All aspects of our lives, economic strength, and national infrastructure depend on a stable, safe, and strong cyberspace. We rely on all kinds of networks to communicate and travel, power our homes, run our economy, and provide national services. Yet cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy. Cyber-attacks take many forms and target many domains: computers, internal networks, web networks, SaaS, databases, HLS systems (cameras, video access control), process control systems, industrial machinery and more.
The methodology below briefly presents the training process in the cyber arena.
The Ariel Cyber Innovation Center operates a unique simulator (trainer) based on the technology of Cyberbit, a subsidiary of Elbit Systems, which is associated with the Computer Sciences Department of Ariel University.
The simulator constitutes practical training for cyber teams who deal with cyber warfare and defense, SOC information security experts, and network management and administrators. In hands-on training exercises, participants encounter advanced attack scenarios in a realistic and secure environment, under the guidance of our cyber experts.
In addition to practical expertise, training increases organizational efficiency for resolving incidents, improves self-confidence, and benefits the team’s work. The simulator enables comprehensive training for cyber security at various levels on IT and SCADA networks, and in a variety of operating systems – Windows, Linux and more.
This training is designed to prepare the trainees for complex cyber incidents, thus strengthening and increasing the efficiency of the organization's cyber defense array: they experience situations taken from reality without the risks that would arise in real-life conditions.
***The VPN option in the system
Who is fit for the simulator training?
It is recommended that simulator trainees have a background and experience in one of the following fields or professions:
- The SOC department in an organization, or part of an analysis, incident response or forensics group.
- Operation and support of the organizational IT department systems: system IT, system administrators, engineers and consultants.
- Developer or integrator of software systems/applications in an organization.
- Development of software/communication, for example IT, IS, CCNA.
Why is it worthwhile to train?
The course provides the trainee with a full environment, including a realistic image of the organization's computational environment.
The arena creates real-time scenarios and cyber events and allows the trainee to make decisions and operate all the components and defense programs during the training time, without damage to the company's servers.
The main advantages of simulator-aided guidance:
- Work in a computational environment and network that reflects the full organizational network.
- Experience events in real time, executed by genuine malicious programs (everything is real, including viruses, malware, exploitation of vulnerabilities, break-ins, etc.).
- Work in a variety of operating systems – Windows, Linux, etc.
- Learn and operate a variety of tools in the field – SQL, Wireshark, ArcSight, Check Point firewall, databases, etc.
- Work in a replica of the full organizational environment, including different kinds of servers: FTP, web, Apache, SMTP, DC, IIS, SQL, and more.
- Train teams and individuals to improve and advance their abilities and maximize their professionalism.
- Strengthen communication within the team for coping with high-pressure situations.
- Understand work methodologies, including ethics, decision-making, and escalation.
Course content and scenario
We build special course programs for every client according to the requirements, experience and knowledge of the trainees.
Even so, some primary activities are generally included in the course:
- Scenarios: The trainees will investigate the virtual environment, using the Cyber Trainer System.
- Scenario Debrief: The trainer will have a discussion with the trainees on the solution to the scenario, including analyzing the results of the trainees, adding additional insights, mitigation plans and more.
- Review & Preparation: Review of the previous day and preparation for the next scenario.
- Security Utilities Training: Training and exercising on key investigation tools. This component is dynamic and may be changed based on remaining time and trainee prior knowledge.
Simulator Training Flow:
The Cyber Training Simulator System provides a holistic approach to cyber training. The training flow can be divided into three main steps, all of which are supported by the Training Management System.
1. Training Setup - In this stage the trainer defines the training structure, taking into consideration its goals and the skills of the trainees. The relevant cyber-attack scenarios are selected together with the corresponding IP SCADA network. The selected network is then automatically cloned and allocated to each blue training team.
2. Training Execution - This is the live training phase, in which legitimate traffic is injected into the training network. The selected attack scenarios are also streamed into the network with timing controlled by the trainer, including attempts to inflict damage such as business disruption and loss of confidentiality and information. The blue team trainees are required to take all the actions normally executed in real-world events to detect, respond to and block the attacks. The trainers monitor the session and provide feedback and guidance according to the built-in solution metrics of each attack scenario.
3. Training Review - In this stage the trainer debriefs the trainees (AAR) by reviewing their performance during the training session, analyzing the attack and highlighting specific actions. The training session is concluded with group and individual feedback, a summary of lessons learned and an emphasis on improvement.
Examples of cyber trainer scenarios
IT Training Scenarios
- SQL Injection (Intermediate)
- WMI Worm (Advanced)
- Apache Shutdown (Novice)
- Trojan Data Leakage (Intermediate)
- Java Applet NMS Kill (Intermediate)
- Java Applet Send Mail (Intermediate)
- Killer Trojan (Intermediate-Advanced)
SCADA protocol scenarios (critical infrastructure)
- HMI – Overloading the Plant (Intermediate)
- VPN – Shutting Down the Plant (Intermediate)
- Field 2 Field – Silent Attack (Advanced)
During the course, the trainees will be required to monitor, investigate and mitigate security incidents that occur in real time using real simulator pre-defined scenarios. The course includes both technical and operational aspects of incident investigation. On the technical side, the trainees will learn about tools and techniques used to investigate the network, and will practice the usage of these tools in the virtual environment. On the operational side, the trainees will learn about working as a team, dividing the tasks of monitoring and investigating between the different team members, drawing conclusions from the gathered information and applying mitigation processes.
The participants will be divided into two groups of 5–6 trainees, who train simultaneously (each trainee at his/her own work station), with each group having its own training network which it needs to protect.
During the training, attack scenarios are executed in different versions on the training network according to the mission goals, in competition with the defense actions of the blue teams. The trainees address each event in all its stages, from discovery through response and prevention. A coach accompanies the actions and gives feedback to the trainees.
During the training, the system monitors the trainees' actions, the events and the supporting processes (SIEM, NMS, EPS), and tracks the achievement of the goals and the trainees' point score.
At the conclusion of the training, a coach reviews the critical events and the trainees' responses during the training, and identifies points for improvement.
In addition, the client receives a quantitative and qualitative evaluation of the trainees and follow-up reports for progress.