
Types of cyber ranges compared: Simulations, overlays, emulations and hybrids

February 11, 2021 by Graeme Messina

There are many different kinds of cyber ranges to choose from when deciding on the best cybersecurity training type for your team. Cyber ranges are an effective way to learn new cybersecurity skills and to practice realistic cybersecurity exercises and techniques without risking damage to your live environments. Cyber ranges use many different technologies in order to simulate a real-world environment. 

These systems are used within synthetic network environments where virtual machines (VM) are connected to mimic real computers and servers on a network. We want to look at the different types of cyber ranges and compare them with one another. 

In this article, we will be using the NICE (National Institute for Cyber Security Education) guide to define the different cyber range types. The document can be found here if you would like to read more about the use cases, features and types of cyber ranges in their entirety. 


What are simulation ranges?

Simulation ranges are useful and effective tools for learning new skills. In a cybersecurity context, they provide learners with global testbeds and other essential simulation tools. A simulation range is simply a cyber range with real-world analogs that mimic real-world systems. We will look at the details of simulation ranges and how they work, as well as provide some examples for you below.

Simulation range examples

A simulation range is any cybersecurity range that recreates the core traits of a security scenario, generally providing closed-network experiences. Simulation ranges were originally popularized by the United States Air Force in 2002.

Simulation ranges recreate a synthetic network environment that works just like a real-world network. This is achieved with virtualization of both network components and servers to provide a solid training environment for learners to practice cyber range exercises. Virtual machines can emulate key network infrastructure such as servers, network equipment, and storage devices for various enterprise sizes (small, medium and large).

Pros of simulation ranges

  • Quick to spin up and start using
  • Easy to add virtual components
  • Can be customized granularly to match your real network environment

Cons of simulation ranges

  • Requires lots of configuration and planning
  • Unpredictable and unrealistic latency can be an issue
  • Network jitter can be an issue on under-resourced simulation ranges

What are overlay ranges?

Overlay ranges are cyber ranges that run in conjunction with a real network. This type of cyber range sits on top of the real network, servers, and storage solutions. As a result of the proximity to your actual network, you can derive a far higher level of realism from this kind of cyber range.  

Unfortunately, cost considerations can make this kind of cyber range prohibitive to implement, with hardware being the most pronounced cost. Another consideration is that because of how closely these components run with the production infrastructure, there are risks associated with potential network compromises. These environments are generally set up as global testbeds, allowing for more thorough training opportunities.

Overlay range examples

One of the most well-known examples of an overlay range is the Global Environment for Network Innovations (GENI). This project is sponsored by the NSF (National Science Foundation).

Pros of overlay ranges

  • High fidelity and realistic scenarios can be run on this range type
  • Being configured on top of existing environments makes them great analog training tools

Cons of overlay ranges

  • The cost of infrastructure equipment is pricey and can be prohibitive for smaller companies
  • The potential for network compromise exists with this type of cyber range

What are emulation ranges?

Emulation ranges are dedicated networks that have been created to mirror a production network. This is done by mapping pre-existing network, storage and server items onto a physical network infrastructure. This type of cyber range gives learners a closed-network environment in which they can test many different scenarios.

These environments can also connect with additional segments, creating a bigger testing environment. Traffic can be generated and emulated for testing purposes. These include protocol emulation, source patterns, traffic flows, different attacks and internet connectivity. The end result is that you can expect a very realistic testing environment when configured correctly. 

You can expect realistic DNS resolution from the cyber range’s own DNS servers, which redirect URL requests to cyber range assets, giving your learners a realistic feeling when running through the exercise steps. This allows the range to generate traffic for DNS and virtualized internet IP addresses, which is realistic for certain cyber range exercises.
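The DNS redirection described above only keeps an exercise closed if every answer the range's DNS server gives points at a range asset. The following is an added example, not taken from the article or from any range product: it models a small range zone and audits it for records that would send learner traffic outside the range. The hostnames, addresses and range networks are constructed sample values.

```python
import ipaddress

# Constructed sample data: address space assigned to the range (assumption).
RANGE_NETS = [ipaddress.ip_network("10.50.0.0/16"),    # emulated enterprise LAN
              ipaddress.ip_network("198.18.0.0/15")]   # "virtualized internet" block

# Constructed zone for the range's own DNS server. "*." entries are wildcards;
# "." is the catch-all that keeps unknown names inside the range.
ZONE = {
    "mail.corp.example.": "10.50.1.25",
    "*.corp.example.": "10.50.1.10",
    "www.news-site.example.": "198.18.4.20",
    "updates.vendor.example.": "203.0.113.7",  # misconfigured: outside the range
    ".": "198.18.0.1",
}

def resolve(name, zone=ZONE):
    """Answer as the range DNS would: exact match, then the closest
    enclosing wildcard, then the catch-all (None if there is none)."""
    name = name.lower().rstrip(".") + "."
    if name in zone:
        return zone[name]
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in zone:
            return zone[wildcard]
    return zone.get(".")

def in_range(addr, nets=RANGE_NETS):
    """True only if the answer is an address inside the range networks."""
    return addr is not None and any(ipaddress.ip_address(addr) in n for n in nets)

def audit(names, zone=ZONE, nets=RANGE_NETS):
    """Return {name: answer} for every lookup that is not contained.
    A missing answer is flagged too, since an upstream forwarder could
    resolve that name on the real internet."""
    return {n: resolve(n, zone) for n in names if not in_range(resolve(n, zone), nets)}

if __name__ == "__main__":
    exercise_names = ["mail.corp.example", "hr.corp.example",
                      "updates.vendor.example", "random-site.test"]
    for name, addr in audit(exercise_names).items():
        print(f"LEAK: {name} -> {addr}")
```

Running the audit against the list of hostnames used in an exercise before learners start shows which records need to be repointed at range assets.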

Emulation range examples

The National Cyber Range (NCR) is perhaps the best example of an emulation cyber range. This is a DARPA collaboration which seeks to create a scaled model of the internet. This allows for war games and other simulations of cyberattacks to be carried out in a non-destructive way across interconnected environments.

Pros of emulation ranges

  • Emulation of network and internet resources creates very realistic testing grounds
  • Internet targets can also be emulated
  • Realistic traffic generation

Cons of emulation ranges

  • Costs are prohibitive for smaller organizations 
  • Specialized equipment is needed to create realistic environments

What are hybrid ranges?

A hybrid range is a combination of any of the above cyber range types that we have already discussed. You can create vast training resources by utilizing an array of different cyber range types, allowing you to fine-tune your training requirements.

Hybrid range examples

The Virginia Cyber Range is a very well-known example that uses a wide variety of cyber range types. Another example is the European Future Internet Research & Experimentation, which was originally started in 2008. 

Pros of hybrid ranges

  • You can pick and choose the elements that suit your environment the best
  • You can save money by selecting components that meet your budget
  • A customized cyber range allows you to train users exactly how you need them to be trained

Cons of hybrid ranges

  • Maintaining a highly customized cyber range can be challenging
  • Making changes to an existing cyber range can be difficult if it is too uniquely customized


How do I select the best cyber range for my needs?

There are three different aspects to consider: cost, complexity and utility. The cost of the cyber range is an important factor. If you cannot afford to implement the cyber range of your choice, then you will need to compromise and potentially affect the outcomes of your cyber range initiative.

Complexity is often tied to the cost of setting up a cyber range, but that isn’t the only concern. If your cyber range is difficult to configure and maintain, then you will find that your users are not getting the true cyber range experience.

The utility of your cyber range shows how useful and practical it is for your users. If they do not take away any useful insights and lessons from running through a stale or impractical cyber range, then you will not derive the full training value you expect from it.

 

Source 

The Cyber Range: A Guide, NIST-NICE

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.