Noob alert & questions :)


#1

Hi all,

I’m a project manager for a SOC and we are pretty interested in cyber ranges. So far, the out-of-the-box solutions we’ve seen are pretty expensive or do not fit our needs. We are also thinking about what it’s going to cost us, money- and resource-wise, to build one ourselves. Have any of you researched the field or been part of cyber range development? Any advice is welcome.

Best regards,
Krasi


#2

Hey Krasi,

I’ve built a few cyber ranges, while also under similar money/resource constraints. You really have two ways of approaching this: cloud (AWS, Google, etc.) or deploying it yourself on physical gear. I personally believe that for a cyber range it’s best to build it on your own physical gear. You’ll be in complete control of the environment, malware can be thrown inside your own physical gear with less worry, and it can be a better long-term solution.

I built a cyber range from a few old Dell PowerEdges and some towers that I procured from DRMO’d gear & GovDeals. Really what you’re after are decent, cheap servers that you can install VMware ESXi on. ESXi is a fantastic hypervisor that is essential for making a cyber range. Internally it can do virtual switching for networking virtual machines. Anyone that uses your cyber range can connect to these virtual machines using VMware vSphere. In order to create a mock network I also used pfSense, which you can deploy as a VM; it acts as a router/firewall combo.

In terms of what you want your cyber range to accomplish, there are lots of handy resources out on the internet. I was creating cyber ranges for cyber warfare and typically wanted to create a network with a classical Red Team vs. Blue Team style. For the Red Team enclave we deployed several Kali Linux virtual machines; these are Linux machines that come with a lot of penetration testing tools.

The Blue Team would then be defending a virtual network that was created to look somewhat like a small/medium-sized business network. We created pseudo-“defense in depth” by building a network with a DMZ and an internal network (separated by pfSense routers). The DMZ typically housed several purposely vulnerable virtual machines for the Red Team to exploit, and the internal network would have Windows user machines and other systems for the Red Team to pivot to. One great resource is VulnHub, which hosts virtual machines that are vulnerable by design. We’d modify a few of those and throw them in the DMZ. The Red Team would exploit and pivot, the Blue Team would patch them and try to get them out of the network.

Hopefully this helps, I’m happy to answer more questions.
~Jackson
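
The segmentation Jackson describes (a Red Team enclave, a DMZ of deliberately vulnerable hosts, and an internal network behind pfSense) lives or dies on the firewall policy between those three segments. The following is an added example, not the poster’s configuration or anything from pfSense itself: a small Python model of first-match, default-deny filtering that lets you check the two properties a range owner cares about before deploying the real rules. First, that the Red Team can only reach the DMZ on the services you meant to expose and has no direct path into the internal network; second, that a broad rule placed above a block does not silently shadow it. The enclave addresses, the exposed ports, the single SMB pivot path and the rule notes are all constructed for illustration and are not from the original post.

```python
"""Three-enclave cyber range segmentation check (added example, hypothetical values).

Models first-match, default-deny filtering of the kind pfSense applies. Every
address, port and rule below is an assumption made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Optional, Tuple

# Assumed enclave addressing (hypothetical).
RED = IPv4Network("10.10.0.0/24")       # Kali attack boxes
DMZ = IPv4Network("10.20.0.0/24")       # intentionally vulnerable targets
INTERNAL = IPv4Network("10.30.0.0/24")  # Windows user machines, pivot targets
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str                         # "tcp", "udp" or "any"
    ports: Optional[FrozenSet[int]]    # destination ports; None means any port
    note: str = ""


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if a packet with these headers is matched by the rule."""
    return (IPv4Address(src) in rule.src and IPv4Address(dst) in rule.dst
            and rule.proto in ("any", proto)
            and (rule.ports is None or dport in rule.ports))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match falls through to the implicit default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, src, dst, proto, dport):
            return rule.action, i
    return "block", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches every packet that `inner` matches."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and (outer.ports is None
                 or (inner.ports is not None and inner.ports <= outer.ports)))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules)
            if any(covers(rules[i], rule) for i in range(j))]


def red_paths_into_internal(rules: List[Rule], probe_ports=(22, 80, 443, 445, 3389)) -> List[Tuple[str, int]]:
    """Probe one red host against one internal host; return every (proto, port) that passes."""
    return [(proto, port) for proto in ("tcp", "udp") for port in probe_ports
            if evaluate(rules, "10.10.0.5", "10.30.0.7", proto, port)[0] == "pass"]


# Intended range policy (hypothetical). Order matters: first match wins.
RANGE_POLICY = [
    Rule("pass", RED, DMZ, "tcp", frozenset({22, 80, 443}), "attack surface exposed to red"),
    Rule("block", RED, INTERNAL, "any", None, "no direct path into the user LAN"),
    Rule("pass", DMZ, INTERNAL, "tcp", frozenset({445}), "single pivot path from a compromised DMZ box"),
    Rule("block", DMZ, INTERNAL, "any", None, "DMZ otherwise cannot initiate inward"),
    Rule("pass", INTERNAL, DMZ, "any", None, "users reach DMZ services"),
    Rule("pass", INTERNAL, INTERNAL, "any", None),
]

# A common mistake: a convenience rule added during setup and left at the top.
BROKEN_POLICY = [Rule("pass", RED, ANY, "any", None, "temporary 'let red out' rule")] + RANGE_POLICY


if __name__ == "__main__":
    print("intended policy, red -> internal passes:", red_paths_into_internal(RANGE_POLICY))
    print("intended policy, shadowed rules:", shadowed(RANGE_POLICY))
    print("broken policy, red -> internal passes:", red_paths_into_internal(BROKEN_POLICY))
    print("broken policy, shadowed rules:", [RANGE_POLICY[j - 1].note for j in shadowed(BROKEN_POLICY)])
```

Two caveats when carrying this over to a real pfSense range: the model ignores state tracking (replies to a permitted connection are allowed by the state table, so only the initiating direction needs a pass rule), and pfSense evaluates rules per interface on ingress, so the DMZ-to-internal rules belong on the DMZ interface and the red-to-anything rules on the Red Team enclave’s interface. The shadowing check is still worth running against each interface’s rule list, because a wide “pass any” placed above a block is exactly the kind of mistake that quietly turns a contained range into one where the Red Team skips the DMZ altogether.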


#3

Hey Austin,

Thank you very much for the info.
This is great information to start with.
If I have some other questions further along I’ll make sure I ask you.
Thank you one more time :)

Best regards,
Krasi