1 Introduction
2 Related work
3 Cyber range analysis
3.1 Methodology
- Which are the existing frameworks for the design and development of a CR?
- Which components does a CR architecture include?
- What are the main categories and common characteristics of CRs?
- Is the education and training process provided through CRs based on pedagogical methods and strategies?
3.2 Cyber range characteristics
3.2.1 Types
- Educational CRs are used for cybersecurity education and training. They take the form of an organized learning environment that teaches various cybersecurity subjects and offers opportunities for hands-on practice in cyber security.
- Certification CRs are used for assessing and certifying the degree to which participants possess distinct cybersecurity knowledge and skills. They often take the form of competitions, e.g., Cyber Defense Exercises (CDX) and Capture the Flag (CTF).
- Test CRs are used for research and development purposes, e.g., to try out cybersecurity products (cybersecurity-related technologies, tools, and measures) and assess their effectiveness.
- Autonomous CRs, which operate independently, without the need to communicate with or be integrated into other CRs.
- Federated CRs, which consist of interconnected autonomous CRs. Federation reduces costs, as the organizers share the expenses, the information and the human resources required to prepare and run the CRs [21].
3.2.2 Categories
- Overlay CRs, which use physical network equipment and operate on physical computing devices. Overlay CRs provide a higher level of fidelity than simulation CRs, but they may have issues regarding hardware cost and breaches of the network infrastructure [5].
- Emulation CRs, which replicate the physical infrastructure of specific business networks. They involve a high degree of fidelity and realism, and they offer repeatability of execution. They are not as scalable as simulation CRs, and they generally have a higher cost. The high costs are reduced by sharing resources and using virtualization technologies [5, 18, 23].
3.2.3 Didactics
- Learning objectives, which are brief descriptions of the knowledge and skills that learners are expected to acquire and practice during the CR.
- Theoretical background, which includes specific teaching materials (e.g., text, videos) that learners need to assimilate to be able to perform the activities of a CR project.
- Teaching strategy, which determines the educational methodology applied to help participants achieve the learning objectives.
- Scaffolding, which defines the manner in which the participants’ efforts are supported while performing the CR activities and fulfilling the learning objectives.
- Environment, where the CR project is performed, such as a laboratory with the participants’ physical attendance or a cloud infrastructure which participants access remotely.
- Assessment strategy, which determines the plan followed for evaluating the learners’ performance. Learners’ efforts are evaluated both during the CR project (formative assessment) and after the end of the CR project (summative assessment). The assessment strategy defines the manner in which learners’ efforts are measured (grading) and the manner in which feedback is provided to the participants. Furthermore, the assessment strategy determines when participants earn reward points, when they are given penalty points, and when they are notified that they are repeating the same mistakes even after periodic training and reinforcement of the knowledge and skills being assessed [24].
3.2.4 Participants
- learners or trainees using a project in the context of an education and training program or a certification process,
- researchers and scientists who perform research and development,
- cybersecurity experts working in the public or private sector who evaluate the effectiveness of cyber security technologies, tools and measures set up in the CR.

- Their background and experience in cyber security, and the level of the participant (i.e., beginner, intermediate, advanced or professional) according to his/her knowledge and skills in cyber security.
- Their needs and expectations.
- Their profession (e.g., military, police, students, government officials, cybersecurity professionals working in public and private agencies, researchers) [20].
- Their cognitive, social and cultural background.
- Their ability to assimilate new knowledge and skills [25].
3.2.5 Infrastructure
- Equipment of the physical layer (hardware and software), which constitutes the physical infrastructure on which the CR is developed. The infrastructure consists of physical computing devices of all kinds (workstations, servers, mobile devices, etc.), network devices (e.g., routers, switches, firewalls), operating systems (e.g., Linux, Windows, Mac OS), database management systems, etc. Some CRs rely solely on physical infrastructure, but this is usually an expensive solution which does not scale well when the number of participants changes.
- Cloud computing technologies, especially the Infrastructure as a Service (IaaS) type, as it facilitates the construction of CRs, reduces the costs, and eases the CR’s scalability.
- Virtualization technologies, which allow the creation of virtual machines and networks, “hiding” the complexity of the physical layer’s operation.
- Isolation technologies, which separate the CR from other systems so that a fully configurable and integrated environment can be formed without causing damage to external systems.
3.2.6 Policies and mechanisms
3.3 Weaknesses
3.3.1 High preparation costs
3.3.2 High testing requirements
3.3.3 Learning strategy neglection
3.3.4 Fixed workspace
3.3.5 Ineffective assessment
3.3.6 Participants profiles
4 The proposed cyber range design framework
4.1 Foundations
4.1.1 COFELET framework and architecture
- Gaming Context, which contains the learner’s user interfaces (UI), the cyberspace in which learners perform their tasks and the feedback provided according to the performed tasks.
- Task Engine, which validates and performs the learner’s tasks in the cyberspace by affecting the entities’ state (e.g., payload creation, starting a remote connection to a host) and changing conditions (e.g., the learner has acquired the information related to a vulnerable service running on a target host, such as the service name and version).
- Instructor, which monitors and assesses the learner’s tasks and scaffolds the learner’s efforts.
- Learner Profile and History, which stores the learner’s details and learning history.
4.1.2 Exercise life-cycle
4.2 CR architecture
- CR Workspace is defined in analogy to the Cyberspace of the COFELET game architecture, but the CR Workspace features the formation of a realistic cyberspace consisting of real devices and virtual machines.
- The Coach and the Registry components of the CR Platform encompass the functions of the Instructor and the Learner Profile and History components of the COFELET game architecture, respectively.
- The User Interfaces, Feedback and Reports components of the CR Platform adopt the functionality of the UI and feedback of the COFELET game architecture, but they also extend it with more capabilities (e.g., integration of user interfaces for the instructors, inclusion of reports).
- As in the COFELET game architecture, the CR Architecture involves a repository of scenarios and scenario elements.
- The CR Architecture does not require a Task Engine to validate and perform the tasks that learners carry out in the CR Workspace, as it is a realistic environment and not an emulated one.
- The CR Architecture requires a component (i.e., the Tracker component) which monitors the state of the components of the CR Workspace. In the COFELET game architecture such a component is not required, as the cyberspace and its entities are interconnected and managed by the Task Engine.
- The CR Architecture requires components (such as the Automations component) that automate procedures and functions (e.g., the setup of devices and VMs) in order to reduce the setup and running demands, and to enhance the realism of the CRDF approach (e.g., generation of network traffic). In the COFELET game architecture the cyberspace is responsible for the setup and operation of the emulated hosts and devices according to the entities and the conditions specified in the game’s scenario.
4.2.1 CR projects
4.2.2 CR platform
- the state of services, processes, and applications,
- the existence of files, and their creation/deletion and modification,
- rules of firewalls and Intrusion Detection Systems (IDS),
- network data traffic,
- creation/deletion of users, user rights and sessions,
- updates of software and device drivers.

- receives information from the Tracker’s components regarding the participants’ actions, their response times to the scenario’s challenges and the number of actions they perform,
- compares the learners’ actions with the scenario’s solutions,
- checks whether the learners have managed to perform the appropriate actions within the time frame provided by the assessment rubric,
- displays hints and related teaching contents, and alerts the instructor; when learners achieve a goal, it utilizes the assessment rubric to assess and grade the learners’ performance based on:
  - the time it took the learners to perform the necessary actions,
  - the total time it took the learners to achieve the goal,
  - the number of actions the learners performed,
  - the number of hints provided to the learners,
  - details from the learners’ learning history regarding the number of times they participated in a CR Project that had the same or a similar scenario, and the number of times they exercised the associated knowledge and skills,
- communicates the assessment results to the sibling components of the CR Platform (i.e., the Registry, and Feedback and Reports components).
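The Coach logic listed above, as an added illustration that is not code from the CRDF paper or any implementation of it: a rubric of goals with solutions and time frames, a constructed Tracker event stream, and a grader that applies the criteria the Coach uses (time per goal, total time, number of actions, number of hints, learning history). The point weights and the heavier hint penalty for a scenario already exercised are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Goal:
    name: str
    solution: list        # expected actions in order (the scenario's solution)
    time_limit_s: float   # time frame provided by the assessment rubric
    max_points: int

@dataclass
class Event:
    t: float              # seconds since the CR Project started, as reported by Tracker
    kind: str             # "action" (learner did something) or "hint" (hint displayed)
    detail: str

def assess(goals, events, prior_runs):
    """Grade a learner's Tracker event stream goal by goal. Assumed weights:
    full points when the goal is reached inside the rubric's time frame, half
    otherwise; -1 per action beyond the solution; -1 per hint, doubled when
    prior_runs > 0 (Registry history: same or similar scenario done before)."""
    events = sorted(events, key=lambda e: e.t)
    hint_weight = 2 if prior_runs > 0 else 1
    results, cursor, goal_start = [], 0, 0.0
    for goal in goals:
        matched = actions = hints = 0
        achieved_at = None
        while cursor < len(events):
            ev = events[cursor]
            cursor += 1
            if ev.kind == "hint":
                hints += 1
                continue
            actions += 1
            if ev.detail == goal.solution[matched]:   # next expected action?
                matched += 1
                if matched == len(goal.solution):
                    achieved_at = ev.t
                    break
        if achieved_at is None:                        # goal never reached
            results.append({"goal": goal.name, "achieved": False, "points": 0})
            break                                      # later goals depend on it
        elapsed = achieved_at - goal_start             # time spent on this goal
        in_time = elapsed <= goal.time_limit_s
        penalty = (actions - len(goal.solution)) + hints * hint_weight
        base = goal.max_points if in_time else goal.max_points // 2
        results.append({"goal": goal.name, "achieved": True, "in_time": in_time,
                        "elapsed_s": elapsed, "total_s": achieved_at,
                        "actions": actions, "hints": hints,
                        "points": max(0, base - penalty)})
        goal_start = achieved_at
    return results

# Constructed sample: a blue-team scenario with two goals and one learner's stream.
RUBRIC = [
    Goal("triage", ["review_ids_alert", "identify_affected_host"], 300, 10),
    Goal("contain", ["block_source_ip", "isolate_host"], 600, 10),
]
STREAM = [
    Event(30, "action", "review_ids_alert"),
    Event(120, "action", "identify_affected_host"),   # triage reached at 120 s
    Event(200, "hint", "containment checklist"),
    Event(400, "action", "block_source_ip"),
    Event(450, "action", "check_logs"),               # not part of the solution
    Event(900, "action", "isolate_host"),             # contain reached; 780 s > 600 s
]
```

With the sample stream the first goal earns full points, while the second is achieved late with one extra action and one hint, so its score drops to 3 of 10 (2 of 10 for a learner who has already done a similar scenario).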
- the expertise and type of services they provide (e.g., cyber security audits, digital forensics, protection against Denial-of-Service cyber-attacks),
- a list of employees,
- the time required to respond to service requests,
- the length of time they can provide services,
- indicative costs per service.

- the background (age, profession, etc.),
- the learning history in CR Projects:
  - scenarios participated in,
  - the achieved goals,
  - the exercised knowledge and skills,
  - scores,
  - the time learners/trainees required to achieve the scenarios’ goals,
  - the number of actions performed to achieve the scenarios’ goals,
  - the amount of assistance needed in Educational CRs,
- the knowledge and skills they possess,
- the target knowledge and skills,
- the teams participated in (e.g., blue, red, white, etc.),
- the roles assumed in CR Projects (e.g., penetration tester, forensics investigator, malware analyst, etc.),
- certifications,
- readiness level according to:
  - the number of CR projects participated in,
  - the frequency of updating and reinforcing their knowledge and skills.

- representations of the evolution of cyber-attacks occurring in a CR Project (unleashed or about to be unleashed),
- the score changes of the teams participating in a CR Project,
- the display of the team score,
- the elements of the CR Workspace (e.g., representation of the network topology).
- assignment of graded access levels for participants and instructors, and granting of access from all types of devices (e.g., computers, tablets and mobiles),
- connection and configuration of the CR Platform’s components,
- connection and configuration of the CR Workspace’s components,
- access to the details of the participants stored in the Registry,
- monitoring of the participants’ activities,
- presentation of the CR’s results in real time and sorting of results by participant, by team, by role, by organization or company,
- review of the CR Workspace status (e.g., infected files, non-functional services),
- communication with the participants (e.g., through a chat system), and provision of help, guidance and feedback (e.g., brief instructions, animations, teaching content, etc.),
- communication with colleagues and organizers,
- elaboration of reports and completion of assessment forms regarding the participants’ performance and the efficiency of a CR Project,
- printout of certificates.

- overview of the CR Project status through a subsystem (dashboard), which will present information such as the scoreboard, the CR Project goals and the percentage of goal achievement, teaching contents, etc.,
- access to the computing and network devices of the CR Workspace,
- access to the participant profile and learning history stored in the Registry,
- presentation of results in real time and sorting of results by participant and by team,
- printout of certificates,
- communication with teammates and instructors, through a subsystem which will provide facilities for reading and sending messages, requesting help, etc.
- Virtual machines and network devices, utilized as templates during the CR Workspace creation,
- IaaC scripts for CR Workspace creation and deployment,
- COFELET ontology elements (e.g., SEFs, entities),
- Configuration files of the CR Platform components (e.g., the assessment rubric files of the Coach, setup files of the Tracker defining sources of information, traffic to be monitored, etc.).

Scenarios are categorized according to their features, such as the target learning objectives, the characteristics of the participants, the features of the environment where a CR Project will be executed, and the learning strategy to be employed. The scenario’s elements are grouped according to their features, such as the type of element (e.g., computers, devices, scripts), the scenarios in which they were utilized, the software and firmware included, etc. The Scenario Repository component also provides a search facility for scenarios and scenario elements based on the previously mentioned features.
4.2.3 CR workspace
4.2.4 CR infrastructure
4.3 CR life-cycle
- A Cyberspace, which is a blueprint for the development of the CR Workspace, as it defines the entities (e.g., computers, devices, services, etc.) describing the components the CR Workspace must contain (e.g., virtual machines and devices, services), and the conditions it must involve (e.g., vulnerabilities that must be infused into the CR Workspace components).
- Steps, which define the stages participants must follow to accomplish the CR Project’s mission and fulfill the CR Project’s objectives. Each step includes sub-goals, a set of conditions (i.e., pre-conditions and post-conditions) and a set of pedagogical elements analytically described in [8]. According to the COFELET framework, the Steps’ goals match the SEFs’ goals, while the SEFs define the sequence of tasks the participants must perform to achieve the Steps’ goals. The step’s pedagogical elements associated with the learning perspective include the learning objectives, defined in a formal and detailed manner, along with the related pedagogical elements associated with the instructional perspective for the provision of help, guidance, and feedback to the participants (e.g., instructors’ tips, scenario hints, and teaching contents).
- Attributes, which describe the details of the scenario, including name, description, difficulty level and complexity.
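The scenario structure just described, as an added illustration that is not code from the CRDF paper or any implementation of it: Cyberspace entities with the conditions they must involve, Steps with pre- and post-conditions and hints, and Attributes, together with two checks a CR Platform would need, whether a deployed CR Workspace (as the Tracker observes it) meets the blueprint, and whether the Steps chain into a sequence participants can actually follow. The field names and the sample scenario are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Entity:               # a Cyberspace entity: a component the CR Workspace must contain
    name: str
    kind: str               # e.g. "vm", "service", "device"
    conditions: frozenset   # conditions it must involve (e.g. an infused vulnerability)

@dataclass
class Step:                 # a scenario Step: goal, pre-/post-conditions, hints
    goal: str
    preconditions: frozenset
    postconditions: frozenset
    hints: tuple = ()       # scenario hints, one of the instructional elements

@dataclass
class Scenario:
    attributes: dict        # name, description, difficulty level, complexity
    cyberspace: list        # blueprint for the CR Workspace
    steps: list

def workspace_gaps(scenario, observed):
    """Compare the Cyberspace blueprint with what the Tracker observes;
    observed maps entity name -> set of conditions currently holding."""
    gaps = []
    for ent in scenario.cyberspace:
        have = observed.get(ent.name)
        if have is None:
            gaps.append(f"{ent.kind} '{ent.name}' missing")
        else:
            gaps.extend(f"{ent.name}: {c}" for c in sorted(ent.conditions - have))
    return gaps

def available_steps(scenario, state):
    """Goals of Steps whose pre-conditions hold and whose post-conditions do not yet."""
    return [s.goal for s in scenario.steps
            if s.preconditions <= state and not s.postconditions <= state]

def check_step_chain(scenario):
    """Return (goal, missing pre-conditions) for Steps whose pre-conditions are not
    produced by the Cyberspace conditions or by the post-conditions of earlier Steps."""
    state = set().union(*(e.conditions for e in scenario.cyberspace))
    unreachable = []
    for s in scenario.steps:
        if not s.preconditions <= state:
            unreachable.append((s.goal, sorted(s.preconditions - state)))
        state |= s.postconditions
    return unreachable

# Constructed sample scenario: blue-team incident handling on a web host.
SCENARIO = Scenario(
    attributes={"name": "web-host-intrusion", "difficulty": "intermediate"},
    cyberspace=[
        Entity("web01", "vm", frozenset({"vulnerable_web_app", "ids_running"})),
        Entity("fw01", "device", frozenset({"default_ruleset"})),
    ],
    steps=[
        Step("triage", frozenset({"ids_running"}), frozenset({"alert_triaged"}),
             hints=("Start from the IDS alert timeline.",)),
        Step("contain", frozenset({"alert_triaged", "default_ruleset"}),
             frozenset({"source_blocked"})),
        Step("remediate", frozenset({"source_blocked", "vulnerable_web_app"}),
             frozenset({"web_app_patched"})),
    ],
)
```

Running `check_step_chain` on a scenario whose Steps are stored out of order reports which goals have pre-conditions nothing earlier can produce, which is the kind of consistency check a Scenario Repository can apply before a CR Project is deployed.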
5 Preliminary evaluation
| Weaknesses | | Addressed | Design guidelines |
|---|---|---|---|
| Preparation demands | High budget | ✓ | CRDF foresees economically feasible CRs, as they consist of predefined components (e.g., template VMs, IaaC scripts, reusable scenario elements), and they include automation mechanisms for the creation and the execution of CR projects. The proposed CR Life-cycle presents the manner in which economically feasible CR approaches can be designed and deployed |
| | Resources | X | CRDF-compliant CRs utilize virtualization, isolation and cloud technologies, which facilitate their development. However, this guideline is not a new feature, as it is already applied in the majority of modern CRs |
| | Specialized personnel | X | CRDF-compliant CRs require the involvement of specialized personnel. This guideline is not a new feature, as it is already applied in all modern CRs |
| | Workspace requirements | ✓ | The CR Workspace’s creation is prescribed by the scenarios stored in the Scenario Repository component. The CR Workspace’s creation includes on-demand installation of applications, deployment of services, provision of controlled internet access, and generation of network data traffic |
| Testing requirements | | X | CRDF-compliant CRs demand high testing requirements. This guideline is not a new feature, as it is already applied in the majority of modern CRs |
| Fixed workspace | | ✓ | The CR Workspace’s components are dynamic, as they are created according to the scenarios, and they vary according to the type and the characteristics of the CRs, and the characteristics of the participants and their learning history (stored in the participants’ records in the Registry) |
| Learning strategy neglection | Modern learning theories | ✓ | CRDF is based on the COFELET framework, which embraces a rich repertoire of modern learning theories and strategies [7], particularly focusing on the learning and instructional aspects of CRs |
| | Layered learning | ✓ | CRDF envisages CRs as multi-layer learning environments through (1) provision of a wide range of scenarios, (2) scenario selection according to the participants’ characteristics and the envisaged learning strategy, (3) dynamic creation of educational CR Workspaces |
| | Continuous learning | X | CRDF-compliant CRs do not embrace an always-available environment for cyber security training and education |
| Ineffective assessment | | ✓ | CRDF foresees approaches with advanced assessment capabilities, as they continually monitor the participants’ actions and evaluate their efforts. The Tracker monitors the actions performed in the CR Workspace, whereas the Coach dynamically assesses the efforts of the participants by comparing the participants’ actions with the scenario’s solutions |
| Participants profiles | | ✓ | The Registry component of the proposed CR Architecture maintains analytical records of the participants, organizations and companies |
6 Discussion
6.1 Strengthening of cyber security education and training
6.2 Conformance with standards
6.3 Architectural design
- Creation of a high-fidelity CR Workspace:
  - Installation of software and services.
  - Creation of complex infrastructure consisting of different networks and topologies.
  - Configuration of the infrastructure.
  - Automated creation of virtual machines and virtual devices.
- Injection of vulnerabilities.
- Repository of scenarios for the preparation, the operation and the evaluation of CR Projects.
- Maintaining a back-end storage facility (the participants’ registry) of the participants’ profiles and their learning and training history.
- Dynamic assessment of participants’ performance.
- Communicating and visualizing the results of CR Projects (e.g., teams’ scores, degree of success of cyber-attacks, etc.).
- Provision of an elevating scaffolding facility to support the learners’ efforts (Educational CRs).
6.4 Layered learning environment
6.5 Online learning environment
6.6 Adaptive learning environment
6.7 Scenario-based learning
6.8 Dynamic assessment
6.9 Multi-role user support
- Learners or trainees (especially military personnel, law enforcement officials, and personnel working in critical infrastructures in the public and private sector) have the opportunity to apply and update their theoretical and practical knowledge in a suitable CR Workspace [44]. Learners, in addition to participating in courses and exercises, have the opportunity to participate in specially designed test and certification CRs to obtain recognized certificates in the field of cyber security (e.g., CEH, CISM, CISSP, CCSP, CASP, GSEC, SSCP, CISA, GCIH) [45]. These CRs help to identify talents and create “talent pools” from which members can be drawn to form national cybersecurity frontlines.
- Trainers utilize suitable CR Workspaces for the education and training of learners, and for the evaluation of the knowledge and skills the learners have acquired through the activities offered. The trainers also contribute to the development of the learning objectives, the scenarios, and the teaching content of CR Projects.
- Academic community (scientists, researchers) contribute to the development of new CR Project scenarios or the exploitation of existing ones [46]. Members of the academic community also contribute to the creation of a digital library with:
  - specially designed educational material,
  - tools for carrying out offensive and defensive ethical hacking actions,
  - prefabricated virtual environments [47],
  - serious games specially designed for education and training in CR Projects.

  In addition, the contribution of the academic community may include the organization of competitions and events with topics related to cyber security [47], but also conducting research to understand the ways CRs are used by instructors [48].
- Professionals and specialized personnel working in various organizations and fields such as cyber security, information technology (IT), law enforcement, forensic investigation and cyber security incident response [44]. Skilled professionals may contribute to the testing and the evaluation of products, tools, and settings related to the cyber security of the organizations’ actual network infrastructure.