Supporting a Layered Approach to Cybersecurity Readiness: An Overview of Cloud Range
Leading industry research firm TAG Cyber published a report commending Cloud Range’s approach to accelerating cyber readiness for leading organizations by leveraging a layered approach to security.
What does a “layered approach” mean for security programs? A layered approach to security learning takes knowledge, skills, and abilities (KSAs) into account in order to increase preparedness and decrease risk. By focusing on enhancing the KSAs of individuals and teams in an organization, security leaders can be confident that their cyber defenders are gaining the practical, hands-on experience needed to protect the organization.
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises.
Read on to learn more about how the KSA model is demonstrated and illustrated in the context of the commercial offering from Cloud Range.
Supporting a Layered Approach to Cybersecurity Readiness: An Overview of Cloud Range
By Ed Amoroso, TAG Cyber
A layered approach to security learning focuses on enhancing and optimizing the knowledge, skills, and abilities of individuals and teams in an organization. The Cloud Range commercial offering is shown to play a key role in establishing cyber readiness for security teams.
INTRODUCTION
The security community broadly agrees that the cyber skills gap must be addressed before enterprise threats can be mitigated sufficiently. The biggest challenges are the breadth of information and the scope of knowledge and experience required to manage cyber risks. Defenders must understand complex technologies related to cloud and mobility, attack campaigns such as ransomware, and modern security tooling such as the SIEM and other platforms used in the SOC.
To maintain a consistent level of cyber readiness, organizations have typically relied on traditional methods such as on-the-job training, classroom learning, and attendance at industry conferences. Vendors also provide training on their proprietary technologies and tools. These methods offer benefits, but the intense challenges associated with maintaining cybersecurity skills prompt a more comprehensive approach: one based on layers of learning and performing.
In this report, we describe a multi-layered approach to cybersecurity readiness, training, and continued professional development. The model, which focuses on knowledge, skills, and abilities (KSA), should be familiar to learning professionals but might be new to security practitioners. The KSA model is demonstrated and illustrated in the context of the commercial offering from cybersecurity company Cloud Range.
LEARNING MODEL
The KSA (Knowledge, Skills, Abilities) model is well-known to many learning professionals and informs the NICE Cybersecurity Workforce Framework (NIST SP 800-181), which NIST and the US Department of Homeland Security promote to advance cybersecurity learning and which describes each work role in terms of its KSAs. All levels in the KSA model are essential to an organization’s readiness for cyber incidents, and all exhibit their own goals, focus areas, and challenges (see Figure 1).
The learning focus in the KSA model travels upward from individuals developing their knowledge through programs of individualized study. Skills are then improved through task-based learning, such as lab exercises, which can be individualized or performed by small groups. At the highest level, groups and teams coordinate in dynamic and immersive learning exercises to enhance their abilities to perform in live engagements.
Some of the primary benefits associated with the implementation of any multi-layered cyber skills development training and readiness program include the following:
Cross-Organizational Training – If done properly, a layered approach to skills development produces cross-organizational benefits. Teams engaged in training will improve their general cooperative skills beyond just dealing with security incidents. They will also learn to apply their individual skills to group situations.
Dynamic Defensive Skills – By exposing team members to multiple layers of cyber skills development, organizations help them develop the ability to deal with many different offensive situations. This helps drive a more dynamic defensive posture, especially if coordination is required across different corporate groups.
Closing the Security Skills Gap – By putting a layered program of cybersecurity skills development in place and by ensuring continuous attention to ongoing training, an organization will help to address the cybersecurity skills gap and improve employee retention, especially on the security team.
Security Operations Center (SOC) team members, as well as Digital Forensics and Incident Response (DFIR) groups, have typically been the most likely participants in dynamic abilities-focused range training, but in the best and most forward-looking organizations live-fire exercising is now expanding to include executive teams.
ENHANCING CYBERSECURITY KNOWLEDGE
At the knowledge level of the KSA model, individuals focus on their own personal development. This is typically done through courses, specialized research, and certifications. When acquired properly, this foundational knowledge will be useful in live situations that require expert insight. Individualized resources support this type of training, and for cybersecurity those resources must reflect current offensive techniques, since knowledge of outdated attacks translates poorly to live defense.
In cybersecurity, most individualized learning involves the use of podcasts, conference attendance, textbook study, courses (including massive open online courses), and other resources. Employees, with assistance from colleagues and managers, usually have little trouble finding resources that are useful, and all learning programs should encourage this type of individual learning process.
ENHANCING CYBERSECURITY SKILLS
At the skills level of the KSA model, learning is extended from knowing what to do to knowing how to perform specific functions. Knowing what to do and knowing how to do it is the difference between knowledge and skills. Good skills enhancement programs include and integrate both types of learning.
Lab Exercises
Typically, commercial lab exercises are linear in nature: there is one correct way to solve a problem, and solving it demonstrates a specific skill or set of related skills. Such drills are not unlike the repetitive practice that professionals in transportation, programming, and other industries rely on to keep their skills current. The image of the determined athlete doing intense calisthenics in the gym comes to mind in this context.
Learning Priority
The learning priority at the skills layer is mastering the mechanics of using specific tools and systems to complete prescribed tasks. This can include attack methods, but it can also include many types of defensive activities such as configuring identity and access management (IAM) and other controls. The emphasis at this layer is on technical controls rather than on group activity, decision-making, and coordinated action, which belong to the abilities layer.
Proficiency Measurement
When skills are being developed at this layer of the model, the best teams engage in measurement processes aligned with a well-defined metric to determine whether skills progress is being made. The result is the beginning of a cybersecurity skills assessment that can be combined with measurements made at the next level (abilities) in the KSA model.
ENHANCING CYBERSECURITY ABILITIES
The top layer of the KSA model focuses on abilities, which will always require that the training include multiple individuals, groups, and teams. In a cybersecurity context, the SOC team represents the most common target of such abilities-based learning and development. This is often done by allowing individuals and teams to be immersed in a simulated attack.
A good team simulation will reflect the operational challenges and decision-making requirements that exist in a real security operations center (SOC) where team members must detect attacks and respond in a coordinated manner. Many organizations are even extending this type of learning to additional groups. This is a good trend, because it helps to bring together all aspects of the KSA model into a proper readiness approach.
Realistic Exercises
Simulated attack exercises to test, improve, and measure team coordination abilities are now widely regarded as an essential component of cyber readiness programs. The exercises, often delivered on a live-fire cyber range, should be developed by experts with sufficient technical knowledge to ensure accurate detail. The focus of the exercises is on applying skills and knowledge to realistic scenarios that demand coordinated response.
SOC Team Readiness
Security operations center (SOC) team members rely on this higher level of readiness training. This generally involves honing a team’s ability to collaborate and coordinate multiple resources, applications, systems, and tools. For example, range training might test response to adversary remote access through VPN, privilege escalation via Active Directory, lateral movement via the enterprise LAN, resource theft through SharePoint, and attack egress across proxy gateways.
Framework Orientation
Performing range exercises on a regular basis, as often as every month, exposes teams to the tactics and techniques catalogued in well-known frameworks such as MITRE ATT&CK. Mapping each exercise to the framework helps teams determine where they can improve defensive processes, communication, and collaboration, and makes gaps in detection coverage visible across exercises. Hyper-realistic live-range training has become the best-known approach to this higher level of abilities development for teams.
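The SOC scenario described above (VPN access, Active Directory privilege escalation, lateral movement, SharePoint collection, egress through a proxy) and the framework orientation described here both come down to the same analyst task: correlating events from several log sources into one attack chain per account and labelling each stage with its ATT&CK technique. The following script, an added example that is not Cloud Range code and not from the original report, does that over a handful of constructed log lines. The key=value log format, the field names, the 4-hour correlation window, the 50 MB egress threshold and the specific technique mapping are all assumptions chosen for illustration; a real range or SIEM would use its own schema and thresholds.

```python
"""Correlate a VPN -> AD -> LAN -> SharePoint -> proxy attack chain across
constructed log lines and tag each observed stage with a MITRE ATT&CK technique.
Added example, not Cloud Range code. Log format, field names, window,
threshold and the technique mapping are illustrative assumptions."""
import re
from datetime import datetime, timedelta

# Each stage: (name, log source, predicate on parsed fields, ATT&CK technique).
# The mapping is one reasonable reading of the scenario, not an authoritative one.
STAGES = [
    ("remote_access", "vpn", lambda f: f.get("result") == "success",
     "T1133 External Remote Services"),
    ("priv_escalation", "ad", lambda f: f.get("event") == "group_add" and f.get("group") == "DomainAdmins",
     "T1078.002 Valid Accounts: Domain Accounts"),
    ("lateral_movement", "smb", lambda f: f.get("share", "").endswith("ADMIN$"),
     "T1021.002 Remote Services: SMB/Windows Admin Shares"),
    ("collection", "sharepoint", lambda f: f.get("action") == "download",
     "T1213.002 Data from Information Repositories: SharePoint"),
    ("exfiltration", "proxy", lambda f: int(f.get("bytes_out", "0")) > 50_000_000,
     "T1567 Exfiltration Over Web Service"),
]

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_line(line):
    """Parse '<ISO timestamp> key=value key=value ...' into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    fields["ts"] = ts
    return fields

def correlate(lines, window=timedelta(hours=4)):
    """Return {user: {"stages": [(stage, technique, ts)], "complete": bool, "dwell": timedelta}}.
    A stage counts only if it follows the previous observed stage in time and
    falls within `window` of the first observed stage for that user."""
    hits = {}  # user -> stage -> earliest matching timestamp
    for line in lines:
        f = parse_line(line)
        if not f or "user" not in f:
            continue  # malformed or no account to pivot on
        for stage, source, match, _ in STAGES:
            if f.get("src") == source and match(f):
                per_user = hits.setdefault(f["user"], {})
                if stage not in per_user or f["ts"] < per_user[stage]:
                    per_user[stage] = f["ts"]

    chains = {}
    for user, stage_ts in hits.items():
        chain, last_ts, start = [], None, None
        for stage, _, _, technique in STAGES:
            ts = stage_ts.get(stage)
            if ts is None:
                continue  # stage not observed; later stages may still be
            if last_ts is not None and ts < last_ts:
                continue  # out of order relative to the chain so far
            if start is None:
                start = ts
            elif ts - start > window:
                continue  # too far from the chain start to be the same campaign
            chain.append((stage, technique, ts))
            last_ts = ts
        chains[user] = {
            "stages": chain,
            "complete": len(chain) == len(STAGES),
            "dwell": (chain[-1][2] - chain[0][2]) if chain else timedelta(0),
        }
    return chains

# Constructed sample logs (not real data): one full chain for jdoe, noise for others.
LOGS = [
    "2024-03-01T08:02:11 src=vpn user=jdoe result=success ip=203.0.113.5",
    "2024-03-01T08:05:40 src=vpn user=asmith result=success ip=198.51.100.7",
    "2024-03-01T08:10:02 src=ad user=jdoe event=group_add group=DomainAdmins target=jdoe",
    "2024-03-01T08:31:19 src=smb user=jdoe share=ADMIN$ host=FS01",
    "2024-03-01T09:04:55 src=sharepoint user=jdoe action=download site=Finance items=412",
    "2024-03-01T09:12:00 src=sharepoint user=bob action=download site=HR items=3",
    "2024-03-01T09:40:33 src=proxy user=jdoe dst=files.example.net bytes_out=734003200",
    "2024-03-01T09:41:00 src=proxy user=asmith dst=www.example.com bytes_out=18200",
    "not a log line",
]

if __name__ == "__main__":
    for user, result in correlate(LOGS).items():
        status = "COMPLETE CHAIN" if result["complete"] else "partial"
        print(f"{user}: {status}, dwell {result['dwell']}")
        for stage, technique, ts in result["stages"]:
            print(f"  {ts.time()}  {stage:<16} {technique}")
```

In the constructed input only jdoe produces a complete five-stage chain (dwell of 1h38m22s from VPN login to egress); asmith and bob each trip a single stage, which is the kind of partial signal an analyst on a range has to triage rather than dismiss. Mapping each stage to a technique is what lets a team compare exercises over time and see which ATT&CK techniques it consistently misses.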
Metrics Goal
An important metrics goal is to determine and manage the cyber readiness maturity of the organization to detect, mitigate, and respond to serious incidents such as a ransomware attack on critical data. Although no generally accepted industry scales exist to establish a meaningful readiness measurement, organizations can certainly work hard to improve their own posture across a program of live simulation training.
Operational Care
Live engagements are most effective when they are realistic, test a variety of possible attack scenarios, and address real issues in the organization. They must also, however, avoid any operational impact to live production systems, so the engagement must be carefully controlled. To that end, a separate training range is typically used: one that is network-isolated from production and seeded with synthetic rather than production data and credentials, so that simulated attacks, and the tools used to launch them, cannot reach real systems.
In the next section, we provide an overview of the Cloud Range platform and associated services. Their commercial offering uses comprehensive lab exercises and simulated campaigns to help groups and teams of individuals learn to work together to improve their individual and combined learning. The offering is well-suited to SOC and DFIR teams, but as described below, can easily extend to additional groups and teams within an organization.
OVERVIEW OF CLOUD RANGE
Headquartered in Nashville, and supporting enterprise customers around the globe, Cloud Range provides cybersecurity teams with prescriptive programs to upskill team members using a customizable realistic range platform that simulates live attacks. The objective is to provide organizations with the ability to train and test the people who have responsibility for each line of cyber defense.
Licensed Tools
The Cloud Range solution uses fully licensed security tools within a full-scale multi-segment enterprise environment. Customer teams can work with Cloud Range to tailor their test engagements to their specific domain (e.g., operational technology). The goal is to advance learning and accelerate experience for individuals, teams, and organizations using systems that are familiar in the local environment.
Hosted Subscription
This is Cloud Range’s unique program for enterprise teams delivered in a tailored, cloud-based environment. Live attack simulations are created either by customers or by Cloud Range so that the team becomes immersed in a realistic offense/defense campaign. Cloud Range offers both hosted subscriptions and self-managed range environments. Figure 3 shows a typical network schematic used in a live engagement.
Live-Fire Team Training
Support from Cloud Range can be tailored to the unique needs of SOC analysts, DFIR teams and other operational teams. The solution benefits from the deep technical skills of the Cloud Range design team to ensure that all simulations are highly realistic. Cloud Range also maintains a robust library of custom-built attack techniques and tactics that align well with popular security models such as MITRE ATT&CK.
Simulation-Based Candidate Assessments
Cloud Range provides a customizable assessment tool that gives hiring managers a practical means of evaluating the individual and group coordination skills of candidates being considered for hire. By exposing candidates to live virtual campaigns, enterprise teams can reduce the risk of hiring someone whose skills do not match the role, with the cost and disruption that entails. It can also help retention by ensuring the right personnel are hired into appropriate positions.
Advanced Tabletop Exercises
Cloud Range’s version of the tabletop exercise introduces live fire simulation, thus enabling stakeholders to understand and respond to an incident in its entirety, even during the indications and warning phase. These exercises can include participants from public relations, legal, human resources, and the CEO office to ensure readiness across all aspects of an incident. Such broad exercises are especially valuable for modern threats such as ransomware.
Operational Technology Training
SCADA and OT simulation solutions are available for teams focused on IT/OT convergence who understand the challenges of such coordination. This can include the design of realistic operational technology systems and the associated tangible machinery and equipment. Companies that operate in OT sectors will benefit from combined and coordinated skills training for the security and operational support teams, which often work in disparate silos.
Red Team/Blue Team and Capture the Flag Exercises
The Cloud Range platform allows for red teams to launch their own attack campaigns against targeted simulated assets. This approach allows for cyber defender trainees to deal with attacks that come with the domain knowledge of their peer test groups. Enterprise teams are increasingly being required to demonstrate that such exercises are being performed regularly as part of compliance programs.
ABOUT TAG CYBER
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and nonclients alike — all from a former practitioner perspective.