Building a Detection Engineering Home-lab
Installing and configuring Security Onion and Windows 11 virtual machines.
This article will cover the following information:
How to build a standalone instance of Security Onion in VMware Workstation 17.5.0.
How to install VMware Tools on the Windows instance.
How to verify the Security Onion install by pinging the gateway.
How to confirm access to the Security Onion instance via the web browser.
Introduction
A few weeks ago, I had the pleasure of speaking with a senior cybersecurity professional and he brought up the concept of Detection Engineering. Detection Engineers help identify detection gaps in IDS/IPS/EDR systems, and then help the SOC analysts tune those defensive systems to close the detection gaps. There is a trade-off between security and convenience for the user that Detection Engineers have to balance. If your rules are too sensitive, you run the risk of swamping the SOC analysts with false positives. If your rules are too loose, there is a strong chance that a real alert will be missed. That is why Detection Engineering is both a science and an art. As someone who does cybersecurity research and analysis for fun, this role seemed really interesting and I started digging around the internet. I came across a GIAC Gold Certification paper from 2021 titled "Detection Engineering: Defending Networks with Purpose" by Peter Di Giorgio (https://www.sans.org/white-papers/40400/). After I read through the paper, I realized that all the materials Mr. Di Giorgio used to run his experiment are free and open source. What better way to learn than to build a home-lab specific to this paper and try to reproduce the scholarly work!
Purpose
The purpose of this project is to reproduce the research conducted by Peter Di Giorgio. I will be using the following tools:
VMware Workstation Pro version 17.5.0 build 22583795
Security Onion (SO) 2.4.20
Wazuh
Sysmon
Sigma
Atomic Red Team
At the conclusion of this project I will have hands-on experience with building a network and integrating it into a SIEM. I will be able to run adversary emulation using Atomic Red Team and I will be able to build Sigma rules to tune detection systems. I will have hands-on experience working through the MITRE ATT&CK framework and a better understanding of how to turn new threats into detections that improve overall detection rates.
Building the Home-lab
Security Onion 2.4.20
I'll preface this by saying there was a lot of Layer 8 (human) error when it came to my initial install of Security Onion. While I do understand networking, each hypervisor (VirtualBox and VMware) has some nuances which make them unique. My hope is that as I go through my own steps for building the lab, you will be able to successfully build a lab too.
A special thanks goes out to David Pennock and Lazaro Rivera for their help in troubleshooting the Security Onion install. They taught me a lot about how to approach the install and helped me explore different configurations until we got the right setup to replicate the findings as closely as possible.
So what is this lab going to look like?
This structure is meant to replicate how Peter Di Giorgio built his lab. In future iterations, I will include an outside Linux aggressor that will be used to attack the gateway and the Windows 11 nodes to generate alerts.
Initial Install of the ISO
Materials Required:
VMware Workstation 17.X installed on your computer (Eval version is fine)
Latest Security Onion ISO (I used 2.4.20 for this experiment)
Around 5-6 hours and a lot of patience
Minimum HW Requirements:
***Note: While the minimum requirements state 16GB RAM for a Standalone SO install, the Security Onion setup will error out and state that it actually needs 24GB RAM.
Step 1. Establish the HW for your Standalone SecurityOnion VM
Open VMware Workstation and select create new VM
Use the typical install.
Click Installer disc image file (iso) and browse to the ISO you downloaded before starting this build.
Name the server and set up a saved location if you want the VM stored somewhere other than the default location.
The Security Onion documentation recommends a minimum of 200GB of disk space for the VM. I personally like to store my VMs as a single file to assist in movement from desktop to storage or cloud whenever I want to keep a VM but don't need immediate access to it.
At this point, click the Customize Hardware button.
For a standalone instance you need to dedicate at a minimum 24GB (24576MB) of memory to the SO instance (16GB will fail the setup check noted above)... I prefer 32GB (32768MB) for mine.
Update the processor count to 4 cores.
Add a second Network Adapter and set it to NAT.
Make sure that the second network adapter is on NAT as well. This second adapter will be the monitor (sniffing) adapter for the SO instance, and because both adapters sit on the same NAT network (VMnet8) it will see the traffic between the Windows node and the gateway.
With the above hardware settings complete click finish and begin your install.
Step 2. Run initial install
During this step you will boot the ISO, establish an admin username and password, and then wait a long time for the application to set itself up. The following are the basic inputs needed to get the Security Onion instance installing.
Select the first line.
Type yes to proceed, set up your admin username, and make a memorable password. This is the OS account you will use to log in at the console and over SSH; the web interface gets its own login (an email address) later in setup.
Observe that Security Onion is going to install a ton of packages. This can take a while. It may look like it is hanging on the "Running post-installation scripts" phase, but that is normal and takes a long time (5-6 hours in my case). Once it is done you will see the following message:
Step 3. Configure Your Security Onion Instance.
In this step, we will configure both the management interface and the monitor interface on the NAT network, with the management interface using DHCP rather than a static IP. Because every NAT adapter in VMware Workstation sits on the same VMnet8 subnet and is served by the hypervisor's own DHCP server, the VMs can reach each other without any extra routing. Other articles encourage bridged or host-only adapters. I understand why it makes sense to isolate the VM from outside influence, but for this particular exercise the DHCP server is controlled within the hypervisor, which makes two NAT adapters the simpler choice. One caveat: the manager's address is baked into the Security Onion configuration at setup time, so if you stay on DHCP make sure the lease does not change later (VMware hands the same address back to the same MAC by default; a static address is the safer option if you rebuild the VM often).
***NOTE: Before you begin, go to the dropdown menus, select Edit --> Virtual Network Editor and open that window. Observe the subnet address for VMnet8 (192.168.246.0 in my case). Highlight that line and select NAT Settings. Note that the Subnet IP, Subnet Mask, and Gateway IP are all listed here. You will need this information later in the install process.
Login with previously created credentials:
The server will spin up a setup GUI to walk you through the process of configuring Security Onion.
Select Standalone as the installation type. This is the same type of installation Peter Di Giorgio used for this exercise. Standalone is a full production install on a single box.
Select the first Network Interface Card (NIC) as the Management Interface and select DHCP to configure it.
Select Direct connection to the internet and keep the default Docker IP range in the next setting:
Add the second NIC as the Monitor Interface, then enter an email address that will be your username for the web interface (SOC, Elasticsearch and Kibana). Setup requires it to be in email format, so add an @ domain to the username (for example user@blank.com) or the login will not work. Set the password for that account next.
This part is important. Remember when I reminded you to get your gateway IP and the IP range? We're going to use that information now.
Select IP as the way you will access the web interface. An IP address is the easiest option to get working from the Windows node.
Select yes to allow access to the web interface from another host.
Enter the IP address (or a CIDR range inside the VMnet8 subnet) that the Windows machine will use to reach the web interface.
Confirm your settings and click OK. Then go do something else.... lift weights, play D&D, get some coffee... It's going to be a bit. When the setup is complete you will see the following screen. When you press OK, you will be dropped to a shell prompt.
Run the following command:
You should see the following output:
Congratulations! Your Security Onion is running
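As an added example (my own script, not part of the original article or of Security Onion's tooling), here is a small bash script you can keep on the SO node to repeat the checks above and the ones you will want once the Windows node is up. It assumes the first adapter came up as ens33 and the second as ens34, and uses the VMnet8 values from the note above; run `ip link` on your node and override the variables if yours differ. The `in_subnet` helper confirms that the address you entered for web-interface access (and the manager IP you will later type into the Windows browser) really falls inside the VMnet8 subnet, and `has_promisc` checks that the monitor NIC is in promiscuous mode, without which it sees only its own traffic and none of the Windows-to-gateway pings will ever reach the dashboards. `so-status` and `ip` exist on the node; tcpdump being installed there is an assumption.

```shell
#!/usr/bin/env bash
# Post-setup checks for a Security Onion standalone node (added example).
# Interface names and addresses are assumptions, not values from the article:
# override them on the command line, e.g.  MON_IF=ens224 bash so-checks.sh --run
set -u

MGMT_IF="${MGMT_IF:-ens33}"                 # assumed management NIC (first adapter)
MON_IF="${MON_IF:-ens34}"                   # assumed monitor NIC (second adapter)
VMNET8_NET="${VMNET8_NET:-192.168.246.0}"   # Subnet IP from the Virtual Network Editor
VMNET8_MASK="${VMNET8_MASK:-255.255.255.0}" # Subnet Mask from the Virtual Network Editor

# ip4_to_int DOTTED_QUAD: print the address as a 32-bit integer.
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK: succeed when ADDR lies inside NET/MASK.
# Use it on the "allow web access from" address you gave setup and on the
# manager IP you intend to browse to from the Windows VM.
in_subnet() {
  local a n m
  a=$(ip4_to_int "$1"); n=$(ip4_to_int "$2"); m=$(ip4_to_int "$3")
  [ $(( a & m )) -eq $(( n & m )) ]
}

# has_promisc LINK_TEXT: succeed when the `ip link show` flags contain PROMISC.
# Without it the monitor NIC only sees frames addressed to itself.
has_promisc() {
  printf '%s\n' "$1" | grep -q '<[^>]*PROMISC'
}

main() {
  echo "== Security Onion container status (every line should read OK) =="
  sudo so-status

  echo "== management address on $MGMT_IF (this is the IP you browse to) =="
  ip -4 addr show "$MGMT_IF"
  for a in $(ip -4 -o addr show "$MGMT_IF" | awk '{print $4}' | cut -d/ -f1); do
    if in_subnet "$a" "$VMNET8_NET" "$VMNET8_MASK"; then
      echo "$a is inside $VMNET8_NET/$VMNET8_MASK: good"
    else
      echo "WARNING: $a is not on VMnet8; the Windows VM will not reach it"
    fi
  done

  echo "== monitor interface flags on $MON_IF =="
  local link
  link=$(ip link show "$MON_IF")
  if has_promisc "$link"; then
    echo "$MON_IF is promiscuous: good"
  else
    echo "WARNING: $MON_IF is not promiscuous; check the hypervisor, not Security Onion"
  fi

  echo "== waiting up to 30s for 5 ICMP packets on $MON_IF (ping the gateway from Windows now) =="
  sudo timeout 30 tcpdump -ni "$MON_IF" -c 5 icmp
}

# Only run the live checks when asked; without --run the file just defines
# the helpers so it can be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `bash so-checks.sh --run` after setup and again after the Windows node is installed; the tcpdump step only shows packets if you ping the gateway from the Windows VM while it is waiting. If the monitor NIC is not PROMISC, the usual culprit is the hypervisor rather than Security Onion: on a Linux host, VMware Workstation only grants promiscuous mode when your user can write to the /dev/vmnet* devices, while on a Windows host it is allowed by default.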
Step 4. Building a Windows 11 Node.
For this step you will build a Windows 11 test VM. This VM will be used to access the SO instance via web browser and to run Atomic Red Team.
The best way to approach this process is to download an ISO and install the Windows VM as if you were installing windows off-line on your computer. John Hammond does a fantastic walkthrough here:
Step 5. Install VMware Tools
Make sure your Windows VM is fully shut down. Right click the Windows 11 VM in VMware and select Settings.
Select CD/DVD (SATA) and click Use ISO image file. Navigate to where you installed VMware Workstation (by default C:\Program Files (x86)\VMware\VMware Workstation) and pick windows.iso, the VMware Tools disc.
Log on to the Windows VM and open Explorer. The Tools ISO shows up as a DVD drive (not the C: drive); open it and run setup64.exe. You should see the following setup dialog. Just go with the defaults.
Once the setup is complete, open a PowerShell window and ping your gateway. For example:
This confirms you have a connection and also creates some traffic for you to observe in the web interface. Once it is successful, open your web browser and go to https://managerIP (ex. https://192.168.246.131). Security Onion serves the interface over HTTPS with a self-signed certificate, so accept the browser warning for the lab.
Log in with the email address and password you set for the web interface during setup (not the OS admin account). You should be greeted with the following dashboard:
The two VMs are operational and in place!!!
Conclusion
In this article we outlined the process we are going to take to recreate Peter Di Giorgio's Detection Engineering research project from 2021.
We walked through the process of building a standalone instance of Security Onion.
We installed VMware Tools on the Windows instance.
We verified the SO install with our Windows VM system by pinging the gateway.
We connected to the Security Onion Dashboard.
For Part 2 we will install the Wazuh agent on Windows 11 and integrate it with the Security Onion tool suite. One caveat to plan around: Security Onion 2.4 no longer bundles Wazuh (it ships Elastic Agent instead), so reproducing the paper's Wazuh setup