Cyber attacks are on the rise, I do not need to provide much proof of that, as it is in the news almost every day! There are cyber security vendors that do their best to protect organizations’ machines, but there is always gaps that result in the need for human intervention and resolution. There is a need in organizations for cyber professionals to be on the ready to respond to cyber attacks in both prevention and resolution.
Current approaches to training rely heavily on subject matter experts (SMEs) or Red Teams to provide a challenging and evolving adversary for realistic training of cyber staff. Automating this training environment using simulation is critical for meeting a growing need to develop qualified cyber staffs.
In general, it is agreed that a realistic training environment needs to include both kinetic and cyber activities. In the live, virtual, constructive (LVC) simulation training environments, the goal would be to train cyber and operational forces together. This article will go over the current state of cyber training in the commercial sector and how they are addressing the growing need for cyber training.
Commercial Cyber Training Resources
The primary audience for commercialized cyber training is IT professionals and employees in organizations. This can range from training IT professionals in anomaly detection, to being trained on detecting whether the Nigerian Prince really needs money or if it is just a phishing attack. Commercial cyber training can be about instructing individuals on how to act vigilant at work but can also be how to interpret data to detect problems that may relate to a cyber attack or vulnerabilities that could later be exploited. This results in two main areas, teaching and supplementing.
Supplementing can be about providing more information and data about the current status of the organization’s machines, networks and individual users. Teaching involves providing information on how to handle situations, detect situations, and how to act more vigilant when it comes to using the organization’s machines and networks. An example of this is sending phishing attempts to your employees as a test on how well they can detect spam after graduating from cyber security modules.
The fastest emerging technology is the use of cyber ranges. A cyber range is a virtual environment that is used to simulate cyberwarfare scenarios with the goal of training cybersecurity professionals, traditionally used in government and military agencies (Chapman et al., 2017). However, recently the commercial sector is utilizing these principles in products to train others to be better cyber security experts. An example is with ManTech who recently announced a successful ransomware defense exercise for financial sector participants within its Advanced Cyber Range Environment (ACRE) (Herndon, 2018)
After the introduction of cyber ranges into the commercial sector, cyber ranges as a service (CyRaaS) were later introduced. As of 2018 the first commercialized cyber range was announced by Cyberbit Ltd. and CloudRange (Business Wire, 2018). The “real life” scenarios are available as a web application in a closed, virtualized network. In an academic training setting, it provides the sensation of what cybersecurity professionals experience through emulated systems. These services also provide evaluation and performance metrics of students and/or IT professionals. The technology provided as a service allows distribution of the tool to expand tremendously, which is why it is a huge trend in cyber security right now.
An example of an enterprise providing CyRaaS is Circadence. This cyber security organization provides their CyRaaS on a cloud environment with templates and tools to building an emulated environment to simulate real world scenarios on. They allow duplicating “real” networks, “real” enterprises and even “real” cities by template or users can build customized environments designed to be similar to their enterprise.
In addition to cyber ranges emulating real world scenarios, there are emulated environments that reflect a gamified version of reality. This would be mission exercises aimed at increasing retention of the users’ interest. This is common in the government sector to reflect kinetic warfare in a cybersecurity context. However, the commercial sector has adopted this technique with the additional goal of financial gain as a result of greater interest and retention.
There is also the emergence of Artificial Intelligence (AI) and machine learning (ML) acting as a bridge for gaps in knowledge and capacity. While humans are skilled at finding patterns and anomalies, there is a mental limit in which they can process information. This limit is where AI and ML is used, to help process vasts amount of information in order to guide the user towards making the best decision possible. Cyber security companies are emerging with new ML based products that provide security-forensics for IT professionals called Endpoint Detection and Response (EDR), a term developed by Dr. Anton A. Chuvakin. Examples of some of these companies are FireEye, Carbon Black, Guidance, Cybereason, Symantec, RSA, Webroot, McAfee, Sophos, and VIPRE (M2 Presswire, 2018). These solutions use endpoint and network monitoring data and provide analysis, detection, investigation, reporting and alerting. However, the final decision ultimately comes down to the administrators and their decision is dependent on how helpful the EDR reporting is and how knowledgeable the administrator is. The commercial goal is to make it as simple as possible so it requires less cyber security expertise. For example, Sophos uses machine learning to provide detection of potential suspicious activity and providing detailed analytics (Schiappa, 2018).
