
hey guys welcome uh thank you for coming out to this track we've got a whole series of things going on in the rooms we've got another talk after and then uh the forite workshop will be in here too I'm John I'll be in here all day I'll be helping you guys out um as needed you might have heard me say this earlier as you're walking in I don't mind if you have beverages in here just please be respectful of the room and like clean up afterwards um today we'll kick off this next session we've got Trevor here we're very excited about his talk it generated a lot of really good discussion from us on the cfp side of things when
we're evaluating the talks I think it's going to be great it's going to be good overview well TI experience so with further without further Ado Trevor over to you thank you very much okay everyone can hear me all right oh it does okay if if someone can't hear me let me know um so today uh we'll talk about home labbing for Fun and Profit um so as you can see there if you type home lab into Google or YouTube or anywhere you you'll get a ton of information um and it's pretty wide spectrum as you can see here there's one thumbnail there uh you know built my home lab with only $200 and then right
next to that my $100,000 home lab build um I personally don't have $100,000 to spend on a home lab um and even if I did I probably wouldn't but you can see there's a spectrum here and that's a little bit what we'll talk about is um if you're new to home labbing or maybe you have a small home lab and you want to expand talk about some options here that being said if you have a very specific use case um you know maybe a search for some videos might help you um a little bit but hopefully I can at least um kind of help you wade through everything that's out there um this just focus a little bit on
the cyber security space so if you um are thinking of building a home lab because you like coding or doing some other IT type projects um this will still apply but uh most of my examples will be in in the cyber security space so uh this talk will be successful if you walk out of here with an understanding that you can do this uh I know some people often are a little bit intimidated by the idea of a home lab and I'll get into a few of the reasons why um but there are options for all skill levels you could be brand new to cyber security or you could not even be in cyber security and want to step into
that space and a home lab could help you um I want to give you confidence to apply what you learn here to go home and build a home lab or um add to your home lab um and if you understand home labbing as a way to um stay up to date on the latest cyber security Trends and tools um and in this field in practice um this will be successful so who am I um I'm a detection and response engineer for a continuous glucose monitoring platform uh which is pretty neat I've been a red teamer a penetration tester cyber operator in the Air Force um blue over here is one of my compatriots um my nonwork home lab um
just so you kind of know where I'm coming from right now I have a pfSense firewall running some ad blocking um I run a self-hosted Ghost blog server um using DigitalOcean for my cloud platform and several Raspberry Pi projects so that's kind of where I'm at right now with my home lab so um show of hands um who's ever been in an interview and an interviewer asked you you know hey what's your home lab look like or how do you stay up on the latest trends um how do you learn new technologies I see a few hands um who here has had a really good answer to that question see a couple of hands too as
well that's good um for those of you who have not been in that position it will probably happen eventually um some of the questions that fall into this category uh might be you know do you do CTFs or capture the flags do you do Hack The Box or TryHackMe um do you have a home lab do you have do you stay current um all these things um are you passionate about cyber security I don't particularly like that question but it does come up in interviews and people say hey show me that you're passionate about this um and other than just saying like yes I'm passionate I love security um if you have some things to point to
or talk about where you're doing this in your free time um that can help in those situations during an interview so that's kind of where um the profit side of this starts to come in is is landing those jobs and demonstrating your skills so what is a home lab I keep saying home lab um I don't think there's one single definition here but um there's a couple different things a home lab could be maybe you um are like the picture on the left and you have a whole room uh dedicated to your home lab you have server racks you have wiring you have switches routers all kinds of stuff and you have this really cool awesome robust
home lab um that's not for everyone though and maybe you're more like on the right side here and you've used an Ikea table to make a rack in your living room uh for your media server um all this is fine right the point is learning uh doesn't really matter um how you do this uh the one on the right you might uh see an impact on your heating and cooling Bill there um from those servers running but uh other than that however you choose to do this um is your choice and and to drive the home Point further um the point home further um here's my home lab um that's not pretty I don't know if
you can see down there um there's some Christmas decorations as part of my home lab um some kids toys laying around pretty poor cable management um but in all of that you see my NAS my firewall networking equipment um a really awesome sitting desk um because standing desks are a little bit uh overrated these days sitting on the floor with a a keyboard and monitor seem to be uh the right way to address this um so all this to say it can look however it needs to look right don't get hung up on uh it looking perfect or you know needing to be a conversation piece when people come over um you can just do
this um you know the technology there there's an unmanaged Cisco switch uh my firewall runs on a Dell OptiPlex that I bought off eBay um the spare monitor that is from my college days um super cool backlit keyboard that my wife didn't like because she doesn't like C keyboards for some reason um but uh you know in here I could knock something over so maybe it's not the best thing in the world yeah take it for what it's worth uh so so really what is this um what types of setups do you consider a home lab um hint it's anything right there is no uh principle around home labbing no one's going to say oh that's
