Building Your Blue Team Lab with free and inexpensive tools and equipment Bucks County Community College: Focus on Security 7 October 2016 George Frazier, M. Ed., CISSP, GSNA



Page 1

Building Your Blue Team Lab with free and inexpensive tools and equipment

Bucks County Community College: Focus on Security, 7 October 2016

George Frazier, M. Ed., CISSP, GSNA

Page 2

Page 3

Page 4

Page 5

Introductory Pen Test Lab

Page 6

NMAP Scans

Page 7

Center for Internet Security—Controls for Effective Cyber Defense

20 Critical Security Controls (CSC)

• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

• https://www.cisecurity.org/critical-controls/Library.cfm

Page 8

Elements of a Blue Team Lab

• NTP

• Syslog

• Netflow

• IDS

• Web Proxy

• SNMP

• Log Analysis

• SIEM

Page 9

Elements of a Blue Team Lab

• NTP
  • Configure NTP on all devices to sync with two local NTP servers
  • Configure time on all devices for UTC (Coordinated Universal Time)

• Syslog
  • Rsyslog installed by default on Ubuntu Server

• IDS
  • Security Onion or (OSSIM)

• Netflow
  • Nfdump and Splunk
  • (Graylog)
  • (OSSIM)
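The NTP and syslog items above meet at the syslog server: every device's messages land there, and they only line up on one timeline if every device's clock agrees and reports in the same zone. The Python below is an added example, not code from the slides: it decodes the RFC 3164 priority into facility and severity, re-bases each device's wall-clock timestamp to UTC using a table of each device's configured offset (every entry is 0 once all devices are set to UTC, as the slide recommends), and flags hosts whose timestamps disagree with the collector's receive time, which is how a device that never reached the local NTP servers shows up. The message lines, the device table and the receive times are constructed for the example.

```python
"""Central-syslog sanity checks: decode RFC 3164 PRI, normalize device
timestamps to UTC, and flag devices whose clocks disagree with the collector.
Added example; sample messages, device table and receive times are constructed."""
import re
from datetime import datetime, timedelta, timezone

# One RFC 3164 line as received on UDP/514: "<PRI>Mmm dd hh:mm:ss host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed device table: the UTC offset (hours) each device's clock is set to.
# With "configure time on all devices for UTC" every entry here would be 0.
DEVICE_UTC_OFFSET = {"fw1": 0, "web1": -4, "sw1": 0}

# Anything beyond this between the device's timestamp and our receive time is a clock problem.
MAX_SKEW = timedelta(seconds=30)


def parse_syslog(line, received_at):
    """Decode one line; received_at is the collector's own (UTC, NTP-synced) clock."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    facility, severity = FACILITIES[pri >> 3], SEVERITIES[pri & 7]
    host = m["host"]
    # RFC 3164 timestamps carry neither year nor zone: take the year from the collector
    # and re-base the device's wall-clock time using its configured offset.
    ts_text = " ".join(m["ts"].split())          # collapse the day-of-month padding
    naive = datetime.strptime(f"{received_at.year} {ts_text}", "%Y %b %d %H:%M:%S")
    offset = timedelta(hours=DEVICE_UTC_OFFSET.get(host, 0))
    utc_ts = (naive - offset).replace(tzinfo=timezone.utc)
    skew = abs(received_at - utc_ts)
    return {"host": host, "facility": facility, "severity": severity,
            "utc_ts": utc_ts, "skew_s": int(skew.total_seconds()),
            "clock_ok": skew <= MAX_SKEW, "msg": m["msg"]}


# Constructed sample: (line as received, collector receive time in UTC).
# fw1 and sw1 report in UTC, web1 was left on US Eastern (UTC-4 in October).
SAMPLE = [
    ("<34>Oct  7 13:15:02 fw1 sshd[1234]: Failed password for admin from 10.0.0.5 port 51234 ssh2",
     datetime(2016, 10, 7, 13, 15, 3, tzinfo=timezone.utc)),
    ("<30>Oct  7 09:15:05 web1 CRON[88]: (root) CMD (run-parts /etc/cron.hourly)",
     datetime(2016, 10, 7, 13, 15, 6, tzinfo=timezone.utc)),
    ("<14>Oct  7 02:40:11 sw1 link: port 3 up",
     datetime(2016, 10, 7, 13, 15, 7, tzinfo=timezone.utc)),
]


def correlate(sample=SAMPLE):
    """Normalize every message to UTC and order them on one timeline."""
    events = [parse_syslog(line, rx) for line, rx in sample]
    return sorted(events, key=lambda e: e["utc_ts"])


def unsynced_devices(events):
    """Hosts whose timestamps disagree with the collector beyond MAX_SKEW: the usual
    sign that NTP is not configured, or cannot reach the two local NTP servers."""
    return sorted({e["host"] for e in events if not e["clock_ok"]})


if __name__ == "__main__":
    evs = correlate()
    for e in evs:
        note = "" if e["clock_ok"] else f"(clock skew {e['skew_s']}s)"
        print(e["utc_ts"].isoformat(), e["host"], f"{e['facility']}.{e['severity']}", note, e["msg"])
    print("check NTP on:", unsynced_devices(evs))
```

Note that web1's 09:15:05 lands at 13:15:05 UTC, three seconds after fw1's event, only because the table knows its offset; sw1 is ten hours out and is reported as an NTP problem rather than as an event that happened before breakfast.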

Page 10

Prerequisite Skills or New Skills

• Familiar with Linux

• Familiar with IP, TCP and UDP

• Burn install disc or create bootable USB from .iso file

• Install Ubuntu Server (or distro of your choice)

• Configure Linux from CLI

• Edit files using Vi or other text editor

• Remote access to Ubuntu Server via OpenSSH and PuTTY

• Google is your friend

Page 11

Virtualization: Bare-Metal vs Hosted Hypervisor

Bare Metal (Type 1)

• VMware ESXi

• Microsoft Hyper-V

Hosted (Type 2)

• VMware Fusion

• VMware Player

• VMware Workstation

• Oracle VirtualBox

Work Cited: https://en.wikipedia.org/wiki/Hypervisor

Page 12

VMware Workstation 12.5

• Hosted Hypervisor

• VMware Workstation 12.5 Player $150 (Free for Personal Use)

• VMware Workstation 12.5 Pro $250 (Necessary to run more than one VM at a time.)

Page 13

Oracle VirtualBox

• Hosted Hypervisor

• Reasonably powerful x86 hardware. Any recent Intel or AMD processor should do.

• RAM - 512 MB

• Hard Drive - 30 MB

Page 14

Ubuntu Server 14.04 LTS

• http://releases.ubuntu.com/trusty/

• Select ubuntu-14.04.4-server-amd64.iso

• Server (Standard): 1 gigahertz CPU, 512 megabytes RAM, 1 gigabyte hard drive

Page 15

Start with a Firewall

Page 16

pfSense Firewall

• Minimum

• CPU - 500 MHz

• RAM - 256 MB

• Recommended

• CPU - 1 GHz

• RAM - 1 GB

Page 17

Basic Blue Team Lab

NTP Server

Desktop: TP-Link TG-3468 NIC or Laptop: StarTech USB to Dual Gigabit NIC

Syslog Server

Page 18

TP-Link TG-3468 10/100/1000 Mbps PCI-Express Network Adapter

• Amazon: $18.00

Page 19

StarTech.com USB to Dual Gigabit Ethernet Adapter

• Amazon: $53.00

Page 20

pfSense Firewall

Page 21

Blue Team Lab: Defend Your Website 1

Metasploitable 2

pfSense Firewall—Three NICs

VirtualBox—Two NICs

NTP Server

Syslog Server

Page 22

Blue Team Lab: Defend Your Website 1

Metasploitable 2

Ubiquiti EdgeRouter X

VirtualBox—Two NICs

NTP Server

Syslog Server

Page 23

Ubiquiti EdgeRouter X

• Newegg: $49.00

• Syslog and Netflow

• Understanding of Routing

Page 24

Blue Team Lab: Defend Your Website 2

Wireshark / tcpdump

D-Link DGS-1100-05

VirtualBox—Three NICs

SPAN Port

Metasploitable 2

NTP Server

Syslog Server

Page 25

D-Link DGS-1100-05

• Newegg: $36.00

• SPAN Port—Switched Port ANalyzer, or Port Mirroring

Page 26

Blue Team Lab: Defend Your Crown Jewels 1

NTP Server

Syslog Server

Crown Jewels

D-Link DGS-1100-05

SPAN Port

Wireshark / tcpdump

Page 27

Blue Team Lab: Defend Your Crown Jewels 2

NTP Server

Syslog Server

Two NICs: Management and Capture

D-Link DGS-1100-05

SPAN Port

Crown Jewels

Page 28

Security Onion IDS

• Minimum Two NICs

• Minimum 3 GB RAM (more is better)

• https://securityonion.net/

• https://github.com/Security-Onion-Solutions
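The "Two NICs: Management and Capture" layout on the preceding slides only works when the capture NIC on the SPAN port is up, promiscuous, and carries no IP address, while the management NIC does carry one; a sensor that has them the wrong way round captures only its own traffic and may answer to the mirrored segment. The Python below is an added example, not code from the slides or from Security Onion: it reads `ip -o link` and `ip -o -4 addr` output, checks both interfaces, and returns the findings as text. The interface names eth0/eth1 and the `ip` output embedded here are constructed; `live_audit()` runs the same check on a real Linux host.

```python
"""Audit a two-NIC sensor layout (management + capture) from iproute2 output.
Added example; the sample `ip -o link` / `ip -o -4 addr` output is constructed."""
import re
import subprocess

# "2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
LINK_RE = re.compile(r"^\d+: (?P<name>[^:]+): <(?P<flags>[^>]*)>")
# "2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\ ..."
ADDR_RE = re.compile(r"^\d+: (?P<name>\S+)\s+inet (?P<cidr>\S+)")


def parse_links(text):
    """Interface name -> set of link flags."""
    return {m["name"]: set(m["flags"].split(","))
            for m in map(LINK_RE.match, text.splitlines()) if m}


def parse_addrs(text):
    """Interface name -> list of IPv4 CIDRs (interfaces without one are absent)."""
    addrs = {}
    for m in map(ADDR_RE.match, text.splitlines()):
        if m:
            addrs.setdefault(m["name"], []).append(m["cidr"])
    return addrs


def audit_sensor(link_text, addr_text, mgmt, capture):
    """Return a list of findings; an empty list means the layout is as intended."""
    links, addrs = parse_links(link_text), parse_addrs(addr_text)
    findings = []
    for name in (mgmt, capture):
        if name not in links:
            findings.append(f"{name}: interface not found")
    if mgmt in links and not addrs.get(mgmt):
        findings.append(f"{mgmt}: management interface has no IPv4 address")
    if capture in links:
        flags = links[capture]
        if "UP" not in flags:
            findings.append(f"{capture}: capture interface is down")
        if "PROMISC" not in flags:
            findings.append(f"{capture}: not in promiscuous mode; only frames addressed "
                            "to its own MAC will be seen from the SPAN port")
        if addrs.get(capture):
            findings.append(f"{capture}: capture interface has address(es) {addrs[capture]}; "
                            "a capture NIC should be a silent listener with no IP")
    return findings


def live_audit(mgmt, capture):
    """Same check against the running host (Linux with iproute2 installed)."""
    link = subprocess.run(["ip", "-o", "link"], capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "-4", "addr"], capture_output=True, text=True, check=True).stdout
    return audit_sensor(link, addr, mgmt, capture)


# Constructed output of a correctly built sensor: eth0 manages, eth1 listens.
GOOD_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 08:00:27:11:22:33 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 08:00:27:44:55:66 brd ff:ff:ff:ff:ff:ff
"""
GOOD_ADDR = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""
# Constructed output of a common mistake: eth1 was given an address and never set promiscuous.
BAD_LINK = GOOD_LINK.replace("PROMISC,", "")
BAD_ADDR = GOOD_ADDR + "3: eth1    inet 192.168.1.11/24 brd 192.168.1.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"

if __name__ == "__main__":
    for label, (lnk, adr) in {"good": (GOOD_LINK, GOOD_ADDR), "bad": (BAD_LINK, BAD_ADDR)}.items():
        print(label, audit_sensor(lnk, adr, "eth0", "eth1") or ["ok"])
```

Run it once after building the sensor and again after every reboot: tools that put the capture NIC into promiscuous mode at start-up do not survive a network-manager restart that hands the interface an address.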

Page 29

Netflow: Session Data

Page 30

Blue Team Lab: Netflow

VirtualBox—One NIC

NTP Server

Syslog Server

Netflow

Splunk

softflowd
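In the Netflow lab above, softflowd watches the VM's single NIC and exports flow records, and nfdump (or Splunk) receives them over UDP. The Python below is an added example, not code from the slides, softflowd or nfdump: it packs and then decodes a NetFlow v5 export datagram, the format softflowd emits by default, and answers the first two questions asked of session data: who sent the most bytes, and did any exports go missing between exporter and collector (v5's flow_sequence counts flows exported so far, so each packet should start where the previous one ended). The flow tuples, addresses and timestamps are constructed; `pack_v5()` exists only so the example runs offline.

```python
"""Decode NetFlow v5 exports into session data and check for lost exports.
Added example; the export datagram is constructed with pack_v5() below."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout (network byte order): 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def pack_v5(flows, unix_secs=1475846102, seq=0):
    """Build one export datagram from (src, dst, sport, dport, proto, pkts, octets, tcp_flags)
    tuples; this stands in for softflowd so the example needs no network."""
    recs = b""
    for i, (src, dst, sport, dport, proto, pkts, octets, flags) in enumerate(flows):
        recs += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                               0, 0, pkts, octets, 1000 * i, 1000 * i + 500,   # if-index, counters, uptime ms
                               sport, dport, 0, flags, proto, 0, 0, 0, 0, 0, 0)
    hdr = V5_HEADER.pack(5, len(flows), 60000, unix_secs, 0, seq, 0, 0, 0)
    return hdr + recs


def parse_v5(datagram):
    """Return (header dict, list of flow dicts); rejects anything that is not well-formed v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"unsupported NetFlow version {ver}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
                      "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13]})
    header = {"version": ver, "count": count, "unix_secs": secs, "sequence": seq,
              "sampling_interval": sampling & 0x3FFF}
    return header, flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def export_gap(prev_header, header):
    """Flows lost between two consecutive exports from one engine: the next packet's
    flow_sequence should equal the previous sequence plus its record count. Non-zero
    means the UDP exports were dropped somewhere between softflowd and the collector."""
    return header["sequence"] - (prev_header["sequence"] + prev_header["count"])


# Constructed lab traffic: a client, the Metasploitable VM and a DNS query.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.50", 51234, 80, 6, 12, 8400, 0x1b),
    ("192.168.1.20", "192.168.1.50", 51235, 22, 6, 40, 52000, 0x1b),
    ("192.168.1.50", "192.168.1.20", 80, 51234, 6, 10, 120000, 0x1b),
    ("192.168.1.30", "192.168.1.1", 40000, 53, 17, 1, 72, 0),
]
EXPORT = pack_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    hdr, flows = parse_v5(EXPORT)
    print(f"v{hdr['version']} export, {hdr['count']} flows, sequence {hdr['sequence']}")
    for f in flows:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']} {f['bytes']} bytes")
    print("top talkers:", top_talkers(flows))
    print("flows lost before next export:", export_gap(hdr, {"sequence": 9}))
```

Because session data carries no payload, the 120000 bytes from 192.168.1.50 back to the client say nothing about what was served; that is what the SPAN port and Security Onion are for. Netflow's value is breadth: every conversation, cheaply, for as long as you care to keep it.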

Page 31

Books

• The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich

• Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan by Brandon Enright, Jeff Bollinger, and Matthew Valites

• Applied Network Security Monitoring: Collection, Detection, and Analysis by William B. Sanders

Page 32

Papers and other Resources

[email protected]

Page 33

Questions?