
Hey, hi everyone. I'm Chris and I'm with Snap Labs. I'm going to be talking about building a home lab in the cloud. So first off, a big thanks to BSides Philly. I'm really happy to be speaking here for the first time, and also actually attending for the first time, which is pretty surprising. I've given like five or six other BSides talks across the country, but I lived in Philly for 10 years and haven't been here yet. So very excited to be recording this talk, and excited to see what everyone else has to present on Friday.

So just some background on myself before we get going. I started my cybersecurity career consulting for Security Risk Advisors here in Philadelphia, so I was doing mostly technical assessments, and then actually towards the end of my time there is when I co-founded Snap Labs. Then I went to do a bit of internal red teaming at GlaxoSmithKline, and then a short stint as a blue teamer on the security monitoring team at Susquehanna International Group. So so far, everywhere I've worked besides my own company has been a nice three-letter-acronym company. So like I said, I co-founded Snap Labs with my other partner Barrett, and what we do is we have a product that helps you manage, customize and deploy lab environments, and it's all cloud-based, hence the talk, and I also do a lot of customized lab builds there.

So before going into how to build a lab in the cloud and some of the things to know about it: why have a home lab at all? So what we find is that there are a ton of different, kind of varied and specific use cases for having a lab environment, and there's really two big use cases that we run across. One is research and development, so people that are looking to develop and/or test new tools, pen testing scripts, automated IR tools, that sort of thing, or even setting up things like honeypots to try to analyze more widespread internet activity or collect malware samples and that sort of thing. So that's pretty popular, you know, set up a lab for R&D. But by far the most popular use case for having a home lab is to have a training environment, a safe place to go and practice your pen testing skills or learn about cyber security defense. So from the offensive side, that can be anything from simple web app testing to some basic network pen testing, or even kind of more sophisticated real-world pen tests or red teams involving Active Directory and more connected infrastructure. And then on the blue team side, similar to your app pen testing, you can check out secure app configurations, or work with different security software that you set up in your lab. You can set up appliances to protect your home network like firewalls or Pi-hole to stop ads from getting displayed. There are also some pretty cool open source projects that let you pull in sample malicious data sets, pull them into a SIEM and then use them to practice detection engineering and threat hunting.

So yeah, home labs are quite popular, and there's a lot of free and paid platforms out there that will give you access to a lot of these types of things, and those are great, you know, I build one of them myself. But I think that also the actual building of the lab environments is really valuable as a learning opportunity, and I know personally I certainly understand things way better when I've gone through the pain of setting it all up. So just to give an example of that: you could either read a quick blog post on how to exploit some specific Active Directory misconfiguration and take advantage of a Group Policy misconfig to own a system, or you can go through the whole setup of building the Active Directory environment, launching other systems, connecting them, pushing out configurations through GPO and then attacking it, and for me that's going to result in just a much deeper understanding of what's actually going on with Group Policy from both the offensive and the defensive perspective. Same thing for web apps. Something we find is, you know, you don't install software... typically, I mean sometimes unfortunately things are installed default vulnerable, but most of the time after you've done a fresh install of your favorite software or web application, it's going to be more or less secure, and to give yourself a vulnerable version of it for your lab you have to figure out what specific settings do I need to change to make this insecure, and then go and attack them. So really the whole act of doing the lab build process I think is super important and a good way
to really learn at a deeper level what's going on. But I don't think you need too much convincing that a home lab is a good idea if you're listening to this talk, so we can go in and start actually talking about them.

Before going into the cloud for your lab environment, I just want to go over some hardware constraints that you're going to run into as you get more sophisticated. So your basic lab is going to start off nice and simple, maybe just a single web app, and then as you learn you might add more web apps to your lab environment, or you might be interested in just more sophisticated setups. So while at first just running things off of your laptop is going to be fine for most people, as you progress throughout your career you're probably going to run into a scenario where you're running something that's kind of too sophisticated for the device you already had, and you're going to have to start really thinking about investing in other hardware. So some quick examples of that, kind of going through the chart of lab sophistication here. A simple web application lab is probably going to run on a single VM, or you could deploy it in containers locally. It's not going to take up that much RAM or disk space or anything, and these are things like the OWASP Juice Shop, WebGoat. Those are two open source projects from them that kind of focus on learning OWASP Top 10 security issues. And then there's intentionally vulnerable servers or VMs as well: Metasploitable, then vulnerable Linux. These are all just single-system isolated lab environments that would be fine to deploy on probably just your regular laptop.

Now as you move up from that, you're going to start having a minimally networked lab, I think several Windows servers that talk to each other, maybe you're running a web application on one of them that has a connection to a database on a different server. Now you're talking about having more than just one system running on top of your host operating system, so you're dealing with more RAM requirements, you're dealing with storage that you might have to think about depending on what applications you're running. So you're probably still fine with a laptop, but you can start to see how, as you add more and more systems, that can get progressively more expensive. So a couple concrete examples of some open source projects out here and what their requirements are. DetectionLab we'll touch on later in this too, but the requirements for that are going to be 55 gigs of hard drive space, which I have free most of the time on my laptop, but what I don't have is 16 gigabytes of RAM to spare whenever. So this might be feasible on your laptop or your normal desktop depending on your specs and what kind of work you do, but it's not for me, and I think for a lot of people this is where you're going to start to need to think about getting that dedicated device. And same for Splunk Attack Range. This is another open source project; it's very similar to DetectionLab but you have some additional options in terms of more Splunk services that you could launch. So this definitely goes over the line for me of I would need a dedicated desktop or server environment to run this type of a lab on.

So we started at the one end of the spectrum of just a single app, single system lab. Kind of the other end of the spectrum is similar to what you see in a lot of the red team training courses out there, the lab environments they use for those: it's a full simulated corporate network. We have several of these at Snap Labs. This is an example of the stats from our Shirts Corp lab: it's going to have 28 virtual machines, over 60 gigabytes of RAM, close to a terabyte of storage, and I don't personally know anyone with personal devices that can support that type of a lab environment. So you're probably going to need a dedicated actual server to run this thing. Eventually, I think if you play in lab environments long enough, you're going to want something with this level of sophistication. Now maybe you don't need 28 systems, but you might have 10 to 12, which would still require most likely a solid server setup to run reliably. And when you're talking about the amount of money you could spend on that type of hardware versus the cost in the cloud, if you think of it in terms of your hours of usage, which, if you're taking advantage of the cloud properly and using its on-demand nature, that's how you should be thinking about it: how many hours am I going to spend in this lab? It maybe starts to become worth it to think about a hardware setup for this type of environment if you're spending hundreds of hours a year in this lab environment, which, I don't know about you, but I definitely don't have time for hundreds of hours on top of my regular work just in a lab environment. So switching to the cloud for these types of things gives you a lot of flexibility. You can turn the lab off; you're only being charged for it when you use it. So some of the constraints of the
hardware stuff. On to transitioning to the cloud. We talked about its on-demand nature. Another big advantage, aside from the on-demand nature, is that there's no upfront costs either, so you can start off for free and kind of invest more money into your labs as you grow and as you decide that's something you want to do. You don't have to decide up front, hey, I want to get this server to set up this lab, and then find out that you're not actually using it that much and it was a big waste of money. There's also a lot of existing tools to deploy these labs pretty quickly, so Terraform, Ansible, there's several others that'll help you deploy and configure systems in the cloud. They also have options to do that locally, but it certainly means that there's no advantage to sticking local to have that type of automation. And then like I mentioned, the scalability: as you're getting more sophisticated, your labs can also get more sophisticated, and you don't have to purchase any hardware or upgrade anything; it's just ready for you in the cloud. Also a note on the hardware that Amazon and Microsoft are running: it's going to be much better than the hardware that you're able to purchase and manage as a consumer. In most cases they're going to manage the updates of that, so if you had to switch out some RAM because it went bad, they're doing that for you; all of your data is pretty much backed up. So I really recommend taking advantage of those aspects of the cloud for your lab environments. Another thing that's not necessarily just lab related is how relevant and kind of future-proof it is, to use a cliche term. Right now, enterprises, applications, all these new technologies are being built largely in the cloud, and they're not going to be moving away from that anytime in the near future. So by putting your lab environment in the cloud, you're able to learn these cloud-native concepts and get your hands on some of the specific cloud services relevant to security. AWS has GuardDuty, CloudWatch, CloudTrail; there's Azure Sentinel; there's hundreds of other services that you can learn, and that knowledge is going to be relevant for you for a long time.

So those are the advantages of moving to the cloud. There's also some gotchas. I won't call them disadvantages really, because things aren't moving back away from the cloud, so I don't think the fact that it's different from on-prem is a disadvantage; it's just something that you should be aware of when you're building these environments. So the big one everyone thinks of is it's really easy to misconfigure a service in the cloud to be insecure. So your big Fortune 100 company that leaves an S3 bucket public and then all of a sudden they have a huge data breach: that can happen when you're setting up your lab environments as well, so something to take note of. And then also the networking intricacies can be a bit of a nightmare, so things that you might expect to just work as you're setting these things up for the first time won't. For instance, your broadcast traffic isn't going to exist in the same way; Amazon is doing some special layer 2 magic where you're never going to see that, so tools like Responder won't work. And then kind of in the same vein, a lot of your network traffic analysis tools aren't going to work the same. So while you can tcpdump or do a packet capture off of an individual network interface on an instance, you can't tap a switch in the same way you would in a physical lab to get all of the lab traffic and then monitor that through a tool like Zeek or Suricata. AWS is doing things to make this a little better, so they have things like VPC Traffic Mirroring, which will mirror all the traffic from those interfaces to a specific location, but they don't support all the traffic types yet, and it's definitely not a one-to-one of what you're used to in a physical lab environment. So just some things to take note of.

Alrighty, on to building a lab in the cloud with AWS. So I'm going to breeze through these steps real quickly here, but this is an example of what you'd need to do to get signed up and spin up a quick lab environment: sign in, or sign up if you haven't; create some underlying infrastructure, that's mostly going to support your networking; launch your systems; configure those systems; and then start doing your pen testing or your blue team research or whatever you're doing. So to sign up just takes a couple minutes. You'll need a credit card and a phone number, I believe, to verify your identity,
and then when you go to the VPC service, I'd use this VPC wizard. Select the first configuration here if you're just starting out. It's going to give you a few things to take note of: you can name your VPC and set up the CIDR ranges, and this option is going to create a public subnet, which creates an internet gateway to allow your systems in the lab to have internet access, which is important if you want to download software, tools and that sort of thing. So it's going to also create a few other resources for you: DHCP options for custom DNS or Active Directory domain things; the route table, which we'll talk about later, is going to be important for both internet access and your VPNs that you set up, if you have them; and then the network ACLs, which we never touch because it's super easy to mess that up and then just lose access to your lab and not really know why things aren't talking to each other.

So once you do that, you're going to want to edit that route table. I mentioned that it creates an internet gateway for you if you selected that public subnet option. You're going to route all of the traffic bound for the internet, at 0.0.0.0/0, to that internet gateway, and that'll let your lab systems talk to the internet and download software.

Next you're going to launch your systems, your instances. Select a service tier: how much RAM and compute do you need? You're going to configure its details. Make sure you put it in the right VPC; you should only have one subnet at this point if you're following along. And then the important one here is the auto-assign public IP address. That's going to give your instance a public IP and let it talk through that internet gateway, but it won't actually be accessible to the internet unless you configure your security group that way, so no worries there. Next you add your storage, add some tags. Definitely recommend naming things so you know what to go look for in your AWS account besides just instance IDs. And this is probably the most important step out of the seven here: configure your security groups. So in general you want to definitely make sure that you're only allowing the traffic types that you need, so SSH or RDP and maybe web traffic or something if you have applications you need to access, and generally selecting "My IP" from the source list is going to be the safest, and only allow that traffic from your current IP address. You also want to make sure that you allow the systems to talk to each other, so we call this like an inbound local security group, letting anything that's in the VPC talk to anything else in your VPC. That'll save you a lot of headaches down the line. And finally we have the key pair, which is going to be important for getting your Windows passwords and SSH into your Linux systems.

All right, so kind of a lot of steps there. It's kind of tedious to go through, especially when you have to do that 20, 25 times for each system. There are existing open source labs with a lot of automation that'll help you go through that a lot quicker. So one of them is DetectionLab, which I talked about a bit. This is a great project by Chris Long, and all you need to do is install the prerequisites, run your terraform apply, and the scripts in there are going to automatically spin up most of that infrastructure we just talked about with pre-configured images on Amazon. So this takes roughly 20 minutes to deploy to AWS if you have your AWS set up with access keys and that stuff already, and there's also local options too for deployment. So these are the systems in that project: there's a Windows domain controller, a server to do event collection and log forwarding, a simulated workstation, and then an Ubuntu server for the actual Splunk and log ingestion and some other services. Splunk also has kind of a similar project called Splunk Attack Range. There's some great documentation there as well on getting your AWS account set up; there's a few things you need to add before you deploy this one, and it also uses Terraform to deploy to the cloud. This is the architecture for it. So the main difference here between this and DetectionLab, as far as the deployment process goes, is that Ansible is going to actually configure and build all these systems from scratch after Terraform deploys just the base operating systems. So DetectionLab has images pre-configured for you already and they just deploy and are ready to go, and Splunk Attack Range will deploy the base OS and then configure it afterwards. So just a couple extra steps means it takes a little longer, maybe 30 minutes or so,
but still much quicker than doing this all on your own and then configuring it. And then there's another lab here that ran by my Twitter feed a while ago that I wanted to include just as kind of an alternative that's very similar. They focus on identifying and sharing indicators of compromise, so the logging is pretty extensive, but the main difference with this one is it's Azure specific, and it doesn't use Splunk as its SIEM; it uses a project called HELK, which is the Hunting ELK stack, so it's all open source tools to let you kind of do the same thing as Splunk, just a bit different.

Alrighty, so no matter how you've set up your lab environment, the next thing that you're going to need to do is access it. And the security group setup, as I mentioned before, is really important to make sure that you're not opening up RDP to the internet from everywhere and that sort of thing. So I think really the best option for this is to set up a separate software VPN to access the rest of your lab environment. It kind of simplifies some of the other security group setup that you have to do and also keeps it super secure: the only thing accessible to known IP addresses is going to be a few ports on one system, and then that is kind of your bastion host for everything else in the lab. So, setting up several VPN solutions over the years with Snap Labs, it can definitely be a pain, and maybe a barrier for some folks that are just getting started with building their lab environments. So we decided that we can remove that barrier by taking the solution we built for our platform and open sourcing a good part of it in the Snap Labs Bastion Box, to allow some VPN connection, easy cert management, creation, revoking, and also a super convenient feature to access your systems through the browser even without a VPN client, using Apache Guacamole.

So to set up the Bastion Box, first you have to have your lab set up in the cloud. Then you just launch the Bastion Box into that lab environment; there's a public AMI that's available to you that you can just search for in the community AMIs in Amazon. Log in: when you set it up initially, your instance ID is going to be your password, and then you can connect to your systems. There's also some optional Bastion Box settings. So if you disable the source and destination check on that system, and also add a route for the VPN clients, which there's documentation for in the GitHub as well, that'll let you have C2 callbacks to connected clients to the VPN, which can be important. And also if you assign an Elastic IP to it, that'll make sure that any existing VPN configurations will live through any power cycles; otherwise when you power off and on that instance you'll get a new external IP each time. This is what the console looks like. It's a pretty simple interface. You can connect to and edit, create console sessions, download, revoke, create new VPN configurations. And I should mention also that this is not limited to AWS, so you can deploy this in your local lab environments as well with an install script. So for console sessions, there's a few simple configuration settings to make; same for VPN configurations. And now we can walk through all that.

Okay, so when you launch this, you'll be presented with just a login screen, and like I said, the password is going to be the instance ID of the Bastion Box instance that you launched. So you can just sign in, and then you can see you have access to all of your console connections here. You can edit existing ones, see what the parameters are, you can delete them in here as well, create new connections. It's all super quick and simple, and then to connect, just select the icon under the Connect row there, and it forwards this RDP connection straight through to the browser, which I found super helpful, especially when you have a ton of systems, to not have to manually RDP or SSH into each one of them when you want to make some config changes to your lab. Same thing for the VPN configs: to create a new one, it's really easy, just type in the name of it. There's like two parameters that change based on whether you're running on Linux or Windows, so just select the appropriate one there, create it, download it. You can connect with any VPN client that accepts OpenVPN configuration files, and there's plenty of those. And then if you don't want these to work anymore, you gave them to a friend and you don't want them to have access, you can just do a simple revoke, and that'll remove it from the server for you.

All right, so that's it for Bastion Box, and also our presentation. So I appreciate everyone for tuning in and watching this recording. I'm sure I'll be quite embarrassed listening to myself for 30 minutes, but I'll be in the Snap Labs Discord channel during the conference, I think Barrett will be there as well, for any questions you have. And here are the links to some resources, including the Bastion Box, and we'll get these slides posted to our website as well. Thanks a lot.
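The manual AWS steps the talk walks through (VPC wizard with a public subnet and internet gateway, the 0.0.0.0/0 route, the "My IP" plus "inbound local" security group, and an instance with a public IP and key pair) as a single Terraform configuration, added here as an example and not code from the talk, DetectionLab or Attack Range. The region, the AMI id, your public IP and the key pair name are assumptions supplied as variables or placeholders.

```hcl
# Added example (not from the talk or the projects it mentions): the VPC, route
# table, security group and instance steps from the talk as Terraform.
# Assumptions: region comes from AWS_REGION / your profile, the AMI id is a
# placeholder, your public IP and an existing key pair name come in as variables.
variable "my_ip_cidr" { type = string } # e.g. "203.0.113.10/32" (placeholder)
variable "key_name"   { type = string } # existing EC2 key pair (SSH / Windows password)

# Underlying infrastructure: VPC, one public subnet, internet gateway
resource "aws_vpc" "lab" {
  cidr_block           = "10.10.0.0/16"
  enable_dns_hostnames = true
  tags                 = { Name = "home-lab" }
}
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.lab.id
  cidr_block              = "10.10.1.0/24"
  map_public_ip_on_launch = true # same effect as the "auto-assign public IP" option
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.lab.id
}

# Route table: internet-bound traffic (0.0.0.0/0) goes to the internet gateway
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.lab.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Security group: management ports only from your IP (never 0.0.0.0/0), plus an
# "inbound local" rule so every lab system can reach every other one.
resource "aws_security_group" "lab" {
  name   = "home-lab-sg"
  vpc_id = aws_vpc.lab.id
  dynamic "ingress" {
    for_each = { ssh = 22, rdp = 3389 }
    content {
      description = "${ingress.key} from my IP only"
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.my_ip_cidr]
    }
  }
  ingress { # inbound local: anything in the VPC can talk to anything in the VPC
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.lab.cidr_block]
  }
  egress { # outbound to the internet so systems can download software and tools
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# One lab system; repeat the block (or wrap it in a module) for the others
resource "aws_instance" "dc01" {
  ami                         = "ami-PLACEHOLDER" # choose a Windows Server AMI
  instance_type               = "t3.medium"
  subnet_id                   = aws_subnet.public.id
  vpc_security_group_ids      = [aws_security_group.lab.id]
  key_name                    = var.key_name
  associate_public_ip_address = true # public IP, but only reachable per the SG rules
  tags                        = { Name = "lab-dc01" }
}
```

Run `terraform init`, then `terraform apply -var my_ip_cidr=<your ip>/32 -var key_name=<pair>`; `terraform destroy` tears the whole lab down when you are done, which is the on-demand billing point the talk makes.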