Project Fur-Tress: Building a Home SOC Lab (Part 1)

Introduction

Having recently achieved the BTL1 certification in cybersecurity from Security Blue Team (a fantastic starting point for anyone interested in the field), I realized that a certification is just the beginning. Hands-on experience with defensive cybersecurity tools and systems is invaluable.

So, armed with a Dell server at home, I embarked on a journey to build a testing environment and SOC lab. Documenting this project seemed like a perfect opportunity to create a resource of the knowledge and experience I gain along the way. While I aim to be as detailed and thorough as possible, this isn’t a step-by-step guide.

There are countless excellent resources available from far more experienced professionals, so consider this a chronicle of my personal journey. If you’re inspired to follow along and build your own lab, remember to double-check settings and details for your own use case, and always consult multiple sources for comprehensive guidance.

With that said, let's get started.

Virtualisation Hardware

For this project, I will be using a Dell R730 server equipped with two E5-2690 v4 CPUs. Each processor boasts 14 cores and 28 threads, providing a combined total of 28 cores and 56 threads. These CPUs run at a base frequency of 2.6 GHz and can turbo up to 3.5 GHz. Additionally, they feature the Intel AVX2 Instruction Set Extensions, which are essential for running newer versions of MongoDB that require AVX.

The server also includes 128 GB of DDR4 RAM, ensuring plenty of memory for running multiple virtual machines. Storage is handled by four 1 TB hard disk drives configured to deliver 3 TB of usable space with redundancy, offering both capacity and resilience.

For the virtualisation platform, I am running Proxmox VE 8.2. This powerful platform will host all the virtual machines required for my SOC lab, providing a versatile and robust environment for building and testing various cybersecurity tools and systems.

Tools and Applications Overview

In building Project Fur-tress, I’ll utilize various tools and applications to create a robust and comprehensive SOC lab. Each of these serves a specific purpose in the cybersecurity landscape, and collectively they form the backbone of our defensive strategy.

Proxmox VE: Virtualisation Platform

Role: Provides a powerful and flexible virtualisation environment to host all the virtual machines required for the SOC lab.
Features:

  • Full virtualisation with KVM
  • Container-based virtualisation with LXC
  • High availability clustering
  • Integrated backup and restore options

pfSense: Firewall and Network Management

Role: Acts as the primary firewall, managing network traffic and ensuring security between different network segments.
Features:

  • Stateful packet inspection
  • Intrusion detection and prevention
  • VPN support
  • VLAN support for segmented networks

Wazuh: Security Monitoring

Role: An open-source security monitoring platform that provides intrusion detection, vulnerability detection, and integrity monitoring.
Features:

  • Real-time threat detection
  • Security information and event management (SIEM)
  • File integrity monitoring
  • Rootkit detection

Graylog: Log Management

Role: Handles log management and analysis, collecting log data from various sources to provide real-time insights.
Features:

  • Centralized log management
  • Real-time log analysis
  • Powerful search and filtering capabilities
  • Integration with other tools for alerting and reporting

Grafana: Data Visualization

Role: Visualizes data from various sources, providing clear and actionable insights through customizable dashboards.
Features:

  • Integration with multiple data sources (including Wazuh and Graylog)
  • Customizable and interactive dashboards
  • Alerting and notification capabilities
  • Powerful query editor

TheHIVE and Cortex: Case Management and Incident Response

Role: Manages security incidents and enriches incident data through automated analysis.
Features:

  • Case management and collaboration
  • Automated analysis and enrichment
  • Integration with other security tools

Velociraptor: Endpoint Monitoring and Forensics

Role: Provides endpoint monitoring, digital forensics, and incident response capabilities.
Features:

  • Real-time endpoint monitoring
  • Forensic data collection
  • Incident response automation

OpenCTI and MISP: Threat Intelligence

Role: Manages and enriches threat intelligence data.
Features:

  • Collection and management of threat intelligence
  • Integration with other security tools
  • Collaborative sharing of threat data

InfluxDB and Automation Tools (Shuffle/Ansible)

Role: Provides storage and automation for various security tasks.
Features:

  • Time series database for storing metrics and events (InfluxDB)
  • Workflow automation and orchestration (Shuffle/Ansible)

By integrating these tools, Project Fur-tress will offer a robust environment for testing and honing defensive cybersecurity strategies.

Lab Infrastructure

To build my SOC lab within Proxmox, I’m structuring the environment using pfSense as the firewall. Here’s a detailed look at the VLAN configuration and their respective roles:

VLAN10: Fake Internet

  • Purpose: Simulates an external threat environment for testing with tools like Kali Linux.
  • Access: Cannot access the real internet or the network external to Proxmox but can send traffic to the corporate LAN through pfSense.

VLAN20: Corporate LAN

  • Purpose: Acts as the main network for internal operations and testing.
  • Access: Connects to pfSense and the fake internet but is isolated from the external network.

Components:

  • Windows 2019 Server: Runs as a domain controller with Active Directory, DHCP, DNS, file, and access services.
  • Windows 7 and Windows 10 Workstations: Mimic employee devices.
  • Ubuntu Server: Hosts a web server and potentially Docker applications with Portainer.
  • Database Server: Planned but not yet decided.

VLAN99: Isolated LAN

  • Purpose: Dedicated to malware analysis in a sandboxed and isolated environment.
  • Access: Only accessible from the Security VLAN.

Components:

  • Windows System
  • Linux System

Security VLAN

  • Purpose: Hosts SOC, SIEM, IDS, and other security applications.
  • Access: Can communicate with the external network for internet access and potentially monitor the home network and cloud-based solutions.

Components:

  • Alert Visualization and System Monitoring: Wazuh Dashboard and Grafana.
  • Backend Storage: Managed by Wazuh Indexer and Cassandra.
  • Log Management: Handled by Wazuh Manager and Graylog.
  • Case Management: TheHIVE and Cortex for managing security incidents.
  • Investigation: Velociraptor for endpoint monitoring and forensics.
  • Threat Intelligence: OpenCTI and MISP for intelligence enrichment.
  • Database and Automation: InfluxDB for storage, with either Shuffle or Ansible for automation.
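
The access rules listed for the four VLANs above amount to a segmentation policy that the pfSense rule set has to enforce. The following added example (my own code, not part of the original post) models that policy at zone granularity and audits a candidate rule set against it, using pfSense's first-match, default-deny evaluation. The zone names, the `Rule` format and the "SECURITY" label for the security VLAN are my modelling assumptions; the required and forbidden flows come from the text.

```python
"""Audit a candidate inter-VLAN rule set against the Project Fur-tress
segmentation policy. Zone names and the rule format are modelling
assumptions; the allowed/forbidden flows are taken from the lab design."""
from dataclasses import dataclass

ZONES = ("VLAN10", "VLAN20", "VLAN99", "SECURITY", "EXTERNAL")

# Flows the lab design requires (source zone, destination zone).
REQUIRED = {
    ("VLAN10", "VLAN20"),      # fake internet can send traffic to the corporate LAN
    ("VLAN20", "VLAN10"),      # corporate LAN reaches the fake internet
    ("SECURITY", "VLAN99"),    # only the security VLAN may reach the sandbox
    ("SECURITY", "EXTERNAL"),  # security tooling needs real internet access
}

# Flows that must never be permitted: lab zones reaching the real network,
# and anything other than the security VLAN reaching the isolated LAN.
FORBIDDEN = {("VLAN10", "EXTERNAL"), ("VLAN20", "EXTERNAL")} | {
    (src, "VLAN99") for src in ZONES if src not in ("SECURITY", "VLAN99")
}

@dataclass(frozen=True)
class Rule:
    src: str     # source zone
    dst: str     # destination zone ("ANY" matches every zone)
    action: str  # "pass" or "block"

def permitted_flows(rules):
    """Evaluate rules top-down per zone pair: first match wins, default deny."""
    allowed = set()
    for src in ZONES:
        for dst in ZONES:
            if src == dst:
                continue
            for r in rules:
                if r.src in (src, "ANY") and r.dst in (dst, "ANY"):
                    if r.action == "pass":
                        allowed.add((src, dst))
                    break  # first matching rule decides this pair
    return allowed

def audit(rules):
    """Return (required flows that are missing, forbidden flows that are open)."""
    allowed = permitted_flows(rules)
    return sorted(REQUIRED - allowed), sorted(FORBIDDEN & allowed)

# Constructed rule sets: a careless "corporate LAN to any" pass leaks the LAN to
# the real network and the sandbox; the fixed set names each destination.
DRAFT = [Rule("VLAN10", "VLAN20", "pass"), Rule("VLAN20", "ANY", "pass"),
         Rule("SECURITY", "ANY", "pass")]
FIXED = [Rule("VLAN10", "VLAN20", "pass"), Rule("VLAN20", "VLAN10", "pass"),
         Rule("SECURITY", "ANY", "pass")]
```

Running `audit(DRAFT)` reports VLAN20 reaching EXTERNAL and VLAN99, while `audit(FIXED)` reports nothing missing and nothing forbidden.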

Diagram Integration

I’ve created a diagram using draw.io that visually represents this layout, illustrating the VLANs and the various applications, services, and systems.

Preparing Proxmox Network

Before diving into creating any VMs, I started by setting up a dedicated network bridge in Proxmox for my SOC lab devices. Here's how I went about it:

First, I logged into Proxmox and selected my device. From the list of options, I navigated to the Network section. Then, I clicked on Create and chose Linux Bridge from the dropdown.

When the Linux Bridge configuration window opened, I decided to leave the default name as vmbr5—no need to change that. For the IPv4/CIDR setting, I entered 10.10.1.0/24. Ensuring the VLAN Aware option was checked was crucial since I'll be using VLANs in my setup. To help me remember the purpose of this bridge, I added a comment: 'SOC-LAB LAN'. With everything set, I created the bridge and applied the configuration.

This step was all about laying the groundwork, ensuring that all the SOC lab devices would connect through this dedicated network, keeping everything streamlined and organized.

Setting up pfSense

Creating the VM

The next step in building Project Fur-tress was to create and set up the pfSense VM, allowing the initial lab network to be configured.

1. Create VM in Proxmox:

  • I started by selecting Create VM in Proxmox.
  • Under the General tab, I left the Node as it was, set the VM ID to 101, and named it soc.pfsense. I left all other options as default and clicked Next.

2. OS Configuration:

  • In the OS tab, I selected the storage location where my ISOs are stored on Proxmox and chose the pfSense ISO image. Then, I clicked Next.

3. System, Disk, and CPU:

  • I left everything at the default settings on the System, Disk, and CPU tabs.

4. Memory Configuration:

  • On the Memory tab, I unchecked Ballooning Device and left everything else at the default settings.

5. Network Configuration:

  • I left the Network tab settings as default and finished creating the VM.

6. Adding a Network Device:

  • Once the VM was created, I selected the VM, navigated to Hardware, and added a Network Device.
  • I selected my vmbr5 Linux bridge and clicked Add to attach it to the VM.

With these steps, the pfSense VM was ready to be configured for the SOC lab network. This setup ensures the VM is connected to the dedicated network bridge, streamlining further configurations.

Installing pfSense

With the VM created, it was time to start the VM, and get pfSense installed.

The pfSense installation is fairly straightforward. After accepting the Terms of Use, I kept the default options presented, making sure to select the storage device when prompted at the ZFS configuration step.

Once the installation was done and the VM had rebooted, I answered 'no' when asked whether to configure VLANs, as I would do this within the web interface later.

When it came to assigning the interfaces, I entered 'vtnet0' for the WAN interface and 'vtnet1' for the LAN interface, then pressed 'y' to proceed with this configuration.

The pfSense VM was now running, but I could clearly see that the LAN interface was using the wrong IP address, so I needed to change it.

Configuring LAN Interface

The next step was to configure the LAN interface on pfSense. From the console menu, I selected option 2 to set an interface IP address, followed by 2 again to choose the LAN interface. Opting for a static configuration rather than DHCP, I set the LAN IP to 10.10.1.254 with a /24 subnet mask. This kept it distinct from the dedicated VLAN IP ranges I planned to use, making inter-VLAN routing easier and allowing all necessary restrictions to be managed through firewall rules later.

No upstream gateway was configured since it’s not recommended for a LAN connection, and I decided not to enable IPv6 over DHCP or assign an IPv6 address. To ensure that devices could obtain IP addresses automatically, I enabled the DHCP server on the LAN interface. I specified the IP address range, setting 10.10.1.50 as the start and 10.10.1.100 as the end.

Lastly, I opted to keep the webConfigurator using HTTPS rather than reverting to HTTP for enhanced security.

Once all settings were updated, the LAN interface displayed the new IP address, paving the way for further configurations in my SOC lab network.

To finish off this part of configuring pfSense, I went into the interface settings for the WAN interface and disabled IPv6, so that the whole lab would run on IPv4.
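
The LAN settings above (bridge 10.10.1.0/24, LAN address 10.10.1.254, DHCP pool 10.10.1.50 to 10.10.1.100) are easy to get subtly wrong, for example by placing the gateway inside the DHCP pool or choosing a subnet that collides with a later VLAN. This added example (my own code, not from the post) validates such a plan with the standard `ipaddress` module; the per-VLAN subnets in `PLANNED_VLAN_SUBNETS` are placeholders I assumed, since the post does not give them yet.

```python
"""Sanity-check a pfSense LAN addressing plan. The LAN values are the ones
from the post; the planned VLAN subnets are assumed placeholders."""
import ipaddress

def check_lan_plan(bridge_cidr, lan_ip, pool_start, pool_end, reserved_subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(bridge_cidr, strict=True)
    gw = ipaddress.ip_address(lan_ip)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    # The interface address must be a usable host address inside the bridge subnet.
    if gw not in net:
        problems.append(f"LAN address {gw} is outside bridge network {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"LAN address {gw} is the network or broadcast address")
    # The DHCP pool must be ordered, inside the subnet, and exclude the gateway.
    if start > end:
        problems.append("DHCP pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"DHCP pool {label} {addr} is outside {net}")
    if start <= gw <= end:
        problems.append(f"DHCP pool would hand out the LAN address {gw}")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("DHCP pool includes the network or broadcast address")
    # The LAN subnet must not collide with any subnet reserved for a VLAN.
    for cidr in reserved_subnets:
        other = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(other):
            problems.append(f"{net} overlaps planned VLAN subnet {other}")
    return problems

# Values taken from the post.
LAN_PLAN = dict(bridge_cidr="10.10.1.0/24", lan_ip="10.10.1.254",
                pool_start="10.10.1.50", pool_end="10.10.1.100")
# Assumed placeholder subnets for VLAN10, VLAN20 and VLAN99 (not from the post).
PLANNED_VLAN_SUBNETS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.99.0/24"]

if __name__ == "__main__":
    for problem in check_lan_plan(**LAN_PLAN, reserved_subnets=PLANNED_VLAN_SUBNETS):
        print("PROBLEM:", problem)
```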

Summary

The architecture of the lab is meticulously planned, featuring distinct VLANs to simulate various network scenarios. VLAN10, the 'Fake Internet,' will simulate external threats, while VLAN20, the Corporate LAN, will host key infrastructure like the domain controller, workstations, and servers. VLAN50 and VLAN99 will serve specialized roles for SOC operations and isolated malware analysis, respectively. By setting up a dedicated network bridge in Proxmox and configuring pfSense as the firewall, I’ve established a controlled and segmented network environment that will facilitate the testing and evaluation of various security tools and practices.

The initial configuration steps included preparing the Proxmox network, creating and configuring the pfSense VM, and setting up the LAN interface with a dedicated IP range. This groundwork is crucial for ensuring smooth inter-VLAN routing and secure communication between different network segments. As the project progresses, I will continue to build on this foundation, focusing on system updates and security configurations to create a dynamic and effective SOC lab.

Next Steps

In this initial phase of Project Fur-tress, I have laid a solid foundation by setting up a robust virtualisation environment with a Dell R730 server and configuring Proxmox VE 8.2 to host my SOC lab. The architecture features distinct VLANs, each serving specific roles to simulate various network scenarios, from the 'Fake Internet' for threat simulation to the Corporate LAN and Security VLANs for core infrastructure and security operations.

The next steps involve setting up and configuring all devices within the Corporate LAN and Isolated VLANs. This includes installing and configuring the domain controller, workstations, and other servers. Once these devices are set up and updated, I will proceed with configuring firewall rules, NAT, and DNS settings in pfSense to ensure a secure and well-managed network.

Part two of this project will delve into these configurations and more. Join me as I continue this journey of learning, experimenting, and discovery.

Resources