This is how KPN deploys Cyber Ranges to make IT systems more secure

A Cyber Range is a controlled, interactive technological environment where users can learn and test how to detect and mitigate cyber-attacks using the same equipment they encounter at work. Cyber Ranges can simulate IT systems without burdening existing networks, and in doing so build up technical knowledge of how to respond to attacks.

KPN helps companies and uses this method of testing for its own IT infrastructure. What are the advantages of a Cyber Range and what are the aspects and specialists involved in such an approach?


As the threat of cyber-attacks grows, it becomes increasingly difficult for companies and governments to protect themselves adequately. Good staff are in demand, and personnel who are not poached by other employers must be constantly trained and kept up to date with current developments. This requires testing and simulating companies' existing or future systems under various intrusion scenarios. Cyber Ranges offer a solution here. Cloud computing plays a key role in this, because it makes it possible to create the virtual infrastructures on which Cyber Ranges are built. However, setting up and managing Cyber Ranges is a costly and time-consuming affair. KPN offers companies and organizations support in this area: it uses Cyber Ranges to test its own internal infrastructure, but also deploys them for companies and governments that come to it with a wide variety of questions.

For Mark and Maresa, respectively Team Leader Ethical Hacking and Security Researcher at KPN, cyber-attacks are daily business. As an ethical hacker and member of the KPN RED team, Mark mainly tests the internal systems for vulnerabilities, while Maresa does a lot of research and handles external customer questions as well as she can. ‘KPN is embedded in society in many ways because our network is related to many different services that are used by “BV NL”. You could say that in terms of cyber security KPN has a very high degree of maturity, which enables us to focus on exceptions in the critical infrastructure of the Netherlands. If we see irregularities, we report them immediately’, says Maresa. ‘If, for example, during an investigation we come across a vulnerability of a large health insurance company, even if they are not our customers at the time, we will of course always report it.’

Internal and external testing increasingly takes place in a Cyber Range. KPN has set up a lab for this in Utrecht. In this lab, KPN offers a controlled, interactive technological environment where cyber security specialists, whether in training or not, can learn safely and in complete isolation how to detect and mitigate cyber-attacks with the same equipment they use at work. In this controlled environment, even the most severe attacks on IT infrastructure, networks, software platforms and applications can be carried out. The underlying infrastructure may consist of a network, storage, computers (servers), switches, routers, firewalls and so on. In some cases, it is built using an open-source platform such as OpenStack.

‘It depends on the customer demand’, says Mark. ‘Suppose a company has a new upgrade, they can safely test it to see what the impact is on the current infrastructure. But it can also be a panic test. In that case, you look at how a department of a company reacts in the event of a major attack.’ The technique behind Cyber Ranges is not new. Mark: ‘We have been doing simulations for years and with the expertise that we have built up, we work with and on technologies of the future. For example, we are testing equipment from vendors that will only be on the market in 1.5 years' time.’ Maresa: ‘The way we work now with scenarios that are deployed in the cloud with templates is relatively new. It is faster and more cost-efficient. It allows us to test a lot of different cases.’

Four types of Cyber Ranges 
The American National Institute of Standards and Technology (NIST) distinguishes four types of Cyber Ranges (*). These are Simulation Ranges, Overlay Ranges, Emulation Ranges and Hybrid Ranges:  

- Simulation Ranges run virtually without the need for physical network equipment. Virtual Machines (VMs) are used to mimic the server, network and storage configuration of a specific infrastructure. These VMs are based on standardized templates, which may limit their fidelity in replicating the target infrastructure.
- Overlay Ranges run on top of real networks. They offer a higher level of fidelity than Simulation Ranges but in terms of hardware, the cost is usually higher and there is a risk of degrading the underlying network infrastructure. Overlay Ranges also have limited flexibility, as a small change in configuration can lead to the entire Cyber Range being redefined. 
- Emulation Ranges run on specific network infrastructures, mapping the specific network/server/storage configuration. The physical infrastructure becomes the Cyber Range itself. Emulation Ranges involve traffic generation, with the ability to emulate traffic flows, specific patterns, and attacks. 
- Hybrid Ranges are customized combinations of the above types of Cyber Ranges: they combine the advantages of, for example, the high degree of realism of Overlay Ranges and the flexibility of Emulation Ranges.


Specialist knowledge in-house, for every sector 
Building a Cyber Range requires a great deal of knowledge and skill. It requires a DevOps team that does development and management: technical specialists, network administrators, consultants, content specialists and monitoring specialists. To then test the environment, you need people from a red team, analysts who look at the logs (a security operations center) and administrators to keep the environment running. If necessary, specialists in the field of IoT, web technologies and mobile devices can be deployed, and an incident response department, for example, can be attached. In short, it takes a lot of manpower. ‘It's not as if only ethical hackers are working on a Cyber Range’, says Mark. ‘Each specialist does a small part from his/her area of expertise, and through the cooperation between the areas of expertise a Cyber Range emerges. Just as in a real company, a lot depends on the internal coordination and communication to get the different areas of expertise to work together optimally.’

Cyber Ranges are therefore used in all layers of society. In fact, no company or institution can do without them anymore. Cybersecurity Guide.org (**) provides the following global overview of industries where Cyber Ranges are deployed:

- Defense/Intelligence - The US Air Force, for example, operates the Simulator Training Exercise Network (SIMTEX), also known as the "Black Demon".
- Research/education - Universities use Cyber Ranges for research in a variety of areas. For example, the University of Illinois developed the so-called Real Time Immersive Network Simulation Environment (RINSE) back in 2006. This is mainly used for training. Another example that Cybersecurity Guide mentions is the Information Warfare lab (IWAR) at West Point.
- Industrial/Commercial - Many Cyber Ranges are set up to test commercial products, such as servers, against malicious actors. KPN develops many custom-made Cyber Ranges for companies, including simulators that allow testers to see how systems withstand malware attacks.
- Smart grids - The power grid is a key target for malicious actors. Dedicated Cyber Ranges can simulate the interconnected power grids. They often run on Supervisory Control and Data Acquisition (SCADA) systems that are common in the energy sector.
- Internet of Things (IoT) - The fast-growing IoT is presenting new attack opportunities. Here too, vulnerability testing is becoming increasingly important as more and more devices are connected via wireless communication. 

Mark wants to emphasize that companies will always remain vulnerable, no matter how often and how much you test and how strict your security is, and that many organizations underestimate this. ‘Suppose you work in the media and a malicious person drops an envelope containing a USB stick with, for example, a police logo in your letterbox. Then there is a good chance that you will insert this USB stick into a computer to see what is on it. This is an easy way to plant malware or gain access to a server.’ But it can also be done in other ways, for example by sneaking into a building through a service entrance and physically bypassing a state-of-the-art firewall. A hacker only needs one name and login to paralyze an entire network. Maresa: ‘Nowadays there are NFC chips that are so small that they fit under a fingernail. This makes it possible to clone an access card and write the information to another chip to gain access to a building at a later stage.’

Hacking heavily secured buildings and testing delivery drones 
Maresa and Mark find it important that they can make an impact at KPN. Mark has been working there for 22 years and praises the diversity of the work: ‘Not a single day is the same and we work with cool, modern technologies’. Maresa: ‘If you look at what some companies pay their employees, you might be jealous, but then you can ask yourself: “Am I really making a difference here?” At KPN, I am sure that everything we do affects the lives of Dutch people in a positive way. There are so many opportunities here.’

Mark adds: ‘We have had the opportunity to do various cool projects. From pen testing drones that deliver EpiPens and pizzas, to testing enormous ships. We had the opportunity to work on an app that monitors someone's heart 24 hours a day. In doing so, we looked at whether that medical data was stored securely. If this app proves successful, people will no longer need to go to hospital to have their heart analyzed. KPN has invested in a connected doorbell. We were allowed to break into high-security buildings. And I could go on and on like this for a while. We have a bucket list of cool, out-of-the-box projects and we are ticking them off one by one. That's fantastic, isn't it?’

Sources: 
(*) = https://arxiv.org/pdf/2112.11233.pdf
(**) = https://cybersecurityguide.org/resources/cyber-ranges/
