SimSpace Cyber Range - acsac [PDF]


SIMSPACE CORPORATION

SimSpace Cyber Range

BOSTON (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com

THE SIMSPACE CYBER RANGE
Make complex and laborious network environments simple to create, and provide accessible, affordable, and sophisticated solutions to meet your cybersecurity research, development, testing, and training needs.

Required Elements for Network Cloning

•  Network discovery
•  Network security
•  Users
•  Unique business systems
•  Applications
•  Internet sites & services
•  Infrastructure
•  Services
•  Operating Systems

[Figure: Generic Financial Institution Network Diagram. The host inventory below is recovered from the diagram; hosts are grouped by the subnet of their address, and hosts whose segment could not be recovered are listed separately.]

Internet (Range Services)
  Routing: ISP-1 AS 219; ISP-2 AS 220; Inet-client-rtr AS 218; point-to-point links 200.200.15.0/30, 200.200.115.0/30, 200.200.215.0/30
  Internet Servers: is1 200.200.200.201 CentOS 5; is2 200.200.200.202 CentOS 5; is3 200.200.200.203 CentOS 5; is4 200.200.200.204 CentOS 5; inet-dc 200.200.200.10 Windows 2008R2; inet-exch 200.200.200.11 Windows 2008R2
  Internet Clients: DHCP 200.200.200.0/24, OS: Windows 7, Count: 15 (inet-00, inet-01 shown)

Techco Inc. (3rd party network)
  Techco-FW AS 221; Techco GRE Tunnel Source: 9.10.11.254, Destination: 200.200.15.2, Tunnel IP: 210.40.52.0/24
  Servers: techco-fs 9.10.11.101 Windows 2008 R2; techco-dc 9.10.11.102 Windows 2008 R2; techco-exch 9.10.11.103 Windows 2008 R2
  Techco Clients: DHCP 9.10.11.0/24, OS: Windows 7, Count: 15 (techco-00, techco-01 shown)
  Techco Management: OS: Windows XP; techco-mgmt1 210.40.52.10; techco-mgmt2 210.40.52.11
  Techco DMZ STATIC 210.40.52.0/24: techco-web-01 210.40.52.101 CentOS 6; techco-web-02 210.40.52.111 CentOS 6

Financial institution edge and core
  Fin-Edge-1 AS 400; Fin-Edge-2 AS 400 (edge interconnect 210.30.10.0/29); fin-FW (link 210.40.1.0/30); core1, core-2, core3 (OSPF 0, core interconnect 210.40.10.0/29); IPSEC Tunnel to the branch; branch-fw (NAT) 192.168.100.1/24

Public DMZ STATIC 210.40.50.0/24
  corp-web-01 210.40.50.101 CentOS 6; exch-edge-01 210.40.50.111 Windows2008R2; proxy-01 210.40.50.121 CentOS 6; wsus-01 210.40.50.131 Windows2008R2; svcs-01 210.40.50.141 CentOS 6 (SSH/SCP); svcs-02 210.40.50.142 CentOS 5.5 (NTP/FTP/Telnet); ext-scanner 210.40.50.143 OpenVAS 7

Financial Line DMZ STATIC 210.40.51.0/24
  branch-web-01 210.40.51.101 Windows2008R2; branch-web-02 210.40.51.102 Windows2008R2; branch-web-03 210.40.51.103 Windows2008R2; hloan-svr-01 210.40.51.111 CentOS 6; hloan-svr-02 210.40.51.112 CentOS 6; hloan-svr-03 210.40.51.113 CentOS 5.5

Administrative Business Function: DHCP 210.40.60.0/24, OS: Windows 7, Count: 35

Financial Line Business Network: DHCP 210.40.61.0/24, OS: Windows 7, Count: 35

Financial Line Services Network STATIC 210.40.70.0/24
  branch-app-01 210.40.70.101 Windows2008R2; branch-app-02 210.40.70.102 Windows2008R2; branch-sql-01 210.40.70.110 Windows2008R2; hloan-sql-01 210.40.70.120 CentOS 6; broker-sql-01 210.40.70.130 CentOS 5

Datacenter1 STATIC 210.40.80.0/24
  mn-dc-01 210.40.80.11 Windows2008R2; mn-file-01 210.40.80.21 Windows2003R2; mn-msmq-01 210.40.80.31 Windows2003R2; mn-av-01 210.40.80.41 Windows2008R2; mn-rh-linux-01 210.40.80.51 CentOS 5.5; mn-rh-linux-02 210.40.80.52 CentOS 5.5; mn-exch-01 210.40.80.61 Windows2008R2; mn-Splunk-01 210.40.80.72 CentOS 6; mn-ELK-01 210.40.80.73 CentOS 6; mn-shrpnt-01 210.40.80.81 Windows2008R2; bank-host 210.40.80.100 IBM AS400

