Options for Setting Up a Cyber Range: Organizational Considerations
Welcome to the third and final part of our series on Options for Setting Up a Cyber Range. In the first part, we discussed whether it’s better to build your own range or purchase one from an outside vendor, and in the second part we explored the pros and cons of outsourcing range administration. If you missed those articles, check them out at Options for Setting Up a Cyber Range: Build vs. Buy and Options for Setting Up a Cyber Range: External Partners or In-House Administration.
In this last article, we’re going to get into the weeds and explore the detailed considerations that your organization may encounter in the selection of a cyber range.
How many users do you need to support simultaneously?
Some organizations need to be able to support several simultaneous users. One of Aries’ clients had a requirement for 167 people to be able to train on the cyber range at the same time and was able to scale to meet their needs quickly. Whether it is ten or ten thousand, this needs to be something you consider up front and ask about.
Other companies with smaller teams may only need to be able to support a few users, or train one person at a time.
The number of users that your cyber range can support depends on a number of factors, including hardware availability, virtualization support, network capability, and administrative support. Make sure that the solution you choose is able to handle the load.
What type of cyber range licensing do you need?
The structure of your organization will be a determining factor in what type of licensing will be the best fit for your cyber range implementation. Vendors may offer various options, such as:
- Named licenses: assigned per user
- Floating licenses: assigned per seat, may be rotated among users
- Perpetual licenses: license lasts forever for the version of software purchased
When choosing a cyber range provider, make sure that their licensing options align with your needs.
If considering a DIY/FOSS solution, is your organization able to absorb the additional cost?
If you’ve already decided to purchase a cyber range from an outside vendor, this consideration isn’t an issue for you. But if you’re considering a build-your-own approach, remember to take the licensing cost of all software components into account – especially when considering multiple simultaneous users.
These costs may not be obvious up front, and they can add up quickly if you choose to build your own cyber range. Organizations must take into account operating system licenses and software licenses, and the terms and conditions of the licensing packages they choose.
How much time is your organization prepared to spend setting up its cyber range?
Purchasing a cyber range comes with certain benefits. One of those is that an outside team is available to help with setup, implementation, and administrative training, and act as an overall advisor. But for organizations that are considering a DIY solution, time is a significant factor.
Creating cyber range content takes time, expertise, and talent. Some teams are well equipped for this challenge, with in-house developers and designers who are able to manage and maintain a framework as well as create custom training on an ongoing basis. But others consist primarily of trained cyber operators who must be utilized for their specialized skills and not repurposed into specializations that they are not prepared for.
Do you need continual content updates?
Cyber professionals need to keep their knowledge up to date constantly. They may train on a monthly or even weekly basis to ensure that their skills are current. In order for this training to be effective, it must incorporate challenges that are representative of the most up-to-date TTPs (tactics, techniques, and procedures) as well as refresher material to maintain readiness. If your organization has a large pool of individuals with a wide knowledge base dedicated to this, then this may work for you.
Other teams train quarterly or annually, and their training is more of a refresher on basic skills. This type of training may include an overview of the most common attack vectors and defensive techniques, but it is less likely to provide the kind of constant practice teams need to maintain mission readiness. In a study sponsored by the Pentagon, Aries found that users’ retention rate dropped by over 50% if they did not repeat exercises at least every 45 days. Cyber skills are perishable, like language skills, and lack of use will reduce proficiency.
As with all content development, providing up-to-date challenge content also takes time and expertise. Content developers not only have to build challenges, but they also have to maintain their own up-to-date knowledge and expertise in order to ensure that the training content they provide is current and relevant.
Do you have an in-house dev team?
If you’re considering building your own cyber range, this is a must. (See part 2 of our series for a deeper dive into why.) If the answer to this question is no, do not try to build your own cyber range. It will not go well.
Do you need virtualization, and if so, do you have an experienced VM team?
Virtualization is a wonderful solution for organizations with limited physical hardware and space or the need to spin up hundreds of systems at a moment’s notice. This convenience applies to users’ desktops as well as the systems they intend to train on. By choosing a virtualized platform, companies can provide a consistent toolset and environment across all training locations. In addition, virtual machines can be easily created and/or rolled back to a clean state in the event of mishaps. Mistakes happen in a practice environment: it’s part of the learning process. Being able to recover quickly and move forward is vital.
