The Hacker Mind Podcast: Cyber Ranges
Red teams and pen tests are point in time assessments. What if you could simulate an ongoing attack to test your teams’ readiness? You can with a cyber range.
Lee Rossi, CTO and co-founder of SimSpace, a cyber range company, joins The Hacker Mind podcast to explain how using both live Red Teams and automated cyber ranges can keep your organization ahead of the attackers.
Vamosi: There was this short story, and much later a movie, called Ender’s Game. Perhaps you’ve read it, seen it, or at least heard of it. The premise is pretty basic. Kids are recruited to play this computer game, and the ones who get really good get promoted to live in these fancy villages. And … you’ve probably already guessed the ending, right? It’s the science fiction equivalent of “and it was all a dream.” I mean, the ending is that Ender was battling aliens who were attacking the Earth. The governments of the world wanted the quick and agile minds of children who could think three-dimensionally, and without all that moralizing about killing, you know, space aliens.
Ender’s Game remains a very popular book (yeah, it was expanded into a novel) and, as I said, was later made into a movie. Its author, Orson Scott Card, told me that he was sitting on his front porch when the idea for the short story came to him full blown. Yeah, I met him at the World Science Fiction Convention, back when I went to that. I met up again with him a few years later when I went to a writer's workshop, but that’s another story.
Anyway, what if there was a way to simulate attacks on your networks? Yeah, there are red teams. But they’re hard to scale. What if you could have this training more often, say, once a month? And what if you could see your progress from month to month? Well, you can. And in a moment I’ll introduce you to someone who’s created cyber ranges to do just that.
Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations of people who hack for a living.
I’m Robert Vamosi and in this episode I’m talking about cyber ranges, simulations that can both teach and improve the security of your networks.
Rossi: So we're a cybersecurity company that started seven years ago.
Vamosi: That’s Lee Rossi, CTO and co-founder of SimSpace, a cyber range company. I met up with Lee at Black Hat USA 2022. And I asked him to tell me more about his company.
Rossi: We create cyber ranges to be able to provide training, testing, assessment, and overall measure the readiness of an organization. And that comes down to: how good are your people and how do we improve them? How good is the tech that you have? How do I measure it, and how do I make it better? And then the combination of the people with the tech against live adversaries or automated red teams, and really understanding and measuring how well you're doing, and then where to actually improve.
Vamosi: All this sounds like what you’d hire a red team to do. A red team would be the enemy and they’d study your network and try to exploit any weaknesses. You’d also have a blue team, they’re the good team, who could defend. And then you’d compare notes. So why not just hire a Red Team?
Rossi: Very fair, very fair. So I think the value of a red team is super important. Many organizations that we work with, large banks, entities that have red teams, measure a point in time of the organization itself. But that doesn't really tell you, per se, how do I improve my staff and the people themselves to be able to deal with sophisticated adversaries. So what you really want to do is, in the heat of the battle, in the heat of the moment when somebody is attacking you, how well are your defensive teams, how well are the tools acting and reacting to what's going on? So it's not necessarily about the specific controls that the red team is testing, but the readiness of the organization in terms of identifying it, triaging, taking action. And as you know, it's all about dwell time: the shorter, the faster you find the adversary, the faster you can kind of get them out, and ideally the less damage that's actually happening from them. So I would say it complements it. And what we have is automated red teams that put up a sophisticated threat against the defensive teams, so they can dial it up. Or when we do these larger assessments for, say, large banks, we have our red team going live against the security teams. And now you're battling back and forth and seeing how well they work.
Vamosi: So you have both human and automated Red Teams. And, like any other Red Team, these emulate the current threats in the wild, right?
