Staying on top of the ever-evolving cyber threat landscape can be a challenge for any cybersecurity professional. The daily grind leaves little time to learn about the latest threats and tools, but the Cyber Range offers a way to keep your skills up to date and have a little fun at the same time.
Governments, universities and workplace training organizations have been running these simulated training environments for more than 20 years, providing a venue where users can practice using the networks, systems, tools and applications they encounter in the workplace. But cyber ranges remain an important weapon in the arsenal for cyber professionals who want to stay on top of emerging threats and new technologies.
More recently, last month, Ukraine’s National Aviation University launched Cyber Range UA, a virtual platform for simulating real-world attacks, as part of an effort to provide cybersecurity training in Ukraine. Also, last October, the U.S. Navy announced it would open the National Cyber Range at Naval Air Station Patuxent River, the Department of Defense’s fourth cyber range dedicated to testing and training initiatives for aircraft, their subsystems, and supporting technologies. Other cyber range facilities focus on training for air forces, submarines, ships, and mission forces.
“In addition to being the most capable, defensive technology must also be cyber-resistant,” John Ross, deputy director of the National Cyber Range, part of the Naval Air Warfare Center’s Aircraft Division (NAWCAD), said in a statement. “We harden warfighters’ systems by conducting vulnerability assessments and recommending mitigations — ultimately preventing adversaries from stealing data or defeating technology.”
Cyber range as a business
But cyber ranges aren’t just about war games. In the private sector, the SANS Institute has hosted the NetWars cyber range competition for the entire cybersecurity community since 2009, and its free Holiday Hack Challenge attracts roughly 20,000 participants each year. SANS hosts a variety of cyber range competitions for individuals and teams, all focused on encouraging cybersecurity professionals to perform at their best.
“How do you maintain mission readiness? How do you ensure you’re continually ready? That’s where the range comes in,” said Ed Skoudis, director of the SANS Technology Institute, who leads the SANS cyber range development team.
The organization designs its ranges to develop real-world skills in a gamed environment. Some ranges are designed to be completed in three to six hours, while others can be accessed over four months depending on the complexity and time a user or company can dedicate. SANS also builds custom ranges for clients who want to strengthen specific skill sets or experience business-related training simulations.
“Sometimes clients come to us with very specific needs,” Skoudis says, “whether they need specific content, a specific combination of cloud providers, a specific SIEM solution, or a specific challenge related to a specific application or SaaS product. They come to us and we create a custom scope for them.”
Team members stay up to date on the current threat and technology environment by working as cybersecurity consultants and range designers.
“We learn things from the real world, build them on the range, watch people work on them, analyze them, and do all sorts of things with them, and then apply that to our consulting services,” Skoudis says. “So it’s a virtuous cycle of consulting and building ranges.”
At the same time, he added, designers are trying to make participation as fun as it is practical, regardless of how well it’s done.
“We try to make it a fun shoot,” Skoudis said. “We want the person who places 92nd to say, ‘I had a great time. I learned a lot. I had a great time. Even though I placed 92nd, I’ve grown as a cybersecurity professional because I participated in this shoot.'”
Gamification for National Security
Singapore’s Home Team Science & Technology (HTX) institute recently commissioned a custom cyber range from SANS to upskill its workforce in an engaging way.
“Gamifying cybersecurity helps raise awareness of new attack surfaces posed by emerging technologies such as artificial intelligence (AI) in a more engaging way,” said Tay Sze Ying, head of xCybersecurity Cyber Threat Intelligence and Hunting at HTX. “It also allows participants to gain a deeper understanding of how such emerging technologies are being used in the field of homeland security and how they may impact everyday life. We also hope that through this initiative, participating teams will be able to explore how AI can help investigate cyber incidents on Internet of Things (IoT) devices such as drones and network cameras.”
The agency’s leadership has been looking for innovative ways to benchmark its teams’ cybersecurity capabilities at both the regional and international levels, and senior management was excited about the idea of gamification when it came to homeland security use cases, Tay said.
The team’s biggest struggle was figuring out how to complete the project within the tight timeframe.
“Along this journey, we had to quickly adapt to the dynamics of organizing a large-scale physical event, clearly communicate a homeland security context to challenge developers, and validate each technical challenge within the scope of cyber,” Tay said. “It was a truly enriching and memorable experience. Now that we have experienced this, we will consider creating more innovative competition formats in the future.”
Built-in Cyber Range
Companies are also finding new ways to use cyber ranges for training and to differentiate themselves from competitors. For example, managed detection and response provider Critical Start has embedded a cyber range feature into its dashboard so customers can practice responding to system alerts in real time. The cyber range feature is free for all Critical Start managed services customers, but it’s also a valuable sales and onboarding tool, says Chris Carlson, chief product officer at Critical Start.
“As you connect your security tools and onboard your MDR service, your analysts can see actual alerts that are curated and anonymized and start working right away,” Carlson says. “Then they can start practicing for when alerts start coming in.”
The company hopes the product will be a highlight for customers as it provides an easy way to continue training and learning to combat new threats while on the job, and the company plans to continually update its product lineup as threats evolve in the real world.
“There’s not a lot of training that goes into cybersecurity professionals. They get a certification, they get a job, they’re doing that job 50 hours a week, they don’t have time to learn,” Carlson said. “This is a built-in feature on the same platform that they use to do their day-to-day work.”
