Building a Cyber-Range


MIT 2010 Volume: 14 Issue: 11 (December)

Government and industry work to develop virtual environments for cyber-warfare training and exercises.

Warfighters endure a battery of training and exercise experiences before being deployed to face an enemy. They need weapons ranges and training facilities to demonstrate and improve their combat skills, participate in red team/blue team exercises, and familiarize themselves with information and communications systems.

The same holds true for cyber-warriors and network defenders, who require a digital environment in which to train, evaluate and develop defensive and offensive capabilities. They want to be able to simulate attacks to assess information assurance capabilities and measure incident response procedures.

Cyber-ranges are the virtual environments that have been created for cyber-warfare training and exercises. These constructs provide critical tools for hardening the security, stability and performance of vital government, military and intelligence cyber-infrastructures.

“There are lots of similarities between kinetic and virtual ranges,” said Bob Giesler, director of cybersecurity at SAIC and former director of information operations in the Office of the Secretary of Defense. “In their simplest forms, ranges replicate operational environments in a controlled setting so you don’t have to go into the wild. You don’t have to worry about errant shots and hurting people. In a controlled environment you can replicate results and see how consistently either a defense or a weapon performs.”

Cyber-ranges can be found within the military services and agencies, other government units, as well as at private industry installations. Joint Forces Command (JFCOM) operates the Information Operations (IO) Range, and the Defense Advanced Research Projects Agency (DARPA) has been working to establish a National Cyber Range (NCR). Although the latter effort has been described as struggling in some reports, no one doubts the importance of cyber-ranges, and many are working to advance their functionality, efficiency and effectiveness.

The point of exercising on a cyber-range is to be able to report to commanders the degree of probability for success of the cyber-capabilities being tested. “On the defensive side, you want to run standard threats against the network and see if the defenses worked or not,” said Giesler. “You have more latitude testing defenses on a range than on a live network. You have to be concerned about inadvertent spillover of a test on a live network. There are also privacy issues. The range can serve as a schoolhouse as well as a certification capability for technology.”

For organizations such as the U.S. military, which operates large-scale and far-flung networks, one of the challenges is how to scale up a cyber-range to emulate the operational environment. DARPA’s NCR has been envisioned, at least in part, as a way to tackle that challenge.

“It is essential to fully understand system vulnerabilities in order to correct or mitigate them,” said a DARPA document describing the NCR. “Vulnerabilities can arise from the component to the system level, and from events such as buggy code, misconfigurations and user actions. The NCR must be able to test all of these issues by recreating the complex interactions of real integrated systems and their human users.

“The NCR will forensically collect, analyze, visualize and present data and information from the tests,” DARPA indicated. “Knowledge and insights gained during testing will assist operators and developers as they refine, research, and develop operations, technologies, policies and procedures to strengthen cyber-security.”

But industry experts have criticized the NCR for a variety of reasons, including duplication of effort and excessively long procurement cycles. These same experts do not contradict the need for venues that test cyber-capabilities, but instead propose different alternatives that address scale, costs, efficiency and the ever-changing cyberlandscape. DARPA declined to comment for this article.

The NCR was designed to broaden the scope of JFCOM’s IO Range beyond the national security community to include civilian agencies, contractors and academia, according to Giesler. “But there has been some recent congressional concern about duplication of efforts,” he added. SAIC provides engineering support to the IO Range.

“DARPA was looking for a standard and a metric in the NCR, but security isn’t standard. It moves constantly and is evolving every day,” said Dennis Cox, chief technology officer of BreakingPoint. “There are always new attacks, and if you need all of the defenses certified, it is going to take 18 months and by that time they don’t work.” BreakingPoint provides cyber-range capabilities in a streamlined format.

Replicate or Outsource

Cox has observed two approaches taken by government entities in developing or using cyber-ranges. One involves replicating the network environment behind the agency firewall, an approach that can cost $30 million to $100 million. The second is to outsource the testing process by having a contractor run a generic commercial security tool, which then generates a score for network defenses. “The first approach aims to be realistic but is very expensive,” said Cox. “The second approach is very fast and has low overhead but is also expensive and not very effective.”