Rossi: Absolutely. So the threats that we look after are ones that you would see popular in the wild and against the customers that we work with: large financial institutions, militaries, the US military, foreign militaries, NATO partners. How well do they defend and react against these threats? And it could be somebody like a Target, it could be a bank, it could be a municipality like the city of New York, or it could be the US military. So the question is, what are the Russians up to? What are the Chinese up to? What are the North Koreans up to? So if you're a bank in Turkey, or you're a bank in the Middle East, and you're worried about threats, say banking data being stolen, how do they defend that? How do they prepare themselves against, say, somebody going after financial data? The flip side is, to give a good example over here, what happens if somebody's attacking my country? How do I find and go through that? So whether it's a target or an adversary going after destruction, manipulation, or finance, the question is, how do you emulate those threats for those environments?
Vamosi: Perhaps it’s good to explain what we mean by a cyber range. It’s a simulated space where defenders can go to see real attacks against their network. But I’ll let Lee explain it in greater detail.
Rossi: Very, very, very fair. So I think the cyber range is actually four layers. The first layer is just the ability to recreate the virtual machines, the routers, the domain controllers, the physical assets, or sorry, the virtual assets. If I have a domain controller, or something in AWS, or I have a router, okay, that's layer one. Layer two is going to be the automation of, say, the security tools. I want to drop in there Carbon Black and Cybereason, and I want to be able to put in all the domain policies, and I want to be able to set up all the applications with the US. Okay, that's layer two. The third layer is going to be: how do I model virtual users, AI little bots that are interacting with the Windows clients, sending emails, sending PowerPoints, creating all that background normal traffic, so it makes that network come alive. If I just had three VMs and just ran the attack, it becomes very easy to find the attack. Which one is the needle in the haystack? Find the attack with thousands of virtual users using Outlook and browsing the web on there. And then we're also going to run automated attacks. So we're gonna have virtual users and automated attacks. That fourth layer is all of the, I'll call them, the measurements, the telemetry, the assessment tools. When the operators are in there, I'm measuring every step of the attack and what it's doing. I know exactly what every virtual user is doing. I'm measuring the response from the human process. So now I can actually start measuring dwell time, efficiency, what the tool caught. So think of it as all the measurement tools at the network layer.
Vamosi: You might be thinking this is all generic, a generic network that’s under attack. Actually, it’s formed from copying your own network, as it exists, with all the tools you currently use.
Rossi: That's all the cyber range. Now, historically, it's very hard to kind of create that by hand. It takes weeks or months. What we've done is created the ability to rapidly automate. So the current version can take data from, almost think of it like a network designer tool: I design it, I create it, and I can rapidly automate, thinking about it. The new version that we're creating connects to a production network, to your security tools, your Splunk logs, your Carbon Blacks, and your Cybereason, pulls the data in, and that will create a model of that network from the production that you already had. So it's the ability to rapidly create a very high fidelity replica of your network, your security tools, your operating systems, your environment and the users. And now the data from that environment is not generic. Here's a special, well, I think it's something that closely matches what you have.
Vamosi: So how do you simulate an attack? You’d go through MITRE ATT&CK, or you’d just follow what an APT is doing. So you take, like, signatures which would be indicative of, say, a foreign government, and you say this is an attack by X.
Rossi: Two answers. As much as is publicly available and disclosed, we'll take that data and recreate as much as is available to go through. We may not have the exact payload, but we're going to use the same techniques, procedures and everything else about it. So as much of the payload as we can create, we're going to go through and automate that. But we're going to have smarter automations that are going to randomize it a bit and may have slightly different IOCs, so we can randomize what's coming from where, so you can have some repeatability and you can actually try it multiple times. I would say that we go through and we create the full attack kill chain from the outside: exploit and take advantage of machines on the inside.
Vamosi: In Episode 53 and in Episode 20 I talked with Frank Duff about MITRE’s ATT&CK Framework.
Rossi: So we map everything to the MITRE ATT&CK framework. So every one of the attacks, you know, MITRE does a wonderful job, and they do a great job of, I'll say, having a nice taxonomy where you can kind of see. Here's my simple way to think about it: if all of your testing, I'll say of spear phishing, is the same technique, great. Out of, I'm gonna make it up, the 100 possible options, if you're only testing three, okay, great. What we wanted people to do is show as much coverage, breadth and depth, for the various techniques that somebody may have. And that'll give, I'll say, a better assessment of the people and the tech being able to actually find them. So we try and change it around as much as possible, right, for us.
