Staying on top of the evolving cyber threat landscape can be a challenge for cybersecurity professionals. The daily grind of the job leaves little time for mastering the latest threats and tools, but cyber ranges offer a way to keep skills fresh — and maybe have a little bit of fun at the same time.
Governments, universities, and workplace training organizations have been running these simulated training environments, which give users a place to practice using the networks, systems, tools, and applications they will encounter on the job, for more than two decades. Yet cyber ranges remain a vital tool in the arsenal of the cyber professional looking to stay on top of emerging threats and new technologies.
Most recently, last month the National Aviation University in Ukraine launched the Cyber Range UA, a virtual platform dedicated to simulating real-world attacks, as part of an effort to provide cybersecurity training in Ukraine. And last October the US Navy announced the opening of the Department of Defense’s fourth cyber range, the National Cyber Range at Naval Air Station Patuxent River, dedicated to testing and training initiatives for aircraft, their subsystems, and supportive technologies. Its other cyber range facilities focus on the Air Force, submarines and ships, and mission-force training.
“On top of being the most capable, defense technology is also required to be cyber-resilient,” said John Ross, deputy director of the National Cyber Range, part of the Naval Air Warfare Center Aircraft Division (NAWCAD), in a statement. “We harden warfighter systems by performing vulnerability assessments and recommending mitigations — ultimately preventing adversaries from stealing our data or defeating our technology.”
Cyber Ranges as a Business
But cyber ranges aren’t all wargames. In the private sector, the SANS Institute has been running its NetWars cyber range competition since 2009 for the wider cybersecurity community, and its free Holiday Hack Challenge has about 20,000 participants annually. SANS holds a variety of cyber range competitions for individuals and teams, all focused on making sure cybersecurity professionals are at the top of their game.
“How do you maintain mission preparedness? How do you make sure that you’re ready on a continuing basis? That’s where ranges come in,” says Ed Skoudis, president of the SANS Technology Institute, who leads the team that develops cyber ranges for SANS.
The organization designs its ranges to build real-world skills in a gaming environment. Some of the ranges are designed to be completed in three to six hours, while others can be accessed over the course of four months, depending on the complexity and time commitment users and companies are able to make. SANS also builds custom ranges for clients who are looking to bolster specific skill sets or experience business-relevant training simulations.
“Sometimes customers will come to us with a very specific need,” Skoudis says. “They need something with certain specific content, maybe a particular mix of cloud providers, a particular SIEM solution, or particular challenges associated with certain applications or SaaS offerings. They’ll come to us, and we will create custom ranges for them.”
The team members make sure they’re up-to-date on the current threat and technology environments by working as cybersecurity consultants or range designers.
“We’ll learn things from the real world, build it in the range, see people attacking it and dissecting it, and doing all kinds of things with it, and then we can take that and apply it in our consulting services,” Skoudis says. “So it’s this virtuous cycle of consulting and range building.”
At the same time, the designers are working to make participation as entertaining as it is practical, no matter how well they do, he adds.
“We try to make our ranges fun,” Skoudis says. “I want the person who came in 92nd place … to say, ‘I really enjoyed that. I learned from it. I had a good time. I am a better cybersecurity professional for having participated in that range, even though I came in 92nd place.'”
Gamification for National Security
Singapore’s Home Team Science & Technology (HTX) agency recently commissioned a custom cyber range from SANS to help boost the skills of its practitioners in an engaging way.
“The gamification of cybersecurity helps to raise awareness of new attack surfaces from emerging technologies, such as artificial intelligence (AI), in a more engaging manner,” says Tay Sze Ying, head of cyber threat intelligence and hunting, xCybersecurity, at HTX. “It also allows the participants to better understand how such emerging technologies are used in the field of homeland security and the potential impact they have on daily lives. We also hoped that the participating teams could, through this initiative, explore how AI is useful in investigating cyber incidents on Internet of Things (IoT) devices, such as drones and networked cameras.”
Leadership at the agency was looking for innovative ways to benchmark the team’s cybersecurity competency on both a local and international level, and senior management was excited by the idea of gamification when it came to homeland security use cases, Tay says.
The team’s biggest struggles came from finding ways to complete the project in the tight time frame.
“During this journey, we had to quickly adapt to the dynamics of organizing a large-scale physical event, articulate homeland security contexts to the challenge developers, and even validate each of the technical challenges within the cyber range,” Tay says. “This was a truly enriching and memorable experience. Now that we have experience in doing this, we will explore creating more innovative competition formats in the future.”
Cyber Ranges Built Right In
Companies are also dreaming up new ways to leverage cyber ranges for training and to differentiate their offerings from the competition. For example, managed detection and response provider Critical Start has worked a cyber range feature into its dashboard so that customers can practice responding to system alerts in real time. The cyber range feature is available to all of Critical Start’s managed service customers for free, but it’s also a valuable sales and onboarding tool, says Chris Carlson, chief product officer at Critical Start.
“While we hook them up to the security tools, and while we onboard their MDR service, their analysts now can start looking at curated and anonymized real-world alerts and get started right away,” Carlson says. “Now they can start to practice and be prepared when these alerts start happening.”
The offering is something the company hopes will be a highlight for customers, as it gives an easy way to keep training and learning how to combat emerging threats while on the job. The company will continue to update the range as threats develop in the wild.
“There’s not a lot of training that kind of happens to cybersecurity professionals, right? They have certain credentials, they get the job, and they’re doing the job 50 hours a week, and there’s no time to learn,” Carlson says. “This is now a built-in capability in the same platform where they do their day job.”