![Page 1: Building Your Blue Team Lab...Building Your Blue Team Lab with free and inexpensive tools and equipment Bucks County Community College: Focus on Security 7 October 2016 George Frazier,](https://reader034.vdocuments.us/reader034/viewer/2022042605/5f51b47edd91094cbe0a92e4/html5/thumbnails/1.jpg)
Building Your Blue Team Lab with free and inexpensive tools and equipment
Bucks County Community College: Focus on Security, 7 October 2016
George Frazier, M. Ed., CISSP, GSNA
Introductory Pen Test Lab
NMAP Scans
Center for Internet Security—Controls for Effective Cyber Defense
20 Critical Security Controls (CSC)
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
• https://www.cisecurity.org/critical-controls/Library.cfm
Elements of a Blue Team Lab
• NTP
• Syslog
• Netflow
• IDS
• Web Proxy
• SNMP
• Log Analysis
• SIEM
Elements of a Blue Team Lab
• NTP
  • Configure NTP on all devices to sync with two local NTP servers
  • Configure time on all devices for UTC (Coordinated Universal Time)
• Syslog
  • Rsyslog installed by default on Ubuntu Server
• IDS
  • Security Onion or (OSSIM)
• Netflow
  • Nfdump and Splunk
  • (Graylog)
  • (OSSIM)
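The NTP and syslog elements above amount to three small configuration files. The script below is an added example, not from the slides: it writes the Ubuntu 14.04 NTP configuration (UTC zone, two local servers), the rsyslog collector configuration for the Syslog Server VM, and the rsyslog forwarding configuration for every other lab host. The addresses (two NTP servers at 10.0.0.11/12, a collector at 10.0.0.10) are assumptions; the `ROOT` argument lets you generate into a scratch directory and inspect before copying to `/`.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): generate the NTP and rsyslog configuration
# for the lab elements above. ROOT lets you write into a scratch directory first and
# inspect before copying to /. Addresses are assumptions: two lab NTP servers and
# one syslog collector.
NTP1="${NTP1:-10.0.0.11}"
NTP2="${NTP2:-10.0.0.12}"
SYSLOG_SERVER="${SYSLOG_SERVER:-10.0.0.10}"

# Every lab host: clock in UTC, synced to both local NTP servers. Ubuntu 14.04 keeps
# the zone name in /etc/timezone; apply it with: dpkg-reconfigure -f noninteractive tzdata
# Verify sync after restarting ntp with: ntpq -p
write_ntp_conf() {
    root="${1:-}"
    mkdir -p "$root/etc"
    printf 'Etc/UTC\n' > "$root/etc/timezone"
    cat > "$root/etc/ntp.conf" <<EOF
driftfile /var/lib/ntp/ntp.drift
server $NTP1 iburst
server $NTP2 iburst
# Serve time only to the lab and never accept remote control; an open NTP
# server is an amplification source.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# Collector (the "Syslog Server" box): listen on UDP and TCP 514, write one file per
# remote host and program, and stamp lines with RSYSLOG_FileFormat (RFC 3339, with
# year and UTC offset). The traditional default format has neither, which makes
# correlating events across hosts unreliable.
write_rsyslog_server_conf() {
    root="${1:-}"
    mkdir -p "$root/etc/rsyslog.d"
    cat > "$root/etc/rsyslog.d/10-remote.conf" <<'EOF'
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

template(name="RemoteHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="RemoteHost" template="RSYSLOG_FileFormat")
    stop
}
EOF
}

# Every other lab host: forward everything to the collector over TCP with a
# disk-assisted queue, so a collector reboot does not drop events. Plain TCP is
# acceptable inside a closed lab; across anything untrusted use omfwd's TLS
# stream driver instead.
write_rsyslog_client_conf() {
    root="${1:-}"
    mkdir -p "$root/etc/rsyslog.d"
    cat > "$root/etc/rsyslog.d/50-forward.conf" <<EOF
\$ActionFileDefaultTemplate RSYSLOG_FileFormat
action(type="omfwd" target="$SYSLOG_SERVER" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_syslog"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Offline syntax check of a generated rsyslog file (skipped where rsyslogd is absent);
# apply afterwards with: service rsyslog restart
check_rsyslog_conf() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not installed; skipping check" >&2; return 0; }
    rsyslogd -N1 -f "$1"
}
```

Run it as `write_ntp_conf /tmp/lab && write_rsyslog_server_conf /tmp/lab` on the collector (only the client function on the other hosts), check the result with `check_rsyslog_conf /tmp/lab/etc/rsyslog.d/10-remote.conf`, then copy under `/etc`. The `RSYSLOG_FileFormat` choice is the practical half of the UTC slide point: with the traditional format a line from a host in the wrong zone is indistinguishable from a correctly stamped one.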
Prerequisites Skills or New Skills
• Familiar with Linux
• Familiar with IP, TCP and UDP
• Burn install disc or create bootable USB from .iso file
• Install Ubuntu Server (or distro of your choice)
• Configure Linux from CLI
• Edit files using Vi or other text editor
• Remote Access to Ubuntu Server via OpenSSH and PuTTY
• Google is your friend
Virtualization: Bare-Metal vs Hosted Hypervisor
Bare Metal (Type 1)
• VMware ESXi
• Microsoft Hyper-V
Hosted (Type 2)
• VMware Fusion
• VMware Player
• VMware Workstation
• Oracle VirtualBox
Work Cited: https://en.wikipedia.org/wiki/Hypervisor
VMWare Workstation 12.5
• Hosted Hypervisor
• VMware Workstation 12.5 Player $150 (Free for Personal Use)
• VMware Workstation 12.5 Pro $250 (Necessary to run more than one VM at a time.)
Oracle VirtualBox
• Hosted Hypervisor
• Reasonably powerful x86 hardware. Any recent Intel or AMD processor should do.
• RAM - 512 MB (for VirtualBox itself; every guest VM needs its own RAM on top of this)
• Hard Drive - 30 MB (for the VirtualBox installation; guest disk images are separate and far larger)
Ubuntu Server 14.04 LTS
• http://releases.ubuntu.com/trusty/
• Select ubuntu-14.04.4-server-amd64.iso
• Server (Standard) minimum: 1 GHz CPU, 512 MB RAM, 1 GB disk
Start with a Firewall
pfSense Firewall
• Minimum
• CPU - 500 Mhz
• RAM - 256 MB
• Recommended
• CPU - 1 Ghz
• RAM - 1 GB
Basic Blue Team Lab
NTP Server
Desktop: TP-Link TG-3468 NIC or Laptop: StarTech USB to Dual Gigabit NIC
Syslog Server
TP-Link TG-3468 10/100/1000 Mbps PCI-Express Network Adapter
• Amazon-$18.00
StarTech.com USB to Dual Gigabit Ethernet Adapter
• Amazon-$53.00
pfSense Firewall
Blue Team Lab: Defend Your Website 1
Metasploitable 2
pfSense Firewall—Three NICs
VirtualBox—Two NICs
NTP Server
Syslog Server
Blue Team Lab: Defend Your Website 1
Metasploitable 2
Ubiquiti EdgeRouter X
VirtualBox—Two NICs
NTP Server
Syslog Server
Ubiquiti EdgeRouter X
• Newegg-$49.00
• Syslog and Netflow
• Understanding of Routing
Blue Team Lab: Defend Your Website 2
Wireshark / tcpdump
D-Link DGS-1100-05
VirtualBox—Three NICs
SPAN Port
Metasploitable 2
NTP Server
Syslog Server
D-Link DGS-1100-05
• Newegg $36.00
• SPAN Port—Switched Port ANalyzer, also called Port Mirroring: the switch copies traffic from the chosen ports to the port where the sensor listens
Blue Team Lab: Defend Your Crown Jewels 1
NTP Server
Syslog Server
Crown Jewels
D-Link DGS-1100-05
SPAN Port
Wireshark / tcpdump
Blue Team Lab: Defend Your Crown Jewels 2
NTP Server
Syslog Server
Two NICs: Management and Capture
D-Link DGS-1100-05
SPAN Port
Crown Jewels
Security Onion IDS
• Minimum Two NICs
• Minimum 3 GB RAM (more is better)
• https://securityonion.net/
• https://github.com/Security-Onion-Solutions
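The "two NICs: management and capture" layout from the Crown Jewels slides and the Security Onion requirements above hinges on how the capture NIC is brought up. The script below is an added example, not from the slides or from the Security Onion project: it appends an Ubuntu 14.04 `/etc/network/interfaces` stanza for a capture NIC with no IP address, promiscuous mode, ARP off and NIC offloading disabled, and gives two checks that the SPAN feed is actually arriving. The interface name `eth1` and the `/var/pcap` directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the slides or the Security Onion project): prepare the
# second, "capture" NIC that the switch's SPAN port feeds. The interface name is an
# assumption; the management NIC keeps its address, the capture NIC gets none.
CAPTURE_IF="${CAPTURE_IF:-eth1}"

# Ubuntu 14.04 /etc/network/interfaces stanza for the capture NIC: no IP address
# (inet manual), promiscuous so mirrored frames for other hosts are accepted, ARP
# off so the sensor never speaks on the mirror segment, and NIC offloading disabled
# so the sniffer sees frames as they were on the wire rather than kernel-merged
# super-frames that confuse IDS reassembly and byte counts. ifupdown sets $IFACE.
write_capture_stanza() {
    root="${1:-}"
    mkdir -p "$root/etc/network"
    cat >> "$root/etc/network/interfaces" <<EOF

auto $CAPTURE_IF
iface $CAPTURE_IF inet manual
    up ip link set dev \$IFACE arp off promisc on up
    up ethtool -K \$IFACE gro off lro off tso off gso off rx off tx off sg off
    down ip link set dev \$IFACE promisc off down
EOF
}

# Text filter over the output of `ip -4 -o addr show dev <if>`: succeeds if the
# interface carries an IPv4 address, which a capture NIC must not.
has_ipv4() {
    printf '%s\n' "$1" | grep -q ' inet [0-9]'
}

# Live check of the mirror: warn if the capture NIC still has an address, then
# read 20 frames. -p stops tcpdump toggling promisc itself, so the interface is
# tested as configured; -e shows MAC addresses, which should belong to other hosts.
check_capture_if() {
    ifc="${1:-$CAPTURE_IF}"
    if has_ipv4 "$(ip -4 -o addr show dev "$ifc")"; then
        echo "warning: $ifc has an IPv4 address; remove it (ip addr flush dev $ifc)" >&2
    fi
    timeout 10 tcpdump -p -nn -e -i "$ifc" -c 20
}

# Rolling hourly pcaps for later Wireshark review (needs a writable /var/pcap).
start_rolling_capture() {
    mkdir -p /var/pcap
    tcpdump -p -nn -s 0 -i "$CAPTURE_IF" -G 3600 -w '/var/pcap/%Y%m%d-%H%M%S.pcap'
}
```

After `ifup eth1`, `check_capture_if` should print frames between the Crown Jewels host and its clients even though the sensor is party to none of them; if it prints only broadcast traffic, the switch's mirror source ports are wrong. If it shows a warning, the NIC got an address from DHCP and the stanza was not applied.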
Netflow: Session Data
Blue Team Lab: Netflow
VirtualBox—One NIC
NTP Server
Syslog Server
Netflow
Splunk
softflowd
Books
• The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich
• Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan by Brandon Enright, Jeff Bollinger, and Matthew Valites
• Applied Network Security Monitoring: Collection, Detection, and Analysis by Chris Sanders and Jason Smith
Questions?