The document itself gives us a good definition of what a cyber range is and where they are used. It also gives us a rundown of who would benefit most from using a cyber range and what cyber ranges are used for. Finally, NICE has included a checklist to help guide you on selecting the best cyber range for your needs.
A brief overview
Cybersecurity has become an essential part of modern organizations. This means there is a high demand for skills development and training across all mediums, especially remote, over-the-internet methods. In order to keep up with high demand for cybersecurity professional skills, methods such as a cyber range are a chance to bridge this skills gap in the market. A cyber range is an interactive learning experience that simulates the most common platforms, network environments, tools, operating systems and applications. A cyber range can do the following for your team:
Offers a performance-based learning and assessment capability Gives a simulated environment that your teams can log into and work in together Has the ability to give instant feedback to your teams Provides real-world simulations of scenarios that you are likely to encounter on the job Creates an environment where risks can be taken to learn and test new ideas without affecting live systems or infrastructure
Why do we need cyber ranges?
Anyone pursuing a cybersecurity certification or workplace skills development will know firsthand how difficult it is to find a realistic simulation environment to learn new cybersecurity skills in. Traditional training seldom feels realistic, most companies don’t have the software or other resources for training and some of the exercises that you need to practice may have legal ramifications if performed on a live system. Cyber ranges help to create a realistic testing and training environment, which can be a mixture of hardware and software that is used to teach techniques and methods most commonly used in the real world.
Who are cyber ranges for?
It stands to reason that before you can decide on which cyber range is for you, you need to find out who cyber ranges are designed for in the first place. Below is a table of use cases that the NICE has identified as being the primary target audience of cyber range training.
Checklist components
At the end of this article, we will look at each item of the checklist and highlight the key elements of each one.
Use cases of a cyber range
NICE has identified the following key use cases of a cyber range and how you could use one in your own circumstances and personal situation. There are many different possibilities for how you could use a cyber range in your own workplace or training environment. You could help to improve key individuals or entire teams with specialized cyber ranges. This is also a good platform to test scenarios and procedures that are modelled around real-world security threats that you can expect to see on the network. These ranges can be customized to model your exact network environment so that you can practice with the most lifelike representation of the layout of your network that you can find.
Location of the range
The location of the range is an important aspect that needs to be looked at. Not all businesses currently have staff actively going into the office, and in those instances, remote training is the way to go. Other businesses might have a requirement that staff be in the office, and in those instances where there is an on-premises solution for the cyber range, then that is also an option. For other businesses, there is a hybrid solution that integrates both on-premises and cloud-based solutions.
Curriculum type
Sometimes, you might not need to spend extra time developing a customized cyber range for your team. Instead, a pre-packaged cyber range can quickly come into service and get your team members started in no time at all. Pre-packaged cyber ranges (with options) is a more customized cyber range with standard learning materials and a few custom modules specific to the company that requests it. An ad hoc curriculum is a solution that is designed with complete customization in mind.
Learning outcomes and standard alignment
The NICE checklist states that a cyber range should use either the NICE Framework within the course content or contain NSA/DHS National Centers for Academic Excellence Knowledge Units. This is an important aspect of a cyber range, as there are many important technical details that need to be included in the materials and exercises that your users will be undertaking when completing a cyber range.
Assessment and debriefing tools
You need feedback in order to learn how effective a training program is, and cyber ranges are no different. To achieve this, the NICE checklist recommends that you implement a way for users to provide constructive feedback about what they felt worked and what didn’t. With this kind of feedback, the organizer can look at the issues raised and address problems as they are reported. Another useful data-gathering tool is a replay feature. This will allow the cyber range organizers to review what users did when they experienced issues. This removes the tedious work of trying to recreate an issue, as the playback defines what went wrong as it happened.
Scalability and elasticity
Cyber ranges differ in functionality, scalability and elasticity. What this means is that not all cyber ranges work in the same way. The NICE checklist identifies this and makes the following distinctions between different cyber ranges in terms of both the number of users that they cater for and the time that are allocated to them. They are classified as limited users with a limited time period, a limited number of users with an unlimited time period, unlimited users with a limited time period and unlimited users with unlimited time periods. These distinctions are important if you are trying to allocate resources to people without overbooking and over-utilizing your resources and leaving users without training. If you can use the NICE checklist to familiarize yourself with the limited resources at your disposal, then you have a far greater chance of successfully implementing a cyber range within your organization.
Training and support
If you are offering a cyber range with complicated and complex subjects and exercises, then the chances of something going wrong is quite high. There are infrastructure considerations and software-based issues as well. If an exercise within a cyber range doesn’t quite work as expected, then you need to have support to help and troubleshoot and fix the issue. The NICE checklist takes these considerations further and helps you to identify the type of support that you need. The types that are listed include: initial support and training (hand-holding), periodic support and training (maintenance) and on-call support and training (break and fix). You need to make sure that the support that you require is available when you need it, and the NICE checklist outlines this very well.
The special sauce
This spicy section outlines the part of the cyber range that makes it unique to your requirements. You may have customizations that are specific to your niche in the market or in your industry. These requirements should be catered for in your cyber range if they are crucial to training your users. The orchestration layer is largely responsible for the dynamic responsiveness of the cyber range. This can be a commercial product or an in-house solution that is developed internally by your developers. Other items that you should think about are scheduling components and whether or not you need a specialized LMS or RLMS solution for your cyber range.
The checklist
Below is the checklist as it is found here on the NIST website.
Conclusion
The NICE checklist exists because cybersecurity training is becoming more and more important for the normal operations of an organization. Cyber ranges are a crucial part of hand-on cyber security training and there are many different types of cyber ranges to choose from. The NICE checklist helps to synthesize the important components that you need to implement a successful cyber range of your own. The great thing about cyber ranges is that they are good for training new users and experts alike. Studying for a certification is still a viable way to learn cybersecurity skills, but nothing quite beats real-world experience and realistic cyber range exercises. The key takeaway from the NICE checklist is that it outlines the most common stumbling blocks for starting up your own cyber range, and offers insight into the minutia of how to create and implement a cyber range of your own.