CYBER RANGES Glossary
Below is a definitive guide to CYBER RANGES terms.
Attack simulation refers to the ability to simulate attacks targeting computer networks, systems and applications as well as users; it is more generally referred to as breach and attack simulation. While traditional vulnerability scanning technology focuses on the identification of system, network and application vulnerabilities, attack simulation tools go the extra mile by allowing users to simulate the different phases of the security kill-chain while at the same time providing recommendations on how to secure the organisation. More recently, breach and attack simulation has been focusing more and more on the MITRE ATT&CK™ knowledge base of adversary tactics and techniques, moving away from the traditional security kill chain model.
In the context of cyber ranges, attack simulation is somewhat different from breach and attack simulation solutions, which focus on the delivery of (semi) automatic testing and remediation of a corporate security posture. The main objective of attack simulation within cyber ranges is to add to the realism of the simulation environment with which users interact.
Computer Network Operations (CNOs) are units located within a state’s military structure that are tasked to engage in operations involving computer networks. CNOs have three main components, related respectively to the defence against malicious users, the attack of target computer networks and systems, and their exploitation.
Cyber capabilities are the resources and assets available to a state to resist or exercise influence through cyberspace on both cyberspace and the information space.
A cyber exercise is a planned event during which an organisation simulates cyber-attacks or information security incidents or other types of disruptions in order to test the organisation’s cyber capabilities, from being able to detect a security incident to the ability to respond appropriately and minimise any related impact.
A cyber range can be defined in different ways. In fact, while more and more cyber range technologies and products are coming onto the international market today, cyber ranges tend to differ considerably from one another. Broadly speaking, cyber ranges are defined in one of the following two ways:
- A simulation environment – This view of the cyber range focuses on what cyber ranges have traditionally provided, which is a simulation of ICT and/or OT environments to be used for a wide set of purposes. This, for instance, is the interpretation provided by the US National Institute of Standards and Technology (NIST), which describes a cyber range as a simulation environment, making no reference to services and/or functionalities to be provided by the cyber range other than the general purpose of the simulation environment for product development and security posture testing. NIST defines cyber ranges as:
“…interactive, simulated representations of an organization’s local network, system, tools, and applications that are connected to a simulated Internet level environment. They provide a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing. A cyber range may include actual hardware and software or may be a combination of actual and virtual components. Ranges may be interoperable with other cyber range environments. The Internet level piece of the range environment includes not only simulated traffic, but also replicates network services such as webpages, browsers, and email as needed by the customer.”
- A platform – In the context of cyber ranges, a platform can be understood as a group of technologies that are used to create and use a simulation environment. The emphasis here is on the word “use”, since for a cyber range to be used for specific purposes, the cyber range must have additional capabilities and expose specific functionalities to the end user. This, for instance, is the interpretation provided by the European Cyber Security Organisation (ECSO), which uses the following definition:
“A Cyber Range is a platform for the development, delivery and use of interactive simulation environments. A simulation environment is a representation of an organisation’s ICT, OT, mobile and physical systems, applications and infrastructures, including the simulation of attacks, users and their activities and of any other Internet, public or third-party services which the simulated environment may depend upon. A cyber range includes a combination of core technologies for the realisation and use of the simulation environment and of additional components which are, in turn, desirable or required for achieving specific cyber range use cases.”
Whether one defines a cyber range as a simulation environment or as a platform, most cyber range use cases require one or more capabilities beyond the mere simulation environment.
Orchestration is the automated configuration, coordination, and management of computer systems and software. In the context of cyber ranges and virtualisation technologies, orchestration refers to the technology responsible for the creation of automation workflows, including the mass configuration, creation, modification and deletion of virtual machines, self-provisioning, and the automation of tasks between the virtual infrastructure and other cyber range components or other systems interfacing with the cyber range.
A cyber range with orchestration capabilities can support additional functionalities, which would otherwise require additional manual effort and coordination and hence additional costs for the cyber range users.
