Building a Threat Hunting Lab (Part 1): Intro and Setting up the networking environment

I was charged by my work with building a basic threat hunting lab to teach Cyber Security Analysts how to better support Network Defenders and Incident Response Teams. This isn't something that I normally do, but they didn't have anyone to do it, and I'm the only person at my job who has a GCFH, so it came to me. But I'm never one to shy away from a challenge and figured this would be both a good learning experience and a Google series of blog posts.

This series of blogs is going to cover setting up and configuring each VM for this and lessons learned as I went through the set up. 

Setting up the environment:


For this lab I'm required to build it in Virtualbox. Itd be easier in VMware or vSphere (yes I know that's still VMware) but I don't have that option. Fortunately VirtualBox has come a long way in recent years and should be more than capable of doing what I need. I'd never done VM networking in VirtualBox before so I had some learning to do.  What I didn't understand originally is that by default VirtualBox vms with NAT enabled will establish individual connections to the Host and not be able to communicate laterally.  This is useful for security but not for when making a network. I needed a NAT network.  In VirtualBox's preferences page there is an option to create a network subnet. The subnet I created was 10.0.2.0/24 and named Find Evil.  Yes this is technically a Class A network and I could have gone with a /8 CIDR but that was far more IP address space than I actually needed.  On each VM I would then set their network setting to NAT Network Find Evil.  This allowed each VM to connect to each other and the the Wider Internet for downloading tools.  I don't exactly want them to reach the wide open internet but I'll fix that later.  

Some of you may be asking why I'm using NAT networking and not Internal or Host Only which are both fair options but I'll explain why I chose what I did. 

Host only is great because it allows networking without connection to the Internet.  When the lab is finalized it will end with Host Only but while I was building I didn't want to use it because it didn't have a network interface so trying to capture packets in Wireshark didn't work. 

Internal networking seemed to have issues everytime I tried to get it to work at all.  It would boot them it never had an IPv4 address.  Well it did, but it was the 169 address that you get when it fails to receive an IP from the DHCP server.  I was able to fix this later by going back into VirtualBox's preferences and enabling the DHCP server, but to little to late. 

Now that the basics of the network are established let's build the first VM. Surprisingly the first VM isn't actually going to be the Windows 7 VM.  



Comments

Post a Comment

Popular posts from this blog

Fingbox Review: Simply not worth it.

Image
I'd like to open an honest public discourse on the Fingbox. First off I'd like to say that this isn't meant to be an attack on the product or the company. I actually really like the Fingbox but the marketing advertises a Corvette when the product is more of a Honda. I've been doing Network security and Forensics for a little over 7 years so the idea of a device like the Fingbox excited me; however, after having a Fingbox for a little while I'm ultimately disappointed. The bottom line up front: spend your $150 on an Asus RT-86U instead. You'll get 99% of the features and a powerful router with a Network intrusion prevention system built in. Devices Tab I'm going to go in order of the app when discussion its features. So up first is the network scan. I actually really like this scan and subsequent list in the app. It's clean, it's easy to read and search. Clicking on devices allows you to see some basic information about
Read more

Cypherpunk: A VPN review

Image
Those of you who know me know that I am a major advocate of VPNs. I think they're great security tools for keeping your public IP address less public. They're similar to a PO box in the sense that you give out that address instead of your actual home address, ideally making it less likely someone unwanted will show up at your front door. VPNs have many practical security applications. First and foremost they protect your information from prying eyes when you're using public Wi-Fi, but a lot of them also provide added features like DNS adblocking, Malware domain blocking, and IPv6 prevention. For this review, I'll be comparing the Cypherpunk to an industry standard Private Internet Access (PIA).  Right off the bat, you can see that Cypherpunk is very stylized. It certainly goes for the look of cyber. It's a simple button press to activate the VPN. Then you get this stylized graphic showing ciphertext moving across the screen. There are 35 ser
Read more

Simple Security: Moderate Difficulty Setup

A few days ago I posted Simple Security: The basics  to cover a few easy and cheap ways to ways to help secure your Windows environment. Today I am planning on going a step further and covering some more advanced techniques to help secure your environment. Given that this is a moderate set up I am going to be trying to keep things as cheap as possible.  On my advanced guide I will be talking about expensive high-quality security solutions like Cisco ASA, SonicWall, Pallo Alto, ESXI, Domain Controllers, enterprise level malware protection like SideWinder, VM servers, and Splunk. In today's guide I will be discussing how to set up tools like Host Level Intrusion Detection Systems (HIDS), Network Level IDS (NIDS),  System Information and Event Management servers, and Smart Firewalls.  I'll also talk about ways to automatically aggregate data from opensource intelligence (OSINT) and using that to feed the analysis systems that will be helping to protect your network. First, l
Read more