Fail Good and Fail Safely in a Cyber Range Environment
The case for cyber ranges - Part 3
I heard a comment the other day that really clicked something in my mind. The quote was "You don't know how vulnerable you are until you fail". This quote could have come from a movie or TV show about war. Or it could have been uttered during a NFL or college football game! But when I heard the quote, it made me think of cyber security. Now I have to admit, I think about cyber security almost all of the time since that is the industry I work in. However, this was a bit different.
When things are going well, whether it is in your network or your defensive team is not allowing touchdowns, you are getting a false sense of security. There is no such thing as an impenetrable defense. The one common denominator between networks and football? Humans. People. WE, my friends are the weakest link. When humans are involved, something can and will happen. Many times, security issues in networks and systems are caused by simple human error. A simple mistake in policy configuration can allow access when none should be allowed. I personally saw a firewall policy that had "permit tcp any any" and "permit udp any any" in its policy! Seriously? This was a very large e-commerce provider! Do you think that anyone would really put that into the policy? Well, they did.
This actually speaks to failure. Yes, that previous example of the policy would have (and most likely did) caused failure. That failure was going to happen in the production environment. That kind of failure is not a good thing. However, failure can be a good thing when it comes to network security.
The kind of failure that can be good is done in a safe environment. This will allow operators to take risk and try different things to help mitigate threats. They can try new and innovative ways to help improve defenses. But the biggest advantage is that they have the opportunity to see what these threats look like and how they behave. They can get "knee deep" into the action. They can be put into stressful situations where, if they fail, will not cause any damage to the production environment.
This environment is called a cyber range. If any of you have read my previous articles on cyber range (or read them here and here), you know the importance of training and educating the people that are responsible for protecting our enterprises, service providers, governments, and critical infrastructures. Failure in a range is a good thing. Then you have tactile feedback that something is wrong. You learn best by mistakes.
NFL defensive coaches are constantly looking for ways to stop the high-powered offenses. In practice, they can simulate game conditions to figure out what the best approach is to stop the other team from scoring. In network security, we can do the same exact thing. We can simulate game time conditions to allow our operators to Train Like They Fight!