Building Your Blue Team Lab with free and inexpensive tools and equipment
Bucks County Community College: Focus on Security, 7 October 2016
George Frazier, M. Ed., CISSP, GSNA
Introductory Pen Test Lab
NMAP Scans
Center for Internet Security—Controls for Effective Cyber Defense
20 Critical Security Controls (CSC)
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
• https://www.cisecurity.org/critical-controls/Library.cfm
Elements of a Blue Team Lab
• NTP
• Syslog
• Netflow
• IDS
• Web Proxy
• SNMP
• Log Analysis
• SIEM
Elements of a Blue Team Lab
• NTP
  • Configure NTP on all devices to sync with two local NTP servers
  • Configure time on all devices for UTC (Coordinated Universal Time)
• Syslog
  • Rsyslog installed by default on Ubuntu Server
• IDS
  • Security Onion or (OSSIM)
• Netflow
  • Nfdump and Splunk
  • (Graylog)
  • (OSSIM)
Prerequisite Skills or New Skills
• Familiar with Linux
• Familiar with IP, TCP and UDP
• Burn install disc or create bootable USB from .iso file
• Install Ubuntu Server (or distro of your choice)
• Configure Linux from CLI
• Edit files using Vi or other text editor
• Remote Access to Ubuntu Server via OpenSSH and PuTTY
• Google is your friend
Virtualization: Bare-Metal vs Hosted Hypervisor
Bare Metal (Type 1)
• VMware ESXi
• Microsoft Hyper-V
Hosted (Type 2)
• VMware Fusion
• VMware Player
• VMware Workstation
• Oracle VirtualBox
Work Cited: https://en.wikipedia.org/wiki/Hypervisor
VMware Workstation 12.5
• Hosted Hypervisor
• VMware Workstation 12.5 Player $150 (Free for Personal Use)
• VMware Workstation 12.5 Pro $250 (Necessary to run more than one VM at a time.)
Oracle VirtualBox
• Hosted Hypervisor
• Reasonably powerful x86 hardware. Any recent Intel or AMD processor should do.
• RAM - 512 MB
• Hard Drive - 30 MB
Ubuntu Server 14.04 LTS
• http://releases.ubuntu.com/trusty/
• Select ubuntu-14.04.4-server-amd64.iso
• Server (Standard): CPU 1 gigahertz, RAM 512 megabytes, Hard Drive 1 gigabyte
Start with a Firewall
pfSense Firewall
• Minimum
• CPU - 500 MHz
• RAM - 256 MB
• Recommended
• CPU - 1 GHz
• RAM - 1 GB
Basic Blue Team Lab
NTP Server
Desktop: TP-Link TG-3468 NIC or Laptop: StarTech USB to Dual Gigabit NIC
Syslog Server
TP-Link TG-3468 10/100/1000 Mbps PCI-Express Network Adapter
• Amazon - $18.00
StarTech.com USB to Dual Gigabit Ethernet Adapter
• Amazon - $53.00
pfSense Firewall
Blue Team Lab: Defend Your Website 1
Metasploitable 2
pfSense Firewall—Three NICs
VirtualBox—Two NICs
NTP Server
Syslog Server
Blue Team Lab: Defend Your Website 1
Metasploitable 2
Ubiquiti EdgeRouter X
VirtualBox—Two NICs
NTP Server
Syslog Server
Ubiquiti EdgeRouter X
• Newegg - $49.00
• Syslog and Netflow
• Understanding of Routing
Blue Team Lab: Defend Your Website 2
Wireshark / tcpdump
D-Link DGS-1100-05
VirtualBox—Three NICs
SPAN Port
Metasploitable 2
NTP Server
Syslog Server
D-Link DGS-1100-05
• Newegg - $36.00
• SPAN Port—Switched Port ANalyzer or Port Mirroring
Blue Team Lab: Defend Your Crown Jewels 1
NTP Server
Syslog Server
Crown Jewels
D-Link DGS-1100-05
SPAN Port
Wireshark / tcpdump
Blue Team Lab: Defend Your Crown Jewels 2
NTP Server
Syslog Server
Two NICs: Management and Capture
D-Link DGS-1100-05
SPAN Port
Crown Jewels
Security Onion IDS
• Minimum Two NICs
• Minimum 3 GB RAM (more is better)
• https://securityonion.net/
• https://github.com/Security-Onion-Solutions
Netflow: Session Data
Blue Team Lab: Netflow
VirtualBox—One NIC
NTP Server
Syslog Server
Netflow
Splunk
softflowd
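Added example, not from the slides: a decoder for NetFlow v5 export datagrams, the format softflowd emits unless told otherwise and the one nfdump and Splunk ingest in this lab. It shows what session data a flow record actually carries (5-tuple, byte and packet counts, TCP flags, duration) and aggregates the largest conversations; the sample export and its addresses are constructed.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout: a 24-byte header followed by up to 30 fixed-size 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sysuptime, unix_secs, unix_nsecs, seq, engine type/id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_netflow_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not match datagram length" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "duration_ms": f[8] - f[7],        # 'last' minus 'first' sysuptime, in ms
                      "sport": f[9], "dport": f[10], "tcp_flags": f[11],
                      "proto": PROTO.get(f[12], str(f[12]))})
    return {"count": count, "unix_secs": secs, "flow_sequence": seq, "sampling": sampling}, flows

def top_talkers(flows, n=5):
    """Aggregate bytes per (src, dst, dport, proto) and return the n largest conversations."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["dport"], f["proto"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def _record(src, dst, pkts, octets, first, last, sport, dport, flags, proto):
    """Pack one constructed v5 record (next hop, interfaces, AS numbers and masks zeroed)."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0", 0, 0, pkts,
                       octets, first, last, sport, dport, flags, proto, 0, 0, 0, 0, 0)

# Constructed sample export: two TCP sessions from a lab host to the web server (hypothetical IPs).
SAMPLE = (HEADER.pack(5, 2, 120000, 1475841600, 0, 1, 0, 0, 0)
          + _record("192.168.10.50", "192.168.20.10", 40, 51200, 100000, 104500, 49152, 80, 0x1b, 6)
          + _record("192.168.10.50", "192.168.20.10", 3, 180, 110000, 110000, 53211, 22, 0x02, 6))

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE)
    print("export at unix_secs=%d with %d flows" % (hdr["unix_secs"], hdr["count"]))
    for (src, dst, dport, proto), nbytes in top_talkers(flows):
        print("%s -> %s:%d/%s  %d bytes" % (src, dst, dport, proto, nbytes))
```

Point a UDP socket bound to the collector port softflowd exports to at `parse_netflow_v5` and the same records nfdump stores become visible without any third-party tooling.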
Books
• The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich
• Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan by Brandon Enright, Jeff Bollinger, and Matthew Valites
• Applied Network Security Monitoring: Collection, Detection, and Analysis by William B Sander
Papers and other Resources
Questions?