SIMSPACE CORPORATION: SimSpace Cyber Range

BOSTON (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com

THE SIMSPACE CYBER RANGE

Make complex and laborious network environments simple to create, and provide accessible, affordable, and sophisticated solutions to meet your cybersecurity research, development, testing, and training needs.

Required Elements for Network Cloning

• Network security
• Network discovery
• Users
• Unique business systems
• Applications

[Figure: Generic Financial Institution Network Diagram. Labelled segments: Techco Inc. (Internet Servers, Range Services, Internet Clients, Techco Clients, Techco Management), Internet sites & services, ISP-1 / ISP-2, Public DMZ, Techco DMZ, Branch/Brokerage, Financial Line DMZ, Datacenter1, IT Department, Infrastructure, Financial Line Business Network, Financial Line Services Network, Datacenter2, Administrative Business Function; sites are linked by a Techco GRE Tunnel and an IPSEC Tunnel.]

Many components must be installed and configured as they are in the real network; the build process is fully automated.

Cyber Range Hosting

Cloud-Based
• Range-as-a-service
• Hosted in public cloud (AWS, Google)
• Isolated environment
• Nearly unlimited capacity
• Rapid updates

SimSpace Hosted
• Range-as-a-service
• Hosted at SimSpace datacenter
• Isolated environment
• Increased data assurances
• Rapid updates
• Inclusion of physical devices

Enterprise
• Hosted on-premises
• Tied into existing infrastructure
• Controlled access, data and results
• Integrate with physical devices
• Integrate with internal systems

Cloud Components & Security

User access policies / Network policies & access / Cyber Range management:
• Centrally manage users, access policies, networks, test/training results and security controls

Nested virtualization engine:
• High performance nested virtualization and overlay network (DHCP, DNS)

HVX Secure capsule:
• Isolated, self-contained software defined networking environments that prevent leakage into the cloud

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Catalog: Preconfigured Networks

Mini-network Generic Small Generic Medium Military Generic Financial

[Figure: thumbnail of the Generic Financial Institution Network Diagram shown above]

Mini-network (Size: 15 hosts; Difficulty: -)
• Internet emulation
• Mini network enclave

Generic Small (Size: 40 hosts; Difficulty: -)
• Internet emulation
• 1 Simple network
• Red Team hosts

Generic Medium (Size: 80 hosts; Difficulty: 0.91)
• Internet emulation
• 4 Simple networks
• Red Team hosts

Military (Size: 150 hosts; Difficulty: 1.26)
• Internet emulation
• Island defense
• Tri-service network
• Military critical system

Generic Financial (Size: 280 hosts; Difficulty: -)
• Internet emulation
• Financial business units
• Core financial services
• 3rd Party network

RANGE BUILDOUT

Cloud-Based Cyber Range

• Creation of new network blueprints: up to 30 mins
• Time to copy blueprint: less than 1 min
• Number of network blueprints and variations (e.g. A/B testing, individual networks per team): nearly unlimited (AWS S3)
• Time to deploy range to computing infrastructure: up to 30 mins
• Range costs: only pay for range use (execution time), not infrastructure or number of copies
• No user scheduling or resource allocation concerns

Generic Financial Network Overlay

[Figure: overlay diagram with segments Internet, 3rd Party, General, Techco Inc., Public DMZ, Branch/Brokerage, Financial Line DMZ, ATMs, Data Centers, IT Dept, Financial Line of Business Network, Financial Line Services]

Range
• 280 nodes
• 15 span ports

Operating Systems
• Windows 2008 R2, Windows 7
• CentOS, Ubuntu, Kali

Applications
• MS Office
• IE, Chrome, Firefox
• Active Directory, Exchange
• IIS, Apache

Security Tools
• Symantec SEP
• Splunk, Tanium, Qualys
• RSA Netwitness
• Security Onion
• ELK, GRR

Network Instances
• Copies for team training
• Copies for new products (A/B testing)

Enterprise User Emulation

Traffic generation via intelligent host-based agents to accurately emulate enterprise activity

VIRTUAL USERS
• Unique personas with their own accounts, documents, user behaviors, application biases, social groups, projects
• Interact with real applications on each host (e.g. MS Office, IE, Firefox) like a typical user
• Collaborate with other users to accomplish broader tasks
• Can scale to thousands of users across platform types
• Generate realistic workload on each host & network
• Create means for attackers to exploit clients & hide in enterprise traffic

Attack Tools

Attack tools to simulate sophisticated attacks (APT1, CyberSnake, etc.)