not a home lab um whatever you define as your home lab is what it is um it could be easy simple and cheap um as you kind of saw mine might be or it could be big and complicated and expensive there are people whose home labs are in a true server rack um maybe they found a business that was closing down they went and bought a server rack I see I see someone pointing right here so maybe we got one in the room like that so that's awesome um but a couple keys keys here is document your process and journey even if it's just for you um one it's just good practice in case something
breaks and you need to rebuild it but two you might be able to share it with someone else right and I'll get into that a little bit uh on later slides but documenting your journey um can help you both professionally and personally um if you're in a position at work where you have to do some technical writing document what you're doing at work um write Wiki articles or maybe you're you're in some sort of technical writing role and you have to write blog articles or things that need to get published this can be a good way to practice um writing these things in a way that is um readable to the lay person uh and then I mentioned a little
bit in interviews how do you apply this to your job search or current job um sometimes you can do home lab stuff just for fun and a lot of people do um just because we're technologists and we like these kind of things but uh it should at least be in the back of your head of how can I use this for the profit piece um you know how do you answer those questions that I had on the interview slide how can you use this home lab to your advantage uh and show that you are building these skills so I've mentioned the Spectrum a couple times um and so here it is um this is not an official Spectrum in any
way shape or form um is my version of the the magic quadrant of home labs if you will on the easy and difficult scale um that's referencing like the knowledge required the time investment the impact from an outage um and then cheap and expensive is is referencing like the money required in the actual investment cost because a lot of people have different ideas of you know how much we should invest here and so easy and cheap on the top left there um the the easiest for most people and usually free is a virtual machine um I'm going to guess in 2024 that almost everyone here has experience with virtual machines in some way shape or form um but it's super
easy there are distribution Linux distributions that are free that are built for security um or other things that you can use lots of TV back there but you guys still got it um or existing hardware so maybe you already have a PC at home or an old laptop sitting in a drawer somewhere um that you can use um or even a dedicated PC for this but um those seem to be the easiest and cheap options so you can start from what you have available already um on the virtual machine side the only real option used to be like VMware Player which only allowed one virtual machine or Oracle VirtualBox um VMware just uh I say just
maybe this in the last two or three months uh VMware Workstation and Fusion on Mac are now free um and those versions allow you uh networking between um between virtual machines some better snapshot options so if if you're getting into this or even if if you have your home lab a home highly suggest going and looking at that it just gives you a lot more options for for how you set up your virtual home lab um getting a little bit more expensive going across the top is is cloud servers so obviously you have to pay for this although um AWS does have some free tier stuff that maybe you could possibly leverage um but at this
point you're paying um you know some money a month depending on how robust of a of a setup you get going even more expensive but still pretty easy would be like a full-on VPC where all of your stuff is isolated on its own in its own virtual cloud um or hosted services uh in some cases depending on what you're trying to do um a hosted version of some of this stuff might be more appropriate than running stuff on on your own infrastructure getting down into the difficult side um I say CTFs Hack The Box I I put those in cheap because they can be free or very low cost but but they're a little more difficult because
now you're actually kind of doing something um in your in your virtual machine there there's kind of it's a choose your own adventure kind of thing so um that stays pretty easy easy because you don't have to do anything you don't particularly want to um now when you get into CTFs and you know Hack The Box TryHackMe now there's challenges and tasks you have to accomplish um that might be outside of your expertise and a great way to learn some of those skills um in that quadrant um I'd say cheap and difficult is pet pet projects and homegrown these are places where you might be doing something where there's not a whole lot
of documentation um and you're kind of out in the wild west of development or or um you know if you're doing security security monitoring or testing whatever the case may be so that can get pretty difficult requires maybe a higher skill set or or more time investment to learn about that um and then staying in difficult is microservices so say you're a security practitioner who wants to start learning about containers or um microservices hosted in clouds like uh Cloud functions um Cloud databases things of that nature um you can start getting into microservices again you have to pay and uh if you're not a traditional developer it might be a difficult skill for you to master so I
put that in the difficult category uh on the difficult more expensive side now we're talking physical servers so uh maybe you're actually buying that hardware maybe you found again a server on eBay but then you realize it didn't come with hard drives now you have to spend uh you know a couple hundred dollars on on RAID capable hard drives um don't ask me how I know about that one um dedicated hardware again maybe you have maybe you go out and buy a really beefy gaming PC because you want to do some crazy AI security you know model training uh at home uh and then lastly probably the most difficult and most expensive would be running critical services um and so
