
Building My Ultimate Home Detection Lab - Oliver Creed

BSides Lancashire · 17:47 · 33 views · Published 2024-06

Transcript [en]

Hey, so welcome to my talk. I'm going to try and speak slowly because I'm very nervous. So I'm going to give my talk about building my ultimate home lab. My take on "ultimate" might be a little bit different from what you think of. So hopefully my key takeaways from this talk are: if you haven't got a home lab, maybe you want to build one, just get started, it's easy; or, you know, if you do have one, maybe you'll think about how you're doing your home lab, maybe you want to change it, you know, see if we get somewhere. So a bit about me, or who am I, as in a talk once someone wanted to do

it. I'm a security engineer for an insurance firm. I've been a SOC analyst and a detection engineer previously. Big advocate, obviously, for having a home lab; I think it's a really great tool to learn with, and I also attribute being able to progress to my different roles quickly in my career to it, because I was able to learn new technology before it was implemented in the organisation I worked for. Dog person, not cat person. So what is my ultimate? My ultimate is something that is cost effective and also flexible, so I want it to be able to do what I want to do easily, be able

to access it easily; compact, so I don't want a big server rack in my office, which is quite small; I want something that I could probably put in the cupboard once I'm done with it. So it's to test the waters. One of the main things I like doing in my home lab is: what if we didn't have AV or detection engineering stopping malware at stage one? What if the malware got all the way through and executed all of what it wanted to do, and how does that look in the log telemetry? That's what I'm most interested in seeing, what the log telemetry looks like with no restrictions on execution. I don't really want a

second job, so I want a low-maintenance to no-maintenance lab. I don't really care if it's got vulnerabilities, and I build it and think about it in such a way. And also focused on what I want to test: I don't want lots of unnecessary bloat, lots of other things I have to maintain, or "oh, I really want to test this thing but I need to fix my DC first and get authentication working". I just want it to be really focused, really streamlined. I'll go more into it, but I only really install things or set them up in the way I want when I go to test or try and simulate something. I think the first thing you

should do is probably set your lab's goal. Having a goal again helps with focus, being able to really streamline what you want to do, avoiding that second-job syndrome. So some sorts of goals you can have: do you want to try a new software? Maybe you've got a job interview coming up, etc., and they're using a particular software, a particular SIEM solution that you've never touched before. Most of these vendors have a trial or a free trial you can get access to. It's a really good way to say, "no, I've not used that software, but I know what it looks like, I know how it feels,

and I use this software and it's all very similar", because if you use one SIEM you probably may use, you know, query languages, you know how to build queries, you're going to be able to use most SIEMs within a couple of days. See what attacks look like: maybe you want to see what attacks look like from a defender and attacker standpoint, so, you know, think about your purple team in there. So you really want to run through your attack and then see what that looks like from the defence standpoint. Being me myself, I'm very defence focused, so I don't often see what the attacker has to do to execute

something; I just see what it looks like in your process command line, and obviously I know what you wrote to do that, but yeah. Again, P software, I said that, cool. So the first step is probably your hardware choices, so what kind of hardware do you want. While it looks really cool in posts online, I'd probably recommend avoiding servers. You don't want a power-hungry, fan-spinning machine in your office or anywhere in your house really, especially if you're not going to pay any electricity bills. I come from a networking background, so I really wanted a switch that has some VLAN and SPAN for port-mirror capabilities. You tend to

probably have to look at business-class switches for that, but you can get them pretty cheap if you look at, like, Netgear. While I wouldn't recommend them in a production environment, they're pretty good in a home scenario. I think the obvious one here: you're going to probably be buying second-hand. You don't care if the hardware fails, or you don't want to get ripped off, but you don't really care about the availability of your hardware because it's a lab. So Facebook, eBay, old stuff. You want to be careful not to go too old, otherwise again you get power issues, and you just want to be able to run some stuff. One thing

I've heard before which I think is really good is old laptops. Even if the screen's broken, it's great; it's like a server with a built-in UPS. Don't underestimate the cost of RAM. RAM is crazy expensive for some weird reason, I don't know. And also old hardware as well: people seem to think ten-year-old hardware can still fetch crazy amounts of money, so just be wary, or you're really just under-appreciating how old the hardware is. You may even want to think about stuff like NICs, so you want additional network ports in your single PC or multiple PCs, you want a switch, RAM, etc. So that's what

you think about for your hardware. Software: you're probably going to want some sort of virtualisation, unless you've got servers coming out of your ears. VMware, I think that's kind of dying. Proxmox is kind of the way to go, I think, in most scenarios; it's really feature-rich, you could probably spend a day just on installing Proxmox. For anyone who's not familiar with that, it's on-the-box virtualisation, so type zero, I think. And then obviously Docker containerisation is really great for saving resources. If you've got multiple things you want to run, I'd recommend going with containerisation over virtualisation; you're going to save a lot of resources

in running big VMs. Windows or Linux? You're probably going to want both. Firewall: really, I think most people tend to lean towards OPNsense or pfSense, really, really feature-rich firewalls, lots of modules. I think that's the way to go; there are definitely probably other options out there, but that's what I'd recommend. Windows servers: so I think, if your lab is expendable, I just want to mention that you can get eval licences for most Windows licences, so it's a really good way to get a licensed server if you want to have licensed servers. You want a SIEM. So again, I come from a detection background, I am

currently a SIEM engineer, so my lab obviously has a SIEM. You may not want a SIEM in your lab because that's not what you're interested in, maybe you just want to attack and attack and attack, but I want to see what the telemetry looks like, so I wanted a SIEM solution. I chose Elastic. Great SIEM, very easy, it's quite free compared to other SIEMs. With Splunk, on your trial licence you get limited on gigabytes; you're not limited in the same way you are with Elastic. They do have some premium features, but it's very easy to activate a trial licence, so set a snapshot, activate a trial licence, 30

days, just roll it back. So you want some way to collect your telemetry, so you look at stuff like Sysmon, probably, hopefully, stuff you may be using in your production networks, which you probably want to use in your lab; it really allows the playground there. So yeah, telemetry: you look at stuff like Sysmon, EDR tools, a few free ones out there. Elastic also comes with an EDR capability, it's got some really useful network technology, so while EDR is very expensive, you could use something like Elastic and see what kind of capabilities you're going to get from a commercial-grade EDR. Again, so maybe you don't want to create your own data, maybe you want to

import data, so you've got malware samples, sorry, network captures, and then also Atomic Red Team is great if you want to just run atomics, or run the command and see what all the atomics look like in your environment and upset your computers. Again, there are also loads of pre-built platforms and many projects out there, maybe from people much smarter than me, like SOF-ELK and HELK, which are really great and I would recommend checking them out. I would say you want to try building stuff on your own at first to understand the building blocks, but once you're comfortable with the building blocks and understand how that all links in, really check

out those projects and get yourself a head start. Yeah, so deploying: when you've got your hardware, you've got your software, you've made your software choices, you've got your goal, you want to look into deploying it. So I would always say setting up automation to deploy is great. I'd always recommend knowing what your automation is doing: don't just search for scripts on GitHub and then run them, actually read through the Ansible scripts, because when things break and you're not sure why, knowing what should have run and seeing why there's an effect, knowing why it's failing, makes it much easier. Maybe better, make your own Ansible scripts, make them open source, let

other people have a go. Before maybe doing anything, set some VM snapshots. Really lowering that maintenance you need to do to recover from playing in your playground: set a snapshot and then you can roll back. Really simple stuff, but I've forgotten it, and I'm sure someone else will. So what firewall rules do you want to put in place? One thing I really like to do is keep my lab really segregated, so I block all outbound access, so if I do make a mistake and put something malicious on there, maybe it has worm capability, it's not going to get out onto my home laptop and up to my work PC. Install trial licences: you

really want to use the premium features; vendors hide all the best features behind the paywall. So if they are a decent vendor, hopefully it's really easy to access their trial and you don't have to contact sales. And a lot of vendors do give development licences if you purchase a product for your commercial environment, so it's always worth speaking with your vendors about that. Seeing what your lab's normal is: so how do things normally run? This is again a detection focus here, so seeing what logs I should expect to come in, can I filter them out. Reduce the costs: one of the big costs will probably

be storage, along with RAM. And then, do you want to monitor things? Do you really care at 3:00 a.m. if your lab is no longer working? So think hard about if you really care about monitoring. I take the approach of not monitoring anything; if it broke, I just reinstall it. That's my lab, very simple. Didn't do this before the talk or today at any point, promise. So again, just have a laptop. I actually have a Chromebook, to give you the shivers, and just RDP or HTTPS to a portal that's exposed on the Proxmox VM, which is then running an Elastic instance. So on Proxmox I tend to run a DC, a Windows

client, and then a Linux server. The Linux server will run all the development, all the blue-team side of stuff in terms of Elastic, any Logstash, any additional parsers I want to do. The client will have an EDR installed and be domain joined. Then you attack it, whatever attack you want to do, on my instance. So maybe just run some ransomware; seeing how that looks through a SIEM solution is quite interesting, especially when the majority of ransomware tends to be blocked quite early these days in terms of AV, and Defender will kill it as soon as the file drops. So turning off Defender and then running it, seeing the logs, really

interesting, and seeing it encrypt all the files, what that looks like. Again, so with a NIC you've got multiple ports, so while doing it all virtually, I like to actually have some physical things I can unplug and cut and hit if it's not working. So I like to have a port switch where I can do port mirroring on, and then link that back to it. It looks a bit like a loop, like the computer's talking to itself, because we have different NICs assigned to different VMs; it's really different VMs talking to each other. And some final points: I like just saying cattle not pets, so really think of your lab as cattle and not pets,

don't get attached to something, don't be afraid of just deleting it or reinstalling and starting fresh. If you've done things right and got your Ansible scripts and such, it's really quick to set up again, so don't get attached, don't try and fix something that you don't know why it's broken or some malware screwed up; it's not worth the time. I'd always say probably try and start small and build out: start with a small goal and build out. You don't need to build the best and the greatest and the most powerful lab that you can have before you start doing as much learning as you can do. You can do many learnings by just

having a very simple single PC, single laptop, and just installing software. Especially if you want to be a systems administrator or security engineer, just installing a SIEM solution can be a really great head start. You could do it all in the cloud if you really, really want to; I don't know how big your wallet is, and also there's a problem where you always have to be on the internet if you are in the cloud, which is a thing to think about, because you're going to have to access it somehow. Keep labs labbing. But I want to tell you a story here. I had a colleague

of mine at one of my previous companies; he had a home lab that became his home network, and he had to have maintenance windows with his partner to bring down the lab to do maintenance. I really don't think that's a good idea, and you should keep your lab labbed. I keep mine specifically not running my home network or touching my home network in any way, because I want to do detection stuff in my lab, so I want to deploy malware; got to be a little bit responsible with that. But, you know, if you're going to run, I don't know, some sort of file server or something, I

don't think that's labbing at that point, I think that's running a service for your house, so I'd keep that separated from labbing. In my opinion a lab is a playground and should be gated as such. Try not to get lab envy. You can go on subreddits and online and see people with five servers, and just try not to be jealous of how they've afforded that and the budgets people seem to have to spend on their labs. I have priorities. So try not to get lab envy and just remember they're probably spending £500 a day in electricity. And then I think one final point is a

little bit of a negative, so a bit of a shame to probably end on it. I've rushed through my slides. But labs do have their limits, and understanding what their limits are: from a detection standpoint, one of the biggest limits is access to vast amounts of data. You're probably going to find it very difficult to generate over a terabyte of data a day, and good-quality data, and you also don't have the developers doing weird stuff in your environment for you to test against. So they do have their limits, but I think the positives and the learning you can gain from them vastly outweigh that.

Questions? Any questions? No, it's in the cupboard. I recently moved, so it's not actually turned on at the moment, sorry. But if you wanted to know, a picture: it looks like that PC there, literally with a switch on top of it, very simple. So I think it's a Dell OptiPlex. That's one thing I did mean to mention: Dell, I think, small form factor PCs. If you go too small you tend to get the price problem where things get really expensive because it's really small; too large, you've got something big and heavy. So a medium-sized PC is the best. Awesome, thank you very much.
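The detonation workflow described in the talk (Defender off, ransomware run in the snapshotted Windows client, then watching it encrypt the files in the SIEM) is the point where a detection gets written. The block below is an added example, not code from the talk or from Elastic or Sysmon, of the simplest useful rule over that telemetry: flag a single process that creates many files with one new extension inside a short window, ignoring extensions you have already baselined as normal for your lab. The sample records are constructed and shaped like the Sysmon Event ID 11 (FileCreate) fields; the window, threshold and baseline extension list are assumptions you would tune against your own "lab normal".

```python
"""Added example: ransomware-style burst detection over Sysmon FileCreate
(Event ID 11) telemetry. The records below are constructed samples shaped
like Sysmon's UtcTime / ProcessId / Image / TargetFilename fields, not real
captures from any lab."""
import ntpath
from collections import defaultdict
from datetime import datetime


def _ev(utc_time, pid, image, target):
    """Build one constructed FileCreate-style record."""
    return {"UtcTime": utc_time, "ProcessId": pid,
            "Image": image, "TargetFilename": target}


# Constructed sample: a dropped binary rewrites six documents with a new
# extension within a few seconds and leaves a note, while Word and Explorer
# produce ordinary activity that must not fire the rule.
SAMPLE_EVENTS = [
    _ev("2024-06-01 10:00:00.100", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Documents\report.docx.locked"),
    _ev("2024-06-01 10:00:01.200", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Documents\budget.xlsx.locked"),
    _ev("2024-06-01 10:00:02.300", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Documents\notes.txt.locked"),
    _ev("2024-06-01 10:00:03.400", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Pictures\holiday.jpg.locked"),
    _ev("2024-06-01 10:00:04.500", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Desktop\todo.md.locked"),
    _ev("2024-06-01 10:00:05.600", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Desktop\invoice.pdf.locked"),
    _ev("2024-06-01 10:00:06.000", 4321, r"C:\Users\lab\Downloads\update.exe",
        r"C:\Users\lab\Desktop\README_RESTORE.txt"),
    _ev("2024-06-01 09:58:10.000", 2200, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
        r"C:\Users\lab\Documents\draft.docx"),
    _ev("2024-06-01 09:59:40.000", 2200, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
        r"C:\Users\lab\Documents\draft2.docx"),
    _ev("2024-06-01 10:00:02.000", 1500, r"C:\Windows\explorer.exe",
        r"C:\Users\lab\AppData\Local\Temp\thumb.tmp"),
]


def _parse_time(text):
    """Sysmon UtcTime format: 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def _extension(path):
    """ntpath handles Windows-style paths regardless of the analysis host."""
    return ntpath.splitext(path)[1].lower()


def detect_mass_file_writes(events, window_seconds=60, threshold=5,
                            baseline_extensions=frozenset({".tmp", ".log", ".dat"})):
    """Return one alert per (process, extension) pair that created at least
    `threshold` files sharing that extension inside any `window_seconds`
    span. `baseline_extensions` is the assumed 'lab normal' filter: noise you
    have already decided to drop after watching how the lab runs quietly."""
    per_process = defaultdict(lambda: defaultdict(list))
    for ev in events:
        ext = _extension(ev["TargetFilename"])
        if ext in baseline_extensions:
            continue
        key = (ev["ProcessId"], ev["Image"])
        per_process[key][ext].append(_parse_time(ev["UtcTime"]))

    alerts = []
    for (pid, image), by_ext in per_process.items():
        for ext, times in by_ext.items():
            times.sort()
            start = 0
            # Sliding window: advance `start` until the span fits the window,
            # then check how many creations fall inside it.
            for end, current in enumerate(times):
                while (current - times[start]).total_seconds() > window_seconds:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.append({"pid": pid, "image": image,
                                   "extension": ext, "count": len(times)})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_file_writes(SAMPLE_EVENTS):
        print(alert)
```

Run it as-is to see the single alert for `update.exe` writing `.locked` files; the Word and Explorer records, the lone ransom note and anything in the baseline set stay quiet. Tightening `window_seconds` or raising `threshold` shows how the same burst slips under the rule, which is the tuning conversation you would have against real lab telemetry rather than these constructed records.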