Cyber Resilience & Cyber Ranges: Daz Preuss, COO, on Innovation

1. How is the growing demand for cyber resilience driving innovation in Cyber Range technology across both public and private sectors ?

The increasing frequency and sophistication of cyber-attacks are driving both public and private sectors to invest heavily in cyber resilience, and Cyber Range technology is a central part of this strategy.

As organisations recognise the need to prepare for and respond to complex cyber threats, Cyber Ranges provide realistic environments for testing and training in a controlled setting. Innovation in this space is focused on creating more scalable, flexible, and high-fidelity simulations that can mimic the most advanced threat scenarios.

This includes integrating advanced attack vectors, improving network infrastructure simulations, and incorporating artificial intelligence to create dynamic and unpredictable environments. Both sectors are also prioritising collaboration tools and interoperability to ensure seamless knowledge sharing and coordination during real-world incidents.

There is also a financial consideration and that is the cost to recover from a cyber-attack. This is not limited to cost of damage to hardware or software but also reputational cost. Although the chance of compromise may be considered relatively low, the impact of a single compromise may be enough to render the organisation unrecoverable.

2. What are some of the most effective ways organisations are using Cyber Ranges to simulate large-scale, real-world cyberattacks ?

Organisations are using Cyber Ranges to simulate large-scale, real-world cyberattacks through a variety of techniques. One common approach is to emulate multi-stage, multi-vector attacks that replicate those seen in advanced persistent threat (APT) campaigns.

This includes simulating phishing attacks, ransomware deployments, supply chain vulnerabilities, and DDoS (Distributed Denial of Service) attacks. By integrating real-world network traffic and tools, organisations can create scenarios that span across multiple attack surfaces, including IT systems, OT environments, and cloud infrastructure.

Additionally, Cyber Ranges allow teams to rehearse incident response, crisis management, and recovery operations under pressure, which helps improve both technical and strategic decision-making in the event of a real attack.

The more mature organisations are able to horizon scan and look at the threat landscape impacting competing businesses within the same operating space and model the same attack against their own organisation as part of preparedness.

3. How are Digital Twin environments transforming cybersecurity testing, particularly for critical infrastructure and operational technology (OT) systems ?

Digital Twin environments are revolutionising cybersecurity testing for critical infrastructure and OT systems by providing a virtual replica of physical assets and systems. These virtual models allow organisations to simulate real-world scenarios, test vulnerabilities, and evaluate the security posture of their infrastructure in a safe, controlled environment.

For example, energy grids, transportation systems, and manufacturing lines can be modelled in a Digital Twin to assess how they would behave under a cyber-attack. This not only helps identify weaknesses but also enables proactive threat modelling and response planning.

Furthermore, Digital Twins can be continuously updated in real-time, allowing for ongoing testing of new threats and vulnerabilities as the infrastructure evolves. This means operational assets do not need to be taken out of service and exposed to an element of risk as is the case with traditional testing.

4. What role does AI play in enhancing Cyber Range simulations to create more adaptive and unpredictable threat scenarios ?

Artificial intelligence (AI) plays a critical role in enhancing the realism and adaptability of Cyber Range simulations. By leveraging machine learning algorithms, AI can simulate evolving attack patterns, making the threats more dynamic and unpredictable.

This includes AI-driven tactics for mimicking attacker behaviour, such as lateral movement, evasion techniques, and the use of zero-day exploits. AI can also be used to simulate defensive responses in real-time, allowing for adaptive and interactive training.

The ability to automatically adjust scenarios based on trainee performance or introduce new, unforeseen variables helps develop critical thinking and response capabilities, making training more effective in preparing for real-world incidents.

One of the key benefits of AI is that it is arguably freer from cultural and ethical bias and may approach the same offensive and defensive activities with a fuzzy logic and alternative approach.

It is also possible to include RAG (Retrieval Augmented Generation) AI, which can take into account business documentations and Tactics, Techniques and Procedures(TTPs) to work both with and against the organisation. 

5. How are organisations integrating Cyber Range exercises into their broader security operations and incident response workflows ?

Organisations are increasingly integrating Cyber Range exercises into their broader security operations by aligning them with incident response (IR) workflows and disaster recovery planning or their Business Continuity Management Plan.

For example, Cyber Range scenarios can be designed to mirror real-time threats that are likely to be encountered in live environments, ensuring that response teams practice specific protocols. With careful and outcome based cyber activity design this can span from the technical cyber analysis at the coal face, to the strategic planners in the organisational HQ.

Picture this like a NASA film, where the engineers and analysts have a vital role in providing the risk owner with the expertise and evidence required to inform the correct organisation response.

The training outcomes from Cyber Range exercises are used to inform decision-making processes, helping teams refine their strategies and improve coordination with stakeholders. Moreover, insights from these exercises are fed back into threat intelligence and vulnerability management programs, enhancing the organisation’s preparedness for future attacks.

Regular, cross-departmental drills ensure that all teams – technical and non-technical – are ready to respond effectively in a crisis.

6. What strategies are helping companies measure the ROI and effectiveness of Cyber Range-based training programs ?

Measuring the ROI and effectiveness of Cyber Range-based training programs is essential for justifying the investment. Key strategies include tracking performance metrics such as the reduction in response time to incidents, the number of detected vulnerabilities, the mean time to recover, and the improvement in mitigation strategies post-training.

Additionally, organisations often conduct pre and post assessments to gauge knowledge retention, skill development, and improvements in real-time decision-making. Feedback from participants and after-action reports are critical for evaluating the success of training exercises and identifying areas for improvement. By aligning training outcomes with overall security goals – such as decreased incident frequency or enhanced recovery times – companies can better assess the tangible benefits of Cyber Range programs.

At CybExer we’re able to assess the quality of the technical responses and incident reporting of teams, as well as drill down into specific users. This is key, as a cyber response team may be heavily reliant on a number of key individuals, and therefore the performance of the same team will be considerably weakened if the key individuals are unavailable. 

7. How are government agencies and defence organisations collaborating with private companies to create more robust, joint Cyber Range exercises ?

Government agencies and defence organisations are increasingly partnering with private companies to build more robust, joint Cyber Range exercises that address shared cybersecurity concerns and are based on shared experiences. These collaborations aim to create environments that reflect the complexity and scale of real-world threats.

Public-private partnerships facilitate the sharing of threat intelligence, best practices, and resources, leading to more comprehensive training exercises. By simulating joint operations between government entities and private-sector organisations, such as critical infrastructure providers, these exercises help improve coordination and communication during cyber-attacks.

They also foster a culture of collaboration and mutual support, ensuring that organisations are well-prepared to face complex cyber threats that span both public and private sectors. 

However, as organisations strive to remain lean and competitive this may also require the outsourcing of services and solutions including cloud or subscription services. This can cause uncertainty over the demarcation of responsibility so these integrations should be assessed when collaborating to ensure a wholistic end-to-end service including system, service and information flows that could be impacted.  

8. What challenges do companies face when scaling Cyber Range capabilities to accommodate increasingly complex and dynamic threat landscapes ?

Scaling Cyber Range capabilities to accommodate a rapidly evolving threat landscape presents several challenges. First, the growing sophistication and variety of cyber threats require constant updates to simulation scenarios, attack vectors, and defensive tools. This necessitates significant investments in infrastructure and personnel to maintain and evolve the platform.

Additionally, simulating highly dynamic and large-scale environments, such as global supply chains or interconnected IoT systems, can be technically complex and resource intensive. There are also challenges in ensuring that simulations accurately reflect the unique needs and risks of specific industries, such as healthcare or energy.

Lastly, organisations must address scalability in terms of user participation, as large-scale exercises involving multiple teams or stakeholders across different geographies require seamless coordination and infrastructure support.

It is key to understand the requirement for a Cyber Range to an organisation and to identify the measure of success. For some it may be a simple case of providing generic online learning to raise awareness of cyber threats. Whereas others may require a cutting edge environment which may appear expensive, however if used to de-risk cyber threats that may result in a much more significant impact to the organisation the costs would be justifiable.

Any organisation considering a Cyber Range should understand how this investment will support the organisation and align with their business strategy. Most importantly, it should be able to grow with the business to prevent over-investment and under-utilisation. 

A highly configurable and modular Cyber Range will be able to evolve as the threat landscape evolves. It is worth speaking to a Cyber Range expert to discuss the options instead of necessarily going for a cookie-cut service, which may not accurately reflect your organisation and associated threats.  

9. How are emerging technologies, such as machine learning and automated threat modelling, influencing the future of Cyber Range platforms ?

Emerging technologies like machine learning (ML) and automated threat modelling are profoundly shaping the future of Cyber Range platforms. ML algorithms can analyse large datasets to identify patterns and predict potential attack scenarios, allowing Cyber Ranges to generate realistic, data-driven simulations that evolve over time.

Automated threat modelling tools can rapidly assess vulnerabilities in complex systems and provide real-time insights into potential attack pathways. These technologies enable more efficient scenario creation, improved threat intelligence integration, and personalised training experiences.

Additionally, machine learning can be used to track and evaluate participant behaviour during exercises, offering valuable feedback on decision-making processes and suggesting areas for further improvement.

Examples of how CybExer use AI / ML includes reducing the training required by an organisation to deploy Cyber Range environments by including local or OpenAI integration into our code base. 

This enables users to modify and generate Cyber Range content without requiring expert consultation that would typically incur a cost. We also use AI to support the assessment of teams where written reports are submitted to eliminate bias.

It is also possible to use AI digital personas within a Cyber Range. Picture a Blue Team ‘Friend’ or a Red Team ‘Foe’, each configured to protect or exploit the environment and respond to each other accordingly. By linking in RAG content this can reveal how a ‘Foe’ may be able to use ethical, legal, or technical configuration constraints against an organisation.

10. What best practices should organisations follow to ensure that Cyber Range exercises lead to tangible improvements in their cyber resilience strategies ?

The most important practice is to understand the key ‘Measure of Success’, and to identify performance indicators that would identify this. Without a well-defined end-state organisations can often find themselves training for the sake of training, but without having a mechanism to measure and justify the investment.

To ensure that Cyber Range exercises lead to tangible improvements in cyber resilience, organisations should follow several best practices:

• Realism and Relevance: Simulate attacks that reflect the specific threats faced by the organisation, including industry-specific risks.
• Clear Objectives: Set measurable goals for each exercise, focusing on key areas such as incident response, recovery speed, and vulnerability detection.
• Regular and Ongoing Training: Conduct exercises regularly to ensure that skills are kept up-to-date and that teams remain prepared for evolving threats.
• Post-Exercise Analysis: Perform thorough after-action reviews to identify gaps in knowledge, processes, or technology and implement improvements.
• Cross-Departmental Involvement: Engage a broad range of stakeholders, including IT, OT, legal, and communications teams, to ensure a holistic approach to cybersecurity resilience.
• Continuous Improvement: Use insights gained from exercises to inform security policies, incident response plans, and security technology upgrades, ensuring a cycle of continuous improvement.

By adopting these best practices, organisations can maximise the impact of Cyber Range exercises and significantly enhance their overall cyber resilience strategies.