Simply defined, a Cybersecurity Assessment evaluates your organization’s readiness to respond to a...
Building a Cyber Range is a Good Idea, but Should You?
Recently, IBM X-Force has received a significant rise in requests for creating cyber range, which are simulated environments for companies to train and practice their response to cyberattacks using real-world conditions, tools, and procedures. The growing demand for cyber ranges reflects a recognition by companies of the importance of preparing and testing their cyber defense strategies.
What is causing the heightened demand for cyber ranges? The shift towards remote and hybrid work due to the COVID-19 pandemic has made it more important for teams to train and collaborate effectively in preparation for potential security incidents. This has made cyber ranges a higher priority.
Another factor contributing to the demand for cyber ranges is the increasing frequency of high-profile cyber attacks resulting in seven-figure losses and public exposure, which can harm a company’s reputation and financial performance. The devastating effects of data breaches and ransomware attacks have underlined the importance of having a well-practiced and effective incident response plan in place to prevent or minimize the damage caused by such incidents.
If you determine that your cybersecurity team and other stakeholders involved in your cyberattack response plan need to train together, then investing in a dedicated cyber range becomes an economically attractive option. With a dedicated cyber range, an organization can train a larger number of employees more efficiently.
Before making a final decision to invest in a cyber range, it’s important to thoroughly assess both the advantages and disadvantages. The main drawback to consider is that a dedicated cyber range may not be suitable for the organization’s long-term needs and might end up being underutilized, which could make the costs of constructing and maintaining it unjustifiably. On the other hand, some organizations may prefer to conduct cyberattack simulations remotely in order to more accurately reflect the real working environment of their teams.
This article will serve as an introductory guide to evaluating the need for a cyber range and will provide steps to help determine what type of training environment would be most suitable for your team.
Why Build a Cyber Range? Mandatory Training, Certifications, and Compliance
Building a cyber range is crucial as it offers a highly effective means of enhancing the collaboration and expertise of your team. Regular practice and hands-on experience improve teamwork and equip the team with the necessary skills to make informed decisions during a cyberattack. Cyber ranges allow for the simulation of real attack scenarios, providing the team with a practical and immersive exercise in responding to such events.
Another benefit of having access to a cyber range is that it satisfies the mandatory cyber training requirements set forth in various compliance certifications and insurance policies. These requirements, established by the National Institute of Standards and Technology and the International Organization for Standardization (ISO), mandate that organizations allocate budgets toward relevant cyber training.
Satisfying the mandatory training requirements can be accomplished in various ways. Employees may be required to obtain certifications from organizations like the SANS Institute, depending on their role in the company. Alternately, the requirements can be met through micro-certifications and online coursework using remote learning platforms like Coursera. Opting for a cyber range does not always require building one internally.
A Cyber Training Progression in Stages: From Self-Study to Fully Operational Cyber Ranges
When consulting with our customers, we present them with multiple options for setting up a cyber range and suggest a phased approach. Each phase is suited for varying levels of involvement, intensity, and desire for a comprehensive cyber range experience.
Stage 1: Self-Training, Certifications, and Labs
The first stage, referred to as the “blocking and tackling” phase, covers the basic necessities for adequate cybersecurity training. It provides the foundational knowledge required for further education and meeting cyber training mandates. Stage 1 may encompass:
- SANS training course in desired areas of expertise
- Finishing Coursera self-paced online or MOOC classes and obtaining the required certification of completion.
- Specialized classes such as reverse engineering malware or network forensics delve into the methods attackers use to move through networks undetected, etc.
An additional component of Stage 1 is hands-on labs that allow participants to perform tasks or simulate blue-team or red-team actions. The labs should emphasize both outcomes and completion, allowing participants to evaluate their ability to identify and mitigate attacks efficiently and effectively, as well as understand the key tactics, techniques, and procedures (TTPs) involved in the simulated attacks.
Stage 2: Team and Wider-Scale Corporate Exercises
In Stage 2, more established organizations can advance to organized group exercises that follow a structured curriculum. This requires dedicated computing infrastructure or hardware (some companies opt to use their existing workstations). During these exercises, all relevant parties apply their acquired knowledge to orchestrate a coordinated response. One option is to pit red teams against blue teams, and involve threat intelligence teams and other security personnel from the company’s security operations center.
For a more immersive and realistic experience in this stage, you may consider involving other teams such as marketing. Including operational technology (OT) teams is highly recommended, as recent ransomware attacks have targeted not only IT devices but also OT devices.