When combining AI and cyber ranges, the additional information provided by AI tools are used in cyber ranges to help users make decisions during the simulation. Furthermore, AI chatbots are used to help instruct users during the simulation on how to respond or to provide more information on how to implement the chosen response. For example, Circadence has an in-game advisor in their gamified cyber range simulator that relies on AI technology.
Challenges in Cyber Training
Although cyber ranges are useful in awareness training and the sharpening of skills, there are still many challenges with its commercial use. A group of researchers discuss some of these challenges including third party software licensing, remote access management, credential management, network configuration management, automation, and experimental integration (V. E. Urias et al., 2018). There is also the potential of an attack on the virtual environment itself, another security scenario. For example, hyperjacking is where hackers take control of the hypervisor creating the virtual environment on a virtual machine (Wojtkowiak, 2012; Tank et al., 2019). Tank et al. (2019) discusses some of these issues that can extend to cloud-based attacks. Although they address how to handle many of these situations, it can be assumed that there will be new vulnerabilities in the emerging platforms and software that will constantly need to be monitored. These issues call for more research in the field on the details related to the technology of emulating networks securely while also as accurate as possible for the purpose of cyber training.
AI and ML in cyber security not only has its own security issues, such as adversarial attacks, but also have other issues such as transparency, clean and realistic training data, and data privacy (Hernandez, 2018). Transparency is an issue in deep learning that is further being addressed in research because of its implications. With more explanation on why an anomaly was detected or while a file is labeled suspicious, the more confident and better informed the decisions by users are made. An example of this is a tool called LIME which highlights the features of input into a model that led to the model’s classification, something Richard Harang from Sophos discusses in the industry as a useful tool in their own research (Brenner and Harang., 2017; Ribeiro et al., 2017).
Conclusions and Recommendations
When using ML and/or AI in your cyber training program, ensure that it provides as much transparency as possible. There is a good deal of research on how to make models interpretable that should be utilized even if there is a slight cost to accuracy, because in the end, the humans make the final decisions. Some of these methods rely on the particular model of choice, such as a Random Forest Model is more interpretable than neural networks. While others require some modification to the model or the input and output that provide additional information, commonly the case in deep learning. Some examples are Layer-Wise Propagation, Sensitivity Analysis, LIME, DeepRed and more (Gilpen et al., 2018; Samek et al., 2017).
Much research has indicated that gamified versions of cyber ranges and simulations increase retention and interest in the cyber training modules (Brull and Finlayson, 2016; Krause et al., 2015; Treiblmaier et al. 2018). As a result of these studies, it is recommended to incorporate gamification in cyber training modules in order to foster higher rates of retention and motivation. Gamified modules would provide rewards and incentives for maintaining good behavior, encouragement to discuss lessons learned with peers, to be held accountable for knowledge they have yet to learn or struggle with, and are engaged in their progress through monitoring.
Although cyber ranges are designed to emulate real scenarios and real enterprises, they still pose security risks. It is important to evaluate potential vulnerabilities and exposures based on the cyber range you utilize. Cloud infastructure is generally more secure than local virtualization (Rivera, 2018; Sabahi, 2011), leading to using cyber ranges as a service to be a more secure choice at the cost of data privacy (Sun et al., 2011). So it is also recommended to research in detail the vendor’s data policy and how the vendor keeps their security measures up to date.
Brenner, Bill and Harang, Richard. (2017). “For better machine-based malware analysis, add a slice of LIME”. Naked Security by Sophos. Retrieved from: https://nakedsecurity.sophos.com/2017/07/25/for-better-machine-based-malware-analysis-add-a-slice-of-lime/
Brull S., Finlayson S.(2016). Importance of Gamification in Increasing Learning. J Contin Educ Nurs. 47(8) 372–375. doi: 10.3928/00220124–20160715–09
S. Chapman, R. Smith, L. Maglaras, H. Janicke, “Can a network attack be simulated in an emulated environment for network security training?”, J. Sens. Actuator Netw., vol. 6, pp. 16, 2017.
