SimSpace Corporation - Itea

Transcription

SIMSPACE CORPORATION
Experiences in Running Cyber Ranges in the Public Cloud
Cybersecurity through PEOPLE, PROCESS & TECHNOLOGY
BOSTON (HQ): 51 Melcher St., Boston, MA 02210
www.simspace.com

Can you run sophisticated cyber ranges in the public cloud? ...and save money and schedule?

Time-Tested, Vanguard Leadership

CYBER EXERCISES & TRAINING
- 4 years, 23 events
- Series of "1sts"
- Over 2,000 participants
- High-risk development schedules

CYBER RANGES
- Core team from MIT LL
- Developers of LARIAT and other range tools
- Nationally recognized leadership in cyber ranges

Cyber Defense Team Training & Assessments; Cyber Defense Team Testing; Cyber Team Certification; Large-Scale Cyber Exercises

Easy access: Anyone, anytime, anywhere

Cyber Range Tools
- User Emulation
- 0-day Emulation
- Auto…lization
- Mission Impact

Cloud Components & Security

CYBER RANGE
- User access policies & management
- Network access policies
- Two-factor authentication, white-list access
- Nested virtualization engine: VMware hypervisor; high-performance nested virtualization and overlay network (DHCP, DNS, HVX)
- Secure capsule: isolated, self-contained environments that prevent leakage into the cloud
- Software-defined …ng
- Manage users, access policies, networks, test/training results and security controls

AWS FOUNDATION
- AWS Global Infrastructure: Availability Zones, Regions, Edge Locations

RANGE BUILDOUT: Automation! 1-2 FTEs

Catalog: Preconfigured Networks
- Generic Small
- Generic Medium
- Military
- Generic Financial
- Generic Larger

[Figure: Generic Financial Institution Network Diagram (Techco Inc., Internet servers and clients, range services, public and financial DMZs, two datacenters, branch/brokerage, IT department, Splunk/ELK/OpenVAS monitoring hosts); per-host IP and OS labels not reproduced]

Sizes and difficulty ratings shown: 40 hosts (difficulty -), 90 hosts (0.91), 150 hosts (1.26), 290 hosts (-), 1,400 hosts (-).
Feature labels shown: Internet emulation; 1 simple network / 4 simple networks; Red Team hosts; island defense; financial business units; core financial services; tri-service network; military critical system; 3rd-party network(s); multiple business units; core services; distributed enterprise.

Range Build-out and Provisioning
- Create new unique network: 2 weeks
- Copy network for new team/use: 5 mins
- Create new users: 30 mins
- Deploy range to computing infrastructure: up to 30 mins
- Range cost: only pay for actual use (execution time), not infrastructure or idle copies
- User scheduling or resource allocation: no concerns (nearly unlimited capacity)

Rapid new network and team provisioning (e.g. 1 day); no scheduling or resource constraints

Example Cyber Range
Internet / Range / 3rd Party / Techco Inc.: 280 nodes, 15 span ports
- Operating Systems: Windows 2008 R2, Windows 7, CentOS, Ubuntu, Kali
- Applications: MS Office, IE, Chrome, Firefox, Active Directory, Exchange, IIS, Apache
- Security Tools: Symantec SEP, Splunk, Tanium, Qualys, RSA Netwitness, Security Onion, ELK
- Network Instances: copies for team training; copies for new products (A/B testing)

Example: DOT&E CPT Bi-Monthly Events

Goals
- Preparation for certification
- Maintain team or group proficiency by running live Red vs Blue events
- Fight against live red team
- Run every 2nd and 4th Wednesdays
- Self-learning between events
- Dedicated team range
- Leverage automated red team (April)
- Preparation for Cyber Flag & Cyber Guard

Upcoming Training Topics
- 16 March: Lateral Movement & Data Exfiltration
- 23 March: Covert C2 Channels & Lateral Movement

