
Have Lab, Now What?

BSides Buffalo · 47:12 · 71 views · Published 2024-06
Category: Career
Style: Talk
About this talk
There are hundreds of blogs on how to build a homelab, but rarely is there any discussion of how to use one to upskill your career. This session, hosted by two cybersecurity engineers by day and homelabbers by night, showcases tried and true methods of pushing your homelab, regardless of size, to its maximum potential. As a group, we explore use cases for any budget on topics such as simulated corporate environments, large-scale virtualized networks, and detection engineering labs, to give you experiences and learning opportunities not easily available otherwise.

About the speakers

Kelsey Seymour, Sr. Cybersecurity Engineer, The Guthrie Clinic. Kelsey Seymour is a Sr. Cybersecurity Engineer with The Guthrie Clinic in Sayre, Pennsylvania, with over 7 years of experience in IT and cybersecurity. Kelsey has presented at conferences including H-ISAC summits and BSides. His main areas of focus are network security, SIEM architecture/engineering, and detection engineering/threat hunting. In his spare time, Kelsey enjoys outdoor recreation, cooking, and time spent with friends around a campfire.

Aaron Everson, Cybersecurity Engineer, The Guthrie Clinic. Aaron Everson is a Cybersecurity Engineer with The Guthrie Clinic in Sayre, Pennsylvania. His 18-year background, starting in Infrastructure & Operations with a focus on End User Compute Engineering, gives him a broad view of the business, technical, and customer impacts of cybersecurity. In his free time, Aaron enjoys being outdoors with his family and friends, as well as 3D printing.
Transcript [en]

All right everyone, welcome. We're going to get started here. I have the pleasure of introducing Kelsey and Aaron; they are both cybersecurity engineers for the Guthrie Clinic. Today this talk is going to be about home labs, so I'm going to read a little bit about what they're going to tell you about today, and then I'm going to let them do all the talking. So, there are hundreds of blogs on how to build the home lab, but rarely is there a talk on how to use it to upskill your career. This session was hosted by two cybersecurity engineers by day and home labbers by night. Probably the first time I've read that, but that's pretty cool. So this will showcase some tried and true methods of pushing your home lab, regardless of the size, to its maximum potential. As a group we will explore different use cases for any budget on topics such as simulated corporate environments, large-scale virtualized networks, and detection engineering labs to help give you experiences and learning opportunities that are not easily available otherwise. So I'm going to turn it over to Kelsey and Aaron. Let's welcome them.

Thank you everyone. So like you were saying, Aaron and I were talking one day and we're like, you know, let's go to BSides, and we're like, you know what, let's not just go, let's have a little bit more fun than just going to attend, right? So we were brainstorming ideas, and one of them that came up is a lot of people here have home labs. So just by show of hands, who here has a home lab or has ever had a home lab? Exactly. So keep your hands up if you've got a home lab. Now how many of you have said, okay, now what do I do? Right? So it's one of those where, you know, we were talking, and with helping Aaron with his home lab, there's plenty of ways and reasons and methods to get the home lab built, but hey, you've got it, cool, that's awesome, what am I going to do with this? Oh God. So that's kind of where this talk came from.

So quick little background. I'm Kelsey Seymour, I'm the senior cybersecurity engineer at the Guthrie Clinic. I've been in IT in one way or another for a little bit under a decade and cybersecurity for about 5 years now, and with that I'll turn it over to Aaron.

So I'm Aaron Everson, I'm also a cybersecurity engineer at Guthrie. I've got about 20 years of experience in infrastructure, endpoints and networking. I'm very, very new to cybersecurity, minted as of March. So one of the things that I did, and what started a lot of these conversations, is Kelsey has been coaching me a lot related to what was my home lab, which is basically what most PC enthusiasts or infrastructure guys would have: a few disorganized PCs laying around to test one thing or another. So as we started putting the lab together, you know, again, so many articles about okay, what to build, how you can build it, but then what? So this talk was really inspired by Kelsey helping me do the same thing.

So with that, we kind of broke this into three different sections, as you heard earlier. The first one's going to be around simulated corporate environments

and we're just going to highlight some tools here. These are not in any way endorsements; these are ones we've used, so there's a little bit of endorsement there, but at the end of the day it's really: you have the lab, now what?

So with that, one of the nice things you can do is you can play around with agents and logging methods. I'm going to pick on EDRs a little bit. EDRs are very expensive, very hard to get for a home lab, unless you roll your own, like an E5 tenant with Microsoft, get Defender, and now you're just paying a lot of money for something that's only for a couple endpoints. So really EDRs kind of get broken into three main different areas. One of which is endpoint visibility, right? So there's an open source tool called osquery which basically exposes your endpoints, whether they be servers or laptops, desktops, whether they be Mac, Windows or Linux, and it makes it a queryable SQL table. So I can reach out to my environment and say, hey, amongst all of my virtualized servers or whatever is in my lab, who has BitLocker enabled, and to what encryption level? And that's just a simple SQL query. I can pull that data, similar to how CrowdStrike might display it within their tool. Velociraptor kind of takes in that active response side. A lot of the EDR tools now have ways to do active response; Velociraptor can definitely assist with that. With Velociraptor you can run PowerShell scripts, you can push scripts, stuff like that. And the third one I'm going to talk about here is Sysmon. One of the nice benefits of most EDR products is you get some really fine-grained, in-depth telemetry. So does Sysmon. You have to play around with the config file; we'll talk about that here in a little bit. But nonetheless, here's three tools that get me everything but the actual, quote unquote, protection side of an EDR that we might want to play with from a cybersecurity standpoint, for a total cost of zero outside of hosting it in your own lab.

So with that, I'm going to turn it over to Aaron for the Active Directory side.

So I mean, in most environments, for most of us, Active Directory is already set up before we get there. We never have time to play with an implementation, we never have time to play with certain configurations or misconfigurations. So think about how many times you look at your environment and go, man, I don't think that's set up right, and never get a chance to change that configuration, because, you know, how many times do you tear down Active Directory and build it again? You just don't do it. So being able to test your configurations and redesign your configurations in a microcosm, in your own home lab, is great experience. You get to test new things, as well as GPO deployments, seeing how they act, how they react or don't act properly, whether they've been deprecated, and so forth. But also having a firm understanding of this from the infrastructure side of it, and tying that into cybersecurity, only makes us better analysts, better engineers for understanding how that works, because at the end of the day, and I'm probably going to say this multiple times, cybersecurity is simply infrastructure excellence.

For sure. And another thing here with GPOs is: how many of you, if you're helping recommend GPOs, or are even

implementing them, have you done this before? Right? So using labs is a good way, as Aaron was saying earlier today, and I'll let you say the famous quote here.

Oh, yeah. What did I say? Sorry, it was an early morning car ride, people. It's been a long day. It is a low-risk confidence boost. You can do things that would break your corporate environment, and please break it, please, because then you know exactly how it's going to behave. On top of that, if you know exactly how something's going to behave, I mean, because I've been in that seat as somebody on the infrastructure side going no, no, no, no, cybersecurity, I'm not flipping that switch, it's a lot easier to have that discussion, have that argument, and win it in a reasonable sense when you want to change a control or a GPO.

For sure. For example, on GPOs, if you're not used to working with GPOs: if you have a GPO that sets some bad settings, simply disabling that GPO does not mean those settings get flipped back on the endpoint. And if you don't play around with it in some way, shape or form, whether that's the dev environment at work or in your own home lab, it's the little gotchas like that that aren't often that well documented, and that's where that confidence boost can really come into play.

Absolutely.

Another thing around Active Directory, for sure, is attacking and defense. AD being one of the largest IAM solutions in use by most companies, from medium business all the way up to large-scale enterprise, understanding how it works at its heart can be really, really beneficial. For example, why should we fear the Print Operators group? And if you're not used to playing around in Active Directory, especially in more of a default state, these insecure defaults, and learning not only how are they bad, and maybe being on the red team side and seeing exactly how they're bad, but also from the defense side of okay, how can we help mitigate this, how can we allow the business to still function and, you know, only have one or two break-glass DA accounts.

And then also another fun one with Active Directory I've had a lot of fun and success with, both professionally and personally, is LDAP Firewall and RPC Firewall. These are some open source DLLs and solutions that were produced by a startup called Zero Networks. They fully open-sourced this part of their solution, and what it does is DLL patching to allow you to get very granular on your LDAP calls and your RPC calls to different servers. So I'll pick on the attacking and defense side here: DCSyncs. So being able to completely sync a domain controller to an attacker-owned computer. You need either a domain admin or a domain controller account to do that, makes sense. Windows out of the box has no functionality for blocking that by IP addresses. So if you have a valid domain admin account and you can talk to the domain controller on the ports required for a domain controller to function, guess what, you now have a copy of the domain controller. So one thing that we can do with playing around with these more in-depth firewalls would be to start setting up IP ranges: hey, here's where my domain controllers live. So now I have the barrier of entry of having to have a DA or DC machine account and be on a domain controller already to even attempt a sync. Plus, with the logging included with this, if someone attempts it and they're not on a domain controller, that's a very easy high-fidelity red flag for your security operations team to pick up and run with. Because now we went from hey, a DCSync happened, that kind of looks suspicious, we should go investigate, to we can now say this account from this source IP address attempted this and failed. So we have a blocking control, we have a really good detective mechanism around it with high fidelity, and that one little event log is everything your SOC needs to start their

investigation. But it's a mildly complex thing to introduce to an environment, so if you don't have a dev environment, or you want to play around with it in the lab, that's where that confidence boost can really come into play, because any of these tools implemented incorrectly can also break Active Directory, which no one wants to be responsible for: bringing down domain services for your company. Hence home lab. Yes.

So the next subtopic here we want to touch on is infrastructure as code and other engineering. With infrastructure as code, rapid deployment seems to be the name of the game now, right? Companies used to be, hey, if you're a software company, we are going to release once every 6 months. Now it's, hey, can we release once a day, once a week, five times a day, 10 times a day? So infrastructure as code is really beneficial in that, and that's how the infrastructure teams will actually start trying to build that. So what does a database server need to look like here? And using, whether it's Docker Compose, Vagrant, pick your flavor of choice, that's something that is becoming really prevalent in our organization, so why not do that for your home lab? For example, my home lab, at the point it's standing right now at my house, is actually powered off right now. I don't need a lot of it. I have one or two small fanless units that I keep powered on, but the 6 to 8U of rack I have sitting in my closet is powered off right now. If I need to go do something, I'll power it on, and then I have different little scripts that I can just execute against my lab and my hypervisors to build what I need. So if I need Active Directory, it's as easy as hitting the power button, grabbing a cup of coffee, hitting deploy, and now, especially if I'm going to break things, I can have a very quick, easy reset button that only takes 5 minutes. So being able to have these, you know, repeatable things. And also, considering this is the intro-sec group as well, cloud security is a huge button on most résumés nowadays as far as, you know, job description stuff like that. Infrastructure as code is huge, especially in cloud-native organizations, so this is a really cool way to up-level that I actually don't hear too much being talked about, especially in the lab space, outside of, hey, let's go play with this in a cloud provider. But if you happen to run the previously free, pre-Broadcom version of ESXi in your home lab, you can still do deployments that way.

So up next I'll toss it back to Aaron for operating system hardening.

So yeah, OS hardening. I mean, there's a certain amount of that you can do in your own environments, from whatever company you work for, et cetera, but if you don't have access to it, especially if you're just starting out in your career, it's great to do in a home lab. So I mean, you could just wake up one day, choose violence, and turn on every C... CIS... CIS, yeah. I'm terrible with acronyms, so I apologize. Take a drink. Yep. So with the CIS benchmarks there, right, you have your level one, your level two. Level one is, hey, this is reasonably secure, it's unlikely to break things. Level two is, here be dragons, proceed with caution. And then it gets worse. So you obviously don't want to turn that on in your environment; you obviously want to have a solid understanding of CIS baselines, Microsoft security baselines, and any other firewall changes, Windows Firewall or otherwise, that you want to implement or play around with. You want to have a solid understanding of what the impact is going to be on the environment, especially if you want to stand toe-to-toe with a desktop engineering manager, I know because I was one, and say, hey, we want to turn this control on. You want to be able to say, well, this is what this control is going to do, this

is exactly how it's going to behave in your environment, I know because I've done it. And it's a much easier sell than saying, hey Aaron, go turn on this control on all your endpoints, I don't know what it's going to do, but the book says we want it. So that's being able to do that in your home lab; again, low-cost confidence boost, low-cost knowledge boost. And picking back on rapid deployment as well: hey, so I'm turning on these controls, turning them off, how am I doing that? Can I do that in a script? Can I do that via GPO? So not only are you gaining the skills yourself, seeing how things can interact, how things change, you're also going, hey wait a minute, I kind of got this figured out, I can do this in 10, 15 minutes, here's a GPO file, or here's a PowerShell script I just need to run on these endpoints, hey, it's been tested. So again, really the best part of a home lab is it can give you that confidence, it can give you that knowledge, it can give you things for your résumé that you might not already be able to put on there, and do so with confidence.

So another thing that's fun to do with labs as well is canaries. If you were in the "Please Waste My Time" talk earlier today by Q, that was definitely a topic that got brought up one, two, three times, and again, great minds think alike. Thinkst is a great place to get started. They have a lot of kind of pre-canned ones, with either webhooks or emails for canaries, so you can do PDF documents, Word documents, AWS credentials, stuff like that. It's a free, open source thing. They also do have commercial appliances that are awesome for corporate environments, if your company wants to go that way. I don't know if it's still the case, but I remember back at my old shop they used to boast on their website that they have had zero unsatisfied customers, and that's a pretty bold claim to make, but I think they made it quite safely.

Now again, this wouldn't be a talk about home labs if we didn't mention rolling your own canaries. There's also a really good book, Intrusion Detection Honeypots: Detection Through Deception. It's about $20 on Amazon. I read it about every two years or so, it seems, and I just finished my read here last week, so it's kind of fresh in the brain. But it goes through what is a honeypot, and then gives you ways to build them yourself using an Ubuntu VM or Debian VM and a desktop. So guess what, pretty well within the realm of most home labs, and that's something that you can take back to your organization, put on your résumé, whatever have you. Hey, deception technology, deception controls, when used effectively, can be very, very effective in your environment. Or HTTPS interception: do you want to roll your own Squid proxy or whatever have you, do man-in-the-middle of your SSL, figure out why pins are both a blessing and a curse, and stuff like that, and play around with all that? Guess what, you've got a lab, go do it, have fun. Really, at the end of the day, the sky's the limit.

So this concludes our first little third, and we're running right on target here. Does anyone have any questions thus far? Go for it.

Not a question, but

I'll just reinforce your statements here, because I do a lot of interviews of candidates, and I get senior candidates that I ask, how would you harden an operating system, Linux, to be, I mean, the backbone of the internet? And I kid you not, 90% of senior-level engineers, security engineers, kind of, uh, change the root password, make sure the firewall's on, I guess. Oh no, not even that, okay. And they want to scan the server to find open ports. I said, but I gave you the server, why are you scanning it from outside? So this is so critically important, and yeah, I just wanted to reinforce that because it's a great, great point that you guys made, that understanding how to do that in microcosm is so wonderful.

Because again, like I said before, and I'll say again, I'll keep saying it probably till I retire and then afterwards, you know, cybersecurity is nothing more than IT excellence, and having those hardening standards and understanding how they're going to work is critical.

Absolutely. And Aaron, how many times did I come to you when you were still on desktop engineering with these harebrained ideas and said, hey, had an idea, let's try this?

And how many times did I tell you, get out of my office? Not many. Not enough that we're both standing here. That's true, that's true.

So with that, we're going to go on to our next little third here, which will be simulated networking. The two main tools of the trade here are EVE-NG or GNS3; both are open source. So with that, we're going to start off with general networking.

So again, if you're just starting out, if you've never managed a network, never architected a network, never been a network engineer, you know, again, low cost, low risk, knowledge gain, confidence gain. Grab yourself a couple of old switches off eBay, or virtualize, as Kelsey said. Mind licensing if you grab something off eBay, depending on what you're getting, but build it. You know, go through, build something from scratch. My home lab at the house, I'm actually setting it up as if it was an enterprise environment, right from scratch: network segmentation, zone segmentation, thanks to Palo. It's a good time. But knowing the basics and knowing how it works, again, it's the difference between, hey network, we want you to do this, versus, well, because I said so, versus, no, this is exactly how this closes this vector, this is this problem, this is how it's going to shrink our threat surface. But also, different vendors: how does an Extreme switch work like a Cisco switch? Show of hands? No. So having exposure in microcosm to different vendor hardware, different vendor software, knowing that they operate completely differently. You're not going to put settings on a Cisco or a Fortinet that you would on a Palo, you're not going to do that, that's getting more into firewalls, but you're not going to program an Extreme switch like you would a Cisco switch; they'd be different. Back over to you.

Sure. And just another thing to add on there: you might need a non-public email address, so I mean by that it's not a

Gmail, not a Hotmail, stuff like that, but university emails tend to work pretty well. Most networking vendors will give you 30-day free trials of VMs. So if you want to go play around with Palo Alto, you can go sign up for a 30-day trial. If you want to go play around with a Juniper vMX router, same thing. Same thing for Fortinet; I believe Cisco is still the same way, stuff like that. So there's legitimate ways you can get enterprise-grade gear in your home lab, at least temporarily, now and then, and actually get hands-on. So not only can you just say, hey, if you're new to the industry, well, I came from a Cisco shop, I've only touched Cisco, I've only touched ASAs, I've only touched Firepowers, I've only touched, you know, Catalyst switching or Nexus; you can say, hey, I went to Extreme. And Extreme, for example, actually has their VM series completely open for labbers, with no license limitations, no anything else. So if you want to say, hey, I want to play around with Extreme Fabric Connect, for example, you can go build that in your lab, build out fabric, play around with the different routing protocols, play around with different fabric topologies, and the cost to you, because you already have your lab, because it's "have lab, now what", is $0. And those are some valuable things, especially if you pair them with the cheap entry-level certs like the JNCIA for Juniper or the Extreme Fabric Connect Associate from Extreme, stuff like that. That's a really good way to help up-level yourself for under $100, because it's just the cost of the exam at that point, and you have hands-on experience.

And the other thing here, as Aaron was kind of alluding to, is how does a VLAN work, how does IPsec work, 802.1X authentication. These are all things that from a networking standpoint you might not touch much of, but as a security professional you might have to advise a lot on. So as we've said before, it's a completely different story when we can say, hey, we understand segmentation into different VLANs, if you have a flat network it can be a pain, let's help, let's work together, we're not doing this to you, we're doing this with you, and stuff like that. And Aaron, coming from desktop engineering and end user computing for 20 years, how's your networking skills going lately?

Well, you know, it's kind of, you let the network team deal with that, so you just kind of let them deal with it, and they get rusty, really rusty, really fast. You know what one of the best ways to avoid rust is? Polishing. Low cost, low risk polishing. Home lab. Yep.

So with that, we're going to transition over into firewall management on the networking side here. So, as I alluded to earlier, I'm setting up my own home lab just like an enterprise network; therefore I can test different things. I actually have a Palo in my home lab, and being able to test different IPS, different App-ID signatures, different rules, how they're going to behave, so that when I get to an implementation or major rule change, not only can I test it beforehand and see how it's going to work. Because unless your organization has a dev environment for their firewalls, which, show of hands, anybody? Exactly, right. Well, I'll even go beyond that, right: who here has a dev environment set up similar to your production environment? It's not just a firewall, a couple switches, and a

couple, maybe one, two servers and one, two endpoints? Doesn't happen. So there's a high risk, if you've never done the change or the rule change that you're planning on doing. You might read it on paper, you might have seen it done, you might pair with a vendor that's done it, but nothing changes or can replace that "I have done it", even if it's in microcosm. You've done it. That low cost, low risk confidence boost of having done this in the lab yourself, and you are confident that you know exactly how that change is going to behave. Same thing with upgrades. How many have sat there in the wee hours, during an off-hours upgrade, going, God, I hope this works like the manual said it would? Anybody? Just me? You just kind of hit the button and you're like, okay, okay, wait, it's been 30 seconds, wait, okay, it said it would only take 5 minutes, it's been... oh, you know.

Yes? Simulations like Packet Tracer?

Yeah, so Packet Tracer from Cisco is a good example. I mean, it's Cisco-specific, but it's a very good way of simulating a Cisco environment. You can get the routers, the switches; ASAs, Firepower I believe are now in Packet Tracer, it's been a little bit since I've touched it. But yeah, I mean, and that's kind of one of the things we were saying a little bit earlier and alluding to: when it comes to home labbing, there's 101 tools to do what you need to do. This is the playground where you can go try Milwaukee, go try DeWalt, stuff like that, see what works well, see what doesn't work. So I mean, it's all, you know, all different paths to the same end.

So up next is going to be firewall cutover. Firewall cutovers are probably one of the hardest things to do within the realm of network security, right? So whether you're doing greenfield, which actually is the easiest of the hard options here, right, you have nothing, let's build. But okay, who here, going back to the AD discussion, how many places do you come to that you actually get to greenfield a firewall deployment, versus hey, it's here, it's built, it's already here, I'm just the groundskeeper maintaining it? Or vendor A to vendor B migrations, right? So hey, X vendor raised their prices, you know, 4 or 5%, we need to go look at Y vendor. So okay, we did a POV, we did everything else, hey, it's looking like we're going to cut over. If you might not have the budget for professional services, or this is something you want to do on your own regardless of reason, practice it out in a home lab. Most firewall vendors will give you a 30-day eval. Build out a small little thing, a couple simulated rules, a couple simulated policies, work on that migration. Some vendors have tools, some don't, but regardless, you can now simulate those migrations, and with the rest of your home lab behind it, that's to say you can build out a quick app server with nginx, a quick database with insert database flavor of choice, and just test it out, see how it works, play with it, have fun, and get that confidence boost.

And then also segmentation projects. So one of the more frequent buzzwords that may or may not be dying off here, I'm

still trying to figure out, would be things like zero trust network access or micro-segmentation or anything around that. So, cool, what does that mean? How does that work, right? Are you going to play around with Windows Firewall rules? Are you going to put a bunch of VM-series firewalls or container-series firewalls here, there and everywhere? Again, you have a lab; it doesn't have to be full enterprise scale, you just have to have enough to do those unit tests.

And with that, we're going to go on to our next chapter here, which is going to be detection engineering. So again, some sample words you'll probably hear throughout the next couple of slides are going to be things like Atomic Red Team, Security Onion, and different SIEMs. So on the detection engineering side, Atomic Red Team, I'm going to start here. It's a really cool thing, it's a really awesome thing to level up your résumé, and sure enough I had it on mine when I actually applied at the Guthrie Clinic many a year ago. So Atomic Red Team is a set of tests that allow you to do basically unit tests around different detections, around different tactics, to develop detections and test your controls. It's all mapped to the MITRE framework. So for example, if you look at a tactic for exfiltration of data via FTP, they have different ways of testing it. It's all written, I believe, in YAML, if I remember off the top of my head correctly, or some other markup language, but nonetheless there's different tools that you can use to ingest the data: say I'm going to test out this MITRE tactic, okay, well, I need 7-Zip, so let me go download 7-Zip and install it, here's a unit test, I'm going to now encrypt a bunch of data into an encrypted zip file on my desktop. So that's just one little mini part of the MITRE ATT&CK framework, maybe one little part of something a bad actor in an environment might do. Well, by that happening, that generates logs; those logs can be used to develop detections, or if you're building out controls, hey, do my controls work as they're supposed to, right? So one of the common things that I always tend to preach on is: cool, we put in a bunch of new detection rules, we put in a bunch of new controls, that's awesome, that's great, I love it. Did we test them? No. Why? So this is a really awesome way to do that.

So the other half of the thing is developing tests yourself. There's nothing stating you can't go build one of these, and that's how I got it on my résumé when I applied to Guthrie a couple years ago: I was, how can I upskill my résumé, how can I upskill my career, and stuff like that. So Atomic Red Team maintains the list of, here's your missing tests: these are test cases we have no listed things on, so let's build one, right? So do some research. MITRE, for every TTP they have, has a bunch of research links already on their website. Go take a night, sit down on the recliner, maybe by a campfire, whatever reading destination of choice is for you, and just start going through the articles: how do attackers use this, how does this look? And then, okay, let's build it. And at the end of the day, building it is typically just one or two one-liners in PowerShell, that's it. What

do I need to get to prere so do I need anything like seven zip on the machine how does it actually do the test and then how do I clean up the test to bring it back the Endo to a as set state so those are really easy really cool things you can do and throw it in the uh the home laab right give it a test see what it looks like and also is a somewhat Shameless plug your first commit to Atomic red team they will mail you your choice of a shirt or hat if I remember correctly so who doesn't love some good free swag with that nonetheless um tying right into the atomic red team though is

other logging tools like what we were talking about earlier. Sysmon can generate a lot of data very, very, very quickly if you have a log-everything configuration file, and a couple chuckles means yes, we've all done it before, and we won't talk about that much more. But nonetheless, okay, hey, what does this look like, how does tuning it work, stuff like that. That's one cool way you can do it: make sure it gets vacuumed up for those detection developments. Also audit configurations, to pick on Aaron, and GPOs: hey, I want to turn on process logging at the start and end of every process with no restrictions on every endpoint. There goes your CPU, your disk

and your RAM and everything else, but hey, you got a lot of logs and your SIEM cost went through the roof. It's a win-win, right? So being able to play around and test those configurations in somewhat of a, you know, environment like this, it's a really good thing. I remember the first time I was playing in Splunk one day and I'm like, why don't we just log everything? Had it in the lab, hit run. That's why we don't log everything. Great, okay, there's my ingest for a week. So which brings us to our next topic here around SIEM engineering, so different SIEM, you know, SIEM toolings. So Security Onion's a big

one. They're out in the lobby. It's basically roll-your-own SIEM; they also do case management, packet capture, stuff like that. It's an all-in-one Swiss Army toolbox. If you aren't running this in your home lab, I highly suggest you give it at least a try. Whether you keep it or not is up to you, but it's a very quick way to get from zero to hero with this, and additionally it's fun. It's a really well-built tool, it has a lot of features and functionality, and they're constantly adding to it. Or if you want to go the other routes, you know, ELK, OpenSearch, Graylog, Splunk, you name it. I'm not sure if it's still the case, 'cause it's been a

year or two, but Splunk pre-Cisco would actually give you trial VMs and stuff like that, so you could roll your own Splunk for a limited time, limited data ingest. So that used to be the big player in the space, and you could 100% throw it in a home lab and they encouraged it. Another one is Cribl. Cribl is one of the ones I keep hearing more and more, and it's a fun tool to play with. So it allows you to ingest all the things, pull all the data, and then move all the data. So, C inovit heart, their free tier is I believe one terabyte a day, which is a very generous free tier. It accepts a bunch

of different inputs: raw syslog, syslog over TLS; you can even use other forwarders like Filebeat, Logbeat, Splunk Universal Forwarders, you can tie into it. Cribl also can tie into external data sources, so do you want it to go pull from an S3 bucket, do you want it to go pull API calls, stuff like that; it can do that on a set schedule, it'll come in. It allows you to manipulate the data, normalize the data, remove unnecessary fields, help save your SIEM costs. It's basically a SIEM person's Swiss Army knife, and with a one terabyte a day, you know, free tier, it's a really good thing to play around with. It also helps with

things like SIEM migration. So hey, maybe you're a smaller shop using Security Onion and you're taking a look at Graylog; how do you do that migration? Cribl, one of those little Swiss Army knives that can help you do it really, really quickly, or even maintain both SIEMs in parallel without having to install extra agents or do much in the way of configuration. So it's a really cool thing to play around with in your home lab, highly recommend. And that kind of comes to also the architecture, data flow question, right? How does the data flow, how does syslog actually work under the hood, like how do you modify, how do you do regex, how do you do data

normalization. And again, especially if you're a Splunk shop, Sentinel, you name it, whatever, these are very expensive tools that most enterprises are kind of like, hey, no no touchy, you know, we want to make sure we're being very deliberate here. Here's your chance to get those skills. Most SIEMs have some sort of certification track, so from the InfoSec, you know, level-up kind of side, again, go spin up a Splunk and go get your Splunk Certified Administrator. Why not? And then also implementation plans, so again, whether you're greenfield or going from one vendor to another, what does this look like, how does, you know, configuration management work for these

agents? Are we going to use GPO or are we going to use a vendor-specific tool, stuff like that. Really, this is the chance for you as a home labber; you can have your cake and eat it too, right? And with that we're going to also talk about SOAR, security orchestration, automation and response. So this is also one of those next things, right? So if you look at a maturity model of your SOC, you start off by, okay, hey, we're getting logs, we've got detections, we've got a team doing actions, we've got a team doing responses, we're building our own detections, and this is kind of that pinnacle everyone wants to get to, right?

SOAR does not mean I'm firing people from my SOC; it does not mean I don't need as large of a SOC. This is, how can I make my SOC be the best they can be, right? So whether that's things like webhooks and API calls to pull in and do data enrichment, so hey, I've seen this IOC, let me go reach out and do some scripts. You know, maybe I'm going to go, if I see an alert coming from one of my endpoints for something I was playing with in Atomic Red Team, I'm going to go use osquery to reach out to the endpoint and pull a bunch of data and put that into my case management

system that Security Onion's managing for me. Hey, that's all open-source stuff we talked about in the lab that we've built throughout this talk, right? So this is where you can really start tying it together and seeing that full big picture. Corrective controls, right, that's another one. So hey, you know, analyst came in, they had the case, it was fully enriched, you had all the data you need; oh gosh, now what? You know, it would be really awesome if you just had a single button that said, like, network containment. Again, with the API calls, webhooks, reach out through Velociraptor, quarantine that endpoint from your network, or hey, you know, kill this process ID, whatever have you. This is

where everything we've talked about up to this point, or reach out into your virtual firewall and block this IP address. This is where you can start doing all that integration, that tying together, that bigger picture that we've talked about here the last 30 minutes or so. With that, we're going to close it up here, and remember, not just happy labbing but happy doing. Those are both of our LinkedIn contact infos there, so if anyone wants to reach out to us after the talk, we're more than willing. And with that, we'll open it up to questions, comments, concerns, interpretive dances, you name it. I'm not going to do the dancing, don't worry, that's for you guys,
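The Atomic Red Team loop described earlier in the talk (run a small test such as packing data into an encrypted archive with 7-Zip, look at the logs it generates, write a detection, then confirm the detection fires on the test and stays quiet on ordinary activity) carried through in code, as an added example that is not part of the talk and not Atomic Red Team's or Security Onion's code. It assumes Sysmon process-creation events (Event ID 1) exported as JSON lines with the usual Image, CommandLine, ParentImage and User fields; the three records below are constructed for this example, and the rule keys on a 7-Zip add command carrying a -p (password) switch, which is the shape of command the talk's 7-Zip test would run.

```python
"""Added example (not from the talk): a detection run over constructed
Sysmon-style process-creation events, closing the loop the talk describes:
run an Atomic test, look at the logs, write a detection, test the detection."""
import json
import re

# Constructed Sysmon Event ID 1 records as JSON lines. Field names follow the
# usual Sysmon names; the values are hand-written for this example, not lab data.
SAMPLE_LOG_LINES = [
    # What the talk's 7-Zip test would leave behind: an encrypted archive created
    # from a PowerShell one-liner (the -p switch supplies a password).
    json.dumps({
        "EventID": 1,
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pEXAMPLE C:\Users\lab\Desktop\out.7z C:\Users\lab\Documents',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"LAB\analyst",
    }),
    # Ordinary, unencrypted archive made from the desktop: must NOT fire, or the
    # rule drowns the SIEM in noise (the tuning point the talk makes about Sysmon).
    json.dumps({
        "EventID": 1,
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\lab\Desktop\backup.zip C:\Users\lab\Documents',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"LAB\analyst",
    }),
    # Unrelated process, so the rule is exercised on non-archiver events too.
    json.dumps({
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"LAB\analyst",
    }),
]

# 7-Zip's console binaries (7z.exe, 7za.exe, 7zr.exe), matched on the image name only.
SEVEN_ZIP_IMAGE = re.compile(r"(?:^|\\)7z[a-z]*\.exe$", re.IGNORECASE)


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return re.findall(r'"[^"]*"|\S+', command_line)


def is_encrypted_archive_creation(event: dict) -> bool:
    """True when a 7-Zip 'a' (add) command is run with a -p password switch."""
    if event.get("EventID") != 1:
        return False
    if not SEVEN_ZIP_IMAGE.search(event.get("Image", "")):
        return False
    tokens = tokenize(event.get("CommandLine", ""))
    # tokens[0] is the program, tokens[1] the 7-Zip command letter, the rest are
    # switches and paths. 7-Zip switches are case-sensitive, so "-p" is matched exactly.
    return len(tokens) > 2 and tokens[1] == "a" and any(t.startswith("-p") for t in tokens[2:])


def detect(log_lines: list[str]) -> list[dict]:
    """Run the rule over JSON-lines events and return the fields an analyst
    would want in the resulting case: who ran it, from what parent, and what."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if is_encrypted_archive_creation(event):
            hits.append({
                "user": event.get("User"),
                "parent": event.get("ParentImage"),
                "command": event.get("CommandLine"),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print(f"[encrypted archive created] {hit['user']} via {hit['parent']}: {hit['command']}")
```

The second record is the part worth copying into your own lab habit: every detection you write against an Atomic test should be run against the benign look-alike as well, so you learn what the rule costs in false positives before it ever reaches a production SIEM.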

go for it. So I'm not sure, like, what the group is here for, like home labbing and stuff like that; it seems like there could be a whole plethora of home labbing. I'm not sure, like, people are looking for, like, recommendations, like on, say, like a bare-metal, like, hypervisor, setting that stuff up, or, yeah, you know, I mean, like, where would you guys, like, recommend starting with things? Like, for sure, and that's kind of where this talk was born from, right, 'cause both Aaron and I have our own home labs. We've kind of had them; they kind of sit idle. Like I said, mine sits turned off most of the time

because I've got day jobs and a life, right? But nonetheless, things like basic connectivity, right, so you're going to want to have a network built around it so they can communicate. You're going to want to have probably a hypervisor of some sort, whether you're using Hyper-V, VMware ESXi, Nutanix I think is out there, Proxmox, QEMU on just, you know, like a Linux bare-metal kind of thing; some sort of hypervisor, some sort of virtualizer, so that as you go through the rest of this you can spin up, tear down, stuff like that. You're not, okay, I'm done with the server, let me go grab the flash drive, where'd that flash drive go,

let me go reimage it. It allows you to be that kind of, change around on a whim, play around with it. Does that kind of answer your question? Like, because I'm kind of like at that point, you know, I mean, like, the hypervisor spun up, you know, got the Ubuntu server, stuff like that, but kind of, that's one of, like, you know, what now, kind of, yeah, I'm just trying to look for ideas on... Yeah, spin up Security Onion. Yeah, yeah, spin up Security Onion, enroll some endpoints with some agents, and start playing around with that data. Yeah, so Security Onion's a, I believe they have both VM and install scripts; they're one of the sponsors

here and out in the lobby; they will happily get you hooked up with all the links and everything else you need, but it's effectively a SOC in a box. Mhm. So you got a little bit of everything right there at your fingertips really quick. Yes sir? You recommend anything? Yeah, so for sure Security Onion does take a little bit of resources to run, because it does do a lot. So that's where we'd start saying, okay, hey, maturity-model-wise, like, let's start splitting out. So maybe you want to run an ELK stack for the SIEM portion, use something like Arkime for the packet capture and pcap analysis, and just kind of split it off, so maybe you don't need

that full Security Onion suite; you just want to play around with a SIEM tool, so go spin up Graylog or Splunk or, you know, stuff like that. So that's where I'd say start diversifying. Yes? Try Wazuh. Wazuh is fun. It actually comes in Security Onion, but it is a standalone as well, and it's open source, so it's a great tool. The only other thing I wanted to say: you guys probably have these beautiful 19-inch racks? Absolutely not. It sits on a desk at the edge of my office. That's why it's also powered off, because I don't want to listen to that during the work. Me? Yes, 'cause my home lab, you know,

those 3M sticky strips that you can get, I put them on the backs of little NUCs and things like that and I stick them in a coat closet, and then when I'm done with certain ones I can take them down and reuse them for other things. Your labs don't have to heat your home in the wintertime. They should. It's a very inefficient way. Yours does? Oh, I knew one of them. Yeah, I'm an infrastructure guy, it's going to happen. My rack is large. Yeah, so whereas I've been taking the opposite stance of, I've been transferring more things onto NUCs and other fanless devices, so he's got a lot of my old, you

know, 19-inch equipment as well. Another good resource that's always fun to pick on is, if you go to IKEA, there's these LACK tables that happen to be exactly 19 inches, posts apart. Do with that information what you may. Wait, the LACK, the LACK tables from IKEA? The LACK, okay. Yep, so if you go to Google and type in LackRack IKEA, you'll get a whole subreddit of people modifying these. It's great. I was about to say, to piggyback on the questions about the different software and whatnot, there is very, I won't say there's no wrong answers when it comes to the home lab, but there's very few wrong answers, because even if you install something and set something up in your home lab

and go, oh, this is garbage, tear down. Tear down, yeah. There's, it's, getting that experience is worth the garbage. We got one in the back, actually, first, sorry. Do the lab, playing around, how would you say the best way to present these on a resume? For sure, absolutely, and that's a great question, because that's one of the ones where, right, so I think the best answer I can give you is it depends, and that's the worst answer I can also give you. Ways I've done it in the past is things like, if I can get something tangible out of it, that tends to be a little bit easier to put on a resume. For

example, if you spin up a Juniper vMX and you go play with that and you get your JNCIA, Juniper, I think it's $85; hey, I spent $85 and now I have a certificate. So that's one way you can abstract away, or talk about that in, like, a skills and experience section would be another possible method for that as well. I have a suggestion, actually, for that. One of the tools that I was using, or I still use, is hunter. It's another platform where you can import jobs; what it actually does, it highlights some of the key points within the job description. So if you open that up in one tab and in the other tab have

your resume, now you can see, okay, have I done this before? Then you put that in your resume. It kind of visualizes it for you. For sure, especially, you know, gentleman saying, if you've done it in a lab before, you have your handle. Or just put a home lab section on the resume. Yeah, if you have room on your resume for that, absolutely: software you use and what you've accomplished in. For sure, and like, as I help review resumes and stuff like that, that is something that does catch my eye, and I am biased towards it, to be honest with you. I don't know how that's shared throughout the industry, but hey, that shows to me you've

taken time out of your own day to go and try and better yourself, and that reflects positively in my opinion, and I think a lot of others as well. From an IT management perspective, I would have to agree, as before I became a cybersecurity engineer I was a manager for desktop engineering, and that's one of the things I look for: what do you do in your spare time, are you a hobbyist, are you a home labber, what are you doing to better yourself, to explore, are you still curious and are you still hungry, what are you doing? And that was, that's always a standard question I would ask when I was interviewing, and

something I would look for on resumes. I've never seen it on a resume, to be honest with you, but if it was there it would have stood out to me. Yep. Or, you know, when I help with interviews and stuff like that, one way I kind of phrase the question a little bit differently is, hey, cybersecurity is an ever-changing environment, how do you stay current? And I've had people in interviews go, oh, I've got a home lab, I play with this, this, this and this, and I'm sitting here going, I love this. So sometimes you just have to wait till you get the interview, but it's definitely, I've yet to see it be a

detriment anywhere. Yes? Just, yes, yep. So VMware Workstation Pro, and Fusion I think it's called for the Mac series; both of those, Broadcom kind of switched it around, so ESXi is, I believe they got rid of the ESXi free tier, but they did make Workstation and stuff like that. You also have Oracle VirtualBox, that's another good one there. QEMU if you're running Linux platforms. Bunch of tools, bunch of options. Anything else? All righty, thank you everyone, thank you.