However, as with all things, virtualization has a cost. Setting up a virtual environment on-site still requires hardware capable of handling the load. Outsourcing cyber range operations to a massive VM farm may reduce the amount of immediate control that an organization has over its training network environment. Virtual desktops also require reliable network access and Internet connectivity, which are not achievable under all conditions.
Some teams have SMEs that are experienced with virtualization and are well able to manage the load that a cyber range implementation will require. But if this isn’t the case, and virtualization is a must, consider finding a vendor that can support this need.
Is your organization government or military with specific security requirements?
There are a number of issues specific to the government and military sector that must be addressed as part of the range selection process. These considerations may include the following:
Do you need ATO?
An Authorization To Operate (ATO) is a formal declaration from an approving authority, certifying that a product works with existing systems and has no flaws that may compromise data. The hardware associated with this solution must be TAA compliant. This requirement is common in government and military installations.
If you require an ATO, this can pose a significant barrier to a build-your-own cyber range solution. Obtaining an ATO requires appropriate certification, and the amount of time this takes can cause significant delays – in some cases, implementation may be delayed for over a year. We highly recommend seeking a solution that has an existing accreditation that can be used to speed up the overall process.
Do you need to integrate with PCTE?
Persistent Cyber Training Environment (PCTE) is a joint force training platform currently run by the US Army PEO STRI. It supports standardized cybersecurity training, mission rehearsal, and provides a foundation for collective training exercises. PCTE enables realistic training with variable conditions to increase readiness and lethality of US military cyber operators, while standardizing, simplifying, and automating the training management process.
For military and government clients, this is a relevant consideration that must be taken into account when choosing a vendor, or when deciding to build a cyber range from scratch.
Do you need to comply with FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This is typically required if your organization is intending to utilize a solution that allows classified processing via the cloud. Sensitive installations and organizations that deal with highly secure data may have to take this into consideration as part of their selection criteria.
Many cyber ranges can provide a tremendous amount of value on the unclassified side. And in some cases, vendors have the capability to have classified discussions regarding training needs and create custom content to exercise the same TTPs (tactics, techniques, and procedures) without requiring the additional expense and complexity of FedRAMP compliance.
Not every organization has to worry about FedRAMP. But for those that do, make sure that the cyber range provider you select is able to meet this standard.
Do you need to map training to a framework like NICE or JQR?
Depending on your organization’s requirements, it may be very important to be able to map challenges and training to a job skills framework in order to prepare cyber operators for specific functions and ensure that their skills meet the requirements.
However, successfully mapping training to a framework such as NIST’s National Initiative for Cyber Education (NICE) or the military’s Job Qualification Record (JQR) can add a layer of complexity to content creation. This is a situation where off-the-shelf or free content may be unsuitable for your implementation.
Do you need a vendor based in your country?
If you’re choosing to purchase a cyber range, whether you’re planning to administer it in-house or outsource the administrative load, the physical location and national allegiance of your provider may be a consideration.
Depending on the environment in which your cybersecurity training takes place, and on the specific requirements of your cyber operators, it may be necessary that all products and services be provided by a vendor based in your country. This is not unusual in classified operations or government organizations.
If this is an issue for your organization, ensure that all staff working on your cyber range solution are US citizens. And if this is not possible, make sure that your vendor can show that there is proper isolation and segmentation of your data, and that all work is done by the appropriate individuals.
Does your organization have specific security clearance requirements?
Several of Aries’ clients require the ability to hold classified discussions about the details of their requirements to meet their needs. This is a key consideration for military and government organizations that need highly tailored exercises developed.
Security classification requirements may significantly limit the pool of vendors that your organization is able to work with. Not all vendors are able to hold classified discussions, and among those who are, the level of classification that they are able to discuss may vary.
Now that you’ve had the chance to consider the numerous factors that go into selecting a cyber range solution, it’s time to sit down and make a choice. Building a cyber range is a viable option for some organizations, while others will benefit from working with a seasoned and capable partner. Every situation is different, and every team has different needs. Making the best overall choice for your organization is the most important factor.
We hope this guide helped to organize the decision-making process and provide an outline of the relevant considerations, questions, and potential pitfalls. Cyber range training is beneficial to every team of operators, and no matter what solution your organization ultimately chooses, it needs to be the right .
If you need assistance finding the right solution for you, please reach out to our expert staff. We are able to advise organizations of any size and complexity, and capable of having both classified and unclassified discussions to ensure that your cyber range implementation results in the best possible outcome.