Either case involves building out large-scale labs to determine the resiliency of infrastructures, a consequence of the size, scale and complexity of today’s networks and data centers. “Organizations were forced into this no-win situation because, historically, the only way to simulate Internet-scale realism was to invest in an enormous server farm or cyber-range,” said Cox. “As networks and data center infrastructures continue to grow in scale and importance, organizations have realized that they cannot keep up and must stop throwing massive amounts of hardware and money at the problem.”

For Hal Jones, technical director for cyber security solutions at BAE Systems, the approach currently being taken to defending networks is fundamentally flawed. “The flaw consists of the fact that individual software tools are designed to defend against specific types of threats,” he explained. “The problem is that attackers understand the tools and the space between them, and can circumvent them. A skilled attacker will simply fly by the defenses.”

What bothers Jones is not a weakness in the tools that network defenses rely on, but a weakness in the basic concept behind them. “The basic concept is that one can define how one will be attacked and write rules that prohibit that from happening,” he said. “The problem is that defenses are effective against prior attacks, but once attackers understand the defenses it is relatively simple to craft an offense that will go around them.”

BAE Systems was one of the original concept developers for the National Cyber Range. “Following that period we invested in test bed technology to bring together several stand-alone cyber-ranges we had around the company,” said Jones. BAE is currently working on an integrated solution that Jones says will bring the cyber-range concept to the next level.

Giesler agreed that “the secret is how to link them all together. A successful range should be able to connect and disconnect multiple participants depending on the operational scenario of the effect you want to experiment with,” he added.

Beyond that, the size and scope of cyber-ranges vary depending on a given organization’s needs. “A range can be anywhere from a single box to racks and racks of equipment virtualizing large numbers of nodes in a large-scale network,” Giesler said.

Box-Sized Solution

BreakingPoint has introduced one of the box-sized solutions to the marketplace. It reflects the fact that, as Cox noted, building and maintaining cyber-ranges often involves throwing hardware and personnel at the problem, which can be costly and inefficient.

“This inefficiency does not make sense in an era of flattened defense budgets and scarce human resources,” he said. “More importantly, this approach simply cannot scale to address traffic volume and attacks that are multiplying in both quantity and complexity.”

Cyber-ranges require massive amounts of disparate equipment from multiple vendors, large numbers of skilled personnel, and long development and testing cycles, according to Cox. “In the past, only this resource-intensive approach could generate the real-world conditions needed to harden defenses against the full spectrum of cyber-threats.”

BreakingPoint decided to leverage its expertise to create custom-programmed network processors that generate the same mix of applications, attacks and user load that global organizations see on their own networks. The result, the BreakingPoint Cyber Tomography Machine (CTM), can replace enormous server farms, performance labs or cyber-ranges, according to Cox.

“Our patented network processor architecture can recreate as much non-repetitive data in one hour as you would find in the entire Library of Congress,” said Cox. “This ability to unlock ultimate performance and realism in a small form factor has fundamentally changed the way organizations harden networks and data centers, conduct global cybersecurity research, and measure the performance of large application infrastructures.”

The BreakingPoint CTM is a “leap-ahead” technological approach that provides Internet-scale cyber-war from a single device, Cox said. “The CTM embodies the power and scope of a cyber-range, but without requiring multimillion-dollar expenditures and teams of engineers to set up and maintain.”

BreakingPoint’s patented device is used by government and military organizations, including the IO Range, as well as defense contractors, global enterprises and service providers, to harden networks and data centers to be resilient in the face of escalating application load and attack. The CTM is able to unleash Internet-scale network conditions with 40 gigabits per second of application traffic, over 4,500 live security attacks, and millions of simultaneous network sessions.

