UFCFFY-15-M Cyber Security Analytics

Practical Lab 6: DetectionLab


In this lab, we will look at how you can setup the DetectionLab. For our purpose, we will build our DetectionLab within the UWEcyber VM image, as this provides a consistent means of configuring our environment. We will also utilise the documentation for the DetectionLab, available online at: https://www.detectionlab.network/

01. DetectionLab

DetectionLab is developed by Chris Long, Senior Analyst at Netflix, and offers a quick and easy way to create your own virtualised cyber range. It incorporates a number of the tools used today - Splunk, Suricata, osquery, Microsoft ATA, and more. It manages log generation and collection. It has Active Directory built in. This is a perfect set up for testing offensive and defensive security measures against a realistic virtualised infrastructure, without taking hours (or possibly days) to set up.

Alt text

The DetectionLab environment is as depicted above. It consists of 4 Virtual Machines:

  • Logger: This machine is responsible for curating all logging information from the network.
  • DC: Domain Controller machine responsible for hosting the network Active Directory.
  • WEF: Windows Event Forwarder responsible for logging all Microsoft Windows events.
  • Win10: An endpoint workstation typical of a user in an organisation.

02. Deploying DetectionLab

For the purpose of the task, you may choose to use a single UWEcyber VM to host the DetectionLab within, or you may want to host the DetectionLab on your host OS. You will need to decide on your preference. DetectionLab should work on the host OS of UWE lab machines, however having this within a UWEcyber VM also offers a more portable solution.

Please note that deploying the DetectionLab will take some time - possibly 1-2 hours to complete - as this will be provisioning all four machines and instrumenting these together to form our cyber range.

UWEcyber VM (recommended)

The following set of commands should allow you to deploy the DetectionLab within the UWEcyber VM (Ubuntu 20.04). You should create a new instance of the UWEcyber VM on an external drive that is plugged into a UWE computing lab machine. You will need to ensure that you give your UWEcyber VM 16GB RAM as a minimum. You will also need to modify the default Virtual Machine Settings, to enable Virtualize Intel VT-x/EPT or AMD-V/RVI. The screenshot below shows this in detail.

Alt text

Once your UWEcyber VM has been booted, you can run the following commands from the Terminal.

git clone https://github.com/clong/DetectionLab.git
sudo apt install vagrant virtualbox
sudo gem install winrm-elevated
sudo gem install winrm
cd DetectionLab/Vagrant
./prepare.sh
vagrant up --provider=virtualbox

The result should be that you have 4 virtual machines deployed within your UWEcyber VM, using VirtualBox.

Troubleshooting:

  • If you find that your logger machine hangs during the initial setup when initialising Fleet, you can close the machine. This should not impact the machine and should enable the setup to initialise the next machine, dc.

Alt text

Personal Laptop / Home Workstation / UWE lab machine

You are welcome to configure your DetectionLab environment in whichever way works best for you - providing that you have an operational environment to work with. If you are using your own laptop, or if your machine has 16GB RAM, you may prefer the following method:

This approach will create 4 VMs using either VirtualBox or VMware (depending on what is available on your host machine). It is recommended that you then snapshot each individual machine, so that you can rollback all four machines as and when required. NOTE: Should you experience problems with this setup, you will need to conduct your own research to diagnose and resolve the problem, as we will not have knowledge of how your personal machine is configured, and where conflicts may be occurring.

03. Getting Started

First thing you will likely want to do is SSH into the logger machine.

vagrant ssh logger.

Alt text

From here, check the IP address of your logger instance.

ip addr

Alt text

See if you can ping the other machines - consult the diagram above for IP addresses. Can you ping all machines on the DetectionLab?

You can also access the following applications on the logger using a web browser. You will need to determine your IP address for the logger machine - IP_ADDRESS in my example is 192.168.56.101.

Alt text

Now would be a good time to take a snapshot of your UWEcyber Virtual Machine since everything is set up and working. From VMware (hosting your UWEcyber VM), select VM, Snapshot, TakeSnapshot. This will allow you to rollback to this state, which will also help when you move from one computer to another with your external drive.

From here, you will want to start your research - looking at the Usage documentation of DetectionLab may help provide some initial ideas. One of the tools built in to DetectionLab that you could use is Atomic Red Team. You could also perform attacks from your host machine (e.g., UWEcyber VM), or from another VM such as Kali.

The Splunk license will only allow approx 500MB of ingest. It is therefore advised that you bring up the environment, conduct your testing, and then shut down the environment. If the license expires, you can either provision a new DetectionLab environment or you can rollback your UWEcyber VM.

Other lab machines (e.g., Kali, UWEcyber) can then be preserved and re-linked to the testing infrastructure.

**Do not store any work on the DetectionLab VMs in case these should be inaccessible. For your assignment, you should not need to store any information on the DetectionLab machines.**

04. Using Vagrant

As some final guidance, you will find the following Vagrant commands useful whilst working with DetectionLab.

All commands must be run from the “DetectionLab/Vagrant” folder:

  • Bring up all Detection Lab hosts using Virtualbox: vagrant up –provider=virtualbox
  • Bring up all Detection Lab hosts using VMware: vagrant up –provider=vmware_desktop
  • Bring up a specific host: vagrant up hostname
  • Restart a specific host: vagrant reload hostname
  • Restart a specific host and re-run the provision process: vagrant reload hostname –provision
  • Destroy a specific host: vagrant destroy hostname
  • Destroy the entire Detection Lab environment: vagrant destroy (Adding -f forces it without a prompt)
  • SSH into a host (only works with Logger): vagrant ssh logger
  • Run a WinRM command on a host (only works with DC, WEF, and WIN10): vagrant winrm --command hostname --shell powershell
  • Check the status of each host: vagrant status
  • Suspend the lab environment: vagrant suspend
  • Resume the lab environment: vagrant resume
  • Shutdown each host: vagrant halt

More Details...

In [ ]: