SimSpace Corporation: SimSpace Cyber Range - … 2015 cef...
Posted on 16-Mar-2018
BOSTON (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com
SIMSPACE CORPORATION SimSpace Cyber Range
THE SIMSPACE CYBER RANGE
Make complex and laborious network environments simple to create, and provide accessible, affordable, and sophisticated solutions to meet your cybersecurity research, development, testing, and training needs.
Required Elements for Network Cloning
• Users
• Applications
• Infrastructure
• Network security
• Internet sites & services
• Operating Systems
• Services
• Network discovery
• Unique business systems
[Figure: Generic Financial Institution Network Diagram. The diagram shows host names, addresses and operating systems (Windows 2003 R2 / 2008 R2, Windows 7, Windows XP, CentOS 5 / 5.5 / 6, Ubuntu 12.04 / 14.04, Kali Linux 2, IBM AS400) for each segment: Internet emulation (ISP-1 AS 219, ISP-2 AS 220, Internet servers and clients on 200.200.200.0/24); Public DMZ (static 210.40.50.0/24, including proxy, WSUS, Exchange edge, web and service hosts and an OpenVAS 7 external scanner); Financial Line Business Network (DHCP 210.40.61.0/24, 35 Windows 7 hosts); Administrative Business Function (DHCP 210.40.60.0/24, 35 Windows 7 hosts); Financial Line Services Network (static 210.40.70.0/24, application and SQL servers); Financial Line DMZ (static 210.40.51.0/24, branch web and home-loan servers); Datacenter1 (static 210.40.80.0/24) and Datacenter2 (static 210.40.90.0/24), each with domain controller, file, Exchange, MSMQ and SharePoint servers, an IBM AS400 host, and Splunk and ELK collectors; IT Department (DHCP 210.40.100.0/24, with Kali, GRR, NetWitness, two Security Onion IDS sensors and a NetFlow collector); Branch/Brokerage (DHCP 192.168.100.0/24 behind a NAT firewall, including ATMs); Techco Inc. third-party network (9.10.11.0/24, Techco-FW AS 221) and Techco DMZ (static 210.40.52.0/24), connected over GRE and IPsec tunnels; and Range Services (LARIAT control and DHCP). Core routers core1, core-2 and core3 run OSPF area 0 behind Fin-Edge-1/Fin-Edge-2 (AS 400) and fin-FW.]
Many components must be installed and configured as in the real network; the build process is fully automated.
Cyber Range Hosting
Cloud-Based • Range-as-a-service • Hosted in public cloud (AWS, Google) • Isolated environment • Nearly unlimited capacity • Rapid updates
SimSpace Hosted • Range-as-a-service • Hosted at SimSpace datacenter • Isolated environment • Increased data assurances • Rapid updates • Inclusion of physical devices
Enterprise • Hosted on-premises • Tied into existing infrastructure • Controlled access, data and results • Integrate with physical devices • Integrate with internal systems
Cloud Components & Security
Layered architecture (diagram):
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Nested virtualization engine and software-defined networking: high-performance nested virtualization and overlay network (DHCP, DNS, HVX)
• Secure capsule: isolated, self-contained environments that prevent leakage into the cloud
• Cyber Range: user access policies & management, network access policies
• Centrally manage users, access policies, networks, test/training results and security controls …
Catalog: Preconfigured Networks
Mini-network
Size: 15 hosts Difficulty: - • Internet emulation • Mini network enclave
Generic Small
Size: 40 hosts Difficulty: - • Internet emulation • 1 Simple network • Red Team hosts
Generic Medium
Size: 80 hosts Difficulty: 0.91 • Internet emulation • 4 Simple networks • Red Team hosts
Generic Financial
Size: 280 hosts Difficulty: - • Internet emulation • Financial business units • Core financial services • 3rd Party network
Military
Size: 150 hosts Difficulty: 1.26 • Internet emulation • Island defense • Tri-service network • Military critical system
RANGE BUILDOUT
Cloud-Based Cyber Range
• Creation of new network blueprints: up to 30 mins
• Time to copy blueprint: less than 1 min
• Number of network blueprints and variations (e.g. A/B testing, individual networks per team): nearly unlimited (AWS S3)
• Time to deploy range to computing infrastructure: up to 30 mins
• Range costs: only pay for range use (execution time), not infrastructure or number of copies
• No user scheduling or resource allocation concerns
Generic Financial Network Overlay
Operating Systems • Windows 2008 R2 • Windows 7 • CentOS, Ubuntu, Kali
Security Tools • Symantec SEP • Splunk, Tanium, Qualys • RSA Netwitness • Security Onion • ELK, GRR
Network Instances • Copies for team training • Copies for new products (A/B testing)
General • 280 nodes • 15 span ports
Network segments shown in the overlay: IT Dept, Branch/Brokerage, Public DMZ, Financial Line DMZ, Financial Line of Business Network, Financial Line Services, Data Centers, Internet, ATMs, Range 3rd Party (Techco Inc.)
Applications • MS Office • IE, Chrome, Firefox • Active Directory, Exchange • IIS, Apache
Enterprise User Emulation
Traffic generation via intelligent host-based agents to accurately emulate enterprise activity
VIRTUAL USERS
• Unique personas with their own accounts, documents, user behaviors, application biases, social groups, projects
• Interact with real applications on each host (e.g. MS Office, IE, Firefox) like a typical user
• Collaborate with other users to accomplish broader tasks
• Can scale to thousands of users across platform types
• Generate realistic workload on each host & network
• Create means for attackers to exploit clients & hide in enterprise traffic
Attack Tools
BREACH: Attack Platform, Reports
OPFOR: Opposing Force, Attacker
WORMHOLE: 0-day attack surrogates
Attack tools to simulate sophisticated attacks (APT1, CyberSnake, etc.). Run attack scenarios automatically by combining discrete attacker tasks to form a full attack. Custom malware exercising Blue's ability to identify and contain malware communications and persistence, utilizing all common techniques.
Assessment Tools
Traffic Generation STATUS: monitor emulated user activity
Mission Impact DISPLAY: business function dependencies on IT assets
Event TRACKING: coordinate and record actions from Red & Blue
Network Monitoring & MISSION REPLAY: visualize traffic flows; replay attacker actions
Data Collection and Reporting
Data collected from multiple sources to provide reports, mission impact and scorecards. Detailed information collected from each emulated user about application and host performance.
Example Uses
R&D: On-demand network environments and tools to develop novel cybersecurity solutions
TESTING: Assess products across a suite of network environments and attack scenarios
TRAINING: Team-based training against sophisticated adversaries in a safe and controlled environment
EXERCISES: Test your organizational preparedness to withstand sophisticated attacks and disruptive events
COMPLIANCE: For regulated industries, leverage the network clone for compliance stress testing
SALES & POCs: Showcase product capabilities in a realistic and representative enterprise environment
ANALYSIS: Run the latest malware and attacks for analysis in a safe laboratory environment
ASSESSMENTS: Test your tools, people and processes against a suite of attack scenarios to identify areas for improvement
CONTACT US
Sales & Business sales@simspace.com General Inquiry contact@simspace.com Tech Support support@simspace.com
William Hutchison, CEO Hutch@simspace.com Lee Rossey, CTO Lee@simspace.com Bart Gray, COO Bartman@simspace.com
Boston, MA (HQ) 51 Melcher St. Boston, MA 02210 www.simspace.com
Example Products Used in the Range
• Any tool that can run in VMware
• Operating Systems: Windows servers & clients, Ubuntu, Kali
• Applications: MS Office, IE, Chrome, Firefox; Active Directory, Exchange, IIS, Apache, …
• Security Tools: Symantec SEP, McAfee ePO; RSA Netwitness, Tanium, GRR; Splunk, Kibana, Snort, Bro, AlienVault; Cybereason, Carbon Black - Bit9; many others …
Example software that can be deployed (package names as listed on the slide):
GoogleChrome flashplayerplugin git.install notepadplusplus.install javaruntime 7zip.install adobereader vlc dotnet4.5 vcredist2010 winpcap wamp-server atom nodejs.install ccleaner sysinternals filezilla vim putty.install libreoffice mysql.workbench paint.net svn hg curl pdfcreator wget calibre
wireshark gimp sourcetree dotnet3.5 python2 cdburnerxp baretail foxitreader firefox 0ad microsoftsecurityessentials audacity defraggler steam speccy tor-browser 1password jdk7 nmap pidgin googleearth emacs cpu-z innosetup powergui ffmpeg eclipse
make sudo awscli autoit openoffice logparser directorymonitor popcorntime spybot ie11 mobaxterm openvpn redis autoruns vmwareplayer aimp packer cyberduck.install intellijidea-community bginfo filezilla.server bleachbit xbmc nscp vmwarevsphereclient hxd sharex btsync
cygwin malwarebytes nant console2 chromium windirstat Tortoisesvn blender jenkins nxlog lastpass combofix ultravnc r.Project golang openssl.light poweriso clamwin pycharm-community webstorm logmein.client httrack.app Jrt keepass.install silverlight rsat sqlite