Cyber Range Training. PHOTO: Cybercrime Magazine.

“Netflix Model” For Training Cyber Defenders In The Cloud

CISOs and security leaders subscribe to RangeForce

David Braue

Melbourne, Australia – Mar. 3, 2021

Red teaming, purple teaming, capture the flag: in both terminology and mindset, cybersecurity simulation sounds a lot like a competitive paintball match.

But for decades, recalls Gordon Lawson, entry was limited to an elite club for one reason: the highly specialised equipment was all but unavailable unless you worked in military intelligence.

As a former Navy officer who previously worked with the Defence Intelligence Agency, U.S. Marine Corps and Special Operations Command, Lawson had more access than most to this technology — and he knows all too well how rarefied it was.

“Traditionally, a cyber range was a dedicated environment that often involved on-premise hardware,” he recently told the Cybercrime Magazine podcast.

“It was very expensive to stand up, and typically was confined to declared personnel. This made it very, very difficult for people to really get hands-on — and learn in that sort of realistic environment — if you weren’t a part of the military or intelligence community.”

Investments by research-focused universities progressively expanded access to realistic cyber-range facilities, and as large corporates caught on they also began building their own facilities.

As president of RangeForce, Lawson now works with organizations of all sizes to help them stand up cyber-range exercises using the cloud-based Battle Fortress Cyber Range — which uses a software-as-a-service (SaaS) design to engage IT and security staff in a range of cybersecurity exercises.

Some 430 modules are already available — with 20 or more added each week — providing “a Netflix model to get a prescriptive learning path” in scenarios such as theft of intellectual property, lateral movement by malicious attackers, website defacement, distributed denial of service (DDoS) attacks, and more.

Tapping the cloud’s rapid scalability, each scenario spins up a virtual machine to build a virtual IT infrastructure and security stack — leveraging partnerships with cybersecurity leaders like Splunk, Palo Alto Networks, Cisco, Recorded Future and SentinelOne to build plug-ins that deliver what Lawson called a “very realistic environment to train their people” using real-world tools.

For cybersecurity practitioners, he said, the virtual cyber range provides a similar value to that delivered by anti-phishing companies like Cofense (formerly PhishMe) — where he was previously a senior global executive — for general employees.

Just as the anti-phishing market “was really the first cyber-focused market segment where you would do something to build muscle memory in an employee,” he explained. “It’s the same thing with incident responders: with enterprise defenders, you need to give them exercises in a realistic approach to be able to learn not only individually, but also to do it in a team-based environment.”

Closing the skills gap

Hands-on training adds an immediacy to the theory of cybersecurity defense, but it also promises to deliver even bigger benefits by allowing cybersecurity practitioners to expand and test their knowledge in a simulated “live” environment that allows experimentation with tools in a way they could never do in a live SOC.

This, Lawson said, delivers significant improvements for cybersecurity students that often struggle to translate the abstractions of university education into the practicalities of everyday cybersecurity defense – something he calls the “failure of traditional learning.”

Cybercrime Radio: Practice Makes Perfect Cybersecurity Pros

Gordon Lawson on optimizing your cyber defense

Cybercrime Radio

“A lot of times traditional university education fails to prepare people for a career in cyber because they don’t get those hand-on skills,” he explained, “or we have people that may have an aptitude to get into cybersecurity but have no idea where to start — so what we can do is a great way to expose people to see what their aptitude is like.”

In an industry where chronic skills shortages have created a gap of 3.5 million unfilled jobs and job-creation initiatives are only scratching the surface, bridging that gap remains a key priority for cybersecurity executives.

Many of RangeForce’s clients — which include around 50 of the Fortune 500 — are doing just that, setting self-guided training KPIs for employees as a way to build their skills, and to attract others who have the aptitude for cybersecurity but not the experience.

“We’re doing our community a disservice by not giving enterprise defenders a real chance to practice realistically with these evolving threats,” he said.

By adding cyber-range capabilities to the training roster, he added, companies can “expose an analyst to the tools that they’re going to use in real life in a benign, cloud-based environment … and build that muscle memory for when the real thing happens.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.