Options for Setting Up a Cyber Range: Build vs. Buy
This three-part series is intended as a guide for organizations considering the use of a cyber range. There are several options, and numerous considerations which inform the decision-making process. And if you’re not sure why you need a cyber range, consider reading our article “Is Cybersecurity Training A Good Investment?”
In this article, we’ll be looking at the first consideration: is it better for you to build a cyber range, or to buy one?
Build vs. Buy?
Setting up a cyber range can be overwhelming. At a high level, there are several decisions that will determine what type of implementation is best for your organization. The first major choice is whether to build your own cyber range or buy one from a reputable third-party vendor.
Building your own cyber range
Building a cyber range isn’t impossible, but it can be a very complex undertaking. At a bare minimum, a cyber range should provide training content, a training interface, an administrative interface, and reporting metrics. Putting these pieces together using open-source software and in-house development is possible – but you get what you pay for.
There are free and open-source options available that provide the building blocks to start constructing a cyber range. While none of the current offerings provide all the necessary pieces needed in a cyber range, they are an excellent starting point and can offer some training value. To list just a few: PicoCTF provides introductory content for cybersecurity beginners, primarily targeted towards middle- and high-school students. Facebook has a platform with several CTF challenges available at no cost on their GitHub repository. And CTFd is a widely adopted open-source solution for building a cyber range from scratch.
These resources exist, and they can be incredibly beneficial for organizations with the necessary time, resources and in-house technical know-how. However, they are only pieces of the puzzle. They often lack metrics and detailed reporting. And in a corporate, government, or military installation, the level and type of challenges freely available may not provide the depth or variety of training required.
Issues with free and open-source solutions
There are several factors to be aware of when using free and open-source cyber range solutions. It’s not as simple as plug-and-play.
- Limited quantity of challenges. Once your team completes the content available in the system, it’s up to you to develop new training challenges.
- Quality of the content is an unknown. Backdoors have been discovered in open-source projects in the past, as well as in some of the challenges available. An audit may be necessary prior to using these tools, which can be extremely time consuming.
- Potential FOSS license violation issues. Depending on the environment and implementation, using free and open-source cyber range content may lead to license violations, resulting in fines and copyright claims.
- Setting up and maintaining the environment is often extremely challenging and time consuming.
- Patches and updates are sometimes infrequent. In some cases, vulnerabilities have persisted in free and open-source projects for months.
- Questions and challenges may be poorly structured, and answers can easily be found with a simple Google search.
- No approved hints or links to the material needed to complete a challenge, so users who get stuck have no option but to Google.
- FOSS solutions do not map to work role frameworks such as NIST’s NICE or the military’s JQRs. This makes it very difficult to determine whether exercises are adding measurable value in filling gaps in the knowledge, skills and abilities required by the job itself.
- Limited to no reporting. Free tools often do not include detailed reporting and metrics, and some offer no reporting at all.
Hidden costs of do-it-yourself
The costs of designing and administering a cyber range in-house have implications beyond the budget sheet. Developing an interface that can run challenges, generate metrics and reporting, and provide easy administration is not a small task. In addition, building cyber range challenge content is a time-consuming process that requires development expertise. It takes ongoing labor and expertise to create new content, perform quality testing, and create updates to meet organizational needs. Not every organization has a team of developers with heavy DevOps and security knowledge, as well as the time needed to maintain and update a cyber range.
Trying to turn cyber operators into developers is like putting your “A” players on the bench. These people want to do the jobs they were hired for and use the skills they’ve developed. And when highly skilled and talented operators leave a team, they take their specialized knowledge with them. It is entirely possible for a cyber range training plan to crumble as a result of poor knowledge transfer.
The cost of replacing these trained and skilled people is significant in terms of both time and money, and the potential for knowledge loss is very high.
Development time is a limiting factor for many organizations, even those who are able to muster the expertise necessary. One of Aries’ clients chose the build-your-own approach before selecting us as their vendor. They spent over 6 months creating training scenarios and content, and finally threw in the towel. Most of what they had developed was of limited use, was out of date, and didn’t meet their training expectations.
