CYBERSECURITY DETECTION & MONITORING LAB: Part One
INTRODUCTION AND ENVIRONMENT SETUP
Introduction
A home lab is an environment at home that is used to practice and improve your skills in a specific field. This home lab contains components and tools that can be found in enterprise infrastructures, and it is a safe environment in which to work with those components and learn how they behave.
The objective of this 7-part blog series is to serve as a guide to building a digital playground in which cybersecurity enthusiasts can safely simulate attack and defence scenarios.
The idea is to have an environment in which one can practice exploiting network and/or system vulnerabilities, as well as penetration testing concepts such as persistence, remote command and control, and covering your tracks as an attacker.
The environment will also provide a platform on which to practice incident response and threat mitigation techniques.
In this way you can practice both sides of cybersecurity: the penetration testing side and the detection and mitigation side.
High-Level Architectural Overview
The image below shows our lab network topology as it will be hosted in Oracle VM VirtualBox on your local machine.

Let’s look at the technologies used in the lab:
a) pfSense:
pfSense is an open-source firewall and network segmentation platform. It is the backbone of our lab: it sits between the network segments, controlling and monitoring incoming and outgoing traffic according to the configured firewall rules, and it also serves as the gateway router. In this setup, pfSense is accessed and configured through its web console from the Kali Linux VM, since the two are on the same LAN.
NB: pfSense should always be the first VM booted in the lab, as it also acts as the DHCP and DNS server for the virtual machines. Without it, the other machines will not be able to reach the internet.
b) Kali Linux:
The Kali Linux VM will primarily serve as the attack machine, i.e. the point from which all attacks against the victim network will be launched. The Kali VM gives us hands-on practice in offensive security and general penetration testing, and it is from these attacks that we will learn how to mitigate cybersecurity attacks and apply incident response principles.
c) Ubuntu Linux:
The security analyst VM will run the Ubuntu Linux operating system. As the name suggests, it is from this VM that we will detect malicious activity and put in place measures that protect the lab network devices. The security analyst will access the Security Onion IDS through its web interface, and the Splunk instance will be installed here to allow network monitoring and response to suspected malicious activity. Security controls will then be applied from this virtual machine.
d) Security Onion:
Security Onion is an open-source Linux distribution that provides an all-in-one solution for intrusion detection, security monitoring, and log management. It also offers full packet capture (PCAP) and analysis capabilities similar to Wireshark. Security Onion is instrumental in understanding our lab’s network behaviour and in detecting, investigating, and responding to potential security threats.
e) Splunk:
Splunk is a software platform designed for collecting, indexing, searching, analyzing, and monitoring machine-generated logs in real time. In our lab it will be used by the security analyst as a SIEM in which malicious activity (i.e. threats) can be detected and the collected data visualized in reports to provide insight. Splunk will work alongside Security Onion as the tool the security analyst uses to get both a general and a detailed view of network activity.
f) Victim Network:
The victim network is a collection of deliberately vulnerable machines that will be attacked in the controlled lab setup. It consists of a Windows domain environment with an Active Directory server and a Windows 10 client machine. The lab will also include two intentionally vulnerable machines: Damn Vulnerable Web Application (DVWA) from VulnHub and Metasploitable from Rapid7, both of which are safe, purpose-built platforms for penetration testing and security research.
g) SPAN Port:
A SPAN port (also known as a mirror port) is a dedicated network port configured to receive a copy of the traffic passing through other ports. It enhances network visibility by allowing Security Onion to capture a copy of every packet sent to or from the victim network for analysis. It is from this data that our IDS will monitor for and detect unusual traffic, i.e. the attacks launched from the Kali attack VM.
Installation & Setup
System requirements
- 64-bit Windows 10 Operating System.
- Minimum 1.4GHz Intel Pentium or equivalent (2GHz recommended) processor.
- At least 16GB of RAM.
- At least 2.0GB of disk storage.
Prerequisite Downloads:
These are the necessary building blocks we need for the lab. Follow the links to download as per the instructions.
a) VirtualBox:
- Download VirtualBox via the link https://www.virtualbox.org/wiki/Downloads (Be sure to pick the correct download for your OS).
- Run the installer to install VirtualBox on your local machine (i.e. follow the steps of the installation guide, accepting all the defaults).
b) pfSense:
- Download the latest version of pfSense from the link https://www.pfsense.org/download/ and click on Download.
- Select the correct installation image as shown below and click ‘Add to Cart’.

- Then proceed to ‘Go to Cart’ and then ‘Checkout’.
- This will lead to a login screen. ‘Create an account’ or ‘Sign in’, and you will then proceed to the complete order page.
- Fill in the necessary details, then click on ‘Complete Order’.
- You will get the download link for pfSense. Proceed to download the disk image.
- Your download will be a compressed disk image. Use WinRAR or 7-Zip to extract it and obtain the pfSense disk image.
c) Security Onion:
- Download the Security Onion ISO (together with the instructions for verifying it) from the link https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md
d) Kali Linux:
- Download the latest Kali Linux ISO installer image from the link https://www.kali.org/get-kali/#kali-installer-images
e) Ubuntu Desktop:
- Download the latest Ubuntu Desktop ISO installer image from the link https://ubuntu.com/download/desktop
f) Windows 10:
- Download the latest Windows 10 Installation Media Tool from the link https://www.microsoft.com/en-us/software-download/windows10
- Once downloaded, run the Media Creation Tool.
- Read and accept the Licensing Agreement.
- Select the ‘Create installation media (USB flash drive, DVD, or ISO file) for another PC’ option and click Next.
- Use the recommended options for Language, Architecture, and Edition and click next.
- Select ‘ISO File’ as the media to use and click next to download the ISO Image for Windows 10.
g) Windows Server 2019:
- Download the Windows Server 2019 disk image from the link https://www.microsoft.com/en-us/evalcenter/download-windows-server-2019. Make sure you’ve selected the ISO downloads option, English in this case.
h) VulnHub — DVWA:
- Download the DVWA disk image from the link https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/
- Be sure to use the download link highlighted below:

i) Metasploitable:
- Download the Metasploitable Linux VM from the link https://sourceforge.net/projects/metasploitable/
- Unzip the downloaded file to gain access to the virtual machine disk (VMDK) file.
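Every image above is downloaded from a third party and will be booted inside the lab, so its integrity should be confirmed before first boot (the Security Onion link above points at exactly such a verification page). The script below is an added example, not part of the original post: it checks a downloaded image against the SHA-256 value published by the vendor, and can walk a small manifest covering all of the lab images at once. The manifest filenames and hash values shown in the comments are placeholders, not real vendor values.

```shell
#!/bin/sh
# Added example (not from the original post): verify downloaded lab images against
# the SHA-256 sums published by each vendor before booting them in VirtualBox.
# All hash values and filenames in the comments are PLACEHOLDERS.

# verify_iso FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if FILE does not exist.
verify_iso() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 2
    fi
    # sha256sum on Linux; shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_manifest MANIFEST
# MANIFEST holds one "<sha256>  <filename>" line per image (sha256sum format);
# blank lines and lines starting with '#' are ignored.
# Returns 0 only if every listed file is present and matches, otherwise 1.
verify_manifest() {
    manifest="$1"
    failures=0
    while read -r sum name; do
        [ -z "$sum" ] && continue             # skip blank lines
        case "$sum" in "#"*) continue ;; esac # skip comments
        verify_iso "$name" "$sum" || failures=$((failures + 1))
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# Example manifest (constructed; replace the placeholders with the vendors' sums):
#   <sha256-from-pfsense.org>     pfSense-CE-amd64.iso
#   <sha256-from-VERIFY_ISO.md>   securityonion.iso
#   <sha256-from-kali.org>        kali-linux-installer-amd64.iso
# Usage: verify_manifest lab-images.sha256
```

Run the manifest check once after all downloads finish and again if an image is ever re-downloaded; a MISMATCH means the file is corrupt or was not the one the vendor published, and it should not be booted.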

Now that we’ve laid out all the resources we need for our lab, we can proceed to set up and configure them. We begin by installing pfSense, our firewall, in the next episode: part two. Happy learning!