what comes in mind there is there are a lot of people who will get into kind of nonprofit security work um and what I've seen is is they'll start running these like what I would consider critical services for free um for like a nonprofit kind of as a volunteer thing but then you start realizing like oh oh I have to do this now I have to maintain this or I'm creating more risk for that organization um so that's an option and certainly way for you to exercise these skills in like a real way that isn't on the job uh but might um start to get you into some hot water or could be critical services at home even you know if you
want to run um you know your security system as a home lab thing and attach security monitoring to that um that might break the system that's the kind of stuff we talking you say critical services so with all that in mind um all these ideas floating around where do you where do you start like I want to build a home lab all this sounds really awesome but I have no idea where to start short of throwing a dart at this chart and seeing where to start um the first step is set goals and expectations so if you want to build a home lab say you even have one what's your goal and this will help set expectations uh a
little bit so um if your goal is learning that's great you might build it a certain way if your goal is career advancement you might focus in a different area um if you're just maintaining your skills that that creates yet a different situation um and if you're a hobbyist like maybe you just have a bunch of things laying around um I will not in any way shape or form claim to be a Raspberry Pi expert but I have like five floating around the house for various things that keep getting repurposed um and and that's fine because that's my hobby stuff uh but setting those goals would be really really important so you don't oversubscribe yourself you don't go buy
things you don't need um or or you don't burn yourself out at home because we all know burnout's a big problem in the industry you don't want to compound that by jumping off the into the deep end of home labbing and then creating more stress for yourself uh what are you expecting to get from the home lab um this will also drive how and what you do maybe how you document it how you showcase this um so are you trying to showcase this okay cool I might do some more professional technologies um if I'm applying for uh jobs with you know modern startups it probably isn't as useful for me to do a bunch of VMs it might be more useful to
do Docker containers to learn that because I know that they're using modern technologies um you might be trying to solve a tricky problem either for work or because you went to a conference like this and saw something that was interesting to you and you want to solve the problem um if you're trying to learn something new sure maybe you just set up a VM and that's fine um if you've done any certification courses or or any learning that's usually what happens anyways as you do it on VMs um or maybe um what you're expecting is just that you want something to discuss while you have beers and you want your friends to see the blinky lights in your living
room and ask you what that is um they might not be interested uh what you do not want from a home lab you should Define this but uh like I mentioned you don't want headaches from this right this is EXT usually extra to work usually takes time away from other personal Hobbies you don't want this to create more stress in your life right um so you should approach this with that in mind um and you could end up with a considerable time investment on maintenance um if you say hey I want to learn how to secure a web server so I'm going to run the web server in my living room and open up my
firewall and have to defend this thing um now I have to maintain it keep it up to date I have to write new rules I have to I have to monitor those alerts uh that come in and actually do something about them um and that can be overwhelming to the point where you just say hey I'm going to shut this down um so again make sure you understand how much you're willing to invest um and and what that looks like in your life speaking of investment um I did mention that this can cost money um it doesn't have to but it can especially if you get deep into this so um me when planning my home lab in terms of money
we have no money um I'm a big fan of open source things and like I've mentioned eBay a couple times uh very good way to get cheap hardware but um maybe it does or doesn't work or does or doesn't come with the hardware that you need uh in the case of a server uh so think in terms of both money and time so even though uh you could set up an entire home network setup in a virtual machine you could run your your firewall in a virtual machine you could potentially run Active Directory in a virtual machine um using some free Microsoft licenses you can do a lot of things for free only to find
out that this requires a lot of time investment um my story is I decided to put my whole house on an Active Directory domain to learn Active Directory um and my wife was very angry every time I made any change that broke everything um when I told her like oh you just need to relog in to Active Directory through this part of your phone in order to to get here um that that wasn't the solution she wanted so um be mindful of who's impacted by by your home lab and what you're doing uh also the initial investment versus continuing costs again you may be ready for um buying the hardware or licenses or whatever need and installing it and
getting everything configured and then not thinking that six months down the road you need to keep that stuff maintained how much time are you willing and able to spend be realistic um I personally have kids so uh my home lab time has decreased uh maybe you're in a similar situation but if you're doing something that requires daily input say you set up security monitoring on your home network and you want to clear alerts every day what happens when you go on vacation for a week um does that demotivate you from coming home and having to clear hundreds of alerts that popped up while you were out um those sorts of things and and you start