At its most fundamental level, orchestration includes the orchestration of the virtual environment. At its most advanced, orchestration may also be used to automate tasks and interactions across different components of the cyber range, such as the ability to schedule attacks and user simulation, event injection, the collection of user activities and more, depending on the specific use cases. In practice, any cyber range scenario involving hundreds to thousands of virtual machines, regardless of the use case, has a de-facto requirement for orchestration. Technically speaking, orchestration falls under the technology section of a cyber range and is transparent to an end user accessing a cyber range.
Cyber resilience refers to the capability of an organisation to respond to and withstand a security incident or cyber-attack while maintaining its ability to deliver its core business services. NIST defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources” *. Gartner defines it as “…the degree of adaptiveness and responsiveness to a threat to or failure of digital business ecosystems” **. Overall, cyber resilience applies to any process, system, business and organisation that relies on IT, OT or IoT, which covers the majority of organisations in a nation, including critical infrastructure. Some cyber ranges can be effectively used to develop and assess cyber resilience. Specifically, delivering cyber exercises on a cyber range allows an organisation to identify how people, processes and the use of technology come together in responding to and withstanding cyber-attacks and security incidents while ultimately protecting the organisation’s critical information, services, and assets.
* NIST (2019), Developing Cyber Resilient Systems: A Systems Security Engineering Approach, https://csrc.nist.gov/CSRC/media/Publications/sp/800-160/vol-2/draft/documents/sp800-160-vol2-draft-fpd.pdf
** Gartner (2018), Organizational Resilience Is More Than Just the Latest Trend, https://www.gartner.com/en/documents/3875514/organizational-resilience-is-more-than-just-the-latest-t
While there is no internationally accepted definition of cyberspace, numerous definitions exist, which illustrate the difficulty in defining the term. The US Department of Defence (DoD) defines cyberspace as:
“a global domain consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers”*
The concept of cyberspace is generally regarded as less encompassing than the concept of information space.
* Cyber Operations in DOD Policy and Plans: Issues for Congress, http://fas.org/sgp/crs/natsec/R43848.pdf
A hypervisor is the software layer between the hardware and the virtual machines (VMs). It coordinates the VMs ensuring they don’t interfere with each other and that each has access to the physical resources it needs to execute. There are two types of hypervisors:
- Type 1 or “bare-metal” hypervisors interact directly with the underlying physical resources, replacing the traditional operating system altogether. They most commonly appear in virtual server scenarios and therefore in data centres.
- Type 2 hypervisors run as an application on an existing OS. They are most commonly used on endpoint devices to run alternative operating systems and carry a performance overhead because they must use the host OS to access and coordinate the underlying hardware resources.
Sample hypervisors are listed below:
- Type 1: VMware ESXi (data centre-focused), Microsoft Hyper-V, XenServer (now known as Citrix Hypervisor), IBM z/VM
- Type 2: VMware Workstation (Player or Pro)
- KVM (Kernel-based Virtual Machine), which runs as a module inside the Linux kernel
The information space is the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure and information itself*. The definition of information space is wider and more encompassing than that of cyberspace, especially in regard to how the information space is protected compared to the protection of cyberspace. A modern example of an attack on the information space is fake news, which can be created and spread without any attack on cyberspace but which can have a devastating effect on a society, comparable to or even greater than that of an attack on cyberspace.
*Keir Giles and William Hagestad, “Divided by a Common Language: Cyber Definitions in Chinese, Russian, and English,” 2013 5th International Conference on Cyber Conflict, (NATO: CCD COE Publications).
A live-fire cyber exercise is a special type of cyber exercise in which participants are exposed to live attacks simulating malicious users. The attacks are carried out by specific participants of the cyber exercise, grouped under the name of red team. Examples include the “Locked Shields” and “Crossed Swords” live-fire cyber exercises organised annually in Estonia by the NATO Cooperative Cyber Defence Centre of Excellence. Other examples include the ENISA Cyber Europe exercises, which simulate large-scale cybersecurity incidents that escalate into cyber crises.
Offensive Cyber Capabilities are the subset of cyber capabilities that are used to attack or gain unauthorised access to cyberspace. It can be argued that offensive cyber capabilities may also refer to the ability to attack and impact the information space.
Taking Sides in a Cyber Exercise or just Observing.
