A cyber range environment can be tough to create, and even harder to automate deployments for training events or to distribute to your team at scale. You have to design the systems and configure the software, design the network, configure vulnerabilities, escalation paths, and logging, and document all these pieces for other users of the range environment.
Immersive Labs Cyber Ranges makes the process simple with a suite of range building features to help you and your team create powerful range environments with ease.
This guide includes the following sections:
Systems & Applications
Your range systems are the core of your range environment. They run the operating systems, software, and data that make your range a realistic training environment. Cyber Ranges maintains a core set of system images which you can deploy into any new or existing range environment to configure to your specific needs.
Adding Systems
To add a new system to a deployed range environment, select the Add System button under the Systems tab within your range. From here, you'll need to provide a number of details.
First, select a Name, Hostname, and Image.
Provided Images
We provide a set of images covering several operating systems and versions. There is also a growing set of systems with pre-configured toolsets under the "Security Tools" category.
Custom Images
We also support bringing your own AWS images to the Cyber Ranges platform. You'll need the AMI ID of your image, and it will need to meet a few requirements:
- Shared with the AWS account hosting your Cyber Ranges infrastructure (you may also need to share the image's related snapshot ID(s))
- Located in the same region as your Cyber Ranges infrastructure
- Marketplace images are not supported
AMIs which have the EnaSupport property set to true will be launched as t3 type instances; otherwise they will be t2 type.
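As an added example (not Immersive Labs or AWS code), the following Python checks an AMI record against the three requirements above and reports which instance family the EnaSupport rule selects. The function name `preflight_ami` is hypothetical, the inputs are assumed to be shaped like EC2 DescribeImages and DescribeImageAttribute (launchPermission) output, and all account, AMI and snapshot IDs are constructed placeholders.

```python
def preflight_ami(image, launch_permissions, image_region,
                  range_account_id, range_region):
    """Return (problems, instance_family, snapshot_ids) for one AMI record."""
    problems = []
    # Requirement: same region as the Cyber Ranges infrastructure.
    if image_region != range_region:
        problems.append(f"image is in {image_region}, range is in {range_region}")
    # Requirement: shared with the hosting account (owned, public, or explicit grant).
    shared = (
        image.get("OwnerId") == range_account_id
        or image.get("Public") is True
        or any(p.get("UserId") == range_account_id or p.get("Group") == "all"
               for p in launch_permissions)
    )
    if not shared:
        problems.append(f"no launch permission for account {range_account_id}")
    # Requirement: Marketplace images are not supported.
    if image.get("ImageOwnerAlias") == "aws-marketplace" or any(
            pc.get("ProductCodeType") == "marketplace"
            for pc in image.get("ProductCodes", [])):
        problems.append("image carries a Marketplace product code")
    # Snapshots backing the AMI; these may need to be shared as well.
    snapshot_ids = [m["Ebs"]["SnapshotId"]
                    for m in image.get("BlockDeviceMappings", [])
                    if "SnapshotId" in m.get("Ebs", {})]
    # EnaSupport true -> t3; false or absent -> t2.
    family = "t3" if image.get("EnaSupport") is True else "t2"
    return problems, family, snapshot_ids


# Constructed sample records (all IDs are placeholders).
RANGE_ACCOUNT, RANGE_REGION = "111111111111", "us-east-1"
GOOD = {"ImageId": "ami-EXAMPLE1", "OwnerId": "222222222222", "Public": False,
        "EnaSupport": True,
        "BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
                                 "Ebs": {"SnapshotId": "snap-EXAMPLE1"}}]}
BAD = {"ImageId": "ami-EXAMPLE2", "OwnerId": "333333333333", "Public": False,
       "ProductCodes": [{"ProductCodeId": "EXAMPLECODE",
                         "ProductCodeType": "marketplace"}]}

if __name__ == "__main__":
    print(preflight_ami(GOOD, [{"UserId": RANGE_ACCOUNT}], "us-east-1",
                        RANGE_ACCOUNT, RANGE_REGION))
    print(preflight_ami(BAD, [], "eu-west-1", RANGE_ACCOUNT, RANGE_REGION))
```

The returned snapshot IDs are the ones to review for sharing alongside the AMI itself.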
After choosing your Name, Hostname, and Image, you'll need to select a System Type and Disk Size. System Type has the biggest impact on the performance of your system, and also the biggest impact on its running cost. Currently, we support systems with 1 vCPU and 0.5 GiB RAM through 8 vCPU and 32 GiB RAM. We support disk sizes from 8 GB to 10 TB, though we highly recommend keeping your storage to a minimum; you can always increase it later.
Estimated Runtime Cost
We provide an estimated runtime cost based on your selections of System Type and Disk Size (GB) when adding a new system. This is calculated based on the hourly AWS cost of the Image and System Type, plus the static costs of the disk storage (monthly) converted to an hourly amount.
This is only an estimated hourly runtime cost, and your actual costs may vary.
Please monitor your AWS bill on a regular basis to avoid unexpected expenses.
Total running range cost estimates are available in the Settings of your currently running range, or the Template details of individual templates.
The next step is to choose which Subnet your system will be launched into. You can choose from any of your currently configured range subnets. You may also choose a specific IP Address within this subnet. This is optional, and the IP address will be randomized if you leave this field blank (if you template this environment, future range launches will preserve the original IP Address of the system).
You're now ready to Launch your system! The system will deploy in a Pending state, and will typically be in a Running state within a minute or two.
New System Credentials
For every range deployed, the Cyber Ranges platform automatically generates an SSH key pair to use for Linux system connections. This key pair is available in the Settings tab of your range environment, and will be automatically used for Console Sessions.
For Windows operating systems, AWS will dynamically generate an Administrator password for the system on launch. We automatically fetch this for use by Console Sessions, and make it available to you in cleartext in the Credentials settings of the system.
Modifying Existing Systems
After a system has been launched into your range environment, you can manage most properties of the system directly through the Cyber Ranges dashboard. To edit system properties, first select the Edit icon for the system you'd like to modify.
There are four types of system properties you have control over:
General
Modify the System Name, Hostname, and Student Access. By default, newly launched systems are not accessible to users with the Student role. To allow Student users to access systems in your range you must explicitly allow this by selecting the "Allow students to access this system" checkbox and saving your changes.
This section also shows system details including:
- Operating System
- Launch Date/Time
- Source (who launched the system)
Specs
Modify the System Type and Disk Size in this section of the system settings. You can only modify one attribute of the system specs at a time, and your system will become temporarily unavailable while the modifications take place. This section of the settings also shows the Estimated Running Cost of the system.
Network
You cannot modify the primary network interface of an existing system. To change this attribute you must delete and relaunch the system.
However, you may add (or delete) a Secondary Network Interface which allows your system to access multiple subnets. This also means multiple sets of security rules will apply to this system.
Credentials
- Console Connection - This setting controls how you connect to the system when connecting via Console Session (browser). You may specify the connection protocol, username, domain, password, and port for this setting.
- File Sharing - Enable this setting to control whether file sharing is possible through Console Sessions. This is a helpful control for allowing access to licensed or proprietary software to guest users.
- Credential Caching - You may also specify additional connections to be made at range power on, or when deliberately running the Cache Creds functionality. Similar to Console Connection settings, you may choose the connection protocol, username, domain, password, and port for this setting. This is useful for facilitating specific escalation paths throughout your range environment.
Sample Credential Caching Scenario
The most common use of Credential Caching is to create RDP sessions on Windows hosts for Active Directory lateral movement and privilege escalation scenarios. To create an RDP session on a Windows host, perform the following steps:
- Ensure the user has access to RDP to the target machine. This can be accomplished easily through the "Remote Desktop Users" or "Administrators" local groups.
- Add the Credential Caching configuration to the target machine.
- Cache the credentials. The "Cache Creds" functionality can be invoked manually, and is also run automatically after a short delay on range power on.
- Verify the RDP session started successfully by checking for processes running on the target machine as the appropriate user via Task Manager.
Image
After making configuration changes or installing specific tools, you may want to save this configuration to deploy into other range environments. On the Image tab within the system editing flow, you can specify an Image Name and Image Description, then Create Image. This will template the individual system and make it available as an option to deploy through the Add Systems list.
- Attached Apps - You can select range applications that you have configured which are served from this system. These apps will be added to any range that the custom image is launched into. The App URL must use the system IP to be attached. App URLs will be updated to the new system IP when adding to another range.
Deleting Systems
To delete a system, first select the Edit icon for the system you'd like to delete, then select Delete and Confirm your choice. Your system will be immediately removed from the Cyber Ranges dashboard.
Range Applications
Adding Applications
To add an Application to your range environment, navigate to the Applications tab and select the Add Range Application button. You'll be presented with a view to input the following information about your application:
- Name: A display name for your application.
- Description: A brief description of the application.
- URL: The location of the application within your range. This must start with "http(s)://" and use an IP address
- Student Access: Select whether students are allowed to access this application.
After adding the Application, users can access it directly from their browser in the same way they access range systems with Console Sessions.
Modifying & Deleting Applications
After an Application has been created, Creators and Admins can modify any of its attributes by selecting the Edit button and updating the relevant information. Applications can also be deleted from this view.
Subnets
Every Cyber Ranges environment will have at least one Subnet (apart from the AdminBox subnet) which range Systems can be launched into. You can also add new subnets, modify the security rules for existing subnets, and delete existing subnets.
This provides a ton of flexibility when it comes to the networking setup of your range environments.
Existing Template Networking
Be careful when modifying the networking rules for existing range templates! Systems and software may be configured which rely on the current networking rules. These may break if changes are applied.
Subnet information can be found for each range under the Settings page within the Subnets tab. At a glance you can see your subnets, their network ranges, and how many network interfaces reside in each.
Adding Subnets
To add a Subnet to your range, select the + Subnets button. Provide a Name, Description, and Network Range for the subnet. The Network Range provided must be valid CIDR format, reside within your range's overall network parameters, and not conflict with any existing subnets.
You can modify the security rules of the subnet before or after it's created.
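The three Network Range conditions above can be checked before submitting the form. The following is an added example, not part of the Cyber Ranges platform; `check_new_subnet` is a hypothetical helper, and the range network and existing subnets are a constructed layout.

```python
import ipaddress


def check_new_subnet(cidr, range_network, existing):
    """Return a list of problems; an empty list means the range is acceptable."""
    try:
        # strict=True rejects input with host bits set, e.g. 10.10.1.5/24.
        new = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not valid CIDR: {exc}"]

    problems = []
    parent = ipaddress.ip_network(range_network)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    if new.version != parent.version or not new.subnet_of(parent):
        problems.append(f"{new} is outside the range network {parent}")

    # A conflict is any overlap, including a new range that contains an old one.
    for name, other in existing.items():
        other_net = ipaddress.ip_network(other)
        if new.version == other_net.version and new.overlaps(other_net):
            problems.append(f"{new} conflicts with subnet '{name}' ({other_net})")
    return problems


# Constructed layout: overall range network and the subnets already defined.
RANGE_NETWORK = "10.10.0.0/16"
EXISTING = {"AdminBox": "10.10.255.0/24", "Corp": "10.10.0.0/24"}

if __name__ == "__main__":
    for candidate in ("10.10.20.0/24", "10.10.1.5/24",
                      "10.11.0.0/24", "10.10.0.128/25"):
        print(candidate, check_new_subnet(candidate, RANGE_NETWORK, EXISTING))
```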
Modifying Security Rules
Security Rules control what network traffic can flow into, and out of, the subnet. These security rules are specific to Cyber Ranges/AWS and don't necessarily align with standard firewall or Network ACL behavior. For more details on security rule specifics, read the AWS User Guide on the topic.
VPN Client IP vs AdminBox IP
- AdminBox Interfaces vs. VPN Client IPs: There are two kinds of IP address associated with VPN connections: VPN Client IPs (e.g. 10.9.253.0/24 and 10.9.254.0/24) and AdminBox Interfaces (e.g. 10.10.255.244 and 10.10.0.4). These IPs may vary depending on the lab network range.
- Security Group Evaluation: For security group evaluation, AWS uses the AdminBox Interface for traffic within the same subnet (e.g. 10.10.0.X -> 10.10.0.X). For traffic between subnets, AWS uses the VPN Client IPs (e.g. 10.10.0.X -> 10.10.255.X).
These are important distinctions for creating inbound and outbound security rules that behave as you expect, so please bear them in mind while you design your range!
To create or modify a rule, you'll need to select the following:
- Protocol
- Port Range
- Source/Destination CIDR
- Description (Optional)
Below is a set of inbound and outbound security rules, as an example:
Deleting Subnets
To delete a subnet, it must not contain any Network Interfaces. Before deleting a subnet, first delete any secondary network interfaces associated with it, or delete the system itself for primary interfaces.
Once you've removed any associated interfaces you can delete the subnet by selecting the delete icon.
DHCP Options
What are DHCP Options?
DHCP Options Sets help provide configurations to the systems launched into your range environments. You may specify the DHCP Options for Range Systems, Admin VPN Clients, and Attacker VPN Clients. For each of these, you may provide Domain Names for the systems to be aware of, as well as DNS servers to use for resolving domain names.
Range Network DHCP
This set of options applies to systems deployed within the range network, including any attacker systems. Domain Names and DNS server IPs are pushed to new systems at launch, and any updates to these settings are eventually applied to currently deployed and running systems in the range (usually after a couple hours).
Admin & Attacker VPN Clients
These options sets are applied to VPN Clients that connect to the range environment via either Admin or Attacker VPN configuration files. Set these if you want your connected systems to easily resolve range system hostnames.
For a detailed description of DHCP Options sets, read the AWS User Guide. Note that Cyber Ranges environments do not support every available option within AWS DHCP Options sets.
Modifying DHCP Options
To modify these settings, navigate to your range Settings page under the DHCP tab. From here, enter your desired Domain Names and DNS Servers.
Range Documentation
Documentation is an important step in the range building process. It helps users of your range environments understand the systems, software, and scenarios you've built into the range.
Cyber Ranges provides two methods to easily document your range details as you build: Markdown style Documentation (Readmes) and Uploaded Files.
Creating Markdown Documentation
Every newly launched range is deployed with a sample readme. This will help you quickly get started with markdown syntax and provide suggested details to include in your documentation.
Consider noting the following in your markdown documentation:
- System Details
  - Hostnames
  - IP Addresses
  - Credentials
  - User Sessions
- Active Directory Details
  - Trust Relationships
  - Important Users and Passwords
- Additional System Details
  - Descriptions
  - Other User Accounts
  - Configured Software
Markdown Documentation Versions: Readme and Admin Readme
Cyber Ranges is designed to make it easy to hold training events, CTFs, hiring assessments, and other events where you might not want the participants to have all the range details. However, in other cases, it's likely you'll want them to have some details about the range or event.
To support this scenario, we've made it easy to create separate documentation for Admin users. Whilst editing the Readme documentation, select the readme/Admin readme radio button to automatically create separate pages for your individual users and Admins which you can maintain with different range information. This allows you to target your users with the documentation that is relevant to them. You could of course choose to not split your documentation up; in this case, you'll have a single readme for all your users.
Uploading Documentation Files
In some cases, specific files are better suited for pieces of the range documentation. For instance, if you are building a training environment which already has a set of PowerPoint slides, you might want to upload the slides and associate them with your range template.
To upload a standalone file, navigate to the Files tab and provide a Document Name, Document Description, and then Choose File. You can also choose to allow students to access these files or reserve them for range administrators.