Information security training labs are a very important component when it comes to teaching information security or showcasing awesome security software, training your customers to use said software and getting the best out of it. Depending on a few factors (lab complexity and size, user experience etc), online security training labs are delivered either via VPN, or as simple VM boxes over electronic support (USB, CD etc).
To understand what the perfect security training lab should look like, we’ve asked security training managers, information security instructors and CS teachers (who teach network security) two questions:
- What the problems with their security training labs are?
- How would a perfect security training lab look like?
Some of the answers were more product-centered, others were more general, but the ideas and vision are pretty clear.
Problems with actual security training labs:
- Stability i.e. systems that were crashing or becoming unresponsive
- Slow
- Small and uninteresting (not really representative of the actual internet), which makes it boring
- Volatility i.e. a vulnerability might disappear over night due to a change in setup
The perfect Security Training Lab:
Here is what people are looking for in a training lab environment:
- An instance of Kali.
- An instance of Metasploitable2
- An instance or RHEL with common vulns (Vulnerable Apache/Tomcat/Java-RMI)
- A local SMTP mail relay with web-based mail client for social engineering campaigns
- A Windows Domain Controller (W2k8)
- A Windows 2k8 SQL Server with common SQL vulns (for example, blank sa password and MSSQL xp_cmdshell)
- A Windows 7 Client unpatched and with vulnerable apps (Java, Adobe Reader, Flash, Browsers, etc)
- A Windows 8 Client unpatched and with vulnerable apps (Java, Adobe Reader, Flash, Browsers, etc)
In addition to the above, these systems would need to be configured in a way that allows the student to exercise the following functionalities:
- Remote exploits
- Local exploits
- Brute force password attacks
- Credentials domino meta-module
- Pass-the-hash
- Social Engineering campaign (i.e. Setup a campaign, relay a phishing email through the local smtp gateway, log into a client and retrieve the email and get pwned)
Tiered network environment where we can leverage Proxy and VPN pivoting, that would be awesome.This should be representative of real world issues in real world environments.
Another interesting answer on “How your dream training lab would look like?”
- A diversity of operating systems would also be nice. For instance, it would be a “nice to have” to have a vulnerable SPARC Solaris system to be able to demonstrate what a buffer overflow on SPARC looks like.
- There should be a nice number of systems active (let’s say 40 or more), with a diverse set of technologies and vulnerabilities. The reason would be to not have dull vulnerability scan results, but also to be able to teach students on common vulnerabilities.
- Another feature could be a network that is not completely flat, so that mapping out networks can be looked at. And it would also be cool to have hosts that can only be reached/attacked through pivoting via a vulnerable host for example.
- I’ve also been thinking about a lab in which it’s possible to do traffic redirection attacks (eg. ARP spoofing), to enable testing of MITM attacks (eg. RDP MITM).
- Another nice to have would be a system on which a vulnerability is present that makes a service crash when vulnerability scanned or when exploitation is attempted. The service should then restart automatically after a few minutes. This would be nice to show the dangers of scanning/pentesting.
- What would also be nice is that if there’s a vulnerable server to attack during a course, it would be best if every student has his own target to attack, because a system might become unstable after an exploit and if there’s 10 people bashing on the same vulnerability in parallel… so there should be a flexible way to configure a lab instance for a number of people.
- But most of all: it should be stable and reliable. Nothing is worse than to have to give a course and hosts are going down, network is slow, connectivity is lost, etc. …
I know it’s a lot to ask and not all that simple, but you asked what I’m dreaming
Building Next Generation of Information Security Training Labs:
Because of the increasing complexity of the software, internet size (IoE – Internet of Everything) and types of attacks, information security trainings demand new standards over security training labs and the answers above prove that there is a need for better, sophisticated and close to real world security training labs. If you really want to learn and train over information security at a higher level, USB/CD delivery training labs are out of the question nowadays. USB/CD security labs are for entry level security professionals wannabes and there are plenty of free great resources.
Based on our experience at CTF365, there are some very important factors that you have to keep in mind, when designing the next generation of information security training labs whether you’re a software/hardware security vendor, security training company, or any information security organization related:
Availability
- Every student gets his/her own security training lab. This way you’ll avoid system alteration and the student will get what he paid for.
- Redundancy – In case of IP failure or hardware failure.
Diversity
- As many operating systems as possible, with a lot of applications and web applications.
Complexity
- Tiered networks, traffic automation over smtp, ftp services etc. to mimic the real world.
Automation
- Easy and fast deploy (e.g. three clicks and 2-3 minutes), easy to manage (create/delete/restart labs or VMs within the labs in minutes) and full monitoring.
Flexibility
- Different modules for different trainings.
Building such a security training lab takes time, a lot of man-hours, a clear vision over its architecture and most importantly, the willingness to have it done for your customers. Awesome security training labs are important from a marketing and brand recognition point of view as well. You might have a great product that customers want (or “must have”) but if you don’t offer them proper training to use your product at its full capacity it will be a great loss in the long run.
About: CTF365 it’s a top notch Security Training Platform for the IT industry with a focus on Security Professionals, System Administrators and Web Developers that offers five stars services.