SIMSPACE CORPORATION SimSpace Cyber Range
BOSTON (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com
THE SIMSPACE CYBER RANGE
Make complex and laborious network environments simple to create, and provide accessible, affordable, and sophisticated solutions to meet your cybersecurity research, development, testing, and training needs.
Required Elements for Network Cloning
• Network security
• Network discovery
• Users
• Unique business systems
• Applications
[Figure: Generic Financial Institution Network Diagram. Segments shown: Techco Inc. (Internet Clients, Internet Servers, Techco Management, Techco DMZ, Range Services), Internet sites & services (ISP-1, ISP-2, Inet-client-rtr), Public DMZ, Branch/Brokerage, Financial Line DMZ, Datacenter1, Datacenter2, IT Department, Financial Line Business Network, Financial Line Services Network, Administrative Business Function and ATMs, linked by GRE and IPSEC tunnels.]
Many components must be installed and configured as on the real network; the build process is fully automated.
Cyber Range Hosting
Cloud-Based
• Range-as-a-service
• Hosted in public cloud (AWS, Google)
• Isolated environment
• Nearly unlimited capacity
• Rapid updates

SimSpace Hosted
• Range-as-a-service
• Hosted at SimSpace datacenter
• Isolated environment
• Increased data assurances
• Rapid updates
• Inclusion of physical devices

Enterprise
• Hosted on-premises
• Tied into existing infrastructure
• Controlled access, data and results
• Integrate with physical devices
• Integrate with internal systems
Cloud Components & Security
Cyber Range management
• User access
• Network policies & access
• Centrally manage users, access policies, networks, test/training results and security controls

Nested virtualization engine (HVX)
• High-performance nested virtualization and overlay network (DHCP, DNS)
• Secure capsule: isolated, self-contained software-defined networking environments that prevent leakage into the cloud

AWS Foundation Services
• Compute, Storage, Database, Networking
• Regions, Availability Zones, AWS Global Edge Infrastructure Locations
Catalog: Preconfigured Networks
Mini-network
• Size: 15 hosts
• Difficulty: -
• Internet emulation
• Mini network enclave

Generic Small
• Size: 40 hosts
• Difficulty: -
• Internet emulation
• 1 Simple network
• Red Team hosts

Generic Medium
• Size: 80 hosts
• Difficulty: 0.91
• Internet emulation
• 4 Simple networks
• Red Team hosts

Military
• Size: 150 hosts
• Difficulty: 1.26
• Internet emulation
• Island defense
• Tri-service network
• Military critical system

Generic Financial
• Size: 280 hosts
• Difficulty: -
• Internet emulation
• Financial business units
• Core financial services
• 3rd Party network
RANGE BUILDOUT
Cloud-Based Cyber Range
• Creation of new network blueprints: up to 30 mins
• Time to copy blueprint: less than 1 min
• Number of network blueprints and variations (e.g. A/B testing, individual networks per team): nearly unlimited (AWS S3)
• Time to deploy range to computing infrastructure: up to 30 mins
• Range costs: only pay for range use (execution time), not infrastructure or number of copies
• No user scheduling or resource allocation concerns
Generic Financial Network Overlay
[Figure: overlay of the Generic Financial network showing the Internet, 3rd Party, General and Techco Inc. segments, Public DMZ, Branch/Brokerage, Financial Line DMZ, ATMs, Data Centers, IT Dept, Financial Line of Business Network and Financial Line Services.]

Range
• 280 nodes
• 15 span ports

Operating Systems
• Windows 2008 R2, Windows 7
• CentOS, Ubuntu, Kali

Applications
• MS Office
• IE, Chrome, Firefox
• Active Directory, Exchange
• IIS, Apache

Security Tools
• Symantec SEP
• Splunk, Tanium, Qualys
• RSA Netwitness
• Security Onion
• ELK, GRR

Network Instances
• Copies for team training
• Copies for new products (A/B testing)
Enterprise User Emulation
Traffic generation via intelligent host-based agents to accurately emulate enterprise activity
VIRTUAL USERS
• Unique personas with their own accounts, documents, user behaviors, application biases, social groups, projects
• Interact with real applications on each host (e.g. MS Office, IE, Firefox) like a typical user
• Collaborate with other users to accomplish broader tasks
• Can scale to thousands of users across platform types
• Generate realistic workload on each host & network
• Create means for attackers to exploit clients & hide in enterprise traffic
Attack Tools
Attack tools to simulate sophisticated attacks (e.g. APT1, CyberSnake)
Run attack scenarios automatically by combining discrete attacker tasks to form a full attack
Custom malware that exercises the Blue Team's ability to identify and contain malware communications and persistence, using all common techniques
• BREACH: Attack Platform, Reports
• OPFOR: Opposing Force, Attacker
• WORMHOLE: 0-day attack surrogates
Assessment Tools
• Network Traffic Generation Monitoring & Status: Monitor emulated user activity
• Mission Replay: Visualize traffic flows; replay attacker actions
• Event Tracking: Coordinate and record actions from Red & Blue
• Mission Impact Display: Business function dependencies on IT assets
Data Collection and Reporting
Data collected from multiple sources to provide reports, mission impact and scorecards
Detailed information collected from each emulated user about application and host performance
Example Uses
• R&D: On-demand network environments and tools to develop novel cybersecurity solutions
• TESTING: Assess products across a suite of network environments and attack scenarios
• ANALYSIS: Run the latest malware and attacks for analysis in a safe laboratory environment
• ASSESSMENTS: Test your tools, people and processes against a suite of attack scenarios to identify areas for improvement
• TRAINING: Team-based training against sophisticated adversaries in a safe and controlled environment
• EXERCISES: Test your organizational preparedness to withstand sophisticated attacks and disruptive events
• COMPLIANCE: For regulated industries, leverage the network clone for compliance stress testing
• SALES & POCs: Showcase product capabilities in a realistic and representative enterprise environment
CONTACT US
• William Hutchison, CEO: [email protected]
• Lee Rossey, CTO: [email protected]
• Bart Gray, COO: [email protected]
• Sales & Business: [email protected]
• General Inquiry: [email protected]
• Tech Support: [email protected]
Boston, MA (HQ): 51 Melcher St., Boston, MA 02210, www.simspace.com
Example Products Used in the Range
Example software that can be deployed
• Any tool that can run in VMWare
• Operating Systems: Windows servers & clients, Ubuntu, Kali
• Applications: MS Office, IE, Chrome, Firefox; Active Directory, Exchange, IIS, Apache, …
• Security Tools: Symantec SEP, McAfee ePO; RSA Netwitness, Tanium, GRR; Splunk, Kibana, Snort, Bro, AlienVault; Cybereason, Carbon Black - Bit9
• Many others …
[Figure: word cloud of example deployable software package names.]