getting into the same kind of mindset as work here um you're like oh I have to do these things I have a requirement to get work done um but it's your home lab so you want to make sure that you um are anticipating uh the the time investment as well um and then also when you're looking at those free and cheap options um that may limit your capability or capacity so a lot of free things um don't have all the features that you might be looking for in a home lab and so in some cases spending money might actually save you time uh and you want to make those considerations as well um my example on that one uh again
I use DigitalOcean to host some some of my stuff uh probably one of the more expensive um cloud providers out there and I could definitely go cheaper but the work to migrate my setup to another server uh has kind of prevented me from doing that so in that case my I wasn't considering the follow-on investment of having to migrate something in my it's not it's not worth the the monthly bill for me to sit down for several hours on a weekend and migrate to something else so that that's an example of where that might pop up so then talking about the impact of a home lab so uh it's easy to ignore this part when you're just having fun
learning something and the impact is just the joy of uh something working you're like ah I set up Security Onion and it works and I'm getting alerts like cool uh and maybe you stop there because you get that dopamine hit of like I was successful um but you should consider the impact in your planning so are you just learning or are you trying to create right again this will drive how you approach this uh I mentioned uh setting up Active Directory uh at home so do other people rely uh on parts of your home lab right and are you able to address that in in a way that is acceptable um again I run a a home
firewall block ads and um oddly enough a lot of apps and websites don't work when you block ads um so the people who use my firewall often don't like it that I run that so I have to be able to support that um you know and have time to to update rules and make allow lists and things of that nature um what happens when something breaks and you don't have time to fix it again um say you're on vacation um and your home lab breaks for some reason does that cause any issues when you're not at home uh are you planning to show other people the results of your work is are just for you this will drive how
professional it needs to look how your documentation might need to be displayed um what services you use um where it's hosted those sorts of things um so definitely understanding where you're trying to make the impact uh can you scale up and down as life and work allows no one's life is consistent uh in how much free time you have um so are you able to shelve things when you need can you turn it off easily and just not look at it for six months while you focus on something else um you should think about those things uh and then lastly document document document um both for yourself and again for profit which I'll talk about a little bit more
towards the end of the the deck here but the value in a home lab is amplified when you're able to share this stuff okay it's certainly valuable on its own you can teach yourself things you can gain skills you can learn new things transition careers um all without documenting but all of that's amplified when you do document um you can share it um you can go to a conference and be chitchatting with someone and realize that they have a problem that maybe you've solved in your home lab and point them to a blog link and say hey I've done this already in my home lab um here's some you know instructions on how to do it uh what that looks like totally
up to you maybe you run Confluence internally or you pay for hosted Confluence maybe you have a blog either hosted or um self-hosted uh Medium is very popular I'm sure everyone here has searched for something and ended up at a Medium article or GitHub um either just in GitHub as like markdown files or you could use GitHub Pages to kind of create yourself a fancy looking website um but what I recommend is something that can be verifiable to an interviewer so when you say when they ask you hey do you have a home lab how do you stay current how you do these things you say oh I do have a home lab you explain your whole
home lab by the way here's my website where you can see all my work that I've done um and then obviously you could have faked that I guess but that's a lot of work to fake that but then they can go there and say oh this person wasn't just making it up on the fly there's actually some stuff here that matches what they said that can be really really helpful in those interview situations so I've been about uh a lot about the ideas um the ways that you can approach a home lab um now we can get into some some real examples of things that uh people have done for home labs or or how you can further your cybersecurity
learning using a home lab um so kind of three sections here and it's a little fluid where things actually fall but um this is the best way I could think to organize this so basically free and low impact uh which I'd call like the easy stuff um the middle one um free or low cost and medium impact a little bit harder and then medium or high cost and higher impact um this is the stuff that uh maybe requires a little bit more uh investment if you will so free and low impact um the easy stuff um and these are generally free is CTFs Hack The Box vulnerable VMs um I have a list on the next page of tools
but if you've heard of VulnHub it's a place where you can download intentionally vulnerable VMs run it in in Workstation or something like that and and hack your your way through it um some people might say this isn't a true home lab um I would probably call that gatekeeping as well um they achieve a similar effect right um you you get some learning you get to try out some skills in a real environment um and and you can easily show your passion for the field in this way um I say may require a VM or or certainly does require a VM in some cases um something like Kali Linux or Parrot seems to be popular I put running
on VirtualBox but uh like I mentioned VMware Workstation is now free so um honestly I'd probably recommend that uh just a little bit more robust but you do you um and many of these um you'll see announcements for CTF events like ah cool you know BSides Boulder is hosting a CTF during the conference but you can't go to the conference a lot of these persist after the fact um there's like picoCTF Google CTF I think both of those have their history in there if you're into the SANS Holiday Hack they have the entire catalog of past years still up and available um with the advantage that uh there's writeups then um for some of these if if you're doing
