By Gerard Johansen, Charles Iszard and Luke DuCharme. With the surge of ransomware attacks, information leaks and other cyber attacks in the headlines, most companies and organizations are aware that their employees need to be trained on how to stay safe online. But the real challenge lies in how to develop these pieces of training and tools in-house to build the necessary muscle memory to prevent and respond to an event. Sending an analyst or two to a distant location for training depletes travel and training budgets, and when they return, there is little time to transfer this knowledge back to colleagues or managers.
Vendor-provided training focuses on the vendor’s proprietary technology and often neglects the concepts that need to be incorporated into an organization’s ability to respond.
To address these issues, Cisco Talos Incident Response (CTIR) created an interactive Cyber Range focused on Incident Response. This immersive experience is designed and delivered by incident response professionals for security professionals who need to increase their competency and muscle memory in incident response-related tasks.
CTIR Cyber Range is a comprehensive, three-day training exercise that utilizes a crawl-walk-run methodology. Students start by being shown various tools and techniques, then apply them to a real-world scenario. This step-by-step process allows students to build the skills necessary to tackle the next challenge, a guided scenario.
On the final day, the students are tasked with responding to a real-world attack scenario, during which they are required to periodically brief key stakeholders, identify a root cause, and brief their leadership – all while working collaboratively as a team to overcome the various challenges within the scenario.
CTIR Cyber Range includes several key features that were designed to develop the skills necessary to address security incidents. First, CTIR developed a self-contained network infrastructure that is brought onsite to the customer. This allows CTIR to conduct the Cyber Range without the need to connect to external infrastructure, thereby removing latency or outage issues that often arise with those types of methods.
A second key feature is the inclusion of real-world adversary tactics, techniques, or procedures (TTPs) conducted against real targets – the same tactics that CTIR responds to on a daily basis. Customers have to work through a realistic network with production operating system targets. The incorporation of current adversary TTPs provides the students with the most realistic experience. Coupled with a completely isolated infrastructure, students examine realistic malware and exploits in a safe environment without the additional risk of unintentionally infecting their own network.
One area of concern customers often have when working within a commercial cyber range is the reliance on tools that are not included in their technology stack. But CTIR’s Cyber Range is designed to include a mix of open-source tools that provide necessary investigative features while focusing on the methodology and techniques of incident response investigations. This focus on methods and concepts instead of tools provides the students a way to transfer their newly acquired skills to their existing or anticipated tools.
Teamwork is a crucial component in any security operations environment. Likewise, the Cyber Range not only focuses on technical skills but also on those soft skills that are essential during an incident — such as answering calls from the CEO about the incident, delegating tasks, updating other stakeholders, and providing a final briefing. These tasks, along with working through the evidence as a team, build team cohesion and the ability to solve complex incident investigations together.
The final component to the Cyber Range is the immersive student experience. As students work through the various exercises, CTIR instructors are there every step of the way. First, as instructors/mentors, then as the course progresses, to provide guidance where necessary, and answer questions as incident response professionals who execute these techniques on a daily basis. Small class sizes also ensure each student is given the appropriate level of attention and each experience is beneficial leading up to the student capstone exercise at the end of the day.
The CTIR Cyber Range is a unique experience that combines the expertise of incident response professionals, realistic attacks, current TTPs, and teamwork. Through this exercise, organizations can incorporate skills and processes that will aid in the proper response to an incident and reduce its potential impact. For more information on the cyber range, inquire about a CTIR retainer.