Building a Threat Hunting Lab (Part 1): Intro and Setting up the networking environment
I was charged by my work with building a basic threat hunting lab to teach Cyber Security Analysts how to better support Network Defenders and Incident Response Teams. This isn't something that I normally do, but they didn't have anyone to do it, and I'm the only person at my job who has a GCFH, so it came to me. But I'm never one to shy away from a challenge and figured this would be both a good learning experience and a Google series of blog posts.
This series of blogs is going to cover setting up and configuring each VM for this and lessons learned as I went through the set up.
Setting up the environment:
For this lab I'm required to build it in Virtualbox. Itd be easier in VMware or vSphere (yes I know that's still VMware) but I don't have that option. Fortunately VirtualBox has come a long way in recent years and should be more than capable of doing what I need. I'd never done VM networking in VirtualBox before so I had some learning to do. What I didn't understand originally is that by default VirtualBox vms with NAT enabled will establish individual connections to the Host and not be able to communicate laterally. This is useful for security but not for when making a network. I needed a NAT network. In VirtualBox's preferences page there is an option to create a network subnet. The subnet I created was 10.0.2.0/24 and named Find Evil. Yes this is technically a Class A network and I could have gone with a /8 CIDR but that was far more IP address space than I actually needed. On each VM I would then set their network setting to NAT Network Find Evil. This allowed each VM to connect to each other and the the Wider Internet for downloading tools. I don't exactly want them to reach the wide open internet but I'll fix that later.
Some of you may be asking why I'm using NAT networking and not Internal or Host Only which are both fair options but I'll explain why I chose what I did.
Host only is great because it allows networking without connection to the Internet. When the lab is finalized it will end with Host Only but while I was building I didn't want to use it because it didn't have a network interface so trying to capture packets in Wireshark didn't work.
Internal networking seemed to have issues everytime I tried to get it to work at all. It would boot them it never had an IPv4 address. Well it did, but it was the 169 address that you get when it fails to receive an IP from the DHCP server. I was able to fix this later by going back into VirtualBox's preferences and enabling the DHCP server, but to little to late.
Now that the basics of the network are established let's build the first VM. Surprisingly the first VM isn't actually going to be the Windows 7 VM.
Comments
Post a Comment