them after the fact uh so if you're learning and you get yourself to a place where you're stuck uh you can pull up a write up and then do the write up in your home lab um and then you're getting some hands-on learning from from what you're doing and all you have to do is type in like holiday hack 2023 write up and you'll get somebody's write up and then you go to Holiday Hack 2023 and and start doing it um in some of these cases there are paid versions um like Hack The Box if you pay you get like better VPN access it's a little faster you can get historical uh machines so there are some
cases with this stuff where spending money might be beneficial but uh generally they're free um coding challenges and GitHub issues are are another place where you can focus some effort um coding challenges the the big one that I've seen people use is the Advent of Code um it's a a yearly Christmas Advent themed uh coding challenge with a daily challenge and you can do it in whatever language you want so this is a good way to learn a new language say you know Python but you want to go learn I don't know Rust um you could go do something like that uh GitHub issues you could start searching GitHub for issues that have security or vulnerability in the
title uh and start going out and seeing how some of these vulnerabilities pop up in code maybe how to fix them um or see how other people have fixed them you could you know do is:closed and has vulnerability in it and start looking at how some other people did some of this stuff completely free um you know there's probably millions of of repos out there that you could try um even better if it's something you're familiar with or or that you are in the space of uh but could be anything and and those allow you to go beyond core cyber security uh the cyber security world is changing towards code um and a lot of
organizations want you to have that coding experience for cybersecurity jobs so this is a way in a home lab environment to do this uh or uh outside of coding is you could use different technologies um so you could say uh something runs um in a Docker container you want to port that over to running in cloud functions and um Redis or something as like a non-persistent data store I don't know uh you could do some of that to learn new technologies based on something that already exists so you're not having to come up with an idea from scratch these have little to no urgency uh and time commitment can be completely variable like as much as you want or
don't want to do um these are probably not ideal for people who kind of need a push um because they're again there's no urgency here no one's going to say like you must get this done by a certain date um but pretty ideal for those with busy schedules and don't want to spend money say you're pretty busy and you can only dedicate two hours a week and it has to be on a Saturday morning before everyone else wakes up like this is perfect there's no schedule for this uh what other strategies I've seen that are pretty successful for stuff like this is just set time on your calendar maybe twice a week an hour and just call it
training um I think most employers would allow that as well say hey I'm bettering my skills for an hour a week by by doing some of these things uh to keep myself fresh but uh again nothing is is forcing you into these so some examples I've mentioned Hack The Box TryHackMe is another one SANS Holiday Hack um I mentioned Pico and Google Metasploitable is a vulnerable VM that specifically leverages Metasploit VulnHub full of vulnerable VMs uh of various difficulties and types um Advent of Code Advent of Cyber so if you're looking for somewhere to start here these would be some good places um anything not on this list does not mean it's not valid just that uh I didn't
want the list to be too long uh you could also just Google search you know list of free CTFs and you'll get a bunch of people who posted about that kind of stuff so getting into kind of free to low cost and medium impact this is kind of your um medium difficulty stuff would be IT infrastructure um and so I said this talk would focus on cyber security the way I see IT infrastructure um benefiting people in this room who are probably security practitioners is you can set up simple IT infrastructure and then layer security monitoring on top of that as a way to keep your skills fresh um so then you're learning two skills
one how to manage some IT components but then how do you actually secure those how do you monitor those how do you detect attacks um so this could be a web server blog uh DNS filtering or blocking like a uh like a pfBlocker that I use or Pi-hole is the other big popular one um home security monitoring whether that's uh you know your security system for your home or um monitoring the network um that kind of also falls into IT security um things that fall into this category are things that just can't be left unattended it would probably be uh wrong to spin up a web server put it on the internet and then just leave it for
years and years and years and never touch it uh I guarantee you that thing is hacked um and you should probably not use it anymore but these things require at least some consistent input um maintenance update uh maybe some low-cost hardware if you want to run it at home instead of in the cloud um if it stops working someone may notice which increases the buy-in a little bit um on the blog side for example I have a blog if it goes down I'm going to notice maybe no one else in the world would notice but I would and that increases some of my buy-in because I don't like that it's down um so uh on
the previous slide I mentioned maybe not ideal for people who need kind of a push into this space um this might be a little bit more uh in that realm where hey you need something to to motivate you to to stay in your home lab uh does require some investment again hardware cloud servers Raspberry Pi eBay gear uh real estate in your in where you live um maybe the people you live with are okay with you taking up the broom closet with servers maybe they're not uh just depends on on how close you all are um and it's up to you how critical you make this right um if my Pi-hole breaks or I
