It can be hard for developers of cybersecurity training to create realistic simulations and training exercises when trainees are operating in closed (often classified) environments with no ability to connect to the Internet. To address this challenge, the CERT Workforce Development (CWD) Team recently released a suite of open-source and freely available tools for use in creating realistic Internet simulations for cybersecurity training and other purposes. The tools improve the realism, efficiency, and cost effectiveness of cybersecurity training. In this blog post, I will describe these tools and provide information about how to download, learn more about, and use them.

Since its inception more than 25 years ago, the SEI's CERT Division has been developing and delivering cybersecurity training and exercises on behalf of its sponsors, including the U.S. Department of Defense, the FBI, the National Security Agency (NSA), and other agencies. The purpose of this suite of tools is to aid in the creation of realistic simulations in such environments. In particular, these tools help developers of training scenarios and environments create realistic cyber simulations that can be used in closed environments. The tools also provide trainees with the realistic illusion of being on the Internet without running the risk, for example, of working with live malware that could escape onto the Internet during training.

The following tools are included in the suite:

TopGen

TopGen is a virtualized application-service simulator for offline exercise and training networks. It allows multiple co-hosted virtual application-layer services, such as multiple HTTP vHosts, Domain Name System (DNS) views, or virtual mail domains to be delivered from a single host (physical, virtual machine, or container). A large number of host unique, single IP addresses, corresponding to each virtual application server (each website, nameserver, and mail gateway), are then added to the TopGen host's loopback interface. This configuration ensures that client traffic is delivered to the appropriate application-server daemon, and that replies will originate from the correct source IP address.

GreyBox

GreyBox is a virtual machine that provides a self-contained emulation of the Internet backbone, including connectivity for 500-plus websites, mail servers, Bitcoin environments, and other sites. It simulates not only the servers, but also the Internet infrastructure, with root and top-level domain (TLD) DNS servers, a functional WHOIS service, and a realistic Tier I web cloud. GreyBox includes emulation of Border Gateway Patrol (BGP) and autonomous system (AS) numbers running the actual IP addresses deployed in the Internet backbone.

Greybox and TopGen are designed to run on any generic Linux system. GreyBox provides the ability to communicate in this environment, which renders a realistic simulation of the Internet backbone, implemented with Linux containers. Any peer-to-peer software can be added to GreyBox to increase the realism of the simulation experience for users. We are planning a feature where we could connect arbitrary Docker containers into the Greybox map for added flexibility to allow users to connect custom containers serving whatever their needs are.

The key to the utility of this environment is its realistic look and feel to its users are. The front pages of more than 5,000 websites were scraped from the actual Internet to provide this realistic user experience. GreyBox is great for training and exercises; students have used it to learn about routing. The activity of having users interacting with the system and creating traffic enriches this Internet simulation.

GreyBox has public key infrastructure (PKI) and can do HTTP Secure (HTTPS) or Transport Layer Security (TLS). We use our own in-game certificate authority to sign all the websites to produce HTTPS traffic when a user is looking at packet traces. We eventually want to offer encrypted HTTPS traffic for added realism.

Users can connect existing network enclaves that they're already using in their cyber exercises into the core Internet structure that GreyBox creates. This connectivity can be performed via the simulator's user interface. Users can put RJ-45 icons on the map and connect them to existing routers, then map those to network interfaces of the host machines. Any other computing infrastructure that shares a network with those network interfaces that are mapped into the simulation would then connect to the simulation via those interfaces by simply mapping extra network cards to those enclaves.

GHOSTS

GHOSTS is a framework for automating and orchestrating non-player character activities. By creating "synthetic users" in the environment, it enables advanced user-activity simulation to enrich the realism of cyber exercises. The simulated characters that participants interact with can perform many functions, such as web browsing, executing terminal commands, sending emails, or managing office documents. The functions appear as if real people were performing them, and none can be traced back to the GHOSTS software directly, making the training experience more lifelike and convincing.

