Technology for cybersecurity, behind the CYBERWISER.eu Platform

In its first year of activity, CYBERWISER.eu has made considerable progress towards implementing the training platform for cybersecurity professionals.
Consortium partners have worked in parallel on different aspects. These include formulating the approach to platform design, and developing and integrating the components.


Ultimately, the aim is to provide a complete, integrated and fully customisable cybersecurity training solution designed in a modular format to meet the specific needs of individual learners or corporate teams alike. The solution will incorporate an independent cyber range platform as well as a comprehensive suite of both free and paid-for web-based certificate courses.

The components of the training platform, all developed by consortium partners, are detailed in the table below.

Component Brief description
Web Portal

A single access point to both the cyber range platform and all training resources (teacher and learner). Access is through a unique Login/Registration page which takes users to the Cross Learning Facilities via a Single Sign On (SSO) mechanism. This mechanism is based on an OpenID Connect module that provides pluggable client implementation for the OpenID Connect protocol. Each user’s view of the Cross Learning Facilities is determined by the permission level to which he or she is assigned.
In the web portal and prior to login, users can also find comprehensive information about the CYBERWISER.eu offering.

Cross-Learning Facilities (CLF)

A set of Workspace areas and a Learning Content Management System containing the training material (including documents, presentations, videos and quizzes) and the cyber range platform.
As mentioned above, the specific resources accessible to a user depend on the access rights linked to a particular offering level. The required functionality is provided by the SSO mechanism.

Simulated Infrastructure Manager (SIM) This component is responsible for instantiating and deploying the training scenarios. It also allows access to the machines and components available in the scenario environment. A NoVNC over Hyper Text Transfer Protocol Secure (HTTPS) interface is used to access the deployed machines and enable their use from a browser.
Pluggable Deployment Manager (xOpera) This optional component expands SIM functionality, enabling the SIM to support the management of simulated environments on infrastructures beyond OpenNebula. These include a range of the IaaS providers such as OpenStack, OpenNebula, and Amazon Web Services (AWS).
Training Manager (TM) This is the component responsible for the management (creation, editing and deletion) of the training scenarios within an activity. It contains the Scenario Designer, which can generate, update or remove a training scenario template. A web interface is provided to enable management from the browser.
Performance Evaluator (PE) This component evaluates trainee performance by gathering data from different information sources during an exercise and applying an algorithm to produce a score. This component evaluates trainee performance by gathering data from different information sources during an exercise and applying an algorithm to produce a score.
Digital Library (DL) The DL is the repository for all the different elements that may be incorporated into a training activity depending on the requirements of individual simulation scenarios or the exercises to be run. Included among others are the metadata and templates of operating systems, preconfigured virtual machines, or any other software to be deployed on any virtual machine.
Economic Risk Evaluator (ERE) This component is responsible for providing economic assessment reports based on the training scenario configuration, the security vulnerabilities detected, and the events and alarms triggered. Evaluation is via execution of the algorithm associated with the Economic Risk Models (ERM).
Vulnerability Assessment Tool (VAT) This component analyses targets by running vulnerability scans. This can occur automatically (following a plan with tasks scheduled beforehand) or on demand. In the latter case, users interact with a web interface to configure the scanners.
Monitoring Sensors These sensors provide relevant information about anomalies happening at both network and application / host layer levels. Logs are sent to the Anomaly Detection Reasoner (ADR) agent. These sensors provide relevant information about anomalies happening at both network and application / host layer levels. Logs are sent to the Anomaly Detection Reasoner (ADR) agent.
Anomaly Detection Reasoner (ADR) The ADR is a Security Information and Event Management (SIEM) solution whose objective is the detection of security threats. It normalizes, filters and correlates information coming from heterogeneous sources, raising alarms as directed by complex event-correlation rules. The ADR is a Security Information and Event Management (SIEM) solution whose objective is the detection of security threats. It normalizes, filters and correlates information coming from heterogeneous sources, raising alarms as directed by complex event-correlation rules.
Attack Simulator (AS) The AS is capable of automating attacks against targets in the simulated infrastructure using pre-defined scripts. It can be deliberately triggered by means of a web interface, or it can work  automatically when the system plays the role of red team.The AS is capable of automating attacks against targets in the simulated infrastructure using pre-defined scripts. It can be deliberately triggered by means of a web interface, or it can work  automatically when the system plays the role of red team.
Countermeasures Simulator (CS) The CS is capable of suggesting and executing mitigation measures according to the risk faced by the simulated infrastructure. It offers a user interface for a human blue team, and can also work automatically when the blue team role is played by the system. The CS is capable of suggesting and executing mitigation measures according to the risk faced by the simulated infrastructure. It offers a user interface for a human blue team, and can also work automatically when the blue team role is played by the system.
Economic Risk Models (ERM) The ERM capture the risks a simulated infrastructure is exposed to in a training scenario. The risk models are provided both graphically - to help human stakeholders understand the risks captured, and via machine-readable scripts. Different scripts are allocated to different training configurations and they are deployed together with the ERE component which will execute them. Risk levels are reported in terms of monetary loss (quantitative risk assessment) based on likelihood and consequence estimates provided as input to the scripts.
Message Broker (MB) The MB enables communication between various components of the CYBERWISER.eu Platform in the scope of a single training exercise. It is implemented as an instance of the RabbitMQ service, exposing an Advanced Message Queuing Protocol (AMQP) interface to exchange messages from multiple sources. Messages sent through the MB include events, alarms, vulnerability reports, trainees’ scoring data, component configuration, and logging data.
Centralized Logging Component (CLC) The CLC is a database which stores all the data arising from the training exercises.The CLC is a database which stores all the data arising from the training exercises.
Infrastructure as a Service The IaaS offers services regarding virtualised computing resources that are both on-demand and scalable. It allows the generation, instantiation and control of the scenario environments through the HTTPS interface; and provides a NoVNC over HTTPS interface to access the created virtual machines.
Event-Based Service Orchestrator (EBSO) The EBSO can orchestrate applications running in Docker containers. It receives messages from the MB to control the component and indirectly, control and modify the behavior of the managed applications by triggering events.

 

In the coming months, the Consortium will issue periodic releases as new capabilities are added to the platform. The process will be gradual to allow for regression testing to ensure correct operation. Various environments will also be created to enable integration, acceptance and piloting of the different releases. In this way we will implement a complete workflow which moves from the development of the individual components through to the verification of the complete assembled product in the pilot sites.