How to build your own IT infosec holodeck: A blueprint for crafting a virtual enterprise to prod, test and hack

Massive hacker playground can be spun up on the cheap

A group of Italian researchers have developed a blueprint for a massive virtualized enterprise network to allow for large-scale security tests without ruining an IT manager's day.

The University of Rome team constructed a large-scale simulated enterprise environment where everything from public-facing servers to DMZ subnets and firewalled internal networks are virtualized together, linking everything from servers and network appliances to virty versions of Windows, Ubuntu Linux, and macOS endpoints.

The idea, said one of the lead researchers, Mara Sorella, was to give network security researchers a way to do controlled experiments on a large scale. Rather than target a single appliance or operating system, a tester could see how an attack would play out across an entire corporate IT setup.

"The main use case is network security research, in particular the deployment of cyber ranges, allowing for controlled experiments in the cyber security domain," Sorella told The Register.

"Indeed, as the system generically allows to reproduce portions of a physical network into a virtual environment, the applications are endless: training IDS/IPS detection algorithms, testing multi-tiered applications and more generally conducting any analysis on software architectures that is not related to performance (which would instead require a copy of the underlying physical network)."

In their initial tests, the Rome Uni crew pitted the environment against a series of attacks ranging from brute-force server attacks to ransomware infections, browser-based malware attacks, and even Heartbleed exploits on servers. The simulations took anywhere from five minutes to just under two hours to fully play out.

The group says it wants to further improve the project with simulation of end user behaviors and develop a way to fully automate the installation of various services.


In the meantime, the team says their blueprint is relatively easy for others to follow. The system uses a combination of the OpenNebula, Open vSwitch, and GlusterFS platforms along with a fairly modest hardware budget that should be well within the reach of most university departments and mid- to large-size companies.

"In our case, we have thankfully received the hardware from Cisco Systems, as a donation to conduct our research, but it can be replicated with at most €7-10K of budget," Sorella said.

"Optionally, thanks to the OpenNebula/GlusterFS layer, the infrastructure is expected to be fairly scalable also when implemented using commodity hardware, or in any case not necessarily using very high-end servers and network equipment (in particular, the most expensive pieces are the switches which can be replaced with lower-end ones, with fewer ports)."

The team this week delivered a full outline of their project in their paper, Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems (PDF). Authors are Florin Dragos Tanasache, Mara Sorella, Silvia Bonomi, Raniero Rapone, and Davide Meacci. The paper has been accepted for publication in the International Conference on Distributed Computing and Networking (ICDCN 2019).
