Through a partnership with premier Cyber Range provider SimSpace, the ACSC has developed a unique opportunity for cyber operators to test their skills and responses during a hands-on-keyboard exercise conducted in SimSpace’s high-fidelity cyber range.
ACSC organizations are partnering with peers to expose their SOC and technical incident response staff to peers, giving them the opportunity to learn new tactics, techniques and procedures to investigate and respond to an attack in a simulated environment, using the tools they would normally use.
This opportunity promises to mature cyber response capabilities, practice incident response communications, develop team dynamics, and provide a next-generation experience that few cyber operators get.
2022 ACSC-SimSpace Cyber Range Exercise Training and Development program
The 2022 program builds on the lessons learned from 2020 and 2021. The program features a Live Fire Capture the Flag - a large-scale, full Blue Team incident response exercise on a high-fidelity range with live fire from a sophisticated SimSpace Red Team, with ACSC member participants and collaborators. This is meant to test incident response skills, teamwork and communications, and to exercise playbooks. It uses the tools network defenders use and largely focuses on analyzing network traffic data to find the indicators of compromise and piece together the adversary's actions.
To complement this team exercise, we have more individual and small-group activities with Defender Challenges and Lunch and Learn sessions.
- Defender Challenges use the range capability to present a step-by-step challenge; participants score points by producing artifacts and answering questions.
- Lunch and Learns use the range for purple teaming - blue and red team presenting techniques and detections for participants, who can then use their own VM in the range to try their hand at detecting the red team activity. This is meant to be educational and to build a network of front-line responders.
Across-the-board positive feedback shows us that cyber range exercises provide an invaluable opportunity to “have a bad day at the office” in a safe, simulated environment. Participating staff and their security executives, who often observe the exercises, reported learning important lessons about teamwork, communications and coordination during an incident, as well as developing technical skills and “muscle memory.”
New participants in this year’s Cyber Range program include MIT Lincoln Lab, Harvard University and MITRE.
2021 ACSC-SimSpace Cyber Range Training program
Three incident response exercises were conducted on the high-fidelity SimSpace Cyber Range, simulating a business network that has been compromised, where Blue Team defenders can use their actual investigation tools, like Splunk, to document and mitigate.
- One exercise specifically for an individual organization, conducted in parallel with other ACSC members to allow blue teams to compare notes on effective response strategies. The primary goal is testing 8-10 blue teamers as they respond and practice incident management, effective communications, and efficient teamwork.
- Two exercises on a shared team, where 4-5 blue teamers from one organization work collaboratively with another member organization to exercise and learn from one another. This encourages real-time skill sharing, challenges teams to communicate effectively, and builds a network of blue teamers.
The 2021 Outcome
Three successful events that allowed seven teams to learn about their effectiveness, make adjustments to their incident response plans, and identify gaps in their response capabilities. Some teams were able to try out new tools, like CrowdStrike EDR, and understand its effectiveness. All teams provided positive feedback and would like to continue to use cyber ranges to continue to improve their defenses, responsiveness, and resiliency.
The 2020 Pilot
Leading ACSC members participated in an incident response exercise on the cyber range. Each organization brought five to ten members of their SOC to the exercise, which allowed them to test their response planning, procedures, and capabilities in a safe environment. Each team entered the range after an event had occurred and had to use standard network log analysis tools like Splunk and Kibana to identify the adversarial activity, log it, and mitigate the damage. Each participating team and several ACSC observers endorsed the pilot cyber range exercise and the ACSC's collaborative approach.
Organizations that have participated in collaborative range exercises
- Commonwealth of Massachusetts
- Federal Reserve Bank of Boston
- Harvard University
- Liberty Mutual
- Manulife/John Hancock
- MIT Lincoln Lab
- Munich Re
- Schneider Electric
- State Street