Automated red teaming for cyber range-based training

Cyber Ranges Offensive Security

Our corporate information networks and systems are being actively targeted by threat sources on a daily basis. Detecting incidents and responding to them, requires a very specific set of knowledge, skills, and abilities (KSA). Furthermore, our operational network and systems are also the target of attacks, and therefore the operators and the support staff of our command and control systems, weapon platforms, etc., also need to develop the necessary KSA to operate and maintain these systems in a hybrid threat situation.

Developing the cyber-related KSA that are required for each role in the organization, whether it is a cybersecurity related role or not, typically requires hands-on training on a cyber range. In order to develop adequate mental models, the training scenarios that are used must be sufficiently realistic and therefore end up being inevitable complex to implement and execute.

Running a training scenario on a cyber range currently requires cyber experts to play the role of the attackers. These are referred to as the “read team”. Given the limited number of cyber experts that are available, unfortunately this solution does not scale very well.

In view of the fact that the success of our operations on the one hand increasingly depends on our ability to guarantee information assurance, and on the other hand the cyber threat constantly increases, the need for cyber range based trainings for different types of personnel will only increase. That is why we need to be able to run training scenario’s on a cyber range without generating an excessive load on our cyber experts.

The goal of this project is to develop an automated red teaming solution. This will make it possible to organize an ambitious hands-on cyber training program without creating an excessive load and the expert cyber training staff.

Not only will automated red teaming make it possible to organize larger numbers of training sessions but it will also result in repeatable red team performance, which is important for evaluating and possibly certifying skills.

The project will produce a number of deliverables:

• a scenario definition language that makes it possible to define a training scenario in a such way that it can be automatically orchestrated
  • a scenario orchestrator software that executes a scenario in a training environment
  • a report that provides an overview of the state of the art in cyber attack scenario orchestration