Run attack scenarios automatically by combining discrete attacker tasks to form a full attack

Custom malware exercising the Blue Team's ability to identify and contain malware communications and persistence, utilizing all common techniques

• BREACH: Attack Platform, Reports
• OPFOR: Opposing Force, Attacker
• WORMHOLE: 0-day attack surrogates

Assessment Tools

• Network Traffic Generation & Monitoring: Monitor emulated user activity
• STATUS / MISSION REPLAY: Visualize traffic flows; replay attacker actions
• Event TRACKING: Coordinate, record actions from Red & Blue
• Mission Impact DISPLAY: Business function dependencies on IT assets

Data Collection and Reporting

Data collected from multiple sources to provide reports, mission impact and scorecards

Detailed information collected from each emulated user about application and host performance

Example Uses

• R&D: On-demand network environments and tools to develop novel cybersecurity solutions
• TESTING: Assess products across a suite of network environments and attack scenarios
• ANALYSIS: Run the latest malware and attacks for analysis in a safe laboratory environment
• ASSESSMENTS: Test your tools, people and processes against a suite of attack scenarios to identify areas for improvement
• TRAINING: Team-based training against sophisticated adversaries in a safe and controlled environment
• EXERCISES: Test your organizational preparedness to withstand sophisticated attacks and disruptive events
• COMPLIANCE: For regulated industries, leverage the network clone for compliance stress testing
• SALES & POCs: Showcase product capabilities in a realistic and representative enterprise environment

CONTACT US

• William Hutchison, CEO: [email protected]
• Lee Rossey, CTO: [email protected]
• Bart Gray, COO: [email protected]
• Sales & Business: [email protected]
• General Inquiry: [email protected]
• Tech Support: [email protected]

Boston, MA (HQ): 51 Melcher St., Boston, MA 02210, www.simspace.com

Example Products Used in the Range

Example software that can be deployed:
• Any tool that can run in VMware
• Operating Systems: Windows servers & clients, Ubuntu, Kali
• Applications: MS Office, IE, Chrome, Firefox; Active Directory, Exchange, IIS, Apache, …
• Security Tools: Symantec SEP, McAfee ePO; RSA Netwitness, Tanium, GRR; Splunk, Kibana, Snort, Bro, AlienVault; Cybereason, Carbon Black - Bit9
• Many others …

Package names shown on the slide: GoogleChrome, wireshark, make, cygwin, flashplayerplugin, gimp, sudo, malwarebytes, git.install, sourcetree, awscli, nant, notepadplusplus.install, dotnet3.5, autoit, console2, javaruntime, python2, openoffice, chromium, 7zip.install, cdburnerxp, logparser, windirstat, adobereader, baretail, directorymonitor, Tortoisesvn, vlc, foxitreader, popcorntime, blender, dotnet4.5, firefox, spybot, vcredist2010, 0ad, ie11, nxlog, winpcap, microsoftsecurityessentials, mobaxterm, lastpass, wamp-server, openvpn, combofix, atom, audacity, redis, ultravnc, nodejs.install, defraggler, autoruns, r.Project, ccleaner, steam, vmwareplayer, golang, sysinternals, speccy, aimp, openssl.light, filezilla, tor-browser, packer, poweriso, vim, 1password, cyberduck.install, clamwin, putty.install, jdk7, intellijidea-community, pycharm-community, bginfo, mysql.workbench, pidgin, filezilla.server, webstorm, paint.net, googleearth, bleachbit, logmein.client, svn, emacs, xbmc, httrack.app, hg, cpu-z, nscp, Jrt, curl, innosetup, vmwarevsphereclient, keepass.install, pdfcreator, powergui, hxd, silverlight, wget, sharex, rsat, calibre, eclipse, btsync, sqlite