SimSpace Cyber Range
Slide 1: SimSpace Cyber Range
SIMSPACE CORPORATION, Boston (HQ), 51 Melcher St., Boston, MA 02210, www.simspace.com

Slide 2: THE SIMSPACE CYBER RANGE
Make complex and laborious network environments simple to create, and provide accessible, affordable and sophisticated solutions to meet your cybersecurity research, development, testing and training needs.

Slide 3: Required Elements for Network Cloning
• Network discovery
• Network security
• Users
• Unique business systems
• Applications

Generic Financial Institution Network Diagram (hosts, addresses and operating systems as labelled on the diagram):

Internet emulation / Range Services (200.200.200.0/24)
  is1 200.200.200.201 CentOS 5; is2 200.200.200.202 CentOS 5; is3 200.200.200.203 CentOS 5; is4 200.200.200.204 CentOS 5
  inet-dc 200.200.200.10 Windows 2008 R2; inet-exch 200.200.200.11 Windows 2008 R2
  Internet Clients: DHCP 200.200.200.0/24, Windows 7, count 15 (inet-00, inet-01, ...)
  Inet-client-rtr (AS 218); range service hosts Control-dhcp and LARIAT92

Routing and edge
  ISP-1 (AS 219), ISP-2 (AS 220), Fin-Edge-1 and Fin-Edge-2 (AS 400), Techco-FW (AS 221), fin-FW, branch-fw (NAT)
  core1, core-2, core3: OSPF area 0 on 210.40.10.0/29 (addresses .1 to .6)
  Transit links: 200.200.15.0/30, 200.200.115.0/30, 200.200.215.0/30, 210.40.1.0/30 (fin-FW 210.40.1.1), 210.40.50.0/30; branch edge 210.30.10.0/29 (.1 to .4)
  Techco GRE tunnel: source 9.10.11.254, destination 200.200.15.2, tunnel network 210.40.52.0/24
  IPsec tunnel at the branch site

3rd Party: Techco Inc. (9.10.11.0/24; Techco-FW interfaces 9.10.11.1/24 and 9.10.11.2/24)
  techco-fs 9.10.11.101 Windows 2008 R2; techco-dc 9.10.11.102 Windows 2008 R2; techco-exch 9.10.11.103 Windows 2008 R2
  Techco Clients: DHCP 9.10.11.0/24, Windows 7, count 15 (techco-00, techco-01, ...)
  Techco Management: Windows XP (techco-mgmt1 210.40.52.10, techco-mgmt2 210.40.52.11)

Branch / Brokerage (clients on 192.168.100.0/24 behind branch-fw NAT 192.168.100.1; site network 210.30.70.0/24, gateway 210.30.70.1)
  br1-branch-srv 210.30.70.200 Windows 2008 R2
  Clients: DHCP 192.168.100.0/24, Windows 7, count 35: br1-teller-01, br1-teller-02, br1-teller-03, br1-open-sale-01, br1-open-sale-02, br1-open-sale-03, br1-hloan-01, br1-hloan-02, br1-broker-01
  Peripherals: ATM-01, ATM-02, MICR-prtr, main-prtr, receipt-prtr, check-rdr

Public DMZ (static 210.40.50.0/24, gateway 210.40.50.1)
  corp-web-01 210.40.50.101 CentOS 6
  exch-edge-01 210.40.50.111 Windows 2008 R2
  proxy-01 210.40.50.121 CentOS 6
  wsus-01 210.40.50.131 Windows 2008 R2
  svcs-01 210.40.50.141 CentOS 6 (SSH/SCP)
  svcs-02 210.40.50.142 CentOS 5.5 (NTP/FTP/Telnet)
  ext-scanner 210.40.50.143 OpenVAS 7

Financial Line DMZ (static 210.40.51.0/24, gateway 210.40.51.1)
  branch-web-01 210.40.51.101, branch-web-02 210.40.51.102, branch-web-03 210.40.51.103: Windows 2008 R2
  hloan-svr-01 210.40.51.111 CentOS 6; hloan-svr-02 210.40.51.112 CentOS 6; hloan-svr-03 210.40.51.113 CentOS 5.5

Techco DMZ (static 210.40.52.0/24, gateway 210.40.52.1)
  techco-web-01 210.40.52.101 CentOS 6; techco-web-02 210.40.52.111 CentOS 6

Financial Line Services Network (static 210.40.70.0/24, gateway 210.40.70.1)
  branch-app-01 210.40.70.101, branch-app-02 210.40.70.102, branch-sql-01 210.40.70.110: Windows 2008 R2
  hloan-sql-01 210.40.70.120 CentOS 6; broker-sql-01 210.40.70.130 CentOS 5

Datacenter1 (static 210.40.80.0/24, gateway 210.40.80.1)
  mn-dc-01 210.40.80.11 Windows 2008 R2; mn-file-01 210.40.80.21 Windows 2003 R2; mn-msmq-01 210.40.80.31 Windows 2003 R2; mn-av-01 210.40.80.41 Windows 2008 R2
  mn-rh-linux-01 210.40.80.51 CentOS 5.5; mn-rh-linux-02 210.40.80.52 CentOS 5.5
  mn-exch-01 210.40.80.61 Windows 2008 R2; mn-Splunk-01 210.40.80.72 CentOS 6; mn-ELK-01 210.40.80.73 CentOS 6; mn-shrpnt-01 210.40.80.81 Windows 2008 R2
  bank-host 210.40.80.100 IBM AS/400

Datacenter2 (static 210.40.90.0/24, gateway 210.40.90.1)
  mn-dc-02 210.40.90.11 Windows 2003 R2; mn-file-02 210.40.90.21 Windows 2008 R2; mn-msmq-02 210.40.90.31 Windows 2003 R2
  mn-ubuntu-linux 210.40.90.51 Ubuntu 12.04; mn-ubuntu-linux 210.40.90.52 Ubuntu 14.04
  mn-exch-02 210.40.90.61 Windows 2008 R2; mn-openvas-02 210.40.90.71 OpenVAS 7; ln-Splunk-02 210.40.90.72 CentOS 6; ln-ELK-02 210.40.90.73 CentOS 6
  mn-dhcp 210.40.90.73 Windows 2008 R2 (drawn with the same address as ln-ELK-02); mn-shrpnt-02 210.40.90.81 Windows 2008 R2
  trans-host 210.40.90.100 IBM AS/400

IT Department (DHCP 210.40.100.0/24, gateway 210.40.100.1; Windows 2008 R2, Kali Linux 2 and Rucksack, count 10 each)
  grr-it 210.40.100.200 (static); netwitness-it 210.40.100.201 (static)
  ids-it-2 210.40.100.203 Security Onion; ids-it-1 210.40.100.204 Security Onion; netflow-it 210.40.100.205 CentOS 6
  kali-it-01 Kali Linux 2; rucksack-it-01 Rucksack; win-it-01 Windows 2008 R2

Administrative Business Function: DHCP 210.40.60.0/24, gateway 210.40.60.1, Windows 7, count 35
Financial Line Business Network: DHCP 210.40.61.0/24, gateway 210.40.61.1, Windows 7, count 35
Further labelled hosts: mn-teller-01, mn-teller-02, mn-open-sale-01, mn-open-sale-02, mn-hloan-01, mn-hloan-02, mn-broker-01, wkstn-01 to wkstn-06, main-bus-prtr, main-fin-prtr, mn-MICR-prtr, receipt-prtr, check-rdr

Many components must be installed and configured like the real network; fully automated build process.

Slide 4: Cyber Range Hosting
Cloud-Based
• Range-as-a-service
• Hosted in public cloud (AWS, Google)
• Isolated environment
• Nearly unlimited capacity
• Rapid updates
SimSpace Hosted
• Range-as-a-service
• Hosted at SimSpace datacenter
• Isolated environment
• Increased data assurances
• Rapid updates
• Inclusion of physical devices
Enterprise
• Hosted on-premises
• Tied into existing infrastructure
• Controlled access, data and results
• Integrate with physical devices
• Integrate with internal systems

Slide 5: Cloud Components & Security
Cyber Range layer
• User access policies & management
• Network access policies
• …
• Centrally manage users, access policies, networks, test/training results and security controls
• DHCP, DNS
Nested virtualization engine (HVX)
• High-performance nested virtualization and overlay network
• Secure capsule: isolated, self-contained environments that prevent leakage into the cloud
• Software-defined networking
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Availability Zones, Regions, Edge Locations

Slide 6: Catalog: Preconfigured Networks
• Mini-network: 15 hosts, difficulty -; Internet emulation; mini network enclave
• Generic Small: 40 hosts, difficulty -; Internet emulation; 1 simple network; Red Team hosts
• Generic Medium: 80 hosts, difficulty 0.91; Internet emulation; 4 simple networks; Red Team hosts
• Military: 150 hosts, difficulty 1.26; Internet emulation; island defense; tri-service network; military critical system
• Generic Financial: 280 hosts, difficulty -; Internet emulation; financial business units; core financial services; 3rd Party network
(The Generic Financial Institution Network Diagram from slide 3 is reproduced on this slide.)

Slide 7: RANGE BUILDOUT

Slide 8: Cloud-Based Cyber Range
• Creation of new network blueprints: up to 30 min
• Time to copy a blueprint: less than 1 min
• Number of network blueprints and variations (e.g. A/B testing, individual networks per team): nearly unlimited (AWS S3)
• Time to deploy a range to computing infrastructure: up to 30 min
• Range costs: pay only for range use (execution time), not for infrastructure or number of copies
• No user scheduling or resource allocation concerns

Slide 9: Generic Financial Network Overlay
Segments shown: Internet, Range, 3rd Party, Techco Inc.
• 280 nodes
• 15 span ports
Operating Systems: Windows 2008 R2, Windows 7, CentOS, Ubuntu, Kali
Applications: MS Office, IE, Chrome, Firefox; Active Directory, Exchange; IIS, Apache
Security Tools: Symantec SEP; Splunk, Tanium, Qualys; RSA Netwitness; Security Onion; ELK, GRR
Network Instances: copies for team training; copies for new products (A/B testing)
Overlay segments: Public DMZ, Branch/Brokerage, Financial Line DMZ, ATMs, Data Centers, IT Dept, Financial Line of Business Network, General, Financial Line Services

Slide 10: Enterprise User Emulation
Traffic generation via intelligent host-based agents to accurately emulate enterprise activity.
VIRTUAL USERS
• Unique personas with their own accounts, documents, user behaviors, application biases, social groups and projects
• Interact with real applications on each host (e.g. MS Office, IE, Firefox) like a typical user
• Collaborate with other users to accomplish broader tasks
• Can scale to thousands of users across platform types
• Generate realistic workload on each host and network
• Create means for attackers to exploit clients and hide in enterprise traffic

Slide 11: Attack Tools
Attack tools to simulate sophisticated attacks (APT1, CyberSnake, etc.).
• Run attack scenarios automatically by combining discrete attacker tasks to form a full attack
• Custom malware exercising Blue's ability to identify and contain malware communications and persistence, using all common techniques
• BREACH: attack platform, reports
• OPFOR: opposing force, attacker
• WORMHOLE: 0-day attack surrogates

Slide 12: Assessment Tools
• Network Monitoring & Traffic Generation STATUS: monitor emulated user activity
• MISSION REPLAY: visualize traffic flows; replay attacker actions
• Event TRACKING: coordinate and record actions from Red and Blue
• Mission Impact DISPLAY: business function dependencies on IT assets

Slide 13: Data Collection and Reporting
• Data collected from multiple sources to provide reports, mission impact and scorecards
• Detailed information collected from each emulated user about application and host performance

Slide 14: Example Uses
• R&D: on-demand network environments and tools to develop novel cybersecurity solutions
• TESTING: assess products across a suite of network environments and attack scenarios
• TRAINING: team-based training against sophisticated adversaries in a safe and controlled environment
• ANALYSIS: run the latest malware and attacks for analysis in a safe laboratory environment
• ASSESSMENTS: test your tools, people and processes against a suite of attack scenarios to identify areas for improvement
• EXERCISES: test your organizational preparedness to withstand sophisticated attacks and disruptive events
• COMPLIANCE: for regulated industries, leverage the network clone for compliance stress testing
• SALES & POCs: showcase product capabilities in a realistic and representative enterprise environment

Slide 15: CONTACT US
Boston, MA (HQ), 51 Melcher St.
Boston, MA 02210, www.simspace.com
William Hutchison, CEO: [email protected]
Lee Rossey, CTO: [email protected]
Bart Gray, COO: [email protected]
Sales & Business: [email protected]
General Inquiry: [email protected]
Tech Support: [email protected]

Slide 16: Example Products Used in the Range
Example software that can be deployed:
• Any tool that can run in VMware
• Operating Systems: Windows servers & clients, Ubuntu, Kali
• Applications: MS Office, IE, Chrome, Firefox; Active Directory, Exchange, IIS, Apache, …
• Security Tools: Symantec SEP, McAfee ePO; RSA Netwitness, Tanium, GRR; Splunk, Kibana, Snort, Bro, AlienVault; Cybereason, Carbon Black - Bit9; many others …

Package list (unnumbered slide following slide 16; Chocolatey-style package identifiers as printed):
GoogleChrome, flashplayerplugin, git.install, notepadplusplus.install, javaruntime, 7zip.install, adobereader, vlc, dotnet4.5, vcredist2010, winpcap, wamp-server, atom, nodejs.install, ccleaner, sysinternals, filezilla, vim, putty.install, libreoffice, mysql.workbench, paint.net, svn, hg, curl, pdfcreator, wget, calibre, wireshark, gimp, sourcetree, dotnet3.5, python2, cdburnerxp, baretail, foxitreader, firefox, 0ad, microsoftsecurityessentials, audacity, defraggler, steam, speccy, tor-browser, 1password, jdk7, nmap, pidgin, googleearth, emacs, cpu-z, innosetup, powergui, ffmpeg, eclipse, make, sudo, awscli, autoit, openoffice, logparser, directorymonitor, popcorntime, spybot, ie11, mobaxterm, openvpn, redis, autoruns, vmwareplayer, aimp, packer, cyberduck.install, intellijidea-community, bginfo, filezilla.server, bleachbit, xbmc, nscp, vmwarevsphereclient, hxd, sharex, btsync, cygwin, malwarebytes, nant, console2, chromium, windirstat, Tortoisesvn, blender, jenkins, nxlog, lastpass, combofix, ultravnc, r.Project, golang, openssl.light, poweriso, clamwin, pycharmcommunity, webstorm, logmein.client, httrack.app, Jrt, keepass.install, silverlight, rsat, sqlite
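The Generic Financial Institution diagram in this deck is the kind of blueprint the network-cloning slide says must be "installed and configured like the real network". Before such a blueprint is cloned, a practitioner would sanity-check the inventory it was built from. The Python below is an added example, not SimSpace code and not part of the deck: it takes a subset of the diagram's static hosts (transcribed from the page), checks that each address falls inside its labelled segment, flags addresses that the diagram assigns to more than one host (mn-dhcp and ln-ELK-02 are both printed at 210.40.90.73), and flags operating systems and services that a cloning policy would usually call out. The EOL_OS and CLEARTEXT_SERVICES policy sets, the `check_blueprint` and `severity_counts` names and the findings format are this example's own assumptions, not anything the deck specifies.

```python
"""Blueprint sanity checks for a cyber-range network inventory.

Added example; not SimSpace code. HOSTS is a subset of the static hosts
transcribed from the Generic Financial Institution diagram on the page.
EOL_OS and CLEARTEXT_SERVICES are this example's assumed policy.
"""
import ipaddress
from collections import Counter, defaultdict

# Segment label -> prefix, as printed on the diagram.
SEGMENTS = {
    "Public DMZ": "210.40.50.0/24",
    "Financial Line DMZ": "210.40.51.0/24",
    "Techco DMZ": "210.40.52.0/24",
    "Financial Line Services": "210.40.70.0/24",
    "Datacenter1": "210.40.80.0/24",
    "Datacenter2": "210.40.90.0/24",
    "IT Department": "210.40.100.0/24",
}

# (hostname, address, OS, segment, advertised services) as transcribed.
HOSTS = [
    ("corp-web-01", "210.40.50.101", "CentOS 6", "Public DMZ", ()),
    ("exch-edge-01", "210.40.50.111", "Windows 2008 R2", "Public DMZ", ()),
    ("svcs-01", "210.40.50.141", "CentOS 6", "Public DMZ", ("SSH", "SCP")),
    ("svcs-02", "210.40.50.142", "CentOS 5.5", "Public DMZ", ("NTP", "FTP", "Telnet")),
    ("ext-scanner", "210.40.50.143", "OpenVAS 7", "Public DMZ", ()),
    ("hloan-svr-03", "210.40.51.113", "CentOS 5.5", "Financial Line DMZ", ()),
    ("techco-mgmt1", "210.40.52.10", "Windows XP", "Techco DMZ", ()),
    ("broker-sql-01", "210.40.70.130", "CentOS 5", "Financial Line Services", ()),
    ("mn-file-01", "210.40.80.21", "Windows 2003 R2", "Datacenter1", ()),
    ("bank-host", "210.40.80.100", "IBM AS400", "Datacenter1", ()),
    ("mn-dhcp", "210.40.90.73", "Windows 2008 R2", "Datacenter2", ()),
    ("ln-ELK-02", "210.40.90.73", "CentOS 6", "Datacenter2", ()),
    ("ids-it-1", "210.40.100.204", "Security Onion", "IT Department", ()),
]

# Assumed policy (not from the deck): OS labels treated as end-of-life and
# services that carry credentials in cleartext.
EOL_OS = {"Windows XP", "Windows 2003 R2", "CentOS 5", "CentOS 5.5"}
CLEARTEXT_SERVICES = {"FTP", "Telnet"}


def check_blueprint(hosts=HOSTS, segments=SEGMENTS):
    """Return findings as (severity, host, message) tuples.

    error:   address outside its labelled segment, unknown segment, or an
             address assigned to more than one host
    warning: end-of-life OS or a cleartext service exposed on the host
    """
    nets = {name: ipaddress.ip_network(prefix) for name, prefix in segments.items()}
    owners = defaultdict(list)  # address -> hostnames claiming it
    findings = []

    for name, ip, os_name, segment, services in hosts:
        addr = ipaddress.ip_address(ip)
        owners[addr].append(name)

        net = nets.get(segment)
        if net is None:
            findings.append(("error", name, f"unknown segment {segment!r}"))
        elif addr not in net:
            findings.append(("error", name, f"{ip} lies outside {segment} ({net})"))

        if os_name in EOL_OS:
            findings.append(("warning", name, f"end-of-life OS {os_name}"))

        for svc in services:
            if svc in CLEARTEXT_SERVICES:
                findings.append(("warning", name, f"cleartext service {svc} exposed"))

    # Duplicate addresses break the clone and make flow/IDS data ambiguous.
    for addr, names in owners.items():
        if len(names) > 1:
            findings.append(("error", "/".join(sorted(names)),
                             f"address {addr} assigned to more than one host"))

    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. {'warning': 7, 'error': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    results = check_blueprint()
    for sev, host, msg in results:
        print(f"{sev:8}{host:22}{msg}")
    print(severity_counts(results))
```

Run against the transcribed subset, the checker reports one error (the shared 210.40.90.73) and seven warnings (Windows XP, Windows 2003 R2 and CentOS 5/5.5 hosts, plus FTP and Telnet on svcs-02). Whether those are defects or deliberate features of a training range is a policy decision; the point of the check is that the blueprint states them explicitly before the build is automated.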