Building a “Mini” Cyber Security Lab — SOC (IDS/IPS, SIEM, and Firewall)

Martin Faller
5 min read · Dec 21, 2020
Image from Logsign

Cyber Security is an umbrella term that comprises many subcategories, each with subcategories of its own. This lab setup focuses on the technical side of both the offensive and the defensive side of Cyber Security: we are going to build a virtualized SOC environment in VMware to detect the attacks we simulate from our Kali machine. VMware is virtualization software on which we can deploy and manage these virtual machines; think of it as building a computer inside a computer. This was the project I decided to do for my Cyber Attack and Defend class; I got great feedback from my professor, so why not put it out there.

SOC Lab — Diagram

What you’ll need:

· VMware Workstation — https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html

· PFsense Firewall — https://www.pfsense.org/download/

· Security Onion IDS/IPS and SIEM — https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

· Kali Linux — https://www.kali.org/downloads/

· Metasploitable 2 — https://sourceforge.net/projects/metasploitable/

Installation and configuration:

Installing VMware is a straightforward process, so let's go ahead and proceed with our firewall.

Here are the PFsense firewall settings I had; ensure you have the same networking settings to avoid errors. CPU, RAM and hard disk settings will vary depending on your system capacity.

PFsense Configuration

Once you've successfully installed PFsense, you will land on this interface, where we are going to set up our network interfaces and the IP ranges for our machines.

Select option 1 and assign these interfaces to your network cards.

Now that the network interfaces are set, let's assign the IP range for each of these interfaces.

Set interface(s) IP address options
Enable DHCP Server for Attacker Interface
Enable DHCP Server for Victim Interface

Now that our firewall is good to go, let's proceed with Security Onion, which will be our IDS and SIEM.

Security Onion Configuration

Once you’ve powered on Security Onion, follow these steps to install the security applications (Kibana, Zeek, Snort, Suricata, Elasticsearch and much more).

Setup Configuration

Now that our IDS and SIEM are up, let's set up our Kali (attacker) machine.

Kali Configuration

Now that our Kali machine is all set and ready, let's set up our vulnerable target machine, on which we'll simulate and practice attacks.

We will be using Metasploitable 2 as our target machine. Metasploitable 2 is an intentionally vulnerable Linux box built so that cyber security professionals can practice penetration testing techniques. Installing Metasploitable 2 is a straightforward process: just power it on and your target is ready.

Metasploitable 2 Configuration
msfadmin :: msfadmin

Alright, now that our environment is set up, let's try to simulate a simple FTP backdoor exploit and see if our IDS picks it up.

Attack simulation:

As a SOC Analyst, what's the first thing you would do if you saw these kinds of logs in your SIEM? Re-image or segment the compromised machine, then create a firewall rule to block that source IP and call it a day?

Prior to doing this project, I did not know how loud an Nmap scan was. I wonder how penetration testers do their reconnaissance for their clients’ network.
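As an added example (not part of the original post), here is a small Python detector for the kind of Nmap noise mentioned above, run over constructed Zeek conn.log lines of the type Security Onion's Zeek sensor records; the IPs, thresholds and sample flows are assumptions, not values from the lab.

```python
"""Port-scan detector over constructed Zeek conn.log lines (added example).

Zeek writes one conn.log line per flow. An Nmap scan shows up as one source
touching many distinct destination ports in a short window, often with
rejected or unanswered states (REJ, S0). Thresholds and IPs are assumptions."""
from collections import defaultdict

# Constructed sample: a #fields header plus a few tab-separated flows.
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1608500000.10\t192.168.10.50\t41000\t192.168.20.10\t21\ttcp\tSF
1608500000.11\t192.168.10.50\t41001\t192.168.20.10\t22\ttcp\tSF
1608500000.12\t192.168.10.50\t41002\t192.168.20.10\t23\ttcp\tSF
1608500000.13\t192.168.10.50\t41003\t192.168.20.10\t25\ttcp\tREJ
1608500000.14\t192.168.10.50\t41004\t192.168.20.10\t80\ttcp\tSF
1608500000.15\t192.168.10.50\t41005\t192.168.20.10\t135\ttcp\tS0
1608500000.16\t192.168.10.50\t41006\t192.168.20.10\t139\ttcp\tSF
1608500000.17\t192.168.10.50\t41007\t192.168.20.10\t443\ttcp\tREJ
1608500060.00\t192.168.20.10\t51000\t192.168.20.1\t53\tudp\tSF
"""

def parse_conn_log(text):
    """Yield one dict per flow, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_scanners(text, min_ports=5, window=10.0):
    """Return {orig_h: sorted distinct resp ports} for every source that hit
    at least min_ports distinct destination ports within `window` seconds."""
    seen = defaultdict(list)  # orig_h -> [(ts, resp_p), ...]
    for rec in parse_conn_log(text):
        seen[rec["id.orig_h"]].append((float(rec["ts"]), int(rec["id.resp_p"])))
    hits = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_CONN_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

Feeding it a real conn.log from the sensor instead of the constructed string is a matter of reading the file into `find_scanners`; the threshold is deliberately low for a lab and would be tuned against normal traffic in production.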

Image from InspiredElearning

I am planning to extend this setup. I was thinking of trying to mimic an enterprise Active Directory network on our Victim Interface, get rid of the Attacker Interface, and simulate a social engineering backdoor attack to see if the IDS picks it up.

Credits:

This lab would not have been possible without the video resources provided by Howard from IT Security Labs. I initially tried to do the setup he had but realized it was sort of resource intensive. I highly recommend checking out his YouTube channel: https://www.youtube.com/channel/UCXPdZsu8g1nKerd-o5A75vA
