I graduated from college last year (2017), and after some reflection on what I've learned through my time working here at Hurricane Labs as well as working through my degree, I felt that I should do a write-up on my Capstone Project (Senior Graduation Project).
The project focus was on setting up a virtual environment for use in demoing SIEM (specifically Splunk), Suricata, and creating a base for building out into a malware lab, pen test environment, web app security environment, etc. The primary source for the project environment implementation came from using Building Virtual Machines, A Hands-On Guide by Tony Robinson (2017) as inspiration. Tony, who works here at Hurricane Labs, also served as mentor for the project.
Taking control with SIEM software
Security Information and Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. Implementation of SIEM software in any system can be used to detect, control, and resolve various attacks and threats faced in cyber security. This project focused on logging data into a SIEM (Splunk) in order to monitor endpoint system activities, active attacks against vulnerable targets, and show how security posture, metrics, and change analysis can be vital to a business and their decisions on information security development.
Project Goal: Implementing a security solution for a small SOC team
The primary goals of the project were to implement a security solution for a company for system monitoring, security posture metrics gathering, and create an active-alerting scenario for a small SOC team (which our project team acted as).
In this scenario, to generate the level of data required to make meaningful alerts and tuning paths available for Splunk Enterprise Security alerting and populating the dashboards that ES provides, we had to leverage the Kali Linux Metasploit “Hail Mary” attack against our “internal” hosts (targets). In the real world, the ideal methodology for gathering this level of information into the SIEM would come from forwarders on hosts gathering information and sending them into indexers which would then populate the search heads with the important data. Unfortunately, due to the inexperience of all parties involved in the project and the strict time frame for the semester, we were unable to gather as much data as some of us would’ve liked.
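The forwarder-to-indexer path described above is what a production deployment relies on instead of scripted attacks for volume. The following is an added example of the minimal Splunk configuration for that path; it is not the project's own configuration. The indexer address, index names and the Suricata sourcetype are placeholders; 9997 is Splunk's default receiving port, and /var/log/suricata/eve.json is Suricata's default EVE JSON output path.

```ini
# --- On each monitored host: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything the Universal Forwarder collects to the indexer group below.
[tcpout]
defaultGroup = lab_indexers

[tcpout:lab_indexers]
# Placeholder indexer address; 9997 is Splunk's default receiving port.
server = 10.0.0.10:9997
# Indexer acknowledgement so a dropped connection does not silently lose events.
useACK = true

# --- On a Windows host: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Security and System event logs are what ES correlation searches mostly key on.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# --- On the Suricata sensor: inputs.conf ---
# Suricata's EVE JSON log; the sourcetype name is an assumption for this example.
[monitor:///var/log/suricata/eve.json]
disabled = 0
index = ids
sourcetype = suricata

# --- On the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarder traffic on the port referenced in outputs.conf above.
[splunktcp://9997]
disabled = 0
```

The indexes named in the host stanzas must exist on the indexer before events arrive, or the forwarded data is dropped. On Windows hosts, the forwarder also needs an outbound path to TCP 9997 through the host firewall and any virtual-network segmentation between the guest and the indexer, which is the networking trouble mentioned in the lessons learned later in this post.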
Project Diagrams: Project Network, Sample Network, Architecture & Software Lists
In the below diagram, our project network is on the left and the sample network from the reference is on the right. Our project network differed so much because all project members were in different geographical locations, so I had to create a VPN for each user so they could access the ESXi server we were running.
The following is also from our presentation for the project and covers our entire architecture setup as well as the software we used for testing and report generation.
- HP ProLiant G5 servers are a.) loud and b.) power hogs (my electric bill went up an extra $100/mo while it was running). So, if you plan on doing something like this, I recommend finding a more power efficient server.
- Splunk Forwarders on Windows Hosts can be troublesome due to networking requirements, virtual hosts, and firewall configurations.
- This was a good refresher on networking, especially for VPN connections to internal hosts and to virtual hosts on completely separate networks. Also, safeguarding my personal network against the VPN users was entertaining.
- Splunk and specifically Enterprise Security require a LOT of data to make useful things happen, from dashboards to alerts. The amount of data being put into Splunk is directly proportional to the amount of use you’ll get from the Splunk SIEM.
- Automating attacks against known hosts is definitely script kiddie territory, but in order to make alerts fire and generate notables, we had to pretend we had a botnet, or an awful lot of time on our hands to spend attacking our hosts.
- Analytical and critical thinking skills were involved in several problems in this demo of a SIEM integrated solution for a business. Implementing the server infrastructure for this lab, to represent a real world organization and demonstrate some examples of possible risks to the system, requires being able to analyze the logged events and any applicable alerts that may have been triggered. Critical thinking comes into play when considering whether or not those events represent an actual, meaningful risk to the organization, and also how this information can benefit the business in terms of mitigation, remediation, and incident response handling.
- Not only was it important to the project, but I personally learned a lot about the thought-processes that security professionals go through when determining what is “acceptable risk.” This was especially evident when I was going through the process of granting access to my own home network for people I’d never met, providing them user accounts, permissions, etc. to central infrastructure, and letting them “go wild” on the network in order to generate logs for Splunk.
Overall, this was a solid project and a good learning experience for someone who had been working with Splunk in a security role for about a year and a half at the time of completion. It broadened my horizons a bit and gave me a peek inside the inner workings of how I get the logs I need to do my job.
For anyone who wants to learn how to build this out and get their feet wet, I highly recommend Tony’s book as well as taking the time to build their own lab.