I recently graduated from college last year, 2017, and felt after some reflection on what I’ve learned through my time working here at Hurricane Labs as well as working through my degree, that I should probably do a write-up on my Capstone Project (Senior Graduation Project).
The project focus was on setting up a virtual environment for use in demoing SIEM (specifically Splunk), Suricata, and creating a base for building out into a malware lab, pen test environment, web app security environment, etc. The primary source for the project environment implementation came from using Building Virtual Machines, A Hands-On Guide by Tony Robinson (2017) as inspiration. Tony, who works here at Hurricane Labs, also served as mentor for the project.
Taking control with SIEM software
Security Information and Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. Implementation of SIEM software in any system can be used to detect, control, and resolve various attacks and threats faced in cyber security. This project focused on logging data into a SIEM (Splunk) in order to monitor endpoint system activities, active attacks against vulnerable targets, and show how security posture, metrics, and change analysis can be vital to a business and their decisions on information security development.
Project Goal: Implementing a security solution for a small SOC team
The primary goals of the project were to implement a security solution for a company for system monitoring, security posture metrics gathering, and create an active-alerting scenario for a small SOC team (which our project team acted as).
In this scenario, to generate the level of data required to make meaningful alerts and tuning paths available for Splunk Enterprise Security alerting and populating the dashboards that ES provides, we had to leverage the Kali Linux Metasploit “Hail Mary” attack against our “internal” hosts (targets). In the real world, the ideal methodology for gathering this level of information into the SIEM would come from forwarders on hosts gathering information and sending them into indexers which would then populate the search heads with the important data. Unfortunately, due to the inexperience of all parties involved in the project and the strict time frame for the semester, we were unable to gather as much data as some of us would’ve liked.
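As an added example (not configuration from the original project), this is what that forwarder-to-indexer path looks like on a Linux host running Suricata: a Splunk universal forwarder inputs.conf that monitors the Suricata EVE log and the auth log, an outputs.conf that ships them to two indexers over TLS with indexer acknowledgement, and the matching listener stanza on the indexer side. Hostnames, index names and certificate paths are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on a monitored "internal" host
# (placeholder paths and index names; adjust to the deployment)

[monitor:///var/log/suricata/eve.json]
sourcetype = suricata
index = suricata
disabled = false

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = false

# $SPLUNK_HOME/etc/system/local/outputs.conf on the same host
# Forwarder -> indexer tier only; the search head reads from the indexers,
# so nothing here points at the search head.

[tcpout]
defaultGroup = lab_indexers
# Indexer acknowledgement: the forwarder keeps events queued until the
# indexer confirms they were written, so a restart does not silently drop data.
useACK = true

[tcpout:lab_indexers]
server = idx01.lab.example:9997, idx02.lab.example:9997
# TLS between forwarder and indexers; certificate paths are placeholders.
sslRootCAPath = $SPLUNK_HOME/etc/auth/lab-ca.pem
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslVerifyServerCert = true

# $SPLUNK_HOME/etc/system/local/inputs.conf on each indexer
# Listener that accepts the TLS forwarder connections above.

[splunktcp-ssl:9997]
disabled = false

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
requireClientCert = true
```

The forwarder receives nothing back except acknowledgements, so a compromised target host cannot use this channel to read data from the indexers; a separate deployment server or manual copy is used to push these files out to every host.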
Project Diagrams: Project Network, Sample Network, Architecture & Software Lists
In the below diagram, our project network is on the left and the sample network from the reference is on the right. Our network for the project was so vastly different because all project members were in different geographical locations. So, I had to create a VPN for each user so they could access the ESXi server we were running on.