Presentation given at ICMCIS2019, Budva, Montenegro

1. Building a Cyber Range for
training CyberDefense
Situation Awareness
Thibault Debatty, Wim Mees
Cyber Defense Lab, Royal Military Academy, Belgium
ICMCIS2019

2. Building a Cyber Range for training Cyber Defense Situation Awareness 2
Context
Cyber is
●
Complex
●
Rapidly evolving
●
Highly concurrent

3. Building a Cyber Range for training Cyber Defense Situation Awareness 3
Context
Efficient Cyber Defense training requires:
●
Simulate large and complex networks and
situations
●
Train more than just technical skills

4. Building a Cyber Range for training Cyber Defense Situation Awareness 4
What should be trained?
Boyd and Endsley decision making model

5. Building a Cyber Range for training Cyber Defense Situation Awareness 5
Boyd and Endsley decision making
model

6. Building a Cyber Range for training Cyber Defense Situation Awareness 6
Boyd and Endsley decision making
model
Level 1 : perception
●
Correct, real-time perception of the situtation
●
E.g. SIEM
●
Can be insufficient due to:
– Information unavailable
– Misinterpreted
– Forgotten
– Not seen...

7. Building a Cyber Range for training Cyber Defense Situation Awareness 7
Boyd and Endsley decision making
model
Level 2 : comprehension
●
Impact on our goals and objectives
●
E.g. High-level report
●
Can be insufficient due to:
– Missing model (lack of technical training or
experience)
– Incorrect model (self-confidence or reliance on
defaults)

8. Building a Cyber Range for training Cyber Defense Situation Awareness 8
Boyd and Endsley decision making
model
Level 3 : projection
●
Extrapolate into the future
●
Can be insufficient due to:
– Missing model (lack of technical training or
experience)
– Incorrect model (self-confidence or reliance on
defaults)
– Reliance on current trends

9. Building a Cyber Range for training Cyber Defense Situation Awareness 9
Individual CDSA training
●
Perception (technical) skills
●
Task management skills
●
Comprehension skills
●
Projection skills

10. Building a Cyber Range for training Cyber Defense Situation Awareness 10
Team CDSA training
●
Communicate actions
●
Communicate intentions
●
Actively gather more information
●
Manage peak workloads
●
Shift responsabilities

11. Building a Cyber Range for training Cyber Defense Situation Awareness 11
Cyber Range Implementation

12. Building a Cyber Range for training Cyber Defense Situation Awareness 12
Cyber Range Implementation

13. Building a Cyber Range for training Cyber Defense Situation Awareness 13
Cyber Range Implementation
●
Text definition of scenarios
●
Variable number of trainees
●
Vagrant images
●
Extensive VM configuration
(hardware, OS, software)

14. Building a Cyber Range for training Cyber Defense Situation Awareness 14
Example : individual CDSA

15. Building a Cyber Range for training Cyber Defense Situation Awareness 15
Example : team CDSA

16. Building a Cyber Range for training Cyber Defense Situation Awareness 16
Future work
●
Other hypervisors
●
Better interface
●
More scenarios
●
Federated cyber ranges
●
Scripted events and attacks
●
Automatic and non intrusive evaluation

17. Building a Cyber Range for training Cyber Defense Situation Awareness 17
Questions...