The device stays current with weekly updates that deliver the latest application protocols and security attacks directly to the device. “We research all strikes, vulnerabilities, exploits and malware that a network can be exposed to, and release them constantly to the device,” said Cox. “The box automatically connects back home to install virus updates.”

The output of the CTM is the BreakingPoint Resiliency Score, which provides measurements of the security, stability and performance of network components and data centers using standards developed by organizations such as the U.S. Computer Emergency Readiness Team, the Institute of Electrical and Electronics Engineers, and the Internet Engineering Task Force, an international community of network designers, operators, vendors and researchers. The score is designed to provide insight into how network environments respond to changes in peak user load, reconfiguration and new security attacks.

“A user running a resiliency score on the CTM can be assured it is dealing with the latest problems,” said Cox. “One of the biggest problems with cyber-ranges is that it is hard to guarantee that they are facing the latest threats.”

Integrated Human Analysis

BAE is taking a different approach to the cyber-range challenge, one that keeps the enterprise scale of the construct and that integrates human analysis to provide real-time intelligence on the state of the network.

“It has become apparent that the only way to build these types of solutions is to test them in a large-scale environment,” said Jones. “The solution we are working on is to do a rather expansive collection of all absorbable data in the network and provide human analysts with processing and analytic power, so they can do detective work in real time and develop processes and tools to identify and defend against attacks.”

Such activities must be performed at an enterprise scale and not in a small lab, according to Jones. “That is why cyber-ranges are so important,” he said. “We do experiments on data with a 50,000-node network.”

BAE’s approach is a departure from the tool-based concepts that Jones sees as flawed. “We are focusing on a concept called real-time network forensics, which allows analysts to rapidly see everything going on in the network and focus on anomalies inside the network,” he explained. “We believe that this will tip the scales in favor of the defenders.”

Jones views this approach as harnessing the intellectual power of analysts toward understanding the state of a network. “What is needed is to be able to extract from a network in real time any artifact that might be unusual,” he explained. “If that ends up being a terabyte of information, the analysts need tools to massage that information and to present it to them as a set of plausible scenarios. The analysts can apply their own judgment to query the system and direct the analysis. This involves putting the analysts on the network and in the data.”

The approach taken by BAE Systems compares to the techniques that the U.S. intelligence community has deployed in the last 10 to 15 years in combating terrorism, according to Jones. “There are proven techniques that allow intelligence analysts to sift through massive amounts of data to come up with telltale signs of an attack,” he said. “What we are doing is borrowing tools, techniques and procedures that come out of the intelligence community.”

Jones argues that large-scale test beds are required to develop tools that allow analysts to sift through massive amounts of data. BAE Systems uses two modes in order to accomplish that task. “In the live mode, we pull real data off BAE networks so we can have the complexity of true network traffic,” he explained. “Then we have to move into emulation because we can’t do live fire testing or inject an attack into a BAE network. The emulated network represents several thousand nodes. We go back and forth between the two modes to ensure that we develop metrics on how well these concepts can defend a network.”

At this point, the project is in the development and testing phase, and has already had a secondary benefit in improving the security on BAE networks. But the company’s primary objective is to market the company’s techniques and approaches to government customers.

Jones believes these techniques can scale to levels that would benefit Department of Defense services and agencies. “We do live testing on a 50,000-node network,” said Jones, “which is equivalent to what you would find in many agencies. The Navy is 10 to 15 times larger than that, but its network is segmented into subnets of the size we are talking about. Our emulated environment scales to between 20,000 and 30,000 nodes, which is a mission-sized network.” The company is marketing its concepts to agencies in and out of DoD. BAE has begun joint testing with one key customer and expects to be deploying a defensive suite by the end of this year to an initial customer within DoD.

For all of the complexity of the issues surrounding cyber-ranges, Giesler believes they are pretty straightforward from a mechanical perspective. “But I think it is an absolute requirement to have them at a high degree of sophistication as you possibly can,” he said, “in order to give some assurance to decision-makers that what you’re doing isn’t going to cause harm and that it will promote the national security objectives placed on users.” ♦
