In this third instalment of the SagaLabs-Blog we will be talking about cyberranges.
What are they, how does SagaLabs fit into existing frameworks, and last but not least; what will we try to achieve with SagaLabs.
What’s out there on Cyber Ranges?
Around five years ago we started to see the concept of Cyber Ranges trending. Many will remember IBMs 23 tonnes XForce truck touring North America and Europe with their mobile Cyber Tactical Operations Center conducting live technical exercises in the range and engaging the organizational leadership. Also, organizations as SANS, Palo Alto Networks, various Armed Forces and affiliations and others have been early promoters of Cyber Range supported learning and development followed by emerging providers.
As in other areas of the Cyber Security Industry, we are not short on definitions, or for that matter highly enthusiastic individuals keen to discuss and vigorously defend certain meanings of specific terms. So far, there is not an overwhelmingly large number of sources openly out there in the shape of textbooks, whitepapers or academic publishing’s. However, a few books were released in 2022 and some of the providers of services based on ranges have good and informative substance on their web-sites.
Looking for some source on what could be an emerging common language around Cyber Ranges, a place to start would be NIST.
As part of the NICE initiative, NIST drove a project from 2018 on Training and Certification, within which a Cyber Range sub-project was emerging. Unfortunately, it seems, the project was closed in 2021 leaving behind a one pager on Cyber Ranges and a DRAFT Guidance Document for Use Cases, Features, and Types of Cyber Ranges: “The Cyber Range: A Guide”. We think the DRAFT Guide is a quite good starting point for common concepts on Cyber Ranges, and hopefully some day the draft will be picked up again and evolve as a reference.
Since the DRAFT is out there and accessible, and as the NIST concepts apply quite well to the work we have been doing both on the technical and learning side of things – helping us understand, explain and ask questions – we have chosen to use the NIST language anyway. Luring, of course, on what others have to say also.
But what exactly is a Cyber Range?
Is SagaLabs in fact a Cyber Range, or are we stretching our language about our environment ?
Well, the NIST documents define a Cyber Range as follows:
“Cyber ranges are interactive, simulated representations of an organization’s local network, system, tools, and applications that are connected to a simulated Internet level environment. They provide a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing.” (NIST, 2018, p. 1)
SagaLabs falls safely within this definition, as it is both interactive and can be run against images of various states (of breach) of the environment. As it follows from the requirements of the definition, SagaLabs is not only a random collection of hosts in a domain. It is a local network with its own systems, applications, tools connected to a simulated Internet level environment, resembling – purposely simplified – the digital estate of an organization.
The second part of NISTs definition of a Cyber Range declare the broad purposes covered by Cyber Ranges, including ‘hands-on’ training for skills, product development or testing, within which the current version of SagaLabs is focused on education, training and exercise – mainly with a focus on ‘hands-on’ experience within Blue Team roles.
NIST further outlines a reference model for Cyber Ranges (see figure 1), the high-level use-cases, the technical components and types of Cyber Ranges related to purpose.
Figure 1 – The NIST, DRAFT, Reference Model for Cyber Ranges
The Reference Model of NISTs draft offers an ordering of the components of a Cyber Range, whether we talk about technical components or the components related to design and execution of learning experiences. Thus, it emphasizes the notion that a Cyber Range is not only a technology stack but also (a lot of) soft stuff, such as design and development around non-technical orchestration of learning. In coming posts we will dive deeper into the components of SagaLabs and as best we can relate these to the Reference Model.
What kind of high-level use-cases can Cyber Ranges offer ? NIST outlines educational use-cases for educators (i.e. targeted at students) and organizations (i.e. training of staff) and also a purpose of test and validation of skills and expertise (as we know from certifications) to support recruitment and development planning for staff. Also, NIST, indicate a use-case of “situational operation” related to changes, weather changes in technology or organizational changes, pointing in the direction of simulation and decision support – i.e. what would our Cyber Defense capabilities look like in different set-ups. In our view the latter use-case could be expanded and in addition include the Cyber Range as an enabler to generate insights for research.
So how can SagaLabs help train cyber security operatives?
SagaLabs is built to support the educational use-cases, with simulations being at the vision state. As mentioned in a previous post, SagaLabs was made by educators for education, whereas now it supports the professional development of the members of our association Foreningen for Danske Cyber Alumner. In the short term, leveraged by partnerships which we will come back to in further detail in future posts, FDCA is expanding SagaLabs through two projects into further educational uses one for a specific college program and one for organizational training.
As Cyber Range Type, SagaLabs is a Simulation Range in the NIST vocabulary. A Simulation Range is a simulation of ‘some’ non-specific environment, rather than an emulation of one specific environment (of a particular entity) – Emulation Range - or an Overlay Range running directly in a particular entity’s infrastructure.
Developing SagaLabs as a Simulation Range, however, is based on the notion that the learning experience should have a very high degree of realism. Initially this realism was built into out TTP development and reflected in our Threat Emulation. As Target Infrastructure emulation is not really an option for our association, we strive for development of Scenarios and Target Infrastructures hand-in-hand. Thereby we intend a realistic match between critical assets of the infrastructure and the treat scenarios we develop. We will elaborate on teste aspects in a future post on scenario development and how Threat Intelligence Ethical Red Team testing (TIBER) has inspired our approach for SagaLabs.
Stay tuned for our next post, and if you are already hungry for more information, you can reach us at [email protected].