Datacenter2 STATIC 210.40.90.0/24
  mn-dc-02 210.40.90.11 Windows2003R2; mn-file-02 210.40.90.21 Windows2008R2; mn-msmq-02 210.40.90.31 Windows2003R2; mn-ubuntu-linux 210.40.90.51 Ubuntu 12.04; mn-ubuntu-linux 210.40.90.52 Ubuntu 14.04; mn-exch-02 210.40.90.61 Windows2008R2; mn-openvas-02 210.40.90.71 OpenVAS 7; ln-Splunk-02 210.40.90.72 CentOS 6; ln-ELK-02 210.40.90.73 CentOS 6; mn-dhcp 210.40.90.73 Windows2008R2 (address as printed on the diagram); mn-shrpnt-02 210.40.90.81 Windows2008R2; trans-host 210.40.90.100 IBM AS400

IT Department: DHCP 210.40.100.0/24, OS: Windows 2008 R2, Kali Linux 2, Rucksack, Count: 10 each
  Static hosts: grr-it 210.40.100.200; netwitness-it 210.40.100.201; ids-it-2 210.40.100.203 SecOnion; ids-it-1 210.40.100.204 SecOnion; netflow-it 210.40.100.205 CentOS 6
  Other hosts shown: win-it-01 Windows2008R2; kali-it-01 Kali Linux 2; rucksack-it-01 Rucksack

Branch/Brokerage: DHCP 192.168.100.0/24 (behind branch-fw NAT), OS: Windows 7, Count: 35
  br1-branch-srv 210.30.70.200 Windows2008R2 (branch network 210.30.70.0/24); clients shown: br1-teller-01, br1-teller-02, br1-teller-03, br1-open-sale-01, br1-open-sale-02, br1-open-sale-03, br1-hloan-01, br1-hloan-02, br1-broker-01; ATM-01, ATM-02

Main-office hosts whose segment could not be recovered from the diagram
  mn-teller-01, mn-teller-02, mn-open-sale-01, mn-open-sale-02, mn-hloan-01, mn-hloan-02, mn-broker-01, wkstn-01 to wkstn-06, Control-dhcp, LARIAT92; printers and readers: MICR-prtr, mn-MICR-prtr, main-prtr, main-bus-prtr, main-fin-prtr, receipt-prtr, check-rdr

Many components must be installed and configured like the real network; fully automated build process.

Cyber Range Hosting

Cloud-Based
•  Range-as-a-service
•  Hosted in public cloud (AWS, Google)
•  Isolated environment
•  Nearly unlimited capacity
•  Rapid updates

SimSpace Hosted
•  Range-as-a-service
•  Hosted at SimSpace datacenter
•  Isolated environment
•  Increased data assurances
•  Rapid updates
•  Inclusion of physical devices

Enterprise
•  Hosted on-premises
•  Tied into existing infrastructure
•  Controlled access, data and results
•  Integrate with physical devices
•  Integrate with internal systems

Cloud Components & Security

[Figure: layered stack diagram of the cloud-hosted range; layers listed top to bottom as shown.]

•  Cyber Range: user access policies & management; network access policies; centrally manage users, access policies, networks, test/training results and security controls
•  Secure capsule: isolated self-contained environments – prevent leakage into cloud
•  Nested virtualization engine (HVX): high performance nested virtualization and overlay network; software defined networking; DHCP, DNS
•  AWS Foundation Services: Compute, Storage, Database, Networking
•  AWS Global Infrastructure: Availability Zones, Regions, Edge Locations

Catalog: Preconfigured Networks

Mini-network       Size: 15 hosts   Difficulty: -
  •  Internet emulation  •  Mini network enclave

Generic Small      Size: 40 hosts   Difficulty: -
  •  Internet emulation  •  1 Simple network  •  Red Team hosts

Generic Medium     Size: 80 hosts   Difficulty: 0.91
  •  Internet emulation  •  4 Simple networks  •  Red Team hosts

Military           Size: 150 hosts  Difficulty: 1.26
  •  Internet emulation  •  Island defense  •  Tri-service network  •  Military critical system

Generic Financial  Size: 280 hosts  Difficulty: -
  •  Internet emulation  •  Financial business units  •  Core financial services  •  3rd Party network

[Figure: Generic Financial Institution Network Diagram, the same diagram shown on the Required Elements for Network Cloning slide.]

RANGE BUILDOUT

Cloud-Based Cyber Range
•  Creation of new network blueprints: up to 30 mins
•  Time to copy blueprint: less than 1 min
•  Number of network blueprints and variations (e.g. A/B testing, individual networks per team): nearly unlimited (AWS S3)
•  Time to deploy range to computing infrastructure: up to 30 mins
•  Range costs: only pay for range use (execution time), not infrastructure or number of copies
•  No user scheduling or resource allocation concerns

Generic Financial Network Overlay

Range
•  280 nodes
•  15 span ports

Operating Systems
•  Windows 2008 R2
•  Windows 7
•  CentOS, Ubuntu, Kali

Applications
•  MS Office
•  IE, Chrome, Firefox
•  Active Directory, Exchange
•  IIS, Apache

Security Tools
•  Symantec SEP
•  Splunk, Tanium, Qualys
•  RSA Netwitness
•  Security Onion
•  ELK, GRR

Network Instances
•  Copies for team training
•  Copies for new products (A/B testing)

[Figure: network overlay; segments shown: Internet; 3rd Party (Techco Inc.); Public DMZ; Branch/Brokerage; Financial Line DMZ; ATMs; Data Centers; IT Dept; Financial Line of Business Network; General; Financial Line Services.]

