From paper training to a cyber-soldier factory

Developing competences in the field of cyber security

Krystian Piwowarczyk
CDeX
12 min read · Apr 17, 2020


Photo by Taskin Ashiq on Unsplash

Cyberspace is, as I wrote recently here, an unusual and dynamically changing area of operations. Knowledge quickly becomes obsolete: new classes of attacks, new tools and vulnerabilities appear, and the existing ones lose their importance, although they usually do not disappear completely. The challenge isn’t to build the capacity to operate in cyberspace once, but to maintain this capacity at a high level in the long term. For this reason, competence building is an even more demanding area. However, the rules are exactly the same as for acquiring competence in any other field: theoretical knowledge, although crucial (especially in the early stages of education), is only an introduction to extensive practice.

From quiet academic facilities to busy conferences

When no one thought that cyberspace would spread so much, the exchange of skills and experience was completely informal. Moreover, for a long time, security itself was not a separate specialization, but only a side topic, explored by more inquisitive programmers, administrators, physicists or electronic engineers at home or within student interest groups. After all, it was in the Railway Modelers’ Circle at the Massachusetts Institute of Technology that the term “hacking” was used for the first time in 1955, which simply meant at the time: “working on” a technical problem in a different, presumably more creative way than was prescribed in the manual. Over the decades, the concept of hacking has changed and has become rather pejorative through regular misuse.

With the gradual popularisation of electronics and computers, groups of people whose members can generally be called “enthusiasts of modern technology” began to form — especially in the proximity of technical universities, where it was easiest to find such innovations. These groups formed and developed largely independently of each other, because cyberspace did not yet exist at that time. Nevertheless, it can be said that they developed a certain subculture, because they shared similar values, and they were certainly the first hacker communities.

A milestone in the development of these communities was the emergence of the idea of connecting locally networked computers into a larger network covering a wide geographical area. This idea found its realization in the ARPANET project, the precursor of today’s Internet. In the early 1970s ARPANET already covered the majority of significant university centres in the USA. The network allowed the exchange of knowledge between university staff, and over time these groups too began to exchange information through it.

The 1980s saw the further expansion of technological innovations and a growing number of people interested in them. More hacker communities began to emerge, now separate from academic centres. Some groups showed interest in destructive actions, but many chose a more creative direction. Groups such as Cult of the Dead Cow, Legion of Doom or the German Chaos Computer Club published paper and digital publications, created new tools, and organized meetings and studios — places of free exchange of ideas, knowledge and experience. In the following years people associated with these groups also started to organize official conferences, among them the Chaos Communication Congress, organized continuously since 1984 by the Chaos Computer Club, and the famous DEF CON and Black Hat, which attract participants from around the world.

This brings us to the events presented at the beginning and the issue of the growing use of cyberspace, combined with the growing number of attacks in this cyberspace. The need to protect digital assets has been a driving force behind the emergence of a completely new, independent industry within the IT sector — the cyber security industry. The industry is developing particularly rapidly even compared to other IT areas, and the demand for qualified staff with practical knowledge in the field is constantly increasing and exceeds the capacity of universities to make up for the deficit of such professionals. According to (ISC)² analyses, there will be a worldwide shortage of 1.8 million employees in this sector in 2022.

Paper courses

The growing demand for IT security professionals was an opportunity for many people and companies to find new ways to make money by sharing their knowledge. People of varying competence began to offer trainings, usually in the form of a lecture or series of lectures, addressing topics of interest to customers related to computer and network security. Such education in the form of a traditional classroom is, of course, still popular today. However, if such classes include little or no practice, they are of little value; they work well only as an introduction to the subject for beginners, or as a demonstration that the company that bought the training is trying to take care of its own and its customers’ safety, at least on paper.

E-learning

The 1990s and the first years of the 21st century can be considered a breakthrough period in the development of new tools in education. The falling price of data storage made it possible to use increasingly sophisticated multimedia materials, which also became more interactive over time. Every year, increasingly widespread access to the global network also allowed free access to such content without leaving home. In November 1999, educational technology expert Elliott Masie used the term “e-learning” for the first time as a name for “online learning”. E-learning as a form of knowledge acquisition has many advantages:

  1. Access at the participant’s convenience and from anywhere in the world.
  2. Possibility to take a break at any time.
  3. Freedom to return to selected topics.
  4. Low cost.
  5. Ability to transfer knowledge to a large number of people (so-called scalability).
  6. Regular material updates.
  7. More time for practical tasks.
  8. Better opportunities to assess learning progress, including self-assessment.

Obviously, this comes at the cost of longer preparation of the materials, but their repeated use fully compensates for this. The only problematic element in this case is the limited contact with the teacher, but this can be solved through contact forms, dedicated web forums or regular webinars.

Despite nearly five decades of development of the global network and three decades of popularization of the idea of websites, many people still do not see the possibility of using these achievements to improve the quality of training and reduce its costs. Although e-learning is gaining popularity in many areas, it is still something of a rarity in the security training industry, and there are still relatively few companies that use it. Fortunately, this trend is slowly changing, and acquiring valuable knowledge through training does not always require travelling to another city and rushing through the material.

Figure 1. The relation of educational solutions to theoretical and practical knowledge.

Source: own analysis.

Getting to practice

The transfer of theoretical knowledge, whether in the form of traditional or e-learning courses, is not a major technical challenge. Things are completely different when it comes to practical knowledge. Practical exercises require an appropriate laboratory environment, which is, on the one hand, expensive and, on the other, time-consuming to prepare. The popularization of virtualization solutions in the first decade of the 21st century facilitated the creation of such laboratories. Nevertheless, traditional training allows the use of laboratories at most in the BYOL model (Bring Your Own Laptop), which limits the size of such a laboratory to one or two virtual machines running on the student’s computer. Much greater flexibility is possible with remote training in the form of e-learning. Here, the laboratory can be much larger, because it runs not on a single laptop but in a cloud computing environment, shared by many participants and started on request to reduce costs.

In recent years, all these technical possibilities have made it possible to create an even more advanced concept of practical training: the so-called cyber range.

The idea of cyber range

The easiest way to give an idea of what a cyber range is would be to say that the previously presented solutions for practical training can be compared to a “cyber shooting range”. From this it is easy to conclude that the distinguishing features of a cyber range are a much larger scale and training as a team. This is certainly a very realistic approach; after all, defending infrastructure in cyberspace is not about individual people defending individual machines in isolation from the rest of the environment. The ability to correctly set up an operating system or firewall, use IDS/IPS solutions, analyse malicious software, or efficiently update software is as important as exchanging information with other team members, prioritising various activities, dividing tasks according to competences and having a common vision of protecting the entrusted resources. A similar approach also applies to offensive activities, which may have a precisely defined primary objective, but the way of achieving it may lead along different paths, so the correct approach is to analyse potential attack directions at the level of the entire infrastructure, rather than focusing on specific machines.

Since the trainings within such a platform concern the whole team, there must be a second team with completely different goals. These teams are usually called the “Blue Team” and the “Red Team”. The Blue Team’s task is to protect the infrastructure, while the Red Team’s task is to take over the Blue Team’s infrastructure. The very idea of a Red Team is not new; it dates back to the Second World War. It is easy to see that the growth in the Blue Team’s skills is closely linked to the quality of the Red Team that participates in the training session. That is why the Red Team must be a team of experts in their area. Training against a poor-quality Red Team may add nothing to the Blue Team’s skills and, what’s worse, may give a false sense of confidence in those skills.

What distinguishes a cyber range from a range known from the other three areas of activity is the significantly better possibility of using real attacks, tools and software during training. A cyber range can be filled with “live ammunition” by isolating it from other networks. When the whole infrastructure of such a training range is based on virtualization mechanisms, one can be tempted to perform even the most destructive actions, because virtualization makes it possible to restore the infrastructure to its initial state. At the same time, the appropriate use of virtualization technology allows multiple attempts to go through exactly the same scenario in order to work out the most effective way of working.

The name “cyber range” reflects the nature of such a solution; however, it may quite wrongly suggest that the solution is intended exclusively for the military sector. Meanwhile, in the absence of a strong separation between military and civil technologies in the area of cyber security, this is also a good place to improve the skills of employees of banks, the critical infrastructure sector, public administration and private companies, no matter their size. After all, the same attack techniques are used in both military and civil operations.

Because the term “cyber range” sounds serious, projects that are really closer to a cyber laboratory for individual users or a network simulator also use this name to attract interest. Only a thorough analysis of a given solution’s capabilities makes it possible to determine whether the project can be described as a cyber range.

CDeX — a step further from the simple implementation of the cyber range idea

Development work on a cyber range that allows comfortable and effective improvement of skills is also in progress in our country. An example of such an implementation is the CDeX platform (Cyber Defence eXercise Platform), which has been operating for quite some time and is being developed by the Vector Synergy company based in Poznań. This project has several unique solutions aimed at increasing the realism of training and the comfort of use, while reducing costs.

Figure 4. Areas of interest for Blue and Red Team during the training.

Source: own analysis.

The idea that helped to raise realism to a higher level was to create another team next to the Blue and Red ones — the Grey Team, which is neutral in relation to the others. This team performs activities similar to those of ordinary computer users, such as receiving and sending e-mails, visiting websites and forums, downloading files, or using instant messaging programs. Basically, this team fills both the Blue Team network and the shared network with neutral Internet traffic. To reduce costs, there is no need to involve real people in this team. The platform has its delegate on most of the machines involved in the training — the Agent program, to which the CDeX platform sends tasks to perform and which returns the results of these operations. Some of the tasks are also used to report on the activities of the Blue Team. This applies, for example, to the availability of certain services: if an Agent cannot visit a page that, according to the scenario, the Blue Team should be making available outside its network, the Blue Team gets negative points for this.
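The agent-based scoring described above, as an added example that is not CDeX code: a simulated Grey Team agent performs the tasks the platform sends it, and the platform deducts points only for the tasks the scenario marks as Blue Team services. The hostnames, tasks and per-round service states are constructed stand-ins for real network probes.

```python
"""Added example (not CDeX code): simulated Grey Team agent plus the platform-side
scoring that penalises the Blue Team when a required service is unreachable."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Task:
    name: str       # what the "ordinary user" is doing
    target: str     # service the agent contacts (hypothetical hostnames)
    scored: bool    # does the outcome count against the Blue Team?
    penalty: int = 0

@dataclass(frozen=True)
class AgentResult:
    task: Task
    ok: bool

# Scenario tasks: two are plain background traffic, two report on Blue Team services.
SCENARIO_TASKS = (
    Task("browse forum on shared network", "forum.shared.example", scored=False),
    Task("download file from shared network", "files.shared.example", scored=False),
    Task("visit Blue Team public website", "www.blue.example", scored=True, penalty=10),
    Task("send e-mail via Blue Team mail server", "mail.blue.example", scored=True, penalty=5),
)

# Constructed per-round service states standing in for real network probes.
ROUNDS = (
    {"forum.shared.example": True, "files.shared.example": True,
     "www.blue.example": True, "mail.blue.example": True},
    {"forum.shared.example": True, "files.shared.example": False,  # shared net, not scored
     "www.blue.example": False, "mail.blue.example": True},        # Blue Team web is down
    {"forum.shared.example": True, "files.shared.example": True,
     "www.blue.example": False, "mail.blue.example": False},       # both Blue services down
)

def run_agent(tasks, reachable):
    """Agent side: perform every task the platform sent and return the outcomes."""
    return [AgentResult(t, reachable.get(t.target, False)) for t in tasks]

def score_round(results):
    """Platform side: background traffic never scores; each failed scored task costs points."""
    failed = [r.task.name for r in results if r.task.scored and not r.ok]
    penalty = sum(r.task.penalty for r in results if r.task.scored and not r.ok)
    return -penalty, failed

def run_scenario(tasks, rounds):
    """Run the agent once per round and accumulate the Blue Team's score and findings."""
    total, log = 0, []
    for i, reachable in enumerate(rounds, start=1):
        points, failed = score_round(run_agent(tasks, reachable))
        total += points
        log.append((i, points, failed))
    return total, log

if __name__ == "__main__":
    total, log = run_scenario(SCENARIO_TASKS, ROUNDS)
    for rnd, points, failed in log:
        print(f"round {rnd}: {points:+d} {failed or 'all required services reachable'}")
    print("Blue Team availability score:", total)  # -25 for the constructed rounds
```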

The second very important feature is the strong emphasis on the highest possible automation of the project. On the one hand, this means reducing the installation time of a new, fully functional copy of the platform to one hour for cloud computing installations and to several hours for physical machines. Automation also applies to the management of training environments: depending on the size and type of scenario, launching an environment consisting of tens or hundreds of machines takes from a few to a few dozen minutes. The last and most important use of automation is the creation of fully automatic training scenarios.

The idea of automated training scenarios grew out of the experience of the company’s Red Team, which, taking part in many training sessions on the CDeX platform, started to automate more and more of its attacks. Combined with the idea of the agent programs, this makes it possible to create training scenarios in which the actions of the Red Team and the generation of the final report are 100% automated. This gives an enormous effect of scale, because it allows a huge number of people to go through such training in a short time at an acceptable individual cost.

The CDeX platform is not only a cyber range, but also a set of tools for conveniently creating new training scenarios and modifying existing ones. An important factor is the high re-usability of the machines created for the scenarios. If a new scenario requires a machine with a configuration similar to one of the existing machines, the existing one can be reused. This approach reduces the workload of creating further training scenarios. The platform also allows entire infrastructures to be built from such single machines, and training scenarios to be composed from many infrastructures. At the training scenario stage, the platform user can also design the actions that the agents will perform during the scenario.

Figure 3. Cascade process of creating machines, networks and scenarios on the CDeX platform

Source: own analysis.

Since, in the age of a global network, it seems ridiculous to require that people taking part in the training be physically present, the CDeX platform offers two convenient ways of remote use from any location. First, the participant can use the web application; in this case, interaction with individual VMs is possible by embedding the VM display streams directly in the web application. The other way is to use a VPN connection, which allows direct access at the IP level from the trainee’s machine to the VMs launched in the scenario.

Summary

As this study shows, both cyber security and the ways of acquiring practical skills in this area have come a long way. Successive stages of development in the field of competence-enhancing solutions have led to the idea of the cyber range, which is now the top achievement in this matter. There is no doubt that the war in cyberspace has been going on for a very long time, although no one has officially declared it on anyone. This is due to the nature of cyberspace itself as a new dimension in the theatres of action. The old Roman saying Si vis pacem, para bellum (“If you want peace, prepare for war”) is still valid, and the right place to prepare is a cyber range.



Krystian Piwowarczyk
CDeX

CTO and Red Team Leader in CDeX Cyber Range project developed by Vector Synergy.