Recently I received a most interesting link from a friend, about a tiny city that was actually a perfect working model of a real-life city built by the SANS Institute. It had real banking networks, power grid networks, public transit systems, a hospital, a military complex, you name it. It’s a fully decked out city in miniature. And the beauty of this miniature city is that it was made to develop and train your hacking skills. I know many people who would start drooling at the opportunity to test their skills on such a wide range of systems and not go to jail for it, me included. “Cyber Ranges,” as these networks are now often referred to, are fun and extremely useful in developing real-world skills without disappearing behind bars. It’s not even a new idea; various militaries have been doing it for a while now.
Last year I purchased myself some lab time at Offensive Security, the group that releases the Backtrack Linux distribution, in an effort to stay somewhat connected to the technical side of things. I had such a wonderful time rummaging around on that little network, trying to root every system on it. But I also quickly discovered the downside: it’s not cheap. Lab time is purchased, usually per month, and its not hard to accumulate a $1000 bill. While this is perfectly affordable for working professionals, and absolutely worth the money, it is just too expensive for the generation of cyber defenders that we should be educating right now.
Through this article I would like to make the case for governments to set up such labs and open them up to the public. In a government-funded, well-registered and monitored learning environment for hacking, we can not only teach our young those skills that are becoming more valuable by the day, but we can also keep an eye on who is excelling at picking up these skills. How better to determine true skill than to watch them work? Wouldn’t you want to offer them a job on your security team if you’ve seen him burn through a whole network? An added bonus is that we would be able to watch how they attack systems, just like in honeynets. This is a great way for defenders to pick up valuable knowledge on how to secure their systems against actual attackers. Seeing as how hacking is a bit of an ego game, you could easily turn it into a competition by attaching scores to successfully obtaining Administrator-level access on each system.
Having a national cyber lab that is freely accessible to every hacking enthusiast in the country would be a great investment for any government. Setting it up would be a breeze and the return on investment would be nothing short of massive. Plus it sends out a strong national message that you are serious about cyber security as a nation. Is it still too expensive? Get sponsoring from security companies. I bet they would love the opportunity to get in there for some recruiting, and we would all benefit from the concept, directly or indirectly.
About the Author: Don Eijndhoven writes articles on the state of Cyber Warfare and related topics, and can often be found speaking at various conferences. His articles have been published in places such as InfosecIsland.com, ICTTF.org, ITGRCForum.com, PenTest Magazine, PvIB Magazine and a variety of other magazines and websites. Don is an independent security researcher and entrepreneur and the founder of the Dutch Cyber Warfare Community, a platform for all people working in the Cyber Warfare industry in the Netherlands, and a founding board member of the Netherlands Cyber Doctrine Institute (NCDI). The NCDI is a foundation that aims to assist the Dutch Ministry of Defence with writing proper cyber doctrine. He is also the CEO of Argent Consulting, a Dutch firm that offers a full range of services in all areas of Cyber. He holds a Bachelor in Computer Science and is currently working on his MBA at Nyenrode Business University.
Editor’s Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article’s content or messaging.