GHOSTS orchestrates friendly, hostile, and other behaviors that players would be likely to encounter. GHOSTS is not simply a mechanism for traffic creation; it creates realistic network traffic in the form of context-driven user activity on a network. It focuses on what every computer-controlled actor on the network is doing and what decisions it might make, and uses the results of those decisions to make future decisions, as well. For example, GHOSTS can bring harmless administrators and hostile red-team operators to life within an exercise by giving them growing intelligence that mimics what people may do in real life. It enables exercise creators to build enclaves of blue teams that perform specific tasks. In addition, GHOSTS can simulate active insider-threat scenarios or random security mistakes that any user might make.

vTunnel

vTunnel allows the tunneling of arbitrary IP traffic from a guest virtual machine through the hypervisor instead of through the normal Ethernet connections. This feature allows the removal of certain network activity from the game space. This capability prevents game players from seeing certain network traffic, such as command-and-control or scoring activities.

vTunnel hides the traffic that is "out of band." All this administrative activity running within the simulation would be in plain view for all participants in the exercise or training course (which distracts users and detracts from the look and feel of a realistic network environment) if nothing were done to hide it. "White cell" management, monitoring and overhead traffic, including the management traffic for the GHOSTS activities, can flow unimpeded and totally unseen by users. vTunnel helps keep all of this administrative traffic hidden so that users can focus on just the activity that relates to the intended event simulation.

vTunnel allows guest VM networks to communicate with management networks on the hypervisor side for the simulation. It transmits traffic between virtual-machine networks and range-management networks, allowing control of automations and simulations while avoiding in-game networks being monitored by exercise participants. The vTunnel connection into the virtual machine allows the sending of command-and-control traffic to the GHOSTS agent. The vTunnel connection out of the virtual machine allows logs and telemetry data from the GHOSTS agent to arrive back at the GHOSTS command-and-control server. By allowing management traffic to reside outside the game space, vTunnel enables more realistic and reliable cyber exercises.

WELLE-D

Cybersecurity training often occurs in classified spaces where users can't bring cellphones or other network-connected devices. For wireless simulation, one work role is that of a wireless professional who needs to perform wireless penetration (or pen) testing. However, these spaces are not good environments for attaching wireless devices to virtual machines, and there are not many virtualization options available for wireless training. We used capabilities in the Linux kernel to extend simulation across multiple virtual machines for Wireless Emulation Link Layer Exchanges Daemon (WELLE-D), which enables integration of virtual wireless networks into the existing cyber range. Virtual machines in the virtual environment can then have realistic wireless interfaces that can be used by all standard wireless tools.

WELLE-D perfectly emulates 802.11 wireless communications in virtual environments without creating any radio signals. WELLE-D enables system administrators to configure wireless access points and/or client systems running on a Linux kernel. The software creates actual 802.11 frames and passes them across a hidden channel so the traffic does not appear in the wired Ethernet environment. Actual 802.11 frames are used in the communication between clients, thereby providing an unparalleled level of realism since all Wi-Fi attack tools can operate against the actual 802.11 traffic. WELLE-D allows the cyber workforce to perform realistic attack-and-defend scenarios in a cost-effective, safe, and controlled environment.

Using WELLE-D, the team can generate and investigate wireless frames with ease. WELLE-D extends frames available in the Linux kernel so that students in one of these roles who need to do wireless pen testing can run their tools, inject frames, and capture frames from the available networks.

TopoMojo

Simulations are hard to set up and hard to administer once they are set up. Many organizations, therefore, have relegated realistic hands-on exercises to once-a-year events, cobbled together by organizational "heroes" who create a lab architecture out of old gear. CERT's motivation in developing TopoMojo was to provide subject-matter experts with a platform where they could quickly create and share ideas for cyber training.

TopoMojo is a web application that simplifies virtual lab creation and deployment. This Linux-based virtual appliance jump launches virtual-machine learning environments, including use of existing network topologies from a topology library, or creation of custom topologies to meet the specific requirements of a given user. After topologies are created, they come to life in the same TopoMojo platform, deploying network configurations and the associated host systems. These deployed environments support training, testing, and many other possibilities.

TopoMojo simplifies the setup of exercises. It comprises two components, a lab player and a lab builder. The player allows a user to browse and access existing labs. After TopoMojo is launched, the user can access various hosts to accomplish lab objectives and can collaborate with others by inviting them to share a lab by sending them a link. The builder interface is for content creators, people with a lab idea that they want to share with others. The builder can add people to a workspace to enable collaboration in putting the lab together. Ideal for creating quick training on a small scale, TopoMojo employs the same technology used for larger simulations.

How to Download and Learn More About These Tools

To download all the tools described in this blog post, please visit http://www.sei.cmu.edu/go/cwd-tools for source code and documentation downloads, executables, and virtual machine .ova images.

The SEI will provide demonstrations of these tools at a forthcoming Cyber Simulator Showcase. For more information and to register, go to https://www.eventbrite.com/e/cyber-simulator-showcase-registration-52673737567.

Additional Resources

Watch a panel discussion providing information about these tools.

Learn more about the SEI CERT Workforce Development Team.

Watch a webinar by Christopher May, Developing Your Cyber Workforce.