Teams: 8 CPTs across Navy and Army

Working With Security Vendors

PRODUCT VENDORS: GENERIC → CLONE → TAILORED (increasing sophistication and tailoring over time); LATEST LIVE MALWARE FEEDS
- Create unique instance of network per vendor
- Limit access to specific instances
- Allow vendor to install/configure tools (makes for best setup)
- Reduced burden on range staff
- Compare performance over time

CATALOG OF NETWORKS
- Nearly unlimited capacity
- Alternate network configurations
- Unique instances per user, product

RANGE
- Run multiple concurrent instances
- Around-the-clock global access
- No impact to existing IT staff to maintain a new 24x7 system

Range Capacity (On-Premises)
- Physical (on-premises) ranges are limited by the number of concurrent VMs they can run
- [Chart: virtual machines (VMs) vs. vendors & range providers; axis values 2,500, 2,000 and 60% visible; detail not recoverable]
- Range capacity affected … optimize

Environment realism
- Heterogeneous mix of hosts
- Real applications, services and systems
- Realistic user load
- Defensive tools

Resources must be committed to
- Prioritize and schedule events and users
- Ensure maximal utilization yet not overcommit
- Size the network to the range or availability
- Monitor usage, equipment for overloading
- Avoid user (customer) delays, cancellations

Cloud-Based – Monthly Usage

[Chart: Cyber Range Usage of the cloud-based cyber range, Jun 15 through Feb 16, with a bi-monthly annotation; equivalent on-prem range: 2,500 VMs, 3.5M, 6 months to build; Feb: 40 hrs/week, 160,000 VM hrs; datacenter equipment and build cost: 1.4M / 1,000 VMs]

- Customers use range when they want
- Customer use varies monthly based on own priorities
- Avg number of monthly active users: 10
- Able to spike in load and not worry about range capacity limits and scheduling
- Range operations staff: 2

Elastic Range Matters!
1. Preserves mission preparation
2. Staffing reductions
3. Avoids scheduling delays

Operating Costs

Area                                        | Personnel
--------------------------------------------|----------
Developers (range and tools)                | 8
Range build & operate (infrastructure)      | 0
Range operating costs                       | -
Range operations and support staff          | 2
Scheduling and …rs                          | 2

Significant cost reduction due to improvements in tools and operating costs; cost savings about 4-8 times cheaper (software development, planning and scheduling, build and operate, range support)

Cloud-Based Cyber Range – Challenges
- Requires decent Internet connection: about 200 kbps per user
  - DoD NIPRNET bandwidth availability not great for some CPTs
  - DREN access for Norfolk team
  - PACOM using dedicated cable modem setup at Ford Island
- Performance: small performance degradation due to additional hypervisor
- Security: limited to Unclassified uses; GovCloud option for DoD users up to FOUO level, available based on demand
- Maturity: some aspects not as polished or robust as VMware-based solution; rapidly addressing
- Physical devices: most vendors now have virtual machine solutions; can route out of cloud to access Internet-accessible physical devices, though this adds latency

Benefits

Simple to use and operate
- Simple, integrated, intuitive, comprehensive range tool suite
- Rapid creation and duplication of predefined or tailored networks

Affordable
- No datacenter infrastructure to build, maintain and recapitalize; no expensive backup solutions
- Nearly unlimited compute and storage capacity
- Able to support government, DoD and commercial users on same platform
- Significant reduction in staff to build and operate

Access & scheduling
- Ranges accessible with any modern web browser and an Internet connection
- Users access and use at the time and place of their choosing
- Don't need to tear down customer range after use; refine, tailor, compare results over time

Rapid software and feature updates and learning cycles
- Iterate development and features based on user feedback; software updates pushed out every month

QUESTIONS?

CONTACT US
Boston, MA (HQ): 320 Congress St., Boston, MA 02210, www.simspace.com
William Hutchison, CEO: Hutch@simspace.com
Lee Rossey, CTO: Lee@simspace.com
Bart Gray, COO: Bart@simspace.com