Vamosi: What I like about MITRE ATT&CK is that it has some 300 tactics and techniques, but you only need to have a handful, those that affect your organization. In some cases, you might have only two or three to worry about.
Rossi: So whether it's spear phishing or drive-by, I got the box, laterally moved, compromised data, took it all out. So the zero day is not always as important as the fact that there may be stuff happening on the endpoint, or lateral movement going through, or command and control going out. Which of your tools is picking up on that, right, to go through? I'd like to give props to one of our partners, Mandiant. One of the things that we're working on there is, they do have a lot of great intel, and how do I take the intel from some of the actual threats and start marrying it into the range? And the beauty about the range, the simulation environment, is it's very destructive, right? I can actually attack the machines. I can take the data down. I can manipulate the data in a database, for example, financial or transactional. I should probably expand on some of the network environments they do: some model hospitals, some model power companies, some model financials. So for the financials, we'll have SWIFT-like payment systems or automatic teller machines. So the attacker is going to get into the accounting systems to manipulate the data. Another question is, how well does the security staff see, not necessarily that a machine is going down, but that the amount of money in that account is actually varying? And those are harder to find.
Vamosi: And I would imagine one of the advantages of having an automated as opposed to a live red team is that you can perform it more often. And do check marks against time.
Rossi: So we actually take measurements on a, you can almost think of it as, the US military. The US military uses our range, a bulk of the software for the US military during our range, but what they call the separate training environment. That's the Cyber Mission Force, with 6,000 offensive and defensive operators, and I'm going to use that as an example because it goes from: how do I get individuals that are now skilled up to the position of those individuals? And they have to do this, like, daily, weekly, just to maintain and build up the skills. That's great. Now you want to be part of a team. So just like in football, right, you have a wide receiver, you have a quarterback, you have your position. Great, now they're going to work as a team, and they're going to practice every two weeks, four weeks, you name it. After that they're going to come and do some larger exercises. So I have five, six, ten teams working. So you go from individual to team to teams of teams, and at every interval you're rehearsing, you're building individual skills, but you're trying to look a lot like football: great position players, you got to work together as a team. You get to know the system, and just like in football, every day of the week you're practicing, and then on Sunday you are doing, and you repeat that throughout. Cyber is really not that different.
Vamosi: If only it were like a sporting match.
Rossi: This is where I look back at it. The defensive teams are getting better. We've been doing this for 20 years. I used to be at Lincoln Laboratory, a federally funded R&D center, and honestly, the defense 20 years ago, right? No, no firewall. Okay, there was a firewall, but it was not really great. You look around here at Black Hat, there are so many cybersecurity companies, but defenses are actually getting better. So it's a cat and mouse game. It may not seem like it, but it is getting better, if you want to put the energy into it.
Vamosi: And so you said that you have a government party, and you mentioned finance, but what other industries are also interested?
Rossi: So we look at all verticals. And the way we think about it is, any organization that's large enough to have a SOC, a security operations center, with a team of, say, eight-plus people, then you're ready for us. If you are smaller than that, it's probably not a good thing to be able to do that. And that spans everything from commercial companies, to militaries, to utilities, to hospitals. You name it. And some of the areas that we're expanding into now this year are, say, Europe and Asia Pacific, and Russia is a good example here, with thanks even to the support from the US government. How do we help build up defenses for many of the neighboring countries that are already there? So in support of, or with the help of, the US government, building up Slovenia and Hungary and Ukraine. Separate story on that, but how do we help them out so they can actually build their own teams up and be able to actually defend against a potential aggressor, which there's an obvious one that's going on right now.
Vamosi: In Ep 50, I talked with Mikko Hyppönen on the digital battle in Ukraine. So, when these trainings occur, do all members of a company participate? You mentioned the SOC, so I would imagine that they would be key, but how far beyond the SOC do you go?
