As the cyber threat environment grows more intense, industry and government groups tasked with cyber defense are finding it increasingly difficult to recruit and hire trained security professionals. Having a degree in cybersecurity is usually not enough to give an individual the skills required for mitigating sophisticated attacks. This requires training in realistic breach scenarios.
Unfortunately, day-to-day work in cybersecurity offers few opportunities for such training on the job.
A cyber range offers a solution. Modeled on the physical shooting ranges used by police and the military, a cyber range creates a training space that simulates a wide range of security incidents — so cybersecurity professionals can practice and learn how to respond effectively.
Many states are now building cyber ranges. This article explores how cyber ranges work and why states are committing to the cyber range to bolster their security postures.
What is a cyber range?
A cyber range is a controlled, interactive technology environment where up-and-coming cybersecurity professionals can learn how to detect and mitigate cyber attacks using the same kind of equipment they will have on the job. The range simulates the worst possible attacks on IT infrastructure, networks, software platforms and applications. The setup encompasses technology that is able to operationalize and monitor a trainee’s progress and performance as they grow and learn through simulated experiences. Used the right way a cyber range can instill confidence in cybersecurity workers.
The range also contains learning management components (A “Learning Management System,” or LMS). An LMS enables both instructors and students to make measured progress through a defined training program. The LMS may also connect with what is known as an “orchestration layer” that connects specific parts of the curriculum with the underlying IT assets that comprise the range. For example, if the instructor wants to simulate an attack that features data exfiltration, the orchestration layer translates these attack parameters to the data and network components of the cyber range. The student can then experience the simulated exfiltration attack and apply his or her defense techniques.
The range’s underlying infrastructure might include a network, storage, compute (servers) as well as switches, routers, firewalls and so forth. In some cases, the range is built using an open source platform like OpenStack. A virtualization layer helps reduce the range’s physical footprint. Some ranges are partly or fully cloud based. The range’s “target infrastructure” simulates the actual digital assets that might be subject to a cyberattack. The target may consist of “real world” commercial products, e.g., Microsoft Windows Server. Such accuracy is important, as it enables instructors to gauge whether a student has mastered the skills needed to repel an actual attack. The instructors can then provide feedback in real time.
Beyond training, cyber ranges are useful for people and organizations that wish to experiment with new cyber defense technologies. They can use the range as a safe place to solve complex cyber problems. They can test new ideas and see how teams interact with emerging cybersecurity solutions.
Drivers of cyber range development
There are many different drivers of cyber range creation. For one thing, it is impossible to become fully competent in cyber defense in a classroom. Operators need practical skills. However, the real world is not suitable for this kind training. It is too risky to allow trainees to learn cyber skills on production systems and real data. Also, the likelihood of a teachable incident occurring on a schedule that aligns with a training program is extremely low. One could in fact sit around waiting for a major cyberattack for months — but when it comes, it’s essential to be prepared. Hence, the range.
Lack of well-trained cybersecurity professionals
The number one reason cyber ranges are becoming more common and sophisticated is that there are nowhere near enough trained cybersecurity personnel to meet demand. According to a 2019 study by the Center for Strategic & International Studies (CSIS), 82 percent of employers are reporting a deficit of cybersecurity skills among their workforces. Seventy-one percent believe this talent gap is resulting in direct and measurable damage to their organizations.
Another research effort by the National Initiative for Cybersecurity Education (NICE) revealed that the US has a shortfall of over 300,000 cybersecurity professionals. Worldwide, the number of unfilled cyber positions is approaching 2 million. BankInfoSecurity.com published research projecting that cybersecurity employment must grow by over 40 percent in the US and 89 percent worldwide to fill the talent gap.
The growth of highly advanced, constantly evolving attack vectors
As the talent gap grows, the threat landscape becomes all the more serious. Anyone following the news in recent years will have seen a dramatic rise in data breaches and brazen attacks — including the shocking penetration of US government agencies through the Solar Winds supply chain attack. Almost every corporate and public sector organization in the US is facing attacks from nation state actors. The stakes have never been higher.
A need for training that simulates different kinds of attacks
Attacks are getting more varied and nuanced, too. Cyber professionals need to train on complete technology environments if they want to stand a chance of defending sensitive digital assets from advanced persistent threats (APTs) and other sophisticated attack vectors. These include spear phishing, Distributed Denial of Service (DDoS), bot attacks, API attacks and more. In many cases, detecting the attack requires learning how to spot seemingly minor anomalies in network behavior and device logs. All of this takes intensive training and individual testing to ascertain competency.
A need for readiness
Ultimately, the training and staffing needs potentially addressed by cyber ranges are about achieving a high state of readiness for cyber defense. It is not workable to wait until the threat landscape becomes more intense to start recruiting and training cyber professionals. This must happen now, in alignment with the surging risk occurring in cyberspace worldwide.