guess I use pfBlocker um but if it breaks you can just there's a toggle to turn it off and and everything's fine so if you know I'm in the middle of a busy week at work and you know my son's mobile games that have ads galore are uh breaking I can just turn it off and say hey go for it I'll fix it later uh I don't like to do that but sometimes that's just what you got to do these are a little easier to demonstrate uh the skill and investment required so again when you want to go into an interview um or have discussions with people and demonstrate what you're doing and learning in a home
lab uh this starts to up the ante a little bit and say hey I'm actually like I'm doing some real stuff um it's very easy to say I do CTFs and then people just assume like sure maybe you spent five or 10 minutes on a CTF to say you did it versus now I have things to show you I have examples I have stories of where this stuff worked or didn't work um so we're upping the ante a little bit there uh so um some ideas on what you can do here um a hosted blog um so maybe you go out to WordPress um and say I'm going to pay you the you know $10 a
month to host a website um just so it exists uh you still kind of have to manage it but but maybe they're managing it uh on their own uh Pi-hole Security Onion open source security monitoring so maybe you want to monitor some of this IT infrastructure you're spinning up or your home network uh maybe you have multiple other things in your lab you want monitored maybe you want to monitor uh devices on your home network especially if you have um kids at home who maybe are starting to use tablets and things um so Security Onion there's others um if you were at the talk downstairs you mentioned Suricata as another one um I think Suricata is
actually in security onion but um you have some options there for open source security monitoring um and maybe you want to solve some uh some personal problems with scripting this is a good way to uh spin up infrastructure learn coding um my example was I I made a campsite reservation bot um which maybe here in Colorado that makes me the bad guy I'm not sure um but I really really wanted a reservation at this one campsite uh if you're familiar with it it's the fire lookout tower on uh out near Idaho Springs could never get a spot always filled up so I had a bot that would text me um whenever a reservation opened up so kind of a cool
use of the home lab for personal gain if you will um but you can solve any other problem maybe uh you're into stock trading and you want to you know create a bot around that but um all these fall into that kind of IT infrastructure uh type realm and then on the kind of more uh more difficult and uh higher impact side um this is actually like running critical services that when they break they really actually impact people again home firewall Active Directory um own or manage an open source project um so maybe you wrote a tool or took over a tool um and it's out there open source and you have to deal with people coming
into your issues queue and telling you how dumb your tool is or how it doesn't work um self-hosted web server or blog rather than hosted by a vendor um maybe you have an IoT test bench maybe you're into car hacking or just testing IoT devices and you need space where you can hook all that that stuff up or maybe you have to solder uh connectors down to pins uh so that that's a little little more involved I would say all of these require at least $100 in initial startup costs and if not more um and you saw the um the title slide the the $100,000 home lab um you could take this to infinity I
suppose uh downtime here might impact other people or or requires immediate input from you to solve an issue again if you're doing like some volunteer work uh for like a nonprofit it's probably not acceptable for that stuff to go down uh but the reward is high here you're probably going to learn more uh you might be able to demonstrate uh more involvement again in an interview type scenario um or uh what this might do is is be the start of a of a startup or a product that you want to market um as you go down this route uh usually you're going to get into physical hardware uh at this point um so you have to consider power
requirements so there's a cost you you may not have planned for servers kind of eat up a lot of power where you put the servers uh can your home cooling uh deal with the heat uh storage um all that sort of stuff you start getting into things external to the home lab that you have to consider some options here um for firewalls like pfSense or OPNsense Active Directory I mentioned um create or adopt an open source project so if there's a tool you use frequently at work and you want to be involved get into the issue queue on GitHub and establish yourself as a professional there um and start interacting that's one way to get uh yourself uh recognized
maybe you end up on a list of contributors it's a verifiable way to show your work in the security space um or maybe you build a wholly new tool because you you couldn't find a tool that does exactly what you wanted um I would also say based on the talk downstairs um you know maybe you get into building AI Bots space uh I would say blog on your Hardware or Cloud Server um so again having to figure out how to set up a web server reverse proxies secure that make sure it's accessible over the internet to you and no one else um again this is all good stuff in the security space so that when you go and do this at work uh
you're not completely foreign to the things that your development and infrastructure teams are having to do um and then I put VM network here um a baseline VM network is pretty easy but say you want to network more than that you know say you want to get to like 10 20 networked devices for your home lab purposes that starts to get a little difficult you start having to work in VLANs and and um how you manage that network uh so that that ends up in the difficult uh category here as well uh so say none of this strikes your fancy or or perhaps um you've done all of this and you have a really robust
home lab and you're just out of ideas and you're like what do I do next um really I don't want to say easy um ways to get those ideas might be uh rebuilding existing components um in a different language in a different automation framework um porting something that runs as like a python script to a uh to a container or a microservice that runs as needed um or porting into the cloud in some way um all of these would be good ways to learn something new um but you already have a framework in place so you're rebuilding something that exists um that at least takes that part of the equation out you can focus more on on just learning what
