  • darksymphonie

SIEM/Malware Analysis Project

This is a project that I've been working on for the past 2 months! My goal has been to work on it at least three times a week, but life happens, as do technology issues. I'm now confident enough to show everyone what I've been working on: as the title says, a SIEM/malware-analysis virtual environment. It's something I wanted to implement right away when I first heard about it in class, and as my tech skills grew, I became confident I could set it up by myself.


The Idea:

During my Cyber Infrastructure Technology class, I was first introduced to what an IDS/IPS does and the difference between the two. It was truly fascinating to see that people created these complex programs. I know there are many other IDSs in the world, but the one we touched on and got experience with was Snort, an open source IDS created by Cisco. It was also pretty easy to navigate when first installed. The IPS I got experience with was Splunk, by far the most popular SIEM/IPS on the market today. So in December of 2021, I finally decided to set it up. The goal is to simulate attacks in a working cyber environment, monitor them using Splunk, and analyze the attack/malware used.


The Setup


Virtualization :

For this project, I ended up using VMware over VirtualBox. One of the main reasons I chose VMware was the network configuration settings it provides, as well as the fact that it is a great product to have experience with. That doesn't mean I don't use VirtualBox; in fact, I prefer VirtualBox to VMware when doing CTFs. But for more technical activities, I prefer VMware.


NICs (Network Interface Cards) :


NIC 1 (Bridged/WAN): Shares an IP with my home network and provides internet access to the selected networks.

NIC 2 (Host only/Security): For this NIC, I'm going to have my SIEM on this network, to receive all traffic from my host network.

NIC 3 (Host only/Analysis): This NIC will be where I analyze all malware that is going to be deployed on the host network.

NIC 4 (Host Only/Host): Self-explanatory, this will be the host that will be getting pwned.


Virtual Machines :


PfSense: I'll be using PfSense as my gateway/firewall. PfSense is an open source firewall, router, and VPN solution. That is where my NICs come in, as they will be my LANs (excluding the WAN interface).

Debian: I'll be using Debian 11 as my Splunk indexer. A Splunk indexer is the repository that receives data from a forwarder and parses that data into events.

Kali (Attacker): My Kali Linux machine will simulate an attacker; I will use the MITRE framework when planning an attack.

Windows 7/10: At the moment, I have the Windows 10 machine set up so that all events on this PC are being monitored because of the Splunk forwarder that is installed.


Firewall Rules :

These are the current firewall rules I have set up. They're basic, but they SHOULD get the job done. If anyone has experience setting up firewall rules and sees that I have missed a rule or that it isn't hardened enough, feel free to reach out!


LAN 1/2 : SIEM/Malware Analysis

LAN 3 : Hosts
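The segmentation that the NIC list and the firewall rules above describe can be sanity-checked before rules are committed to pfSense. The following Python script is an added example, not the author's rule set or anything exported from pfSense; the address plan, the indexer address, the port and the rule table are assumptions chosen to match the post (hosts reach the internet and ship logs to the SIEM, the analysis network is fully isolated, nothing else crosses LANs). It evaluates rules the way pfSense does, first match wins with an implicit default deny, and flags any intended flow the table gets wrong, including the classic mistake of placing a narrow allow after a broad block so that it never fires.

```python
"""Sanity-check a lab segmentation policy: first match wins, default deny.

Added example. The networks, addresses and rules below are assumptions
modelled on the post's description, not the author's real configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan for the four interfaces (constructed, not from the post).
NETS = {
    "WAN": ip_network("192.168.1.0/24"),       # bridged to the home network
    "SECURITY": ip_network("10.10.20.0/24"),   # Splunk indexer lives here
    "ANALYSIS": ip_network("10.10.30.0/24"),   # malware analysis, isolated
    "HOST": ip_network("10.10.40.0/24"),       # victim hosts (and the Kali box)
}
SPLUNK_INDEXER = ip_address("10.10.20.10")     # assumed indexer address
SPLUNK_PORT = 9997                              # default forwarder-to-indexer port
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network             # source network
    dst: IPv4Network             # destination network (ANY = 0.0.0.0/0)
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port
    note: str = ""


# Ordered rule table. Order matters: the Splunk allow must precede the
# "block HOST -> SECURITY" rule, otherwise the forwarder can never connect.
POLICY: List[Rule] = [
    Rule("pass", NETS["HOST"], ip_network(f"{SPLUNK_INDEXER}/32"), "tcp", SPLUNK_PORT,
         "forwarder -> indexer"),
    Rule("block", NETS["HOST"], NETS["SECURITY"], note="no other access to the SIEM"),
    Rule("block", NETS["HOST"], NETS["ANALYSIS"], note="hosts never touch the sandbox"),
    Rule("pass", NETS["HOST"], ANY, note="hosts get internet via WAN"),
    Rule("block", NETS["ANALYSIS"], ANY, note="analysis net may not reach anything"),
    Rule("block", ANY, NETS["ANALYSIS"], note="nothing may reach the analysis net"),
]


def _matches(rule: Rule, src, dst, proto: str, dport: Optional[int]) -> bool:
    if src not in rule.src or dst not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(policy: List[Rule], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule; default deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if _matches(rule, s, d, proto, dport):
            return rule.action, rule.note
    return "block", "default deny"


# Flows the lab must allow or refuse (constructed test cases; 203.0.113.0/24 is
# documentation space standing in for "the internet").
EXPECTATIONS = [
    ("10.10.40.15", str(SPLUNK_INDEXER), "tcp", 9997, "pass"),  # Win10 forwarder -> indexer
    ("10.10.40.15", str(SPLUNK_INDEXER), "tcp", 8000, "block"),  # Splunk web UI from a host
    ("10.10.40.15", "203.0.113.10", "tcp", 443, "pass"),         # host -> internet
    ("10.10.30.5", "203.0.113.10", "tcp", 443, "block"),         # sandbox may not beacon out
    ("10.10.40.15", "10.10.30.5", "tcp", 445, "block"),          # host -> sandbox
    ("10.10.20.10", "10.10.40.15", "tcp", 3389, "block"),        # SIEM -> host is not needed
]


def audit(policy: List[Rule] = POLICY) -> list:
    """Return the expectations the policy violates; an empty list means it is consistent."""
    failures = []
    for src, dst, proto, dport, expected in EXPECTATIONS:
        action, note = evaluate(policy, src, dst, proto, dport)
        if action != expected:
            failures.append((src, dst, proto, dport, expected, action, note))
    return failures


if __name__ == "__main__":
    for f in audit() or ["policy matches every expected flow"]:
        print(f)
    # Swap the first two rules to show how a mis-ordered table is caught.
    misordered = [POLICY[1], POLICY[0]] + POLICY[2:]
    for f in audit(misordered):
        print("misordered table:", f)
```

Running the script with the table as given prints that every expected flow is handled; with the first two rules swapped it reports the forwarder-to-indexer flow as blocked by "no other access to the SIEM", which is exactly the kind of silent breakage worth catching before the Windows 10 forwarder stops delivering events.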



What is the purpose of doing this?

No one is forcing me to do this. I wasn't recommended to do this, nor am I getting paid to do so. So why? The answer is that I enjoy it. Yes, it's going to look and sound good to talk about in interviews, but the real reason is that I ENJOY the process of learning, making mistakes, and writing about it. I will make a separate post on how and where I got my inspiration to begin writing and documenting my work. In summary, I'm doing this because I love what I'm currently doing, will continue to do so, and want to further advance my skills in tech.
