Cybersecurity Home Lab Part 1 - pfSense & Splunk

I've been working on developing a custom cybersecurity home lab to practice implementing and utilizing defensive measures against cybersecurity risks.

This lab lets me simulate attacks between segmented networks so I can practice system and network hardening, remediate vulnerabilities, and learn to log events efficiently.

Below is a concise summary of the network segments and their responsibilities:

LAN segment — Hosts the pfSense firewall/router, which routes traffic between the segments and enforces the firewall rules. A dedicated management host on this segment is used for pfSense configuration.

Security Operations Center (SOC) segment: Centralizes security monitoring and threat hunting.

  • Security Onion — An intrusion detection system, network security monitoring, and log management platform.
  • Splunk — A Security Information and Event Management (SIEM) platform. It collects and normalizes logs from the other systems for centralized, human-readable log analysis and threat hunting.

Corporate environment — Operates an Active Directory environment to simulate enterprise operations.

Attacker — Emulates a compromised internal segment, generating malicious traffic to practice threat hunting and logging.

Firewall Rules

After setting up the lab, I created firewall rules on each segment's interface in pfSense to permit only the traffic that is necessary and commonly used in most environments.

pfSense evaluates the rules on an interface top to bottom (first match wins) and applies an implicit default deny at the end of every interface's ruleset, so any traffic that is not explicitly permitted is blocked.

Splunk

I configured Windows event log collection on the corporate machines with the Splunk Universal Forwarder, which sends the logs to the Splunk indexer on TCP port 9997 for monitoring and analysis.

I also configured pfSense to forward its logs to Splunk via syslog-ng on port 5514.

Here I can see ports 9997 and 5514 open on the Splunk machine.

I can now see logs being ingested into Splunk.

Splunk is an extremely powerful tool for log management and threat hunting, and mastering it pays off both for identifying threats and for troubleshooting issues.

For instance, multiple failed login attempts on corporate systems can be detected effectively with a Splunk search.

Practice #1

I want to query all Windows logs with event code 4625 (an account failed to log on) or 4771 (Kerberos pre-authentication failed).

I can see there are 132 such events in a 24-hour window.

Here I can see the logs in a formatted view. Clicking on one of them shows the details, such as the affected account and host.

As expected, the logs show a password failure for the Administrator account on the domain controller in the corporate environment.

On the left, I see a large number of password failures across multiple accounts in the past 24 hours. A pattern like this warrants immediate investigation, as it strongly indicates malicious activity such as a brute-force or password-spraying attempt.

Running searches by hand is time-consuming and makes it easy to miss incidents. Instead of checking logons manually every time, I configured an alert that triggers automatically when multiple logon failures occur within a set time span.
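To make that alert logic concrete, here is an added example (not code from this post or from Splunk) that applies the same thresholds in plain Python to a handful of constructed Windows Security events: a burst of failures against one account within a time window, and a spray across many accounts from one source address. The field names `user`, `host` and `src_ip`, the `wineventlog` index named in the docstring, and every sample event are assumptions made for the example.

```python
"""Failed-logon detection over constructed Windows Security events.

Added example, not from the original post. It reproduces, offline, the logic
of a Splunk alert on EventCode 4625/4771 so the thresholds can be reasoned
about. Field names (user, host, src_ip) and all sample events are assumed /
constructed data, not real lab output.

Roughly equivalent Splunk search (assumed index and field names):
  index=wineventlog (EventCode=4625 OR EventCode=4771) earliest=-5m
  | stats count dc(user) AS accounts BY src_ip
  | where count >= 5 OR accounts >= 5
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625: an account failed to log on; 4771: Kerberos pre-authentication failed
FAILURE_CODES = {4625, 4771}


def _t(hhmmss):
    """Timestamp helper for the constructed sample (fixed date)."""
    return datetime.strptime("2024-05-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


def _event(time, code, user, host, src_ip):
    return {"time": _t(time), "EventCode": code, "user": user, "host": host, "src_ip": src_ip}


# Constructed sample: six failures against Administrator in 25 seconds, one
# mistyped password from a workstation, one successful logon (4624, must be
# ignored), then a spray across eight accounts from the attacker address.
SAMPLE_EVENTS = (
    [_event(f"09:00:{s:02d}", 4625, "Administrator", "DC01", "192.168.4.2") for s in range(0, 30, 5)]
    + [_event("09:00:30", 4624, "Administrator", "DC01", "192.168.3.20")]
    + [_event("09:03:00", 4771, "bob", "DC01", "192.168.3.20")]
    + [_event(f"09:10:{i:02d}", 4771, u, "DC01", "192.168.4.2")
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
)


def failed_logons(events):
    """Keep only logon-failure events (the EventCode filter of the search)."""
    return [e for e in events if e["EventCode"] in FAILURE_CODES]


def burst_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold failures inside any sliding window.

    Returns {user: max_failures_in_window} for accounts that cross the line.
    """
    by_user = defaultdict(list)
    for e in failed_logons(events):
        by_user[e["user"]].append(e["time"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[user] = best
    return alerts


def spray_alerts(events, min_accounts=5, window=timedelta(minutes=5)):
    """Source addresses that fail against >= min_accounts distinct users in a window.

    Returns {src_ip: distinct_accounts_in_window} for sources that cross the line.
    """
    by_src = defaultdict(list)
    for e in failed_logons(events):
        by_src[e["src_ip"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["time"] - first["time"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("failed logons:", len(failed_logons(SAMPLE_EVENTS)))
    print("burst alerts:", burst_alerts(SAMPLE_EVENTS))
    print("spray alerts:", spray_alerts(SAMPLE_EVENTS))
```

The two detectors are deliberately separate: a per-account threshold catches brute force against a single account, while a per-source count of distinct accounts catches spraying, where each account fails only once and a per-account rule would never fire.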

Splunk not only lets me view the raw logs but also presents statistical and visual views of the data, which give a quick yet powerful summary of the events occurring.

I can also create a report from the events I investigated. Reports let me analyze what the searches uncovered and present it as a coherent story, and they can be scheduled so that updated reports are produced on a regular basis.

I can then use dashboards to combine multiple visualizations and reports into a single interface, giving an overall picture.

Practice #2

I ran an Nmap scan from the attacker machine (192.168.4.2) against the domain controller (192.168.3.2).

I then created an alert that triggers when the firewall logs more than 25 blocked packets on any interface except WAN within a given time frame.

Here I have searched for blocked-rule logs coming from pfSense. There are 3,482 blocked firewall log entries in the last 24 hours.

After some digging, it becomes clear that 192.168.4.2 (the attacker machine) is generating many of these entries, so I narrow the search to that IP together with the “filterlog” and “block” keywords, which identify blocked firewall log entries.

This returns 1,986 blocked firewall log entries associated with that IP address.

Looking through the logs, it becomes clear that a port scan was conducted and that the firewall blocked it. Here is a portion of the logs showing the destination ports that were blocked.
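As an added example (not code from this post or from pfSense), the following Python parses pfSense's filterlog entries the way the searches above work in Splunk: it counts blocked entries per source address while excluding the WAN interface, mirrors the "more than 25 blocks on non-WAN interfaces" alert, and flags a source as a port scanner when its blocked packets hit many distinct destination ports. The CSV field order follows pfSense's documented filter log format; the syslog prefix, the interface names (em0 assumed to be WAN), the rule and tracker IDs, and every sample line are constructed for the example.

```python
"""pfSense filterlog parsing and port-scan detection over constructed lines.

Added example, not from the original post. The CSV layout of the filterlog
payload follows pfSense's documented filter log format; the syslog prefix,
interface names (em0 is assumed to be WAN), rule/tracker IDs and all sample
lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict

WAN_IFACE = "em0"   # assumption for this example
_PAYLOAD = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.+)$")


def make_line(iface, src, dst, dport, proto="tcp", ipver=4, rule=5, tracker=1000000103):
    """Construct a filterlog line in pfSense's CSV layout (sample data only)."""
    proto_id = 6 if proto == "tcp" else 17
    common = f"{rule},,,{tracker},{iface},match,block,in,{ipver}"
    if ipver == 4:
        # tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
        l3 = f"0x0,,64,0,0,DF,{proto_id},{proto},60,{src},{dst}"
    else:
        # class,flow-label,hop-limit,proto-text,proto-id,length,src,dst
        l3 = f"0x00,0x00000,64,{proto},{proto_id},40,{src},{dst}"
    # tcp: sport,dport,data-length,flags,seq,ack,window,urg,options; udp: sport,dport,data-length
    l4 = f"40000,{dport},0,S,1,,1024,,mss" if proto == "tcp" else f"40000,{dport},8"
    return f"Jan 10 14:02:01 pfSense filterlog[5931]: {common},{l3},{l4}"


def parse_filterlog(line):
    """Return the fields an analyst cares about, or None for non-filterlog lines."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    rec = {"iface": f[4], "reason": f[5], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4":
        rec["proto"], rec["src"], rec["dst"], rest = f[16], f[18], f[19], f[20:]
    elif rec["ipver"] == "6":
        rec["proto"], rec["src"], rec["dst"], rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    else:
        rec["sport"] = rec["dport"] = None   # e.g. icmp carries no ports
    return rec


# Constructed sample: a 30-port scan from the attacker segment, two stray
# WinRM attempts from the SOC/LAN side, WAN background noise (must be
# excluded by the alert) and one IPv6 UDP block to exercise the v6 layout.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 464,
                 593, 636, 993, 995, 1433, 3268, 3269, 3389, 5985, 5986, 8080, 8443,
                 9389, 49152, 49153]
SAMPLE_LINES = (
    [make_line("em3", "192.168.4.2", "192.168.3.2", p) for p in SCANNED_PORTS]
    + [make_line("em1", "192.168.1.50", "192.168.3.2", 5985) for _ in range(2)]
    + [make_line(WAN_IFACE, "203.0.113.7", "198.51.100.2", 23) for _ in range(5)]
    + [make_line("em3", "fd00:4::2", "fd00:3::2", 53, proto="udp", ipver=6)]
)


def blocked_records(lines, exclude_iface=WAN_IFACE):
    """Parsed 'block' entries, optionally dropping one interface (WAN noise)."""
    recs = (parse_filterlog(l) for l in lines)
    return [r for r in recs if r and r["action"] == "block" and r["iface"] != exclude_iface]


def blocks_by_source(lines, exclude_iface=WAN_IFACE):
    """The 'stats count by src' view: blocked entries per source address."""
    return Counter(r["src"] for r in blocked_records(lines, exclude_iface))


def should_alert(lines, threshold=25, exclude_iface=WAN_IFACE):
    """Mirror of the alert: more than `threshold` blocks on non-WAN interfaces."""
    return len(blocked_records(lines, exclude_iface)) > threshold


def port_scan_sources(lines, min_ports=10):
    """Sources whose blocked packets touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in blocked_records(lines, exclude_iface=None):   # scans may come from any interface
        if r["dport"] is not None:
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("blocks by source:", blocks_by_source(SAMPLE_LINES))
    print("alert:", should_alert(SAMPLE_LINES))
    for src, ports in port_scan_sources(SAMPLE_LINES).items():
        print(f"port scan from {src}: {len(ports)} ports, e.g. {ports[:8]}")
```

Counting distinct destination ports per source is what separates a scan from a single noisy service: two hosts can generate the same number of blocked entries, but only the scanner spreads them across dozens of ports. Adjust `min_ports` downward if the attacker slows the scan to stay under the raw-count alert.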

In the next part, I will discuss my Security Onion implementation and how I use it in the home lab.

Cybersecurity Home Lab Part 2