CAMBRIDGE -- Government agencies, law enforcement, security experts, and businesses joined IBM Security as they opened the industry's first commercial Cyber Range at their new global headquarters in Cambridge, Mass., today.
The range is a live operational environment where they kicked off a simulation, a fictional Fortune 500 company is running in real time. The goal for those who visit the lab is for them to engage in an experience that feels as real as possible, said Caleb Barlow, vice president of strategy at IBM Security.
With a petabyte of storage space, they are able to use real weaponized malware and cyber attacks in the air-gapped cyber range. Joe Provost, threat simulation and modeling, IBM Security, said, "Participants immerse themselves in a training scenario or a series of scenarios using all the same malware from enemies or adversaries to prepare them for crisis state."
They use the real IP addresses, simulated in real IP space so that the malware is unaware that it's in a virtual environment and will act the same as it would in a real environment.
"We can simulate anywhere from a couple dozen to a couple thousand to add complexity to scale," Provost said.
The cyber range exercise is about the holistic security strategies of an organization. "How are you going to address your clients, employees, the press?" Provost asked. To that end, the range also includes a live broadcast space where participants are peppered with questions from the media.
Subject matter experts coach the organization from a legal or technical response, empowering companies to determine how their breach story will end.
Spread out over two floors, the cyber range also has specialized networking connections to air-gap so that they can safely bring customers onto the dark web.
"Response is a big part of security, but it's often a forgotten part," said Marc van Zadelhoff, general manager at IBM Security,. "There's a lot of technology to detect or prevent a breach, but what is often forgotten about is the response part. When the 'boom' event happens, how do you deal with that?"
The 'boom' terminology, borrowed from the US Air Force lingo, delineates where most organizations tend to focus their time, efforts, and resources.
Currently, IBM's intention is not to charge organizations for the opportunity to participate in these exercises. "We view it as an asset for the region," Barlow said.
"I want this to be about showing and experiencing. Our goal is that they don't have to use QRadar. The goal is to give them the experience to see how tooling actually makes a difference," said Barlow.
To date, the military, the FBI, and even a group of 10-year-old girls on a field trip have had the chance to sit through a simulation exercise. The hope is that the range not only becomes an asset to the region but an opportunity to train and teach.
"The focus today is left of the boom, we need to focus on the right of the boom. To control the story," Barlow said.
IBM Security will spend the next several weeks working its way through the waiting lists of guests who are willing to help them work through the kinks before they officially open their doors to all as of Jan. 1, 2017.
Until then, they will continue building what is not a single scenario with the hopes of having at least 12 scripts a year from now. "This is a stage. Right now we have one play, but we want to have a dozen plays on the stage," Barlow said.
The ideal scenario, Barlow said, "Is that people start to realize that there is an opportunity to do something different as a team. When you go to a board-level conversation, cyber is the one subject that nobody on the board has any expertise in."
Sharing information
It seems like everyone is catching on to the ideas of both practicing and sharing information. "When it comes to critical infrastructure," said Lucy Ziobro, FBI Cyber Division Section chief, "it falls on the federal government to work with the private sector, and at the backbone of that are their cyber systems."
In the past few years, Ziobro said, "We have briefed 440 healthcare providers, 1,300 participants from financial sectors, and over 5,000 corporations across the country on ransomware."
Sharing the indicators of compromise through public service announcements and liaison alerts are some of the ways to get information out there, which helps to strengthen the experience of learning in a simulated environment.
Toward that end, the FBI has also started a CISO academy at Quantico, where, Ziobro said, "We basically lift the skirt and show them what we're all about."
At the CISO academy and other summits hosted by the FBI, organizations learn both the benefits and risks of dealing with law enforcement, addressing the concerns of those who worry about exposing themselves as victims.
The benefits of sharing information, though, far surpass the potential embarrassment of being a victim. Former director of the National Counterterrorism Center (NCTC), Matt Olsen said that the value of being prepared was a lesson they learned after 9/11.
"There are lessons we can learn from the hard learned lessons obtained from 9/11. We can apply them to the cyber site. It's a team effort. The team involves the private sector. Ninety-eight percent of our critical infrastructure is in the private sector hands," Olsen said.
Three lessons in particular, said Olsen, "We have to learn to share information within, from company to company and from the private sector to the government. We need more experts, and we need to increase our defenses."
Because offense wins in cyber, they have an advantage. "We know companies are going to get hacked, so ultimately, we need to be in a position to respond," he said.
To get better at incident response at every level, organizations need to do more exercises and training. "We need procedures and systems--not only that respond--but allow for a precise, coordinated, and agile response," said Olsen.