Enterprise User Emulation

Traffic generation via intelligent host-based agents to accurately emulate enterprise activity.

VIRTUAL USERS
•  Unique personas with their own accounts, documents, user behaviors, application biases, social groups, projects
•  Interact with real applications on each host (e.g. MS Office, IE, Firefox) like a typical user
•  Collaborate with other users to accomplish broader tasks
•  Can scale to thousands of users across platform types
•  Generate realistic workload on each host & network
•  Create means for attackers to exploit clients & hide in enterprise traffic

Attack Tools

Attack tools to simulate sophisticated attacks (APT1, CyberSnake, etc.). Run attack scenarios automatically by combining discrete attacker tasks to form a full attack. Custom malware exercising blue's ability to identify and contain malware communications and persistence, utilizing all common techniques.

BREACH: Attack Platform, Reports
OPFOR: Opposing Force, Attacker
WORMHOLE: 0-day attack surrogates

Assessment Tools

NETWORK MONITORING & MISSION REPLAY: Visualize traffic flows; replay attacker actions
TRAFFIC GENERATION STATUS: Monitor emulated user activity
EVENT TRACKING: Coordinate, record actions from Red & Blue
MISSION IMPACT DISPLAY: Business function dependencies on IT assets

Data Collection and Reporting

Data collected from multiple sources to provide reports, mission impact and scorecards. Detailed information collected from each emulated user about application and host performance.

Example Uses

R&D: On-demand network environments and tools to develop novel cybersecurity solutions
TESTING: Assess products across a suite of network environments and attack scenarios
TRAINING: Team-based training against sophisticated adversaries in a safe and controlled environment
ANALYSIS: Run the latest malware and attacks for analysis in a safe laboratory environment
ASSESSMENTS: Test your tools, people and processes against a suite of attack scenarios to identify areas for improvement
EXERCISES: Test your organizational preparedness to withstand sophisticated attacks and disruptive events
COMPLIANCE: For regulated industries, leverage the network clone for compliance stress testing
SALES & POCs: Showcase product capabilities in a realistic and representative enterprise environment

CONTACT US

Boston, MA (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com

William Hutchison, CEO [email protected]
Lee Rossey, CTO [email protected]
Bart Gray, COO [email protected]

Sales & Business [email protected]
General Inquiry [email protected]
Tech Support [email protected]

Example Products Used in the Range

Example software that can be deployed:

•  Any tool that can run in VMWare
•  Operating Systems:
   •  Windows servers & clients, Ubuntu, Kali
•  Applications:
   •  MS Office, IE, Chrome, Firefox
   •  Active Directory, Exchange, IIS, Apache, …
•  Security Tools:
   •  Symantec SEP, McAfee ePO
   •  RSA Netwitness, Tanium, GRR
   •  Splunk, Kibana, Snort, Bro, AlienVault
   •  Cybereason, Carbon Black - Bit9
   •  Many others …

Package identifiers listed on the slide (Chocolatey-style package names, as printed):

GoogleChrome, flashplayerplugin, git.install, notepadplusplus.install, javaruntime, 7zip.install, adobereader, vlc, dotnet4.5, vcredist2010, winpcap, wamp-server, atom, nodejs.install, ccleaner, sysinternals, filezilla, vim, putty.install, libreoffice, mysql.workbench, paint.net, svn, hg, curl, pdfcreator, wget, calibre

wireshark, gimp, sourcetree, dotnet3.5, python2, cdburnerxp, baretail, foxitreader, firefox, 0ad, microsoftsecurityessentials, audacity, defraggler, steam, speccy, tor-browser, 1password, jdk7, nmap, pidgin, googleearth, emacs, cpu-z, innosetup, powergui, ffmpeg, eclipse

make, sudo, awscli, autoit, openoffice, logparser, directorymonitor, popcorntime, spybot, ie11, mobaxterm, openvpn, redis, autoruns, vmwareplayer, aimp, packer, cyberduck.install, intellijidea-community, bginfo, filezilla.server, bleachbit, xbmc, nscp, vmwarevsphereclient, hxd, sharex, btsync

cygwin, malwarebytes, nant, console2, chromium, windirstat, Tortoisesvn, blender, jenkins, nxlog, lastpass, combofix, ultravnc, r.Project, golang, openssl.light, poweriso, clamwin, pycharmcommunity, webstorm, logmein.client, httrack.app, Jrt, keepass.install, silverlight, rsat, sqlite
