• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

Online red & blue attack/defense simulations

Collapse
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    Online red & blue attack/defense simulations

    Hi all,

    I'm currently on the bench and looking to make good use of this time to deepen my practical security knowledge before the next gig. As I learn (and enjoy) best by doing, I've been googling for online red/blue style security simulations but haven't yet had much luck in finding anything that seems to fit what I'm after (i.e. there is no pre-existing network to test, I'm looking for a simulated network infrastructure that I can harden as best I can and ideally have the simulation 'attack' it once I'm finished so I can see how it holds up and learn more about anything I missed).

    Anyone had any online/eLearning experiences or recommendations in this area they'd care to share (I've seen this sort of thing offered in a short course form before but it required being on site in London)? Happy to pay for a good tool but it needs to be reasonably priced as if it's too expensive I'll probably be better off homebrewing something together using virtualisation tools - and that takes a good while.

    Thanks.
    Last edited by man; 3 June 2018, 13:52. Reason: Manners

    #2
    Quite amused at the concept that people will publish an "insecure" network so other people can practice hardening it. If you can harden something, you can also break it, which is rather the point of having security in the first place so why provide a training ground for hackers (I know you're not, but you get the point)..

    You're a contractor, remember. You run a business. If the knowledge is necessary for your work, get a decent training course and do it properly; and if cyber security is what you trade in, YourCo can pick up both the bill and the expenses.
    Blog? What blog...?

    Comment


      #3
      Have you checked out https://www.vulnhub.com?

      Not full on networks but vulnerable OS builds for you break in to?

      You could learn to exploit them and then learn to secure them and try again...

      Comment


        #4
        Thanks for the replies.

        @malvolio:
        I agree with you in that real infrastructure is breakable and so it seems counter intuitive to leave it wide open to the internet - That's why any company offering this sort of service would need to think carefully about the underlying infrastructure (e.g. running their switches / firewalls virtually in GNS3 etc, virtual hosts that wipe after each session etc - or if that is considered too 'exposed' then perhaps a simple cut down version of clickable/CLI enterable security settings along with a 'run attack simulation' button and a summary of results). I don't believe for one moment that providing these sorts of environments would provide a training ground that hackers don't already have access to (or can very easily make themselves using readily available virtualisation technologies). I also think that knowing how you're likely to be attacked, helps you to better defend.

        I haven't forgotten that I'm a contractor - bench time serves as an excellent reminder - but I disagree on your all or nothing suggestion with regards to training/professional development - I see value in pursuing knowledge outside of a full blown (and all things considered, expensive) training course, particularly as security is not my company's USP, merely a part of the package my clients benefit from. I'm not looking for CV material with this, which a training course would undoubtably be best suited for - more an improved understanding so that my next design will be more secure than my last.

        @Mag:
        That's a great suggestion I'd never heard of before - it does seems a little red team focussed for my needs (I'm looking to focus more on the blue team stuff) but it's definitely something I'll be having a play around with.

        Comment


          #5
          https://en.wikipedia.org/wiki/WarGames - your original inspiration?
          The greatest trick the devil ever pulled was convincing the world that he didn't exist

          Comment


            #6
            Forget tools and hacking scripts. Security is risk based. Know your environment in detail, and the threats to that environment. Understand where the risks points are, how they can be exploited and mitigate against that.
            Ethical hacking is bulltulip. And trying to hack something yourself is a waste of time as it doesn’t represent a real world risk.
            Buy a book on CISSP and read it.
            See You Next Tuesday

            Comment


              #7
              Ever thought of attending a Hack-a-thon? Essentially, a marathon for hackers... sounds like a fun way to test your skills/see the skills of others!

              Comment

              Working...
              X