you want to do um in those new technologies um super helpful uh if you know there's a technology that you have a gap on or if you're trying to to apply for a job or jobs that you know use certain types of technologies um or say you want to change careers completely um out of security or into security um this is going to help you uh and then uh going on like full-on tools um would be you know can you optimize a tool if you if you use a tool and you're like man it's really annoying every time this tool does something or it's really hard for me to run um it takes days to install whatever the case
may be um maybe you can optimize it maybe it's missing functionality that you can add um and maybe you can port it over to platforms that you do know and understand so again um maybe something is running very well as a Google Cloud function but you want to learn Azure Cloud functions um might be a good way to to learn some of those things I've talked a lot about the interviews um how you can make profit from this but but here we'll talk about it directly um everything that you build in your home lab can be a stepping stone to uh bug bounty hunting so a lot a lot of people in our space are into bug
bounty hunting and as you do that and build out about your testing infrastructure I will say um that is part of your home lab or maybe you did all of this for Hack The Box or for VMs off VulnHub and now you have exactly what you need to go do bug bounty hunting and it's already all set up and ready for you to go uh if you want to do additional security research again having done some of the stuff previously you might already have all the tools ready to go and the knowledge um that you need to go do security research exploit development if you're into that um you know say you want to do go to the
Pwn2Own competition one year and win all the Buu bucks uh maybe that all started in your home lab because you bought a car head unit off eBay and you started hacking away at that and then you went up there and figured out how to steal a Tesla freelancing or consulting um this is not uncommon in our field so um kind of the I guess I would call that overemployment but some people as they're trying to decide if they want to leave the corporate world for freelance consulting or starting their own business this could be the start of that maybe you just pick up a gig here and there based on what you did in your home
lab and you're successful um which then drives you into this next one which is entrepreneurship again this might be the start of a startup for you uh as as you get to your home lab you might find a tricky problem to solve or you might solve a solved problem better um and now you've done that uh in a way that that's hopefully documented and and ready for you to turn into a business uh and then lastly that one is development so uh again if you're a security practitioner uh and you want to learn coding or how your development teams create apps and and why they continue to put vulnerabilities in their apps um this
might be a good way for you to kind of become a developer without having to go become a developer uh the caveat here requires much more effort and skills beyond cyber security right if you start wanting to monetize this stuff um your organizational skills come into play your ability to interface with others start coming into play um which is beyond the scope of this talk but I just don't want anyone to think that they're going to walk away from their home lab and instantly make a million bucks and so uh with that um here's the conclusion use whatever you have uh and whatever level of home lab is appropriate start there you don't have to start with a rack of servers and 20 VMs
you can start with a free Kali box and the free Hack The Box subscription and be off to the races and maybe that's all you ever do and and that's good enough um don't let the barrier to entry here stop you from starting something uh do document your journey and put it on your resume again either through a blog or GitHub or a Medium account something document it um if you're doing CTFs or Hack The Box write up your process show them that you know how to write a report um ideally it's easily accessible but maybe you just don't feel comfortable with that maybe you keep private or password protected that's fine too and then you can just share it
as you need and you don't need to be a cybersecurity influencer for this to be successful so uh you saw the YouTube thumbnails on the first slide there there's a lot of uh people who are like look at my amazing awesome perfect home lab um I don't know how many people have heard the statement don't let perfect be the enemy of good uh I think that definitely applies here it's better that you start and do something than it be perfect it's better that you do it today and then don't do it again for six months and then pick it back up uh that that's the point here is that you can do this it can get whatever level of
effort you want it's still beneficial almost no matter what you do um you see the big brain meme uh there so everyone should get to the big brain uh picture there by sharing this and using it for profit but also have fun while you do it any questions
um do you use any of the automated home labbing uh products like Snap Labs for doing something in the cloud or like Ludus for doing something on-prem I have not um and honestly at my stage in life right now I I probably don't have the bandwidth to learn new technologies um at the moment uh so I have not but um I do those are those useful have you used those I've used Snap Labs before but yeah because like one of the things I was looking for is like uh my barrier right now is just like the there's so many choices available and like I know that it would be a short amount of time
to set up like an automated lab with either Snap Labs or Ludus but it's still a lot of like upfront like configurations whereas I could just go piecemeal like as you're saying and then move through that way yeah um yeah I think it depends on your goals you know if you're planning to spin up a bunch of VMs then like certainly that that probably makes a lot more sense um if you just need your 1 VM and you're going to go to CTFs then yeah you know maybe not the investment but um yeah that's good call do you have any recommendation for uh doing like hardware separate sub networks in your home so that maybe you
