SIMSPACE CORPORATION
SimSpace Cyber Range
BOSTON (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com
THE SIMSPACE CYBER RANGE: Make complex and laborious network environments simple to create, and provide accessible, affordable, and sophisticated solutions for cybersecurity research, development, testing, and training.
Required Elements for Network Cloning
• Network discovery
• Network security
• Users
• Unique business systems
• Applications
• Operating Systems
• Infrastructure
• Services

Generic Financial Institution Network Diagram (host inventory recovered from the diagram; addresses and operating systems are as labelled on the slide)

Range Services and Internet emulation
• Internet Servers (200.200.200.0/24): is1 200.200.200.201 CentOS 5; is2 200.200.200.202 CentOS 5; is3 200.200.200.203 CentOS 5; is4 200.200.200.204 CentOS 5; inet-dc 200.200.200.10 Windows 2008 R2; inet-exch 200.200.200.11 Windows 2008 R2
• Internet Clients: DHCP 200.200.200.0/24, Windows 7, count 15; client groups inet-00 and inet-01; Inet-client-rtr AS 218 (200.200.200.1/24, 200.200.200.2/24)
• Range services: Control-dhcp, LARIAT92
• Transit providers: ISP-1 AS 219 and ISP-2 AS 220; point-to-point links shown on the diagram: 200.200.215.1/30 and 200.200.215.2/30, 200.200.15.1/30 and 200.200.15.2/30, 200.200.115.1/30 and 200.200.115.2/30

Techco Inc. (3rd party network)
• Techco servers (9.10.11.0/24): techco-fs 9.10.11.101 Windows 2008 R2; techco-dc 9.10.11.102 Windows 2008 R2; techco-exch 9.10.11.103 Windows 2008 R2
• Techco Clients: DHCP 9.10.11.0/24, Windows 7, count 15; client groups techco-00 and techco-01
• Techco Management (Windows XP): techco-mgmt1 210.40.52.10; techco-mgmt2 210.40.52.11
• Techco-FW AS 221 (9.10.11.1/24, 9.10.11.2/24)
• Techco GRE Tunnel: Source 9.10.11.254, Destination 200.200.15.2, Tunnel IP 210.40.52.0/24
• Techco DMZ, STATIC 210.40.52.0/24 (router 210.40.52.1/24): techco-web-01 210.40.52.101 CentOS 6; techco-web-02 210.40.52.111 CentOS 6

Financial institution edge and core
• Fin-Edge-1 AS 400 and Fin-Edge-2 AS 400; edge interconnect 210.30.10.0/29 (210.30.10.1, .2, .3, .4); fin-FW on 210.40.1.1/30 with 210.40.1.2/30 on the far side; 210.40.50.1/30 and 210.40.50.2/30 between the edge and the DMZ
• core1, core-2 and core3, OSPF area 0, interconnected on 210.40.10.0/29 (210.40.10.1 through .6)
• Router addresses shown for each internal segment: 210.40.50.1/24, 210.40.51.1/24, 210.40.52.1/24, 210.40.60.1/24, 210.40.61.1/24, 210.40.70.1/24, 210.40.80.1/24, 210.40.90.1/24, 210.40.100.1/24, 210.30.70.1/24

Public DMZ, STATIC 210.40.50.0/24
• corp-web-01 210.40.50.101 CentOS 6
• exch-edge-01 210.40.50.111 Windows 2008 R2
• proxy-01 210.40.50.121 CentOS 6
• wsus-01 210.40.50.131 Windows 2008 R2
• svcs-01 210.40.50.141 CentOS 6 (SSH/SCP)
• svcs-02 210.40.50.142 CentOS 5.5 (NTP/FTP/Telnet)
• ext-scanner 210.40.50.143 OpenVAS 7

Financial Line DMZ, STATIC 210.40.51.0/24
• branch-web-01 210.40.51.101, branch-web-02 210.40.51.102, branch-web-03 210.40.51.103, all Windows 2008 R2
• hloan-svr-01 210.40.51.111 CentOS 6; hloan-svr-02 210.40.51.112 CentOS 6; hloan-svr-03 210.40.51.113 CentOS 5.5

Administrative Business Function: DHCP 210.40.60.0/24, Windows 7, count 35

Financial Line Business Network: DHCP 210.40.61.0/24, Windows 7, count 35
• Named workstations: mn-teller-01, mn-teller-02, mn-open-sale-01, mn-open-sale-02, mn-hloan-01, mn-hloan-02, mn-broker-01, wkstn-01 through wkstn-06
• Printers and readers: MICR-prtr, mn-MICR-prtr, main-prtr, main-bus-prtr, main-fin-prtr, receipt-prtr, check-rdr

Financial Line Services Network, STATIC 210.40.70.0/24
• branch-app-01 210.40.70.101, branch-app-02 210.40.70.102, branch-sql-01 210.40.70.110, all Windows 2008 R2
• hloan-sql-01 210.40.70.120 CentOS 6
• broker-sql-01 210.40.70.130 CentOS 5

Datacenter1, STATIC 210.40.80.0/24
• mn-dc-01 210.40.80.11 Windows 2008 R2
• mn-file-01 210.40.80.21 Windows 2003 R2
• mn-msmq-01 210.40.80.31 Windows 2003 R2
• mn-av-01 210.40.80.41 Windows 2008 R2
• mn-rh-linux-01 210.40.80.51 CentOS 5.5; mn-rh-linux-02 210.40.80.52 CentOS 5.5
• mn-exch-01 210.40.80.61 Windows 2008 R2
• mn-Splunk-01 210.40.80.72 CentOS 6
• mn-ELK-01 210.40.80.73 CentOS 6
• mn-shrpnt-01 210.40.80.81 Windows 2008 R2
• bank-host 210.40.80.100 IBM AS400

Datacenter2, STATIC 210.40.90.0/24
• mn-dc-02 210.40.90.11 Windows 2003 R2
• mn-file-02 210.40.90.21 Windows 2008 R2
• mn-msmq-02 210.40.90.31 Windows 2003 R2
• mn-ubuntu-linux 210.40.90.51 Ubuntu 12.04; mn-ubuntu-linux 210.40.90.52 Ubuntu 14.04
• mn-exch-02 210.40.90.61 Windows 2008 R2
• mn-openvas-02 210.40.90.71 OpenVAS 7
• ln-Splunk-02 210.40.90.72 CentOS 6
• mn-dhcp 210.40.90.73 Windows 2008 R2 and ln-ELK-02 210.40.90.73 CentOS 6 (the diagram labels both hosts with the same address)
• mn-shrpnt-02 210.40.90.81 Windows 2008 R2
• trans-host 210.40.90.100 IBM AS400

IT Department: DHCP 210.40.100.0/24; Windows 2008 R2, Kali Linux 2 and Rucksack hosts, count 10 each
• grr-it, static 210.40.100.200
• netwitness-it, static 210.40.100.201
• ids-it-2 210.40.100.203 Security Onion; ids-it-1 210.40.100.204 Security Onion
• netflow-it 210.40.100.205 CentOS 6
• kali-it-01 Kali Linux 2; win-it-01 Windows 2008 R2; rucksack-it-01 Rucksack

Branch/Brokerage: DHCP 192.168.100.0/24 behind branch-fw (NAT) 192.168.100.1/24, Windows 7, count 35; IPSEC tunnel to the financial edge
• br1-branch-srv 210.30.70.200 Windows 2008 R2 (branch server segment 210.30.70.0/24)
• Workstations: br1-teller-01, br1-teller-02, br1-teller-03, br1-open-sale-01, br1-open-sale-02, br1-open-sale-03, br1-hloan-01, br1-hloan-02, br1-broker-01
• Printers and readers: receipt-prtr, check-rdr

ATMs: ATM-01, ATM-02

Many components must be installed and configured as on the real network; the build process is fully automated.
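Before an automated build of a cloned network, a range engineer wants the blueprint itself checked: every static host inside the subnet its segment declares, no two hosts claiming one address, and a count of the end-of-life operating systems and cleartext services that a red team will go after first. The following is an added example written for this page, not SimSpace code; the host list is a subset transcribed from the diagram above (including the two Datacenter2 hosts the diagram labels 210.40.90.73), and the end-of-life list and the check names are the editor's own assumptions.

```python
"""Sanity-check a network-clone blueprint before the automated build runs.

Editor's example, not SimSpace code. Inventory entries are transcribed from
the Generic Financial Institution diagram; everything else is an assumption.
"""
import ipaddress
from collections import defaultdict

# Segment name -> static subnet, as labelled on the diagram.
SEGMENTS = {
    "Public DMZ": "210.40.50.0/24",
    "Financial Line DMZ": "210.40.51.0/24",
    "Techco DMZ": "210.40.52.0/24",
    "Financial Line Services": "210.40.70.0/24",
    "Datacenter1": "210.40.80.0/24",
    "Datacenter2": "210.40.90.0/24",
    "IT Department": "210.40.100.0/24",
}

# (hostname, address, operating system, segment): a subset of the diagram's
# static hosts, chosen to exercise each check below.
HOSTS = [
    ("corp-web-01", "210.40.50.101", "CentOS 6", "Public DMZ"),
    ("svcs-02", "210.40.50.142", "CentOS 5.5", "Public DMZ"),
    ("wsus-01", "210.40.50.131", "Windows 2008 R2", "Public DMZ"),
    ("hloan-svr-03", "210.40.51.113", "CentOS 5.5", "Financial Line DMZ"),
    ("techco-web-01", "210.40.52.101", "CentOS 6", "Techco DMZ"),
    ("broker-sql-01", "210.40.70.130", "CentOS 5", "Financial Line Services"),
    ("mn-file-01", "210.40.80.21", "Windows 2003 R2", "Datacenter1"),
    ("bank-host", "210.40.80.100", "IBM AS400", "Datacenter1"),
    ("mn-dhcp", "210.40.90.73", "Windows 2008 R2", "Datacenter2"),
    ("ln-ELK-02", "210.40.90.73", "CentOS 6", "Datacenter2"),
    ("mn-ubuntu-linux", "210.40.90.51", "Ubuntu 12.04", "Datacenter2"),
    ("netflow-it", "210.40.100.205", "CentOS 6", "IT Department"),
]

# Services the diagram lists beside the two Public DMZ service hosts.
SERVICES = {"svcs-01": ("SSH", "SCP"), "svcs-02": ("NTP", "FTP", "Telnet")}

# Assumption: OS families past vendor end-of-life at the time of editing.
EOL_OS_PREFIXES = ("Windows 2003", "Windows XP", "CentOS 5", "Ubuntu 12.04")
# Assumption: services that carry credentials in the clear.
CLEARTEXT_SERVICES = {"FTP", "Telnet"}


def hosts_outside_segment(hosts, segments=SEGMENTS):
    """Hostnames whose static address is not inside their segment's subnet."""
    misplaced = []
    for name, ip, _os, segment in hosts:
        subnet = ipaddress.ip_network(segments[segment])
        if ipaddress.ip_address(ip) not in subnet:
            misplaced.append(name)
    return misplaced


def duplicate_addresses(hosts):
    """Map every address claimed by more than one host to its claimants."""
    owners = defaultdict(list)
    for name, ip, _os, _segment in hosts:
        owners[ip].append(name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}


def end_of_life_hosts(hosts):
    """(hostname, os) pairs whose OS matches an end-of-life family."""
    return [(name, os_name) for name, _ip, os_name, _segment in hosts
            if os_name.startswith(EOL_OS_PREFIXES)]


def cleartext_service_hosts(services=SERVICES):
    """Hosts exposing a cleartext service, with the offending services sorted."""
    found = {}
    for name, svcs in services.items():
        exposed = sorted(set(svcs) & CLEARTEXT_SERVICES)
        if exposed:
            found[name] = exposed
    return found


def blueprint_report(hosts=HOSTS, segments=SEGMENTS):
    """Run every check and return the findings keyed by check name."""
    return {
        "outside_segment": hosts_outside_segment(hosts, segments),
        "duplicate_ips": duplicate_addresses(hosts),
        "end_of_life": end_of_life_hosts(hosts),
        "cleartext_services": cleartext_service_hosts(),
    }


if __name__ == "__main__":
    for check, findings in blueprint_report().items():
        print(f"{check}: {findings}")
```

Run against the diagram's own data, the subnet check passes, the duplicate check reports 210.40.90.73 twice, and the end-of-life check lists the Windows 2003, CentOS 5 and Ubuntu 12.04 hosts; a builder would decide per host whether each finding is a diagram error or an intentional weakness kept for training.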
Cyber Range Hosting

Cloud-Based
• Range-as-a-service
• Hosted in public cloud (AWS, Google)
• Isolated environment
• Nearly unlimited capacity
• Rapid updates

SimSpace Hosted
• Range-as-a-service
• Hosted at SimSpace datacenter
• Isolated environment
• Increased data assurances
• Rapid updates
• Inclusion of physical devices

Enterprise
• Hosted on-premises
• Tied into existing infrastructure
• Controlled access, data and results
• Integrate with physical devices
• Integrate with internal systems
Cloud Components & Security (architecture diagram)
• Cyber Range layer: user access policies and management; network access policies; central management of users, access policies, networks, test/training results and security controls
• Range services: DHCP, DNS
• High performance nested virtualization and overlay network: nested virtualization engine (HVX); software defined networking
• Secure capsule: isolated, self-contained environments that prevent leakage into the cloud
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
Catalog: Preconfigured Networks
• Mini-network: 15 hosts; Difficulty: -; Internet emulation, mini network enclave
• Generic Small: 40 hosts; Difficulty: -; Internet emulation, 1 simple network, Red Team hosts
• Generic Medium: 80 hosts; Difficulty: 0.91; Internet emulation, 4 simple networks, Red Team hosts
• Military: 150 hosts; Difficulty: 1.26; Internet emulation, island defense, tri-service network, military critical system
• Generic Financial: 280 hosts; Difficulty: -; Internet emulation, financial business units, core financial services, 3rd party network (the Generic Financial Institution Network Diagram inventoried under Required Elements for Network Cloning)
RANGE BUILDOUT
Cloud-Based Cyber Range
• Creation of new network blueprints: up to 30 minutes
• Time to copy a blueprint: less than 1 minute
• Number of network blueprints and variations (e.g. A/B testing, individual networks per team): nearly unlimited (AWS S3)
• Time to deploy a range to computing infrastructure: up to 30 minutes
• Range costs: pay only for range use (execution time), not for infrastructure or number of copies
• No user scheduling or resource allocation concerns
Generic Financial Network Overlay
Segments: Internet; 3rd Party (Techco Inc.); Public DMZ; Branch/Brokerage; Financial Line DMZ; ATMs; Data Centers; IT Dept; Financial Line of Business Network; General; Financial Line Services

Range
• 280 nodes
• 15 span ports

Operating Systems
• Windows 2008 R2, Windows 7
• CentOS, Ubuntu, Kali

Applications
• MS Office, IE, Chrome, Firefox
• Active Directory, Exchange
• IIS, Apache

Security Tools
• Symantec SEP
• Splunk, Tanium, Qualys
• RSA NetWitness
• Security Onion
• ELK, GRR

Network Instances
• Copies for team training
• Copies for new products (A/B testing)
Enterprise User Emulation
Traffic generation via intelligent host-based agents to accurately emulate enterprise activity.

VIRTUAL USERS
• Unique personas with their own accounts, documents, user behaviors, application biases, social groups and projects
• Interact with real applications on each host (e.g. MS Office, IE, Firefox) like a typical user
• Collaborate with other users to accomplish broader tasks
• Scale to thousands of users across platform types
• Generate realistic workload on each host and network
• Create means for attackers to exploit clients and hide in enterprise traffic
Attack Tools
Attack tools to simulate sophisticated attacks (APT1, CyberSnake, etc.). Attack scenarios run automatically by combining discrete attacker tasks into a full attack. Custom malware exercises Blue's ability to identify and contain malware communications and persistence, using all common techniques.
• BREACH: attack platform and reports
• OPFOR: opposing force, the attacker
• WORMHOLE: 0-day attack surrogates
Assessment Tools
• Network Monitoring & Mission Replay: visualize traffic flows; replay attacker actions
• Traffic Generation Status: monitor emulated user activity
• Event Tracking: coordinate and record actions from Red and Blue
• Mission Impact Display: business function dependencies on IT assets
Data Collection and Reporting
Data is collected from multiple sources to produce reports, mission impact and scorecards. Detailed information is collected from each emulated user about application and host performance.
Example Uses
• R&D: on-demand network environments and tools to develop novel cybersecurity solutions
• TESTING: assess products across a suite of network environments and attack scenarios
• TRAINING: team-based training against sophisticated adversaries in a safe and controlled environment
• ANALYSIS: run the latest malware and attacks for analysis in a safe laboratory environment
• ASSESSMENTS: test your tools, people and processes against a suite of attack scenarios to identify areas for improvement
• EXERCISES: test your organizational preparedness to withstand sophisticated attacks and disruptive events
• COMPLIANCE: for regulated industries, leverage the network clone for compliance stress testing
• SALES & POCs: showcase product capabilities in a realistic and representative enterprise environment
CONTACT US
Boston, MA (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com
• William Hutchison, CEO
• Lee Rossey, CTO
• Bart Gray, COO
• Sales & Business
• General Inquiry
• Tech Support
Example Products Used in the Range
Example software that can be deployed:
• Any tool that can run in VMware
• Operating systems: Windows servers and clients, Ubuntu, Kali
• Applications: MS Office, IE, Chrome, Firefox; Active Directory, Exchange, IIS, Apache, …
• Security tools: Symantec SEP, McAfee ePO; RSA NetWitness, Tanium, GRR; Splunk, Kibana, Snort, Bro, AlienVault; Cybereason, Carbon Black (Bit9); many others …

Package list (Chocolatey-style package identifiers as printed on the slide):
googlechrome flashplayerplugin git.install notepadplusplus.install javaruntime 7zip.install adobereader vlc dotnet4.5 vcredist2010 winpcap wamp-server atom nodejs.install ccleaner sysinternals filezilla vim putty.install libreoffice mysql.workbench paint.net svn hg curl pdfcreator wget calibre wireshark gimp sourcetree dotnet3.5 python2 cdburnerxp baretail foxitreader firefox 0ad microsoftsecurityessentials audacity defraggler steam speccy tor-browser 1password jdk7 nmap pidgin googleearth emacs cpu-z innosetup powergui ffmpeg eclipse make sudo awscli autoit openoffice logparser directorymonitor popcorntime spybot ie11 mobaxterm openvpn redis autoruns vmwareplayer aimp packer cyberduck.install intellijidea-community bginfo filezilla.server bleachbit xbmc nscp vmwarevsphereclient hxd sharex btsync cygwin malwarebytes nant console2 chromium windirstat tortoisesvn blender jenkins nxlog lastpass combofix ultravnc r.project golang openssl.light poweriso clamwin pycharmcommunity webstorm logmein.client httrack.app jrt keepass.install silverlight rsat sqlite