
In our previous blog post, we looked at the most important constraints related to computer network defense training. These constraints were mainly related to four criteria: difficulty of implementation, cost, risk and realism.

Typically, these criteria present organizations with important dilemmas, which in turn force them to prioritize one criterion over the others, or to settle for a compromise that falls far from an optimal training session.

In this blog post, we will illustrate such dilemmas with three common examples.

Three common dilemmas

  • Efficiency versus Realism
    Network traffic produced in attack scenarios (purposed for training sessions) can be captured and saved as PCAP files. From a training perspective, such files contain a «story» specific to the environment where they were captured, and a blue team can use them again, for example when training new members or reviewing a training exercise. This reusability may not be optimal when multiple organizations cooperate and exchange network traffic in an attempt to conduct more efficient training sessions. Using network traffic produced by external parties removes the creation of new attack scenarios from the equation, which reduces the cost and preparation of a training session. However, it usually translates into less realism, since network traffic produced in external networks will not match the organization’s environment.

    An ideal situation would allow organizations to cooperate, exchange network traffic and customize it to their needs. This would reduce costs and difficulty of implementation while increasing network traffic reusability and realism.

  • Risk versus Realism
    In order to train computer network defense analysts and reach an advanced skill level, it is essential to create realistic attack scenarios that can generate relevant network traffic. In many cases, real pieces of malware are used in such scenarios, so computer network defense analysts can train with real indicators. However, this practice comes with an inherent risk. On one hand, an attempt to reduce risk usually results in less realistic training sessions (e.g. not training in production environments). On the other hand, realistic scenarios tend to elevate risk. An optimal scenario should allow organizations to train in safe conditions, while keeping a high degree of realism.

  • Risk versus Cost
    Running low-risk training sessions tends to increase costs, because more resources and preparation are required. Assuming a training session is going to be conducted in a production network, organizations will typically try to reduce risk as much as possible. Two common scenarios represent the dilemma. On one hand, if real malware samples are used, reverse engineering or other research against the sample should be conducted. This provides the organization with clear guidelines on how to work with the sample and what to expect if something goes wrong. Reverse engineering requires extra preparation time and knowledge, which usually translates into higher costs. If the organization does not want to spend that amount of resources, it should be prepared to accept a higher risk during the training session.

    On the other hand, organizations could use specialized commercial software for malware simulation and/or an external Red Team. While this alternative tends to be a safe approach, it rapidly increases the costs of the training session. Companies with significant resources and mature security programs are usually the ones who can benefit from this approach, rather than organizations with tighter constraints.
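The «Efficiency versus Realism» dilemma above hinges on being able to take a PCAP recorded in someone else's network and make it look like it was captured in your own. The following is an added example, not code from this blog post or from the BT3 project, showing the smallest version of that customization: it parses a classic pcap file, moves every IPv4 address that falls in the original organization's subnet to the same host offset in the receiving organization's subnet, and repairs the IPv4 header checksum and the TCP/UDP checksum (whose pseudo-header also covers the addresses), so that the replayed traffic does not trip «bad checksum» logic in the analysts' IDS. The sample frames, the subnets 10.0.0.0/24 and 192.168.50.0/24, and the assumption of a little-endian classic pcap with Ethernet link type are all constructed for the example.

```python
import struct
import ipaddress

# Added example (not BT3 code): remap the IPv4 addresses in a shared PCAP into the
# receiving organization's own address space and repair the affected checksums.
# Assumptions: little-endian classic pcap (magic 0xA1B2C3D4), Ethernet link type.

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def _fold(s: int) -> int:
    """Fold a running sum into a 16-bit one's-complement value."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071). With the checksum field zeroed it yields the checksum;
    over data that already carries a valid checksum it yields 0, which is the verification."""
    if len(data) % 2:
        data += b"\x00"
    return (~_fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))) & 0xFFFF


def adjust_checksum(old_ck: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """Incremental update (RFC 1624): HC' = ~(~HC + ~m + m') for every changed 16-bit word."""
    s = (~old_ck) & 0xFFFF
    old_w = struct.unpack("!%dH" % (len(old_bytes) // 2), old_bytes)
    new_w = struct.unpack("!%dH" % (len(new_bytes) // 2), new_bytes)
    for m, m_new in zip(old_w, new_w):
        s += ((~m) & 0xFFFF) + m_new
    return (~_fold(s)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP checksums cover in addition to the segment."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def build_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + UDP, with valid checksums."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp_ck = rfc1071_checksum(pseudo_header(s, d, 17, len(udp)) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_ck) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, s, d)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth + ip + udp


def build_pcap(frames) -> bytes:
    """Constructed sample PCAP: 24-byte global header, then one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out


def iter_records(data: bytes):
    """Yield (record_header, frame) pairs; reject anything but little-endian Ethernet pcap."""
    magic, = struct.unpack("<I", data[:4])
    linktype, = struct.unpack("<I", data[20:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % pos)
        yield data[pos:pos + 16], frame
        pos += 16 + incl_len


def rewrite_frame(frame: bytes, old_net, new_net) -> bytes:
    """Move src/dst addresses inside old_net to the same host offset in new_net."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return frame                      # ARP, IPv6 etc. are copied untouched
    f = bytearray(frame)
    ihl = (f[14] & 0x0F) * 4
    if ihl < 20 or len(f) < 14 + ihl:
        return frame                      # malformed header: leave it for the analyst to see
    proto = f[23]
    old_addrs = bytes(f[26:34])           # addresses sit at fixed offsets even with IP options
    for off in (26, 30):
        addr = ipaddress.IPv4Address(bytes(f[off:off + 4]))
        if addr in old_net:
            host = int(addr) - int(old_net.network_address)
            f[off:off + 4] = ipaddress.IPv4Address(int(new_net.network_address) + host).packed
    new_addrs = bytes(f[26:34])
    if new_addrs == old_addrs:
        return frame
    f[24:26] = b"\x00\x00"
    f[24:26] = struct.pack("!H", rfc1071_checksum(bytes(f[14:14 + ihl])))
    # The TCP/UDP checksum covers a pseudo-header with both addresses, so it moves too.
    t = 14 + ihl
    ck_off = {6: t + 16, 17: t + 6}.get(proto)
    if ck_off is not None and len(f) >= ck_off + 2:
        old_ck = struct.unpack("!H", f[ck_off:ck_off + 2])[0]
        if not (proto == 17 and old_ck == 0):          # UDP checksum 0 means "none"
            new_ck = adjust_checksum(old_ck, old_addrs, new_addrs) or (0xFFFF if proto == 17 else 0)
            f[ck_off:ck_off + 2] = struct.pack("!H", new_ck)
    return bytes(f)


def remap_pcap(data: bytes, old_cidr: str, new_cidr: str) -> bytes:
    """Return a new pcap with old_cidr hosts renumbered into new_cidr, record headers unchanged."""
    old_net, new_net = ipaddress.ip_network(old_cidr), ipaddress.ip_network(new_cidr)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("source and target networks must have the same prefix length")
    out = bytearray(data[:24])
    for hdr, frame in iter_records(data):
        out += hdr + rewrite_frame(frame, old_net, new_net)
    return bytes(out)
```

Addresses outside the source subnet (an external DNS resolver, a C2 address the exercise is about) are deliberately left alone, since those are the indicators the blue team is meant to recognize; only the «local» side of the story is renumbered. A production-grade tool would also handle pcapng, VLAN tags, fragmented IP and the addresses embedded in ARP and ICMP payloads, none of which this example attempts.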

Blue Team Training Toolkit (BT3)

Blue Team Training Toolkit (BT3) is an attempt to introduce improvements in current computer network defense training. Based on adversary replication techniques, and with reusability in mind, BT3 allows individuals and organizations to create realistic computer attack scenarios while reducing infrastructure costs, implementation time and risk.

In addition, BT3 could assist red teams during specific scenarios that may occur during the course of a security engagement.

Download the Blue Team Training Toolkit and check out our BT3 video series. Let us know what you think!