How to setup your own lab

Another critical aspect of a day-to-day cyber security job is having your own cyber security lab.
The fundamental factor here is budget.
Let's examine the scenarios where you need a lab environment.

A) Examining logs and doing the necessary lookups and analytics.
B) Simulating malware behavior (very important NOT to do this on an office or personal network).
C) Learning various cyber security tools such as Wireshark, vulnerability scanners, pen testing tools, etc.
D) Sandboxing. In the context of cyber security, one method is creating a closed network environment where nothing comes in from outside and nothing goes out.
A simple example is having Oracle VirtualBox installed on your laptop, importing Linux and Windows ISO images and using the resulting VMs for your testing. Remember not to give these machines internet access. No cost is involved except for any OS and tool licenses you may need to buy, but you need to make sure your machine has enough RAM, storage and a good CPU.
A more complex example is an environment with multiple machines running different operating systems in a closed network, where all the machines in the lab are managed from a central console such as VMware or another hypervisor. This is more costly, as you need to buy a VMware/hypervisor appliance.
Another example is an environment with machines in VMware or another hypervisor plus machines in Azure and AWS. This is more costly still, as you need to buy VMware/hypervisor hardware and subscriptions to Azure, AWS or other cloud services.
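The isolation rule above (no internet access for sandbox VMs) is easy to break by accident, for example a NAT adapter left enabled on a cloned template. The following check is an added example, not code from the original article: it parses the output of the real VirtualBox command `VBoxManage showvminfo <vm> --machinereadable` and fails the VM if any adapter is in NAT, NAT network or bridged mode; the VM name lab-win10 and the sample output are constructed.

```python
"""Verify that a VirtualBox VM is network-isolated before using it as a sandbox.

Added example (not from the original article). In machine-readable showvminfo
output every adapter appears as nicN="<mode>"; modes that can reach the LAN or
the internet fail the check, "hostonly" still reaches the host OS so it warns,
and any mode this script does not recognise is treated as unsafe (fail closed).
"""
import re
import subprocess

UNSAFE_MODES = {"nat", "natnetwork", "bridged", "generic"}  # can leave the lab
SAFE_MODES = {"none", "intnet"}                              # stays inside VirtualBox
WARN_MODES = {"hostonly"}                                    # reaches the host only

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$', re.MULTILINE)

def check_isolation(vminfo: str) -> dict:
    """Return {'isolated': bool, 'unsafe': [...], 'warnings': [...]}."""
    unsafe, warnings = [], []
    for num, mode in NIC_RE.findall(vminfo):
        if mode in UNSAFE_MODES:
            unsafe.append(f"nic{num}={mode}")
        elif mode in WARN_MODES:
            warnings.append(f"nic{num}={mode}")
        elif mode not in SAFE_MODES:
            unsafe.append(f"nic{num}={mode} (unknown mode)")  # fail closed
    return {"isolated": not unsafe, "unsafe": unsafe, "warnings": warnings}

def check_vm(name: str) -> dict:
    """Run the check against a real VM (needs VirtualBox installed on the host)."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return check_isolation(out)

# Constructed sample output: NIC1 on a closed internal network, NIC2 still on NAT.
SAMPLE_LEAKY = 'name="lab-win10"\nnic1="intnet"\nintnet1="malwarelab"\nnic2="nat"\nnic3="none"\n'
# Same VM after the NAT adapter was disabled.
SAMPLE_CLOSED = 'name="lab-win10"\nnic1="intnet"\nintnet1="malwarelab"\nnic2="none"\n'

if __name__ == "__main__":
    for label, text in (("leaky", SAMPLE_LEAKY), ("closed", SAMPLE_CLOSED)):
        print(label, check_isolation(text))
```

Run check_vm("lab-win10") on a host with VirtualBox to test a real VM; treat any non-empty "unsafe" list as a hard stop before detonating anything.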

Lesson 1 Sample scenarios

What are the possible scenarios in which you need a test lab?

You have a malware sample and you are curious to test its behavior. This is a very tough case that needs extreme precaution before you work on it in the lab and requires a lot of expertise and knowledge; I would recommend avoiding this scenario and instead researching the sample on the internet or contacting your endpoint security vendor for details on it.

Test an endpoint security sensor to see whether it passes a dummy malware test.

Use a tool like Wireshark to examine packets.

Do analytics on a set of log samples; for the analytics you may use a SQL Express database, Microsoft Excel or something similar.

Install and test a log management solution (requires a heterogeneous test environment).

Lesson 2 Learn about SOC

As a cyber security professional, you are not always working on detecting threats; more than half the time you work on optimizing your security solution, implementing it and eliminating the noise generated by your security monitoring solution. In this context, what are the possible tools you will encounter?

The term security operations center is common nowadays; what does it contain and what tools does it use?

A security operations center, aka SOC, is essentially a dedicated environment with appropriate physical security controls and other security measures, staffed with trained people usually divided into multiple teams. A common setup is a red team of professionals who handle the live threat scenarios faced by the organization, a blue team of professionals who work on defensive measures, incident management professionals, legal and regulatory specialists, risk analysts, etc.

Usually, a SOC environment contains a security event management solution that aggregates intelligence from the various log sources in the organization. The log sources could be firewalls, endpoint security logs, IDS and IPS solutions, web application firewalls, endpoint logs such as those from Windows workstations, servers and Linux servers, and any other log source that can provide useful information.
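For the log analytics scenario in Lesson 1 and the aggregation of firewall and Windows logs described just above, here is an added example (not from the original article) of the same SQL-based workflow using Python's built-in sqlite3 in place of SQL Express: two constructed log formats are normalized into one events table, and a join finds source IPs that were both denied at the firewall and failed Windows logons. The hostnames, IPs and log line formats are constructed for the example.

```python
"""Lab log analytics with SQL. Added example (not from the original article);
the log lines below are constructed samples, not real data."""
import re
import sqlite3
# Constructed samples: firewall deny/allow lines and Windows logon events (4625 = failed logon).
FIREWALL_LOG = """\
2024-03-01T08:00:01 fw1 DENY src=203.0.113.5 dst=10.0.0.20 dport=3389
2024-03-01T08:00:03 fw1 DENY src=203.0.113.5 dst=10.0.0.20 dport=3389
2024-03-01T08:01:10 fw1 ALLOW src=198.51.100.7 dst=10.0.0.20 dport=443
2024-03-01T08:02:00 fw1 DENY src=192.0.2.9 dst=10.0.0.21 dport=22
"""
WINDOWS_LOG = """\
2024-03-01T08:00:05 srv-dc1 EventID=4625 User=admin Src=203.0.113.5
2024-03-01T08:00:06 srv-dc1 EventID=4625 User=admin Src=203.0.113.5
2024-03-01T08:00:07 srv-dc1 EventID=4625 User=backup Src=203.0.113.5
2024-03-01T08:03:00 srv-dc1 EventID=4624 User=alice Src=10.0.0.5
"""
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) User=(\S+) Src=(\S+)$")

def load_events(fw_text: str, win_text: str) -> sqlite3.Connection:
    """Normalize both sources into one table (ts, source, host, action, src_ip, detail)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events(ts, source, host, action, src_ip, detail)")
    rows = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, port = m.groups()
            rows.append((ts, "firewall", host, action, src, f"{dst}:{port}"))
    for line in win_text.splitlines():
        m = WIN_RE.match(line)
        if m:
            ts, host, eid, user, src = m.groups()
            action = "LOGON_FAIL" if eid == "4625" else "LOGON_OK"
            rows.append((ts, "windows", host, action, src, user))
    con.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)", rows)
    return con

def correlate(con: sqlite3.Connection) -> list:
    """Source IPs denied at the firewall that also failed a Windows logon."""
    return con.execute("""
        SELECT f.src_ip, COUNT(DISTINCT f.rowid) AS denies, COUNT(DISTINCT w.rowid) AS failed_logons
        FROM events f JOIN events w ON w.src_ip = f.src_ip
        WHERE f.action = 'DENY' AND w.action = 'LOGON_FAIL'
        GROUP BY f.src_ip ORDER BY failed_logons DESC""").fetchall()

if __name__ == "__main__":
    for row in correlate(load_events(FIREWALL_LOG, WINDOWS_LOG)):
        print(row)  # (src_ip, denies, failed_logons)
```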

As cloud services are becoming a dominant part of IT infrastructure, the nature of the SOC environment is changing: since part of the organization's infrastructure is in the cloud, the cloud assets need to be monitored too.

How to set up a lab in these hybrid scenarios?

A simple lab can be as basic as installing Oracle VirtualBox on your laptop and creating VMs. This depends on your laptop hardware; if you don't have sufficient CPU, RAM and SSD storage you will not be able to create more VMs.

How do you test a web application in a security context as if it were deployed in production, where incoming requests can be quite different from the use case tests the developer did with sample data?

OWASP has good guidance on this subject.

This demands a staging environment in the cloud where you can create the test environment using the references below; however, if you want to simulate how the application behaves under specific attack methods, you need a sandbox environment created in the lab or in the cloud.

The application you are going to test determines the kind of test environment you need.

A simple example is a Windows server with IIS enabled and the web application installed. Exposing this to the internet is difficult and risky, so how do you do it? You need a virtualized environment that you can destroy after the test.