Incident response plans need to be tested
Readiness is about more than just filling chairs, however. Being ready to defend digital assets means demonstrating that a cyber security operation can respond to incidents. The cyber range provides an environment where cyber professionals can show that they know how to execute incident response plans. This might involve working from established incident response “playbooks” that dictate how to react to various threats.
Different attacks warrant different responses. The way a security operations center (SOC) reacts to a phishing attack will be different from the way it deals with a DDoS, and so forth. On the cyber range, trainees can go through the response processes and attest to their ability to handle a variety of attacks.
Examples of cyber ranges in use today
A wide variety of organizations are building cyber ranges for a number of different use cases. These include educational institutions that are offering curricula in cyber security. Corporate security training programs are major users of cyber ranges. Some use ranges to test prospective cybersecurity hires. Others still are testing new products on cyber ranges.
Some notable examples of cyber ranges in use today include:
Defense/intelligence cyber ranges — Just as the military builds training ranges for gunnery, aviation and so forth, they create cyber ranges to train cyber warriors. For instance, the US Air Forces runs the Simulator Training Exercise Network (SIMTEX), also called “Black Demon.” The Defense Advanced Research Projects Agency (DARPA) has its National Cyber Range (NCR), among others.
Research/educational — Universities create cyber ranges with which to conduct research on security, technology and human-machine interactions, among many use cases. The University of Illinois developed what it calls the Real Time Immersive Network Simulation Environment (RINSE) in 2006, for example. It is used mostly for training. Another example is West Point’s Information Warfare lab (IWAR).
Industrial/commercial — Some cyber ranges are created to test commercial products, such as servers, against malicious actors. That’s the job of the IBM X-Force Command Centre, to name one such range. It is a simulator that enables testers to see how systems will withstand malware attacks.
Smart grids — The power grid is such a significant target for malicious actors that the utility industry has invested in building cyber ranges for their unique IT and network environments. These ranges are able to simulate the inter-connected power networks that comprise the grid. They also run the Supervisory Control and Data Acquisition (SCADA) systems that are common in the power industry.
Internet of Things (IoT) — The rapidly growing IoT represents a new attack surface. Many IoT devices lack inherent security features, so it’s essential to have experienced security operators work in their defense. The cyber range for IoT must simulate the large number of devices and the distributed, perimeter-free environments in which they are deployed.
Why are states developing cyber ranges?
A number of US states are building their own cyber ranges. The reasons vary, but aside from economic stimulus, which is one side benefit, cyber ranges help states train people for work in defending their own vulnerable digital assets. Indeed, states have suffered greatly from ransomware attacks and other threats in recent years. The ranges also help attract talent to work for state governments, which can have trouble competing with private industry when it comes to hiring security staffers. States that have constructed cyber ranges include Florida, Arizona, Michigan, Georgia, Arkansas and Virginia.
Georgia offers a good example. In 2017, the state started building a $35 million cybersecurity facility, which includes a cyber range. According to then Governor Nathan Deal, who announced the project, cyber protection for Georgia’s people, businesses and government institutions was a “paramount concern.” According to GovTech.com, the cyber range will be available virtually as well as in-person, offering the ability to test technology, assess skills gaps in staff and enable students to train in a safe environment.
Michigan has also created its own cyber range, which was set up for the purposes of cybersecurity education, testing and training. The Michigan Cyber Range (MCR) is also used for research for researching security for new industrial control systems. It functions as an unclassified private cloud with virtual servers running on a fiber-optic network. It has four physical locations across Michigan, all at university sites.
The vision for the MCR came from a former West Point professor who had contributed to the creation of the US Military Academy’s cybersecurity program. He was joined by a General from the Michigan National Guard. Other former members of the military have been involved in running the MCR and designing its programs. MCR operates a site in conjunction with the Michigan National Guard.
The MCR’s virtual environment simulates the systems usually found in a city government, power company or law enforcement agency. Many different organizations take advantage of this environment, including the West Michigan Cyber Security Consortium (WMCSC), which performs red/blue teaming exercises in a simulated attack on a municipality. MCR also works with an NSA accredited cybersecurity course and certification provider.
For years, the most popular course offering is the Certified Information Systems Security Officer class, a five-day, 40-hour program. Some courses take advantage of MCR’s “Alphaville” simulated city, which features a virtual town with a library, school, and city hall. Each of Alphaville’s simulated sites has its own network, operating systems and so forth.
The future of cybersecurity ranges
Cybersecurity, never easy, is becoming more challenging and serious. Organizations, from corporations to state governments, are struggling to find and train the personnel who will enable a robust cyber defense. To remediate this talent gap, they are using cyber ranges to train and test potential employees. Cyber ranges are proliferating as a result.
In addition to education and training, cyber ranges play an important role in cybersecurity research and the development of new security products. As the cybersecurity landscape continues to evolve in ever-more threatening ways, the cyber range will have a role to play in preparing cyber professionals to rise to the occasion of cyber defense.