A typical cyber exercise involves different types of participants, usually grouped into teams according to the specific roles they play in the cyber exercise. The following are the typical teams involved in cyber exercises. Depending on the cyber exercise, not all the teams may be involved.
- Red Team – This is the team simulating the attackers attempting to gain unauthorised access. The role of the Red Team is traditionally played by real users using real security tools, thus simulating realistic attacks and security incidents. The Red Team can simulate both external attackers and insider threats such as disgruntled employees. A Red Team can also sometimes be simulated programmatically, through scripted attacks or other more realistic techniques.
- Blue Team – This is the team responsible for the response and protection of the organisation, trying to detect and respond to the attacks and breaches introduced by the Red Team. Depending on the type and purpose of the cyber exercise, the Blue Team may involve only the SOC team or also include staff from IT and operations. Ultimately, the role of the Blue Team is to detect, defend against and respond to security attacks.
- White Team – This is the team responsible for overseeing the execution of the cyber exercise, ensuring that the rules are respected and assisting the active teams with support issues. The White Team also ensures that the results of the cyber exercise are correct and in accordance with the scoring rules and the actions taken by the different teams. This team may include the authors of the cyber exercise scenario, administrators of the cyber range platform and professionals who have managed the execution of other cyber exercises.
Besides the above colours, there exist other team colours to represent different roles within an organisation. However, such colours are usually used to identify teams within an organisation’s day-to-day security activities rather than within the context of a cyber exercise. That being said, depending on the size and complexity of the cyber exercise, there may be occasions where such additional team colours are also used in the context of a cyber exercise. The additional team colours are the following:
- Purple Team – This team identifies those people who facilitate the communication between the Red Team and the Blue Team, ensuring continuous integration and collaboration between the two groups in order to address the common problems associated with miscommunication or lack of information sharing. In the context of a cyber exercise, the Purple Team plays the role of the management team who has to deal with legal and media matters and/or interaction with third parties (e.g. media or legal team).
- Yellow Team – This team represents the “builders” of the organisation, i.e. those users in charge of developing applications, setting up ICT infrastructures, deploying applications etc. Naturally, in the context of a cyber exercise, the Yellow Team represents those legitimate users who introduce vulnerabilities into the environment and/or are responsible for security breaches due to human error.
- Green Team – This team is to the Yellow Team as the Purple Team is to the Red Team. While the role of the Purple Team is to facilitate the communication between the Red and Blue Teams, the Green Team is responsible for improving the communication between the Yellow and the Blue Teams. In the context of a cyber exercise, the Green Team represents legitimate users of the organisation, thus introducing legitimate and realistic network traffic, application logs etc. In many cases the Green Team is simulated through traffic replay, web browser simulators and more advanced techniques and tools.
- Orange Team – This team facilitates the communication between the Red Team and the Yellow Team (the builders), who need to engage the Red Team in order to learn how to better build their applications, systems, networks etc. In the context of a cyber exercise, the Orange Team also represents legitimate users of the organisation.
Aside from the teams that are actively involved in the cyber exercise either as participants or as enablers of the exercise, another role that is sometimes available is that of the Observer or Spectator. As the name implies, this role is not an active one and is limited to the ability to view part or all of the cyber exercise activities. For example, one Observer role may be limited to observing only the Red Team activities, while another Observer role may be confined to observing only the actions of the Blue Team. Finally, as a further example, one Observer role may have the ability to observe every action in the cyber exercise.
A scenario is content that is used on a cyber range. A scenario may contain only a simulation environment for users to interact with or it may also include a storyline with specific objectives, some practical or theoretical challenges, or different types of questions.
Self-provisioning is a feature most commonly found in cloud service providers, through which users can automatically, and without interacting with specialised IT personnel, provision their own hardware and specifically virtual machines. For instance, a user can easily and independently buy and provision a number of virtual machines to meet specific requirements and then start using them.
In the context of cyber ranges, self-provisioning, combined with orchestration, can greatly simplify the creation and use of simulation environments.
A virtual machine (VM) is a software programme emulating and providing the functionalities of a physical computer.