have you know your spouse and stuff on one and then you have your lab separate and then there's kind of an easier division definitely um and I've gotten dangerously close to doing that um most Wi-Fi uh systems at home provide a guest and a primary network um if you're running your own firewall you can then VLAN those off into different VLANs and absolutely do that um if I were to go and start over again I probably would do that um so I I do recommend that for anyone who who might want to run critical services at home that's probably a really good recommendation also uh if you have guests over it you know it helps them I've I've had
multiple people not be able to uh check their email uh connect to their work VPN um all their apps don't work um from family members and friends who have come over and connected to Wi-Fi and they're like your internet never works oh it works exactly as intended it's very secure yes no one cares I care I saw this one first and then there an unaffiliated plug for Game of Active Directory it's a scripted um it literally sets up an Active Directory domain with five Windows servers with Active Directory so you can practice all the latest Windows hacks on a domain that they probably work and if you're not at the point where you can actually
do the research they have walkthroughs there's like 15 different walkthroughs that you can do from using pivoting pass the hash that kind of thing so it takes you from ground zero I've never hacked Windows box to actually understanding a decent amount of an internal awesome thanks for that plug and and I'd recommend as well if you go down that route that's great uh add to that security monitoring and then you can walk through each of those steps learning how to pass the hash and pivot through an Active Directory network while monitoring and see if you can catch yourself uh and that will be immensely helpful as well I was going to tack on top of that write everything
up on that so yeah use go yeah write up all the vulnerability whatever you find just so they you can provide a write up to whoever hey yeah I like researched this I write this you know that's going to be a big key can you write communic absolutely uh back to the interviews um we could probably raise the hands but like how many people have read through a job description and one of the required skills like soft skills writing all this like it's you think it's boilerplate until you start interviewing people and realize that like there's a lot of people that literally cannot write um so this is a good way for you to practice and and see
how you do or even write consistently your one report is fantastic but the next seven are trash you're not getting that job absolutely thanks do you have an opinion on like lbm KVM platforms like Proxmox um sorry Proxmox yeah uh I don't have opinion on which ones to use again it will depend on your setup like if you have one VM then you know you probably don't need that but if you're setting up a whole IT infrastructure with Active Directory and a firewall and and all these things then then probably really useful um I will say that for me at least that does become a barrier to me doing things is when I start thinking
about like oh man am I going to need like multiple keyboards and monitors and all this um being able to remotely access them um can be one of those things that helps you uh you know get past that barrier of of having cables running everywhere um in order to connect to random things um but it also can be an interesting exercise in home networking uh if you want to be able to like SSH into things um or set that set up you know one of those KVM type capabilities and having to do your internal firewall to allow all that the stuff happening with VMware Broadcom I just see a lot of people moving to that so I
didn't I messed with it a little bit but not a crazy amount yeah um I I would also this this was a cybersecurity focused talk but there is a lot of value from the IT side of things and I think as a cyber security practitioner you gain a lot of credibility if you know how to use and implement tools that maybe your IT uh brothers and sisters are using so stuff like that if you know that that at work people are using those sorts of things to access uh different resources it might be beneficial for you to do it just for that reason just so you can get it under your belt if you want yes um so so I got in here a little
late um so I'm not sure if you already went over this but I think you did a really great job with presentation um I'm just kind of curious what do you do currently uh as my job yeah yeah see if I can get there there we go um so I'm a detection and response engineer for continue post moning platform um I would say so like detection to response so defensive blue team side the value to me for a home lab is knowing how to detect things going on um which initially was why I first ever put a firewall on my network was because I wanted to do pcap at the edge and figure out what devices were doing what and
talking to what um so I would probably have a vested interest in doing like security onion um which I've done in the past do some home network monitoring figure out how to um triage alerts uh in my example I did set that up I set up security onion on My Cloud Server uh and set it up to forward uh alerts as emails to my Gmail account and because I didn't do it right the first time I ended up with like a thousand emails a day um from security onion which was super awesome not um but that's what I might focus on that being said maybe I want to get back into red teaming and I haven't done red
teaming in the last year so I need to like get up to speed on the latest tools cool I'm going to take a pause from that maybe I have a kill switch if you will or a way to just turn that off and ignore it while I go back and do some hack the box work um so again your goals matter um but yeah and I will say at least for me um doing that security onion type monitoring at home was one of the things that helped me build the skills to get the job that I
have other questions all right well thank you all very much appreciate it good luck on your home lab