The build-your-own approach can be a good option for organizations that have sufficient time, resources, and dedicated in-house development talent to continuously and rapidly create a pipeline of training content. But if this isn’t the case, then building a cyber range from scratch may not be the best use of your team’s time, budget, and resources.
Purchasing a cyber range solution
Shopping for a cyber range can be a challenge. There are a number of cyber range vendors on the market, and plenty of possibilities. Our article “What is a Cyber Range? A Definitive Guide and Definition” provides a convenient overview of the common features of cyber ranges, and the features that a prospective buyer should look for. We’ll summarize the most important things to look for below.
Professional cyber ranges contain a number of core components common across most implementations. The most common of these are:
- Learning management system: allows range administrators to control training, manage teams, and generate reporting
- Realistic training environment: may include simulated network configuration, routing information, and traffic
- Reporting: the ability to assess performance, improvement, and effectiveness of trainees
- Gamification: increases trainee engagement while also improving knowledge absorption and retention
- Curriculum: cyber ranges often provide a pre-packaged curriculum, and some vendors allow organizations to customize their own training regimen
In addition to these core components, there are several capabilities that an ideal cyber range solution should include. We’ll touch on some of these here in part 1 of this series and expand on what features best suit different implementations in part 3.
Every organization is different, and every team will have distinct needs. From a high-level standpoint, the following feature set is what we recommend at a minimum for any purchased cyber range.
Because every environment and every team is different, a good cyber range solution will allow trainees to complete exercises using the same tools and software they use every day on the job.
Focus on comprehension and competency
Book learning has plenty of value, but when a real-world cyberattack strikes, professionals have to be able to solve problems quickly and without checking the answer key. The training offered by a cyber range needs to focus on ensuring total comprehension, rather than memorization.
Cyber professionals need to maintain their readiness. And in order to do so, they must train in a way that provides functional learning and skills development. An ideal cyber range ensures that no trainee will ever see the exact same question twice.
Cyber range administrators must be able to track training and advancement, provide feedback, and show results. A good cyber range will offer a variety of reporting and metrics tools to provide objective, measurable results.
Customizable and scalable
All organizations can benefit from cyber range training, but one size does not fit all. A cyber range needs to be customizable and scalable to any environment, including environments of differing architecture, security, and clearance levels. When choosing a cyber range, ask: how will this scale to our environment? What customizations are possible – or impossible?
Internet connection not required
It may seem counter-intuitive to think of cybersecurity training in an offline environment. But there are many real-world scenarios where this is necessary, including organizations with specific security requirements, and field military deployments. The ideal cyber range can be used under any circumstances, including without an internet connection.
Easy to set up and deploy
Cyber range training should mitigate problems, not cause them. Look for a cyber range solution that can be deployed efficiently, without requiring additional staff or extensive training. In the words of one of Aries’ clients, “The system needs to be so simple someone just out of boot camp can use it.”
Offers a variety of cybersecurity skills
Not all cyber ranges offer the same depth or breadth of cybersecurity training. Some ranges narrowly focus on perfecting specific skills, while others offer a broad selection of many skills with only some specialization. Ensure that your organization selects a cyber range with a well-rounded range of cybersecurity skills that meets your organization’s needs, both now and in the future.
Job role mapping
For organizations that use job frameworks such as NICE or JQR, a cyber range that provides training specifically mapped to these frameworks will be invaluable. This will make it possible to address specific skill gaps.
Ability to award CPE credits
Many regulations, both commercial and government, require staff to maintain specific cybersecurity certifications, such as CISSP, Security+, GSEC, CEH, CISM, and CISA. To maintain these, professionals need to acquire a large number of continuing professional education credits (CPEs). A good cyber range gives an organization the ability to award CPEs to their staff.
This is not intended to be an exhaustive list of the features available across cyber ranges, but this set will provide an excellent framework for any organization to build on.
Now that you know more about the options available when choosing to build or buy a cyber range, stay tuned for the next part of this series. We’ll talk about the options for administering a cyber range, and whether it’s best to administer locally or to outsource. And in part 3, we’ll provide a flowchart to help guide your cyber range implementation, and choose the solution that’s best for your organization, be it corporate, military, or government.