Leaders in the business sector can greatly benefit from participating in immersive, coordinated exercises. By witnessing and experiencing what other teams go through and how they respond, they gain valuable context that can be applied in real crisis situations. The most advanced cyber response team exercises can involve a large number of team members and span several days.
Stage 3: The Collaborative Cyber Range With Vendors, Customers, and Partners
Having a coordinated response plan for your organization is a good beginning. But what about the people surrounding you—your customers, vendors, and partners? The widespread use of digital infrastructure, the connection to APIs, the growing number of connected devices, and the various types of connections make it essential to collaborate with your closest third parties in the event of an attack.
The importance of a well-coordinated response is clear. The world has become increasingly interconnected, with organizations having numerous connections to vendors, customers, and partners. This has expanded the potential attack surface, making supply chain attacks a preferred tactic for cybercriminals and nation-state actors. These attacks can be challenging to identify as they come from a trusted source, and they can be used to secure future access, move across networks, and spread horizontally within an organization.
As the importance of managing risk from third-party and software supply chains becomes clearer and attacks in these areas become increasingly sophisticated, more customers are requesting to extend their cyber preparedness and exercises to encompass their entire ecosystem.
More and more companies are recognizing the need for a coordinated response to cybersecurity threats at the ecosystem level. Some businesses are even making it a requirement for partnerships and key vendor relationships. CISOs and risk management teams are looking beyond just certifications, like SOC2 or ISO 27001, and want to assess the actual readiness and capabilities of their key partners and vendors.
For instance, when a company works with a bank that uses a payment processor that in turn uses a clearinghouse, these three entities are closely linked and may have established protocols for working together, detecting issues, and responding to a breach. It’s crucial that they know how to contain and stop a cyberattack involving one or more of them. Having a risk-aware partnership and identifying specific risks for each party can lead to a more robust, comprehensive, and rapid response in the event of an attack. This is why multiple parties are often included in a collaborative exercise – to establish procedures and norms for a nimble and precise collaborative response.
Keeping Your Training and Range Lively With Fresh Content and Context
The reason for organizations building their own cyber ranges is due to the increase in attack types and severity. Previously, threats would take months to emerge but now it can be in a matter of weeks or days. To combat this shift, CISOs, and risk management leaders recognize the need for two key measures.
- Increase the frequency of exercises
- Improve the content of exercises to keep things fresh over time
Organizations are opting for cyber ranges because of the increasing pace of new and evolving attacks. These ranges allow for a combination of structured, curriculum-based exercises in Stage 1, as well as dynamic, context-driven content for more advanced exercises in later stages. The exercises can also be updated in real-time to reflect current attack trends and scenarios.
The ideal cyber range should have the ability to be customized with content that can be changed in real-time. This allows a company to quickly incorporate exercises based on recent attacks, making the range more relevant and useful by enabling organizations to quickly improve their security posture and learn faster.
Conclusion: Are You Ready for a Dedicated Cyber Range?
It’s recommended to start with stage 1 and 2 capabilities before considering a dedicated cyber range. Try conducting a single cyber range exercise to assess its usefulness for your team and organization. When planning for a cyber range, consider the utilization rate to maximize your investment. Make sure it’s feasible for your team and enterprise to use it frequently. As a backup plan, consider if it can serve as a temporary command center in case of an emergency.
Before deciding on a cyber range, it is important to consider the advantages and disadvantages of the three options available: building one internally, outsourcing to a trusted vendor, or a combination of both. It is recommended to have a clear understanding of the concept and its value to your organization before making a decision.
- On-premise ranges that are exclusively dedicated to cyber security are costlier to construct and keep running, however, they offer the benefit of fostering personal connections among team members as they work together in person. This type of range has become a more feasible choice in recent times as the number of employees working on-site has increased.
- Before the pandemic, many organizations did not consider setting up a completely virtual cyber range. Virtual ranges are cost-effective to establish and upgrade, and they offer greater flexibility. However, some organizations value in-person interactions.
- Some customers have approached us asking for a combination of virtual and physical components in their cyber range, which is referred to as a hybrid version. Although these models provide more flexibility and can include vendors and partners, they are also more costly to set up.
Having a cyber range at your disposal can greatly enhance your security capabilities and preparedness. To ensure you choose the best option for your organization, it’s important to go through a thorough decision-making process.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com