Cyberbit and CloudRange Cyber Announce the First Cyber Range “As a Service” in North America. (2018). Business Wire.
Endpoint Detection & Response (EDR) Software Market — Global Industry Analysis, Size, Share, Growth, Trends and Forecast 2018–2025. (2018). M2 Presswire. Retrieved from https://search-ebscohost-com.ezproxy.net.ucf.edu/login.aspx?direct=true&db=edsggo&AN=edsgcl.565246030&site=eds-live&scope=site
Herndon, Va. (2018). Financial Industry Rehearses Defenses Against Ransomware Within ManTech’s Advanced Cyber Range Environment; “Hands On” Cyber Range Exercise on Replicated Bank Network Trains Financial Cyber Experts in Tactical Response to Ransomware. ENP Newswire.
Gilpin, L. H., Bau, D., Yuan, B. Z., Bajwa, A., Specter, M., & Kagal, L. (2018, October). Explaining Explanations: An Overview of Interpretability of Machine Learning. In 2018 IEEE 5th International Conference on Data Science and Advanced Analytics (DSAA) (pp. 80–89). IEEE.
Hernandez, P. (2018). Microsoft Stresses Security, Responsible AI in Cloud Policy Updates. EWeek, 1. Retrieved from https://search-ebscohost-com.ezproxy.net.ucf.edu/login.aspx?direct=true&db=aci&AN=127222976&site=eds-live&scope=site
Krause, M., Mogalle, M., Pohl, H., & Williams, J. J. (2015, March). A playful game changer: Fostering student retention in online education with social gamification. In Proceedings of the Second (2015) ACM Conference on Learning@ Scale (pp. 95–102). ACM.
Marshall, H. et. al. (2017). “A Cyber Warfare Prototype for Live, Virtual, & Constructive Simulations.” Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC). Orlando, FL, Dec 2017.
Moore, S., Chaney, M., and Flint, L. (2018). “Cyber Training Experimentation through Operation Blended Warrior” Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC). Orlando, FL, Dec 2018.
Ribeiro, M. T., Singh, S., & Guestrin, C. (2016, August). Why should i trust you?: Explaining the predictions of any classifier. In Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining (pp. 1135–1144). ACM.
Sabahi, F. (2011, May). Cloud computing security threats and responses. In 2011 IEEE 3rd International Conference on Communication Software and Networks (pp. 245–249). IEEE.
Schiappa, Madeline. (2018). “Machine Learning: How to Build a Better Threat Detection Model”. Sophos. Retrieved from: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/machine-learning-how-to-build-a-better-threat-detection-model.pdf
Sun, D., Chang, G., Sun, L., & Wang, X. (2011). Surveying and analyzing security, privacy and trust issues in cloud computing environments. Procedia Engineering, 15, 2852–2856.
Tank, Darshan & Aggarwal, Akshai & Chaubey, Nirbhay. (2019). Virtualization vulnerabilities, security issues, and solutions: a critical study and comparison. International Journal of Information Technology. 10.1007/s41870–019–00294-x.
Treiblmaier, Horst & Putz, Lisa-Maria. (2018). Increasing Knowledge Retention through Gamified Workshops: Findings from a Longitudinal Study and Identification of Moderating Variables.
W Samek, T Wiegand, KR Müller. (2017). Explainable Artificial Intelligence: Understanding, Visualizing and Interpreting Deep Learning Models ITU Journal: ICT Discoveries — Special Issue 1 — The Impact of AI on Communication Networks and Services, 1(1):39–48, 2018
Wojtkowiak A (2012) Protection for virtual environments ? IBMVirtual Server Protection. IBM Corporation
Wells, D. and Bryan, D. (2018). “Cyberspace Training — Is This Even Legal?” Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC) Tutorial. Orlando, FL, Dec 2018.