For a while now I have been planning to create a lab environment at home. Just something I can play around in, run some malware if needed or test some POCs for exploits.
Well, recently I upgraded my gaming PC. Whole new PC. This left me with an older but perfectly working desktop box. What better way to use it than to turn it into a LAB?
This will be part 1 of a series of posts where I go through setting up the lab environment and why I have chosen to do things the way I have.
This is normally the forgotten or ignored part of setting up a lab environment. I mean, it's a lab, why do you need to plan it, right? Well, I've always wanted whatever lab I set up to be able to run sophisticated malware if need be. Malware like WannaCry, or a scenario where a level 1 operator from an APT actor connects in and digs around. Well, that means that it has requirements.
* It needs to look real.
* Be complicated (because really, what network is simple?)
* Have logging out the wazoo
* be snapshot-able and have rollback capabilities outside the OS
* have a monitored internet connection
These all seem easy, but if we dig into the first requirement we hit our first snag.
These two requirements kind of go hand in hand. For it to look real there needs to be some kind of complexity.
I've been sitting here thinking for weeks on what makes a network look real. What does it need? If an actor were to breach a webserver, how would they know it's real and not a honeypot?
A few things from my experience help. Active Directory. 99% of businesses that run an Active Directory based domain do not have a clean or simple Active Directory structure. So 1… I need a domain based on Active Directory and 2… I need to make it look really messy. Simple, right? Well, we will get to how we do that in a future post (when I've actually made it, remember I'm still planning here :D )
Other devices on the network. What kind of devices would you expect to be on a standard corporate network? And this raises another point… what is the fake company's name/business type?
If the fake company name was Fred and Bob's Gas Supply then I as an intruder would expect to see some kind of Industrial Control System SOMEWHERE in the network. Now it SHOULD NOT be accessible from normal corp assets but… let's be honest, people are lazy and these things get bridged all the time; not the point though. I need to make sure that the network suits the needs of the fake company.
So what I've got at the moment is the following ASCII based diagram:
                         Router
                           |
                           V
                         Switch
                           |
      _____________________|______________________________
      |      |      |      |      |         |            |
     DC    File   Work   Work   Work   Logstack    Webserver
It's a flat network, but I need to balance realness with ease of management/creation.
Yes, Wazoo is the technical term here.
Well, this is fairly easy. Sysmon all the things. The plan is to have an ELK stack that I can throw all the logs at and develop some front end interface to either complement or replace Kibana from a security perspective. Alerting etc. based on the logs feeding into the system. See, this lab isn't just for running malware, it's my development lab too. I have great ambitions for what I can/will develop…. but more on that in a future post ;)
Additionally I will probably put in another linux server at some point which will host a web proxy written by yours truly. These logs will also be pushed off to the ELK instance for review.
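As an added example (not the post's own code, nor anything from the lab described here), this is the shape of a detection pass that could sit behind that alerting layer once Sysmon logs land in the ELK stack: it parses process-creation events as a log shipper would hand them over as JSON lines, runs two simple rules over them, and counts hits per host. The events, hosts, user names and paths are constructed for the example, and the field names assume Sysmon Event ID 1 (ProcessCreate) fields flattened into JSON.

```python
"""Sample detection pass over Sysmon process-creation events.

Added example, not the lab's own tooling: shows the kind of rule that could
run over Sysmon logs once they reach ELK.  Field names follow Sysmon Event
ID 1 (ProcessCreate) as a log shipper would flatten them into JSON; every
host, user and path below is constructed.
"""
import json
from collections import Counter

# Constructed JSON-lines sample, one Sysmon event per line, as it might
# arrive from the workstations in the diagram.  Everything here is made up.
SAMPLE_LOG = r"""
{"host": "WORK01", "event_id": 1, "User": "CORP\\fred", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
{"host": "WORK02", "event_id": 1, "User": "CORP\\bob", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe"}
{"host": "WORK03", "event_id": 1, "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "update.exe /silent"}
{"host": "WORK02", "event_id": 3, "User": "CORP\\bob", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"host": "WORK02", "event_id": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_events(log_text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line from the shipper should not stop the pass
    return events


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_office_spawns_shell(event):
    """Office application launching a command or script host (macro-style behaviour)."""
    if event.get("event_id") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return f"{parent} spawned {child}: {event.get('CommandLine', '')}"
    return None


def rule_exec_from_temp(event):
    """Process image living in a user-writable temp directory."""
    if event.get("event_id") != 1:
        return None
    image = event.get("Image", "").lower()
    if any(d in image for d in TEMP_DIRS):
        return f"executable run from temp path: {image}"
    return None


RULES = {
    "office_spawns_shell": rule_office_spawns_shell,
    "exec_from_temp": rule_exec_from_temp,
}


def run_detections(events):
    """Apply every rule to every event; return one alert dict per hit."""
    alerts = []
    for event in events:
        for name, rule in RULES.items():
            detail = rule(event)
            if detail:
                alerts.append({
                    "rule": name,
                    "host": event.get("host"),
                    "user": event.get("User"),
                    "detail": detail,
                })
    return alerts


def alerts_by_host(alerts):
    """Count alerts per host: a first cut at a dashboard panel."""
    return dict(Counter(a["host"] for a in alerts))


if __name__ == "__main__":
    found = run_detections(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(alerts_by_host(found))
```

Only the WINWORD-to-cmd event on WORK01 and the temp-path executable on WORK03 fire; the network connection (Event ID 3) is skipped by both rules, and PowerShell launched from Explorer is deliberately left alone so the rule stays narrow. The same structure (parse, per-event rules, per-host roll-up) is what a Kibana replacement would need to expose, with the rule table growing as the lab produces more interesting logs.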
Simple… it's all being built in an ESXi environment on my old gaming PC. Stable and snapshot-able. NEXT!
Finally we have an internet connection. As this is a home lab I'll be using my home network for this. Lucky for me I know what I'm doing and have a VLAN set up for this environment and the traffic out of it. I'll be adding an extra NIC to the box to ensure there is separation of management and prod network traffic for the environment.
I have a pfSense router/firewall virtualized as the perimeter device, which will have logs going to the ELK stack as well. The more logs the better, as always. Additionally, I'll be building/installing a web filter/proxy in the environment which will allow me to get better insight into HTTP/S traffic out of the environment. Again, logs will be going to the ELK stack.
In all honesty I will probably add more devices as I go; this is going to be my development environment too, where I can create my own detections etc. off the ELK stack. If I ever get around to it, I'll probably start doing some funky C projects as I learn to program in C as well. But that's another future project and a pipe dream at the moment.
I have considered putting in a Security Onion box, but that would require tapping the network and mirroring the traffic. Whilst doable, it's not something I want to focus on, as I want whatever solutions I make to be endpoint related. I may put one in later to cover the network side, but in my opinion it is becoming less and less relevant to do network based detections in this ever-changing environment.
I am keen to hear what you think on the design of this lab and what else I can add in.