Rossi: Actually, it's a decent amount. One of the top five banks that we work with, and we'll keep the name separate, we started off with just, for example, one SOC in the US, and then the next. Think of these as almost like semi-annual exercises. So every six months we're doing an event, and we're bringing the SOC in. And so it started off with just the one in the US, and then it was the US with a handover to Europe, and then a handover to, say, Asia Pacific, and we're doing shift handovers between SOCs too, because the threat just doesn't stop after three hours. It goes for 24-plus hours. From there they said, hey, you know what, this is good. But why aren't we thinking about the domain controller guys and the firewall guys? Let me start pulling in the domain guys, because when you do a security incident, many times I may have to tighten up my GPOs on my domain controller, or if there is an incident with my Exchange Server, in that case I want to pull that guy in. How do I do it? So that started expanding to, I'll say, the broader IT side, but also the business side. And so what we started doing, almost by line of business, was like, okay, this month we're going to deal with assets, or we're going to deal with ATMs. So let's bring in the business owners. And now, here's a funny one. So we're doing some attacks against one of the banks. They were all over that golden ticket, they got into the main show and were taking everything over. ATMs are all compromised, and the security guy's like, we're gonna pull the plug. We're gonna reset the whole system. And we're done with it. The business guys are like, not so fast, my friend. If you're gonna pull all the ATM machines of a top five bank offline, there's a real cost to that. And seeing that pressure, and the sweat on the security guys: you have to operate through. Yes, something is happening, but how do I maintain business continuity while I'm under attack, contain it, and really minimize that downtime?
And that started really emphasizing what happens in the heat of battle, right, what we call it.
Vamosi: So if you’re playing a machine, there’s a degree of predictability, I would imagine. Machines are only as creative as the programmer makes them. But life throws a variety of crazy things at you, so to make the training real, I would imagine there needs to be more randomization of events and so forth. Is there like an AI operating in the background or is this algorithmic?
Rossi: It's algorithmic, but we're also building AI bots, both defensively and offensively, to be able to be smarter, right, course of action, all that. But, to be fair, it's only going to go so far. So we have randomization and automated attacks, and there are some AI components. But when you're going up against a sophisticated security team, you need to be able to actually go through, and to be fair, our red teams have to be able to get around the tools, right, CrowdStrike and Tanium and Splunk, and they're well tuned. So they have to find ways to kind of evade them. And in some cases, our red teams are only, like, 15 minutes ahead of the security teams as they go through that. So it's a really rapid pace of trying to go through them and operate. But I will say, you're gonna laugh a little bit, many times you see the automated attacks as chaff, as noise on the side, while the red teams are doing something on the front. In other words, let me do some automated ransomware, some noise over in the left corner, while the red team is really trying to kind of get into, say, a financial system, or starting on the side. And so this starts getting into the point of: how do the others, hopefully, triage? How do they disambiguate what's going on and work through those? So it becomes interesting. And the nice thing is, this is not just to say, oh, we breached. No, that's not the intent at all. It's really, how do we improve upon it? After every one of the events we will stop and say, okay, here's what we did. Here's how we got around it. Here's how you can improve it. This is where you would tune some of the things, and then you repeat. So, back to your earlier question: does the event then allow them to come back, automated? Did I improve upon what I was trying to do, either because a person missed it or the tech missed it, right? And many times you find out, shit, I had no visibility, excuse my language. I had no visibility. So what do I need to buy?
Or get, to be able to actually figure that out? Or they may already have the tool, right? And how do I tune that to be able to find it better? So in addition to not having the frequency with the live Red Team always, there's also the lack of 360. With an automated system, you've got the fundamentals. But you could also add in some extra sauce in there to spice it up.
Vamosi: In the previous episode, Ep 53, I talked about how exercises can help organizations see what tools are useful … and what are not. It might be that you have legacy protection on your network that doesn’t match the threats you have today. And also, more troubling, you may not have the protection you need to match today’s threats either.
Rossi: Yes. And for two things, when we're talking about the people, it's always hard to say on two fronts. It's hard to take the red teamers. They're super busy, trying to get their time to begin with. But it's also challenging to pull a full SOC team off the floor to be able to operate. So on whatever frequency makes sense for the organization to run those, that's good. But then how do I continuously measure the technology of the facsimile, or the replica, of the range to make sure that the controls are actually great? So every time there's a new Lazarus or APT, pick a number, or some new threat, let me throw that against the tech and just see how well it measures up. Does it get through or not get through? So our users often have multiple instances of the range: one for training, one for testing, and one for evaluating new products they're thinking about bringing in, to be able to go through, and one for intel and analysis. So the nice thing about virtual machines, or just cloud and all that, is I can make lots of copies over time, too.
Vamosi: While this seems really cool -- modeling your network for virtual training exercises, it’s not for every organization. It raises the question, when is the right time for this type of environment and the investment to be made?
Rossi: At least to me, governments and large financials, because they've been dealing with militaries, they've been dealing with these epidemics for a long time. They've been, right, they were some earlier customers because they had built a team where they were getting attacked. So they built up the teams and bought the technology, and now they're ready for that next step. Early on in the company, moving around, we were meeting with some Fortune 500 companies where literally the security was one guy, and they just didn't understand it. So once an organization builds up the technology, the tools that they have, they start building up the people. Great, now that you have those, how do I continually test and measure and improve, so you don't wanna just have a bunch of bodies? Sorry, a lot of staff members. How do I now take it up to the next level? Right, just improve your readiness for the end. People are understanding the threats and the risks from attacks. So this really is a way to kind of start measuring how you're doing. But also, it's not just another line item to add to the expense sheet. In many regards, it can improve your overall efficiency to, say, take away tools that are no longer needed, right, to be able to actually start improving it. And I think the reality is, there are not enough people, too many tools. So you have all these people just swiveling chairs between tools. So how do I figure out what tools I really need, where the operators are really good, and improve on that one? So it's just the way to now improve your readiness in a quantifiable way. It's not just saying, try. Well, let's really measure.
Vamosi: We’ve mentioned a few product names in the podcast thus far. These are not endorsements, just examples that Lee sees out in the field today.
Rossi: They're just some prominent ones that happen to be right around here. I think there's a lot of, in general, I think companies do a good job. There's a lot of governance. The question is, what's the right one for the organization? Right, the ones that they have, how do they integrate? Honestly, though, sometimes company media, limited, what's the right word, may not be as capable as they say, and you find that out from that. But, but it gives, so from our standpoint, we're almost like the cyber Switzerland. We don't advocate, we don't push any one over the other ones. We're here to measure, right. We're here to help you make decisions. We don't give you a report. It's your tools in an environment that matches what you look like. You see what's going through, and the other one is out of the box. Every one of those are pretty good. It really comes down to that detection engineering and tuning it and getting it just right. And sometimes it's just that, it's just, how do I tune those tools to work for the team? Sure. We're not endorsing any one over the other. But it does give you a way to kind of just figure out the strengths and weaknesses.
Vamosi: Given his years of experience, and his engagement with various organizations, where does Lee see the threat landscape today? Is it getting better?
Rossi: Honestly, this is what I think. I'm an optimist. I think it's actually getting better. I think that threat is there, because wherever the money is, wherever the potential damage is, that's what people are gonna go after. Having said that, organizations recognize the impacts of not being well secured and all that, and through making the investments, things are getting better. So there's a lot of investment in general, good technology, people are taking a good posture towards it, not just writing it off as "don't care." And I think it is improving the overall security for them. With the improvements overall, yes, there are going to be some areas that are going to be weaker, and they're gonna have to improve themselves a little bit. But yeah, I'm an optimist. I think things are getting better and are forcing the adversaries to step up their game where they didn't have to do it before.
Vamosi: I’d like to thank Lee Rossi for coming on the show and discussing SimSpace, and how cyber ranges are important to testing the security of large organizations.
I have so many stories about hackers who are making a positive difference in the world. I don't want you to miss out. Let's keep this conversation going. DM me @RobertVamosi on Twitter, or join me on Discord. You can find the deets at thehackermind.com