Cisco Cyber Range - s.itho.me · Cisco Cyber Range Service Packages Cyber Range build on customer...

Paul Qiu Senior Solutions Architect June 2016 Cisco Cyber Range


“What I hear, I forget

What I see, I remember

What I do, I understand”

~ Confucius


Agenda


• Cyber Range Highlights

• Cyber Range Overview & Architecture

• Cyber Range Threat Response Exercise

• Cyber Range Further Investigation


Cyber Range Highlights


Defence Organisations

Government Regulatory authorities

Consulting and Auditing firms

Cyber Emergency Response Teams

Information Security and Surveillance teams

Enterprise NOC/SOC Teams.

Oil and Gas Sectors

Large Service Providers

Partners, distributors, value added resellers, and security system integrators


Workshops all over the world


Cyber Range Overview


Cyber Range Service Delivery Platform

• A Platform for Service Delivery and Learning

• Deeper understanding of leading security methodologies, operations, and procedures

• Empower customers with the architecture and capability to combat modern cyber threats

• Over 100 Attack Cases for 12 Technology Solutions

• 100+ applications simultaneously merged with 200-500 different Malware types

• Virtual environment accessible from any place in the world

PEOPLE PROCESS DATA THINGS


Cisco Cyber Range Service Packages

Cyber Range build on customer premise with updates via subscription

3 or 5 day intensive real life experience, Rent Cyber Range Services Delivery Platform Including test engineer Local Cisco Services Lab

3 or 5 day intensive real life experience reacting to and defending against rudimentary and Complex Cyber Attacks delivery to any location

• Threat Intelligence Report

• Threat modelling for the customer’s network environment and regular consulting on the impact of the latest threats to the customer’s security posture


Cyber Range Capabilities

… can improve cyber defence operational capabilities, by way of:

• Architecture / Design validation

• Incident response playbook creation / validation

• War game exercises

• Hands-on training for individual technologies

• Threat mitigation process verification

• Simulating advanced threats (zero day / APT)


Cyber Range Architecture


Covering The Entire Attack Continuum

Attack Continuum:

• BEFORE: Discover, Enforce, Harden

• DURING: Detect, Block, Defend

• AFTER: Scope, Contain, Remediate

Technologies: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behaviour Analysis

Visibility and Context


Cisco CSIRT Protection Model

Foundation

• Prevent: Firewall, Anti-Virus, Host IPS, Web proxy, Anti-Spam, Network IPS

• Detect: Network IDS, NetFlow anomaly, Advanced Malware, Behavioural anomaly

• Collect: NetFlow, Event logs, Web proxy logs, Web firewall

• Mitigate: IP blackhole, account disablement, scalable load balancer device monitoring

• Analyse: NetFlow analysis, SIEM analysis, Malware analysis


Cyber Range Network Components Overview

Diagram labels: Identity Services Engine; Flow Collector (FC); SMC (StealthWatch Management); Internet; IXIA Breaking Point; Open Source Attack Tools; Inside Host; NetFlow; AVC; TrustSec; Wireless Security; ASA NGFW; Cisco Talos; Web Security Appliance; Email Security Appliance; Cyber Threat Defence; Sourcefire IPS; Splunk; Cisco Prime; FireSIGHT; Data Analytics; N1KV; ASAv; Virtual Security


Cyber Range Network


Meet the Teams

Red Team

• Agenda: Infiltrate networks to steal data and/or cause damage for publicity or gain.

• Skill Set: High

• Location: Everywhere

Blue Team

• Agenda: Monitor and defend attacks against “CyberRangeNetworks” and their clients.

• Skill Set: High

• Location: Security Operations Centre

Green Team

• Agenda: Enhance knowledge of attack and defence strategies. Hopes to one day join the red or blue teams.

• Skill Set: Varied

• Location: This room


Cyber Range Networks’ Biggest Threats?


Cyber Range Threat Response Exercise


Incident Categories by CERT

Each entry gives the category, its title, and its description.

• CAT 0, Exercise / Network Defence Testing: Known vulnerability assessments, audits, Q/C incident tests, table-top exercises, etc.

• CAT 1, Unauthorised Access: Logical or physical access without permission (regardless of awareness) to a network, system, application, data, or other resource from internal to external.

• CAT 2, Denial of Service (DoS): An attack that successfully prevents or impairs the normal authorised functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.

• CAT 3, Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application.

• CAT 4, Improper Usage: Any acceptable-use, lab, minimum host, general insecurity, or other policy violations, unscheduled vulnerability assessments, external vulnerability notification, etc. An employee violates acceptable computing use policies.

• CAT 5, Scans/Probes/Attempted Access: This category includes any activity that seeks to access or identify a company asset, including computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.

• CAT 6, Investigation: Unconfirmed incidents where evidence is inconclusive, or when supporting another team’s investigation. Potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.


Cyber Range Further Investigation


Additional Resources


• Service Overview:

www.GetCyberRange.com

https://www.servicesdiscovery.com/en/article.php?idx=218

• Sales Collateral:

https://cisco.jiveon.com/groups/cisco-cyber-range

• Contact Us:

[email protected]
