Author: Joel Panther
Panther, Joel, 2023 Labrandor – A framework for guiding the development of dynamically generated penetration testing laboratories, Flinders University, College of Science and Engineering
Terms of Use: This electronic version is (or will be) made publicly available by Flinders University in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. You may use this material for uses permitted under the Copyright Act 1968. If you are the owner of any included third party copyright material and/or you believe that any material has been made available without permission of the copyright owner please contact copyright@flinders.edu.au with the details.
There is a global skills shortage in cybersecurity. The International Information System Security Certification Consortium estimated that as of 2022, there are over 3.4 million unfilled cybersecurity positions globally. This poses significant economic and national security risks.
Education and skills development are crucial to training people to fill these roles. Current training tools targeted at developing skills in penetration testing consist of various implementations, including purpose-built laboratories, capture-the-flag challenges, and interactive web applications. These laboratories, challenges, and applications take the form of computer systems that intentionally contain security vulnerabilities, with the expectation that the learner will develop their skills while identifying and exploiting these vulnerabilities.
However, while these tools are helpful, they tend to be static scenarios or exercises. Like a Sudoku or crossword puzzle, after the exercise has been completed, the puzzle itself does not change; it remains the same. The issue is that upon repeating the same exercise or puzzle, the learner stops developing the skills associated with solving the exercise and instead completes the puzzle based on their memory of how the puzzle was previously solved. This forces anyone looking to further develop their skills in identifying and exploiting vulnerabilities to continuously search for new exercises.
This research provides an educational and skills development solution to sit alongside existing cybersecurity training resources, specifically focused on penetration testing, which addresses the repeatability and reusability problem found in typical training penetration test laboratories. By addressing these gaps, emerging penetration testers and established offensive security specialists will have increased accessibility and variety of training environments, allowing for expedited skills development.
This solution – a framework named Labrandor – has been developed using the design science research methodology. This novel framework guides the development of dynamically generated penetration testing laboratories. A dynamic laboratory can be provisioned based on a set of randomisable modules, terminated, and then re-provisioned with an entirely different set of modules. This process generates a unique laboratory for practising specific penetration testing skills based on attributes that change depending on the pool of compatible or desirable modules.
The Labrandor framework includes the methods for identifying potential randomisation module category candidates for a dynamic laboratory, predominantly derived from computer system components. This allows developers of dynamic laboratory generation platforms to understand what parts of a system can be randomised through module categories and define the constraints and requirements of these categories. The framework includes guidance for how to develop modules within the module categories.
This research demonstrates the feasibility and potential for developing dynamically changing penetration testing laboratories to create new educational and training material for individuals, researchers, and industry. These types of laboratories would be complementary to the body of educational resources and knowledge that is currently available and creates an innovative method for the development of on-demand skills testing. Educational institutions and industry would be able to rapidly deploy new laboratories for their learners and staff on demand. By using dynamically generated laboratories, emerging penetration testers would have better access to a wider variety of laboratories, improving their knowledge, and developing their penetration testing skills.
Keywords: offensive security, information security, education, cybersecurity, randomisation, penetration test, laboratory, cyber range, framework
Subject: Computer Science thesis
Thesis type: Doctor of Philosophy
Completed: 2023
School: College of Science and Engineering
Supervisor: Professor Trish Williams