Building Your Blue Team Lab with free and inexpensive tools and equipment
Bucks County Community College: Focus on Security, 7 October 2016
George Frazier, M. Ed., CISSP, GSNA
Introductory Pen Test Lab
NMAP Scans
Center for Internet Security—Controls for Effective Cyber Defense
20 Critical Security Controls (CSC)
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
• https://www.cisecurity.org/critical-controls/Library.cfm
Elements of a Blue Team Lab
• NTP
• Syslog
• Netflow
• IDS
• Web Proxy
• SNMP
• Log Analysis
• SIEM
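The "Log Analysis" element is where the collected syslog pays off. What follows is an added example, not from the talk: a POSIX shell script that counts failed SSH logins per source address from sshd syslog lines and flags any source above a threshold, the kind of check a lab syslog server or SIEM runs continuously. The log lines are constructed sample data; the host name web1 and the addresses are assumed.

```shell
#!/bin/sh
# Added example (not from the slides): failed-SSH-login analysis over syslog lines.
# SAMPLE_AUTH_LOG is constructed test data in the format sshd writes to auth.log.

SAMPLE_AUTH_LOG='Oct  7 09:12:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Oct  7 09:12:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Oct  7 09:12:05 web1 sshd[2233]: Failed password for root from 203.0.113.5 port 41024 ssh2
Oct  7 09:12:09 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 41025 ssh2
Oct  7 09:12:14 web1 sshd[2237]: Accepted publickey for george from 192.0.2.10 port 50122 ssh2
Oct  7 09:13:40 web1 sshd[2240]: Failed password for george from 192.0.2.10 port 50130 ssh2
Oct  7 09:13:44 web1 sshd[2240]: Accepted password for george from 192.0.2.10 port 50130 ssh2'

# failed_by_source: read syslog lines on stdin, print "count ip" per source,
# most failures first. Only sshd "Failed password" events are counted; the
# source address is the token after "from", which handles both the
# "invalid user" and the known-user message forms.
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++ }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# brute_force_sources THRESHOLD: print only the addresses whose failure count
# reaches THRESHOLD, one per line, for feeding a block list or an alert.
brute_force_sources() {
    threshold="$1"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

On the collector, point it at the real data instead of the sample, for example `failed_by_source < /var/log/auth.log` on a single host, or `cat /var/log/remote/*/sshd.log | failed_by_source` once rsyslog files remote logs per host. The threshold is per file, not per time window; add a window (by reading only the last N minutes) before treating the output as an alert.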
Elements of a Blue Team Lab
• NTP
  • Configure NTP on all devices to sync with two local NTP servers
  • Configure time on all devices for UTC (Coordinated Universal Time)
• Syslog
  • Rsyslog installed by default on Ubuntu Server
• IDS
  • Security Onion or (OSSIM)
• Netflow
  • Nfdump and Splunk
  • (Graylog)
  • (OSSIM)
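Added example, not from the slides: shell functions that render the NTP and rsyslog configuration the bullets above call for (two local NTP servers with iburst, servers that answer only the lab subnet, UTC on every host, rsyslog forwarding over TCP with an on-disk queue, and a collector that files logs per source host). The addresses 10.0.0.11 and 10.0.0.12 (NTP servers), 10.0.0.20 (syslog collector) and the 10.0.0.0/24 lab network are assumed values. The rsyslog directives use the legacy `$Directive` syntax, which the rsyslog shipped with Ubuntu 14.04 accepts.

```shell
#!/bin/sh
# Added example (not from the slides): render lab NTP and rsyslog configs.
# Addresses below are assumed lab values; change them to match your network.

NTP1=10.0.0.11            # assumed: first local NTP server
NTP2=10.0.0.12            # assumed: second local NTP server
SYSLOG_SERVER=10.0.0.20   # assumed: central rsyslog collector
LAB_NET="10.0.0.0 mask 255.255.255.0"   # assumed: lab subnet, ntpd restrict form

# ntp_client_conf: /etc/ntp.conf for every lab host that is not an NTP server.
ntp_client_conf() {
    cat <<EOF
driftfile /var/lib/ntp/ntp.drift
# Default policy: serve nothing, accept no modification or queries from anyone.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Two local servers so the lab keeps consistent time when one is down.
server $NTP1 iburst
server $NTP2 iburst
EOF
}

# ntp_server_conf: the two local servers sync upstream and answer the lab net only.
ntp_server_conf() {
    cat <<EOF
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Lab hosts may query time, but may not modify the server or set traps.
restrict $LAB_NET nomodify notrap
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
EOF
}

# set_utc: Ubuntu 14.04 (no systemd, so no timedatectl); run as root.
set_utc() {
    echo "Etc/UTC" > /etc/timezone
    dpkg-reconfigure -f noninteractive tzdata
}

# rsyslog_client_conf: forward everything over TCP (@@ = TCP, @ = UDP) and
# queue to disk so events survive a collector outage instead of being dropped.
rsyslog_client_conf() {
    cat <<EOF
# /etc/rsyslog.d/50-forward.conf
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName fwdq
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@$SYSLOG_SERVER:514
EOF
}

# rsyslog_server_conf: listen on UDP and TCP 514 (routers and switches usually
# only speak UDP) and write one file per source host and program.
rsyslog_server_conf() {
    cat <<EOF
# /etc/rsyslog.d/10-collector.conf
\$ModLoad imudp
\$UDPServerRun 514
\$ModLoad imtcp
\$InputTCPServerRun 514
\$template PerHost,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?PerHost
EOF
}

# count_ntp_servers FILE: number of 'server' lines in an ntp.conf (want >= 2).
count_ntp_servers() { grep -c '^server ' "$1"; }

# Stand-alone run: print the four configs.
ntp_client_conf; echo; ntp_server_conf; echo; rsyslog_client_conf; echo; rsyslog_server_conf
```

Redirect each function's output into the file named in its comment, restart ntp and rsyslog, then verify with `ntpq -p` (both local servers should show up with a reachability of 377 after a few minutes) and `logger -t labtest hello` on a client, which should appear under /var/log/remote/<client>/labtest.log on the collector.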
Prerequisite Skills or New Skills
• Familiar with Linux
• Familiar with IP, TCP and UDP
• Burn install disc or create bootable USB from .iso file
• Install Ubuntu Server (or distro of your choice)
• Configure Linux from CLI
• Edit files using Vi or other text editor
• Remote access to Ubuntu Server via OpenSSH and PuTTY
• Google is your friend
Virtualization: Bare-Metal vs Hosted Hypervisor
Bare Metal (Type 1)
• VMware ESXi
• Microsoft Hyper-V
Hosted (Type 2)
• VMware Fusion
• VMware Player
• VMware Workstation
• Oracle VirtualBox
Work Cited: https://en.wikipedia.org/wiki/Hypervisor
VMWare Workstation 12.5
• Hosted Hypervisor
• VMware Workstation 12.5 Player $150 (Free for Personal Use)
• VMware Workstation 12.5 Pro $250 (Necessary to run more than one VM at a time.)
Oracle VirtualBox
• Hosted Hypervisor
• Reasonably powerful x86 hardware. Any recent Intel or AMD processor should do.
• RAM - 512 MB
• Hard Drive - 30 MB (for the VirtualBox installation itself; each guest needs its own virtual disk on top of that)
Ubuntu Server 14.04 LTS
• http://releases.ubuntu.com/trusty/
• Select ubuntu-14.04.4-server-amd64.iso
• Server (Standard): CPU 1 gigahertz, RAM 512 megabytes, Hard Drive 1 gigabyte
Start with a Firewall
pfSense Firewall
• Minimum
  • CPU - 500 MHz
  • RAM - 256 MB
• Recommended
  • CPU - 1 GHz
  • RAM - 1 GB
Basic Blue Team Lab
NTP Server
Desktop: TP-Link TG-3468 NIC or Laptop: StarTech USB to Dual Gigabit NIC
Syslog Server
TP-Link TG-3468 10/100/1000 Mbps PCI-Express Network Adapter
• Amazon-$18.00
StarTech.com USB to Dual Gigabit Ethernet Adapter
• Amazon-$53.00
pfSense Firewall
Blue Team Lab: Defend Your Website 1
Metasploitable 2
pfSense Firewall—Three NICs
VirtualBox—Two NICs
NTP Server
Syslog Server
Blue Team Lab: Defend Your Website 1
Metasploitable 2
Ubiquiti EdgeRouter X
VirtualBox—Two NICs
NTP Server
Syslog Server
Ubiquiti EdgeRouter X
• Newegg-$49.00
• Syslog and Netflow
• Understanding of Routing
Blue Team Lab: Defend Your Website 2
Wireshark / tcpdump
D-Link DGS-1100-05
VirtualBox—Three NICs
SPAN Port
Metasploitable 2
NTP Server
Syslog Server
D-Link DGS-1100-05
• Newegg $36.00
• SPAN Port: Switched Port ANalyzer, or Port Mirroring
Blue Team Lab: Defend Your Crown Jewels 1
NTP Server
Syslog Server
Crown Jewels
D-Link DGS-1100-05
SPAN Port
Wireshark / tcpdump
Blue Team Lab: Defend Your Crown Jewels 2
NTP Server
Syslog Server
Two NICs: Management and Capture
D-Link DGS-1100-05
SPAN Port
Crown Jewels
Security Onion IDS
• Minimum Two NICs
• Minimum 3 GB RAM (more is better)
• https://securityonion.net/
• https://github.com/Security-Onion-Solutions
Netflow: Session Data
Blue Team Lab: Netflow
VirtualBox—One NIC
NTP Server
Syslog Server
Netflow
Splunk
softflowd
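Netflow gives session data rather than full packets, and its value comes from the questions you ask of it. Added example, not from the talk: once softflowd exports flows to nfcapd and nfdump prints them as CSV, these shell functions sum bytes per source address, list flows in which an internal server initiates connections to addresses outside the lab network (a web server such as Metasploitable 2 has no business doing that; a reverse shell looks exactly like this), and find sources that touched many distinct TCP ports on the lab, which is what the NMAP scans from the intro pen test lab produce. The flow records are constructed sample data; the column names follow nfdump's csv output but the sample keeps only the columns it uses, and the script finds columns by header name rather than position. 10.0.0.30 as the server and 10.0.0. as the lab prefix are assumed.

```shell
#!/bin/sh
# Added example (not from the slides): questions to ask of Netflow session data.
#
# Typical collection pipeline on one Ubuntu host (assumed interface eth0):
#   softflowd -i eth0 -n 127.0.0.1:9995 -v 9          # export NetFlow v9
#   nfcapd -w -D -p 9995 -l /var/cache/nfdump          # collect into files
#   nfdump -R /var/cache/nfdump -o csv | bytes_by_src  # feed this script
#
# SAMPLE_FLOWS is constructed test data; the header names follow nfdump's csv
# output (ts,te,td,sa,da,sp,dp,pr,flg,...,ipkt,ibyt) with unused columns dropped.

SAMPLE_FLOWS='ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt
2016-10-07 09:10:01,2016-10-07 09:10:03,2.1,203.0.113.5,10.0.0.30,51122,80,TCP,.AP.SF,12,1840
2016-10-07 09:10:05,2016-10-07 09:10:05,0.3,203.0.113.5,10.0.0.30,51130,22,TCP,....S.,3,180
2016-10-07 09:10:06,2016-10-07 09:10:06,0.0,203.0.113.5,10.0.0.30,51131,21,TCP,....S.,1,60
2016-10-07 09:10:06,2016-10-07 09:10:06,0.0,203.0.113.5,10.0.0.30,51132,23,TCP,....S.,1,60
2016-10-07 09:10:06,2016-10-07 09:10:06,0.0,203.0.113.5,10.0.0.30,51133,445,TCP,....S.,1,60
2016-10-07 09:11:40,2016-10-07 09:31:40,1200.0,10.0.0.30,198.51.100.7,43120,4444,TCP,.AP...,900,61200
2016-10-07 09:12:00,2016-10-07 09:12:00,0.1,10.0.0.30,10.0.0.11,123,123,UDP,......,1,76
2016-10-07 09:12:30,2016-10-07 09:12:31,0.5,192.0.2.10,10.0.0.30,50122,80,TCP,.AP.SF,30,24500'

# bytes_by_src: total bytes sent per source address, largest first.
# (nfdump can do this natively with -s srcip/bytes; shown here so the
# same header-driven parsing serves the two checks below.)
bytes_by_src() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        { bytes[$(col["sa"])] += $(col["ibyt"]) }
        END { for (ip in bytes) printf "%d %s\n", bytes[ip], ip }
    ' | sort -rn
}

# server_egress SERVER_IP LAB_PREFIX: flows where SERVER_IP is the source and
# the destination does not start with LAB_PREFIX, i.e. a server reaching out.
server_egress() {
    server="$1"; lab_prefix="$2"
    awk -F, -v s="$server" -v p="$lab_prefix" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["sa"]) == s && index($(col["da"]), p) != 1 {
            printf "%s %s:%s %s bytes=%s dur=%s\n", $(col["ts"]), $(col["da"]),
                   $(col["dp"]), $(col["pr"]), $(col["ibyt"]), $(col["td"])
        }
    '
}

# port_scanners THRESHOLD: sources that opened TCP flows to at least THRESHOLD
# distinct destination ports; prints "ports ip".
port_scanners() {
    threshold="$1"
    awk -F, -v t="$threshold" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["pr"]) == "TCP" {
            key = $(col["sa"]) SUBSEP $(col["dp"])
            if (!(key in seen)) { seen[key] = 1; ports[$(col["sa"])]++ }
        }
        END { for (ip in ports) if (ports[ip] >= t) printf "%d %s\n", ports[ip], ip }
    ' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_FLOWS" | bytes_by_src
printf '%s\n' "$SAMPLE_FLOWS" | server_egress 10.0.0.30 10.0.0.
printf '%s\n' "$SAMPLE_FLOWS" | port_scanners 5
```

Note what the egress check catches that the byte count alone would not: the server's outbound flow to port 4444 dominates the byte totals here, but on a busy web server it would be buried under legitimate traffic, while "server as source, destination outside the lab" stays rare regardless of volume. The port-scan check counts distinct ports rather than flows, so a single noisy client hammering one port does not trigger it.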
Books
• The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich
• Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan by Brandon Enright, Jeff Bollinger, and Matthew Valites
• Applied Network Security Monitoring: Collection, Detection, and Analysis by Chris Sanders and Jason Smith
Papers and other Resources
Questions?