Recently I received a most interesting link from a friend, about a tiny city that was actually a perfect working model of a real-life city built by the SANS Institute. It had real banking networks, power grid networks, public transit systems, a hospital, a military complex, you name it. It’s a fully decked out city in miniature. And the beauty of this miniature city is that it was made to develop and train your hacking skills. I know many people who would start drooling at the opportunity to test their skills on such a wide range of systems and not going to jail for it, me included. “Cyber Ranges” as these networks are now often referred to, are fun! And they’re extremely useful in developing real-world skills without disappearing behind bars. It’s not even a new idea; various militaries have been doing it for a while now.
Last year I purchased myself some lab time at Offensive Security, the group that releases the Backtrack Linux distribution, in an effort to stay somewhat connected to the technical side of things. I had such a wonderful time rummaging around on that little network, trying to root every system on it. But I also quickly discovered the downside: it’s not cheap. Lab time is purchased, usually per month, and its not hard to accumulate a $1000 bill. While this is perfectly affordable for working professionals, and absolutely worth the money, it is just too expensive for the generation of cyber defenders that we should be educating right now.
Through this article I would like to make the case for governments to set up such labs and open them up to the public. In a government-funded, well-registered and monitored learning environment for hacking, we can not only teach our young those skills that are becoming more valuable by the day, but we can also keep an eye on who is excelling at picking up these skills. How better to determine true skill than to watch them work? Wouldn’t you want to offer them a job on your security team if you’ve seen him burn through a whole network? An added bonus is that we would be able to watch how they attack systems, just like in honeynets. This is a great way for defenders to pick up valuable knowledge on how to secure their systems against actual attackers. Seeing as how hacking is a bit of an ego game, you could easily turn it into a competition by attaching scores to successfully obtaining Administrator-level access on each system.
Having a national cyber lab that is freely accessible to every hacking enthusiast in the country would be a great investment for any government. Setting it up would be a breeze and the return on investment would be nothing short of massive. Plus it sends out a strong national message that you are serious about cyber security as a nation. Is it still too expensive? Get sponsoring from security companies. I bet they would love the opportunity to get in there for some recruiting, and we would all benefit from the concept, directly or indirectly.