickly and comprehensively your incident response process initiates to notify your security team and how quickly the malware is contained and removed. 

Fortunately, cyber ranges can be configured to test replica viruses of all breeds, offering your organization extra peace of mind that devastating malicious code will not be allowed to take over your network.

Unauthorized network devices

In many organizations, there are segments of the infrastructure where the number or type of devices connected to the network are limited. Similarly, organizations can have limits on the types of applications installed on devices or when certain functions can be performed. If not controlled, attackers can potentially bypass security defenses while employees — even if they did not have malicious intent — could access data or systems outside of their job function, threatening the confidentiality of system data.

Security teams can use cyber ranges to replicate these scenarios, evaluating the ability of security products to alert the presence of unauthorized devices or applications placed or installed in the network as well as abnormal user behavior. The results can be used to further define access controls, limit network functionality and provide additional guidance for end-user training.

Insider threats

According to a 2020 IBM report, insider threats account for 60 percent of cyberattacks. Of those, 63 percent are a result of negligent behavior. With their natural access to sensitive information, active credentials, and connectivity to coworkers and related systems, employees make obvious and lucrative targets for cybercriminals or some of the most dangerous actors themselves. When paired with cyber hygiene and awareness training, organizations can use cyber ranges to test their defenses against disgruntled insider threats or to ensure attempts to lure unsuspecting victims are blocked or blunted. 

Although these attacks are more unique, scenarios such as accidental file loss, abuse of user credentials or unauthorized access attempts can be replicated in cyber ranges to see if built-in controls are working as configured. Similarly, when most cybersecurity tools are placed on the edge of networks or are outward-facing, cyber ranges can also be used to test if malware introduced by employees is detected and eliminated by antivirus products, while data-loss prevention tools flag unusual or unintended data movement.

DDoS

A DDoS attack, when a website or service is overwhelmed with more traffic than the network can handle causing it to fail, is often facilitated by botnet armies of remote-controlled hacked computers. When one hits your network, there is little to no time to stop it — unless you are prepared.

A combination of firewalls, networking monitoring software, threat monitoring tools and backup internet services, combined with adept network management from your team, can often be enough to thwart these attacks. A cyber range can test your tools’ ability to filter unusual traffic, block nefarious IP addresses, throttle network requests and load balance and divert traffic before the DDoS has the ability to overwhelm your resources. 

And, because there are a number of different kinds of DDoS attacks — from application-layer attacks, to protocol floods and overwhelming volumetric attacks — your team can ensure they have the systems and steps in place to shield your operations from these forms of sophisticated attacks.

Ransomware

According to the Cybersecurity & Infrastructure Security Agency, ransomware is “a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.” When effectively implemented, ransomware can be crippling to an organization, encrypting key data until money is paid. If it isn’t, the data could then be deleted by the attacker. 

Because many organizations do not have sufficient data and system backup procedures in place, facing ransomware can equate to losing all of their key proprietary data — not to mention the damage to their customers and reputation.

Instead, pit your team against a ransomware attack within the safety of a cyber range. Test your cyber defense’s ability to scan incoming and outgoing messages, block malicious IP traffic and block spam and unauthorized software from entering and spreading through your network. If ransomware spreads in the training environment, test if your existing data recovery tools and procedures are enough to allow your organization to completely refresh application data from backups efficiently and reliably.

SQL injection

Your web application went through user, system and integration testing as well as extensive fuzzing to check for bugs and potential vulnerabilities, including SQL injections. But has the version of your SQL database of choice been updated recently? Have other additions to your web server been updated or patched? Are you sure all user fields are secure? All of these factors can contribute to the vulnerability of your system to a SQL injection attack.

In a SQL injection scenario executed in a cyber range, your organization can test if public-facing websites under your control are exploitable, enabling an attacker to inject code or use exploitation techniques to extract privileged information or disrupt business operations. Even worse, if credentials or data was stolen, can an attacker pivot to other systems?

A cyber range can put your firewall, security incident and event management tools and web server security controls to the test, ensuring that your layered defense can block data exfiltration, lateral movement, and prevent real attackers from finding a foothold via your brand’s online web presence.

Natural disasters

Does your organization have a disaster recovery plan in place? Has your organization tested its continuity of operations procedures? These scenarios can also be tested in a cyber range.

Whether it is a hurricane, flood or earthquake, natural disasters have the ability to wreak just as much havoc on your organization’s technology operations as a well-tailored cyberattack. Utilize the cyber range to simulate a power failure in a segment of the network managing backup databases and servers or a flood that wipes out a large group of end-user devices. 

In either case, can your IT staff quickly recreate a network, cut over to backup devices and repopulate key databases and applications and load balance without causing your operations to completely screech to a halt? At most, your organization will only have a few days, thanks to weather forecasts, to prepare backup plans, but earthquakes and fires can happen without warning. Put your IT staff and other business functions to the test to see how well they respond and recover key services.

Bringing it all together

No matter where your organization is on the cybersecurity maturity model, cyber ranges provide your organizations with a secure, safe environment to test the skills and poise in the face of a cyber threat. Whether it is how to deal with a zero-day threat or an inadvertent data breach following a phishing attack, your cybersecurity professionals will be able to go beyond the textbook to have hands-on experience inside the cyber range, emulating reality with a high-fidelity simulation so they will be ready when confronted by the real thing.

Simulations can be tested over and over, reset and tweaked, ensuring that your cybersecurity team and defenses understand the tools, procedures, resources and skills needed to protect your organization from the worst that cybercriminals have to offer without putting your production systems at risk.

 

Sources

What is a DDoS Attack?, AWS

Ransomware Guidance and Resources, CISA

The Cost of Insider Threats 2020, IBM Security

Insider Threat, IBM

Cyber Exercise Playbook, MITRE

What is a distributed denial of service attack (DDoS) and what can you do about them?, Norton

Posted: January 13, 2021
Articles Author
Patrick Mallory
View Profile

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master’s Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.