Don't Get Burned on the New Cyber Range | The Daily Security Brief

Don’t Get Burned on the New Cyber Range

Cyber Ranges aren’t stovetops, they are the future of cyber attack simulation. However, they are pretty expensive. Learn more about how more sweating more in peace means less bleeding during war, and how your company could benefit from simulated cyber attacks.

“Special forces in the military train with live bullets shooting around them, so when and if they’re in the time of battle, they’re not ducking and covering because of these loud banging noises. A cyber range is the same thing — your machine is actually being attacked. It’s no longer theoretical.”

This was said by Rich Baich. He’s talking about the newest tech in banking cyber security, the cyber range. As a former Navy Information Warfare Officer and current CISO of Wells Fargo, he knows about the harsh environments of both human and cyber war. In an interview with American Banker, he revealed the details of this new system. The cyber range is meant to test the limits of the defenses protecting the bank’s systems and infrastructure.

The cyber range is meant to take simulation to the next level. Just like the more realistic training experienced by military special forces, the cyber range uses a more “live-ammo” tactic to train the security division at Wells Fargo. “As financial institutions continue to grow expertise among individuals that have advanced cyberwarfare-like capabilities, those warriors need a place to practice and play and test their skills,” Baich said.

It is a simulator of sorts, but not like other simulations, where outdated tech and outdated hacks don’t prepare your company’s cyber security ninjas (or whatever you like to call them) for the enterprise-grade attacks that can result in bankruptcy and total data loss. Historically, and still today, the most common attack simulations have been paper or desktop-based.

Obviously a cyber range costs a lot more than other simulation/practice techniques, which leaves mid tier and smaller banks without the option, and more vulnerable to attacks. Chris Thompson, who is the head of financial cyber security at Accenture Security firm, said lots of banks can’t afford it the tools they need to protect themselves. “It’s expensive to build a cyber range or to have a sophisticated red team, and the skills needed to build those ranges are scarce,” Thompson said. “The people who run those exercises are demanding high salaries and are hard to get hold of. So there’s a danger the mid-tier banks can get left out.”

How much does a cyber range cost? Recently, IBM built one for their own company, with the ability to not only simulate various types of attacks, but in various environments, such as healthcare, energy, and financial institutions. The total cost was $200 million. IBM does not offer a commercial version of this cyber range at this time, but there are cyber range solutions available from companies like Raytheon, CyberBit, Lockheed, and others.

If $200 million is out of your quarterly budget (seems like Trump is the only one who can afford that sometimes), there are other ways to simulate an attack on your network or system. Red team operations are another simulation option that can really prepare your company for a cyber attack. They do this with the same tactics as special forces, performing an actual attack on your system, using a variety of methods, including hacking, pretexting, spear phishing, and more. The results are discussed with the company, and their security is improved. It also costs a lot less, since a cyber range is basically a full-time staff of red-team experts.

If you have the means to build a cyber range for your company, it could be one of the best internal investments you ever make. If not, but you think your cyber ninjas are ready to take things to the next level, consider services from a red team company, like CoalFire. If you don’t have any cyber ninjas, check out Fibernet’s Managed Services, where qualified professionals are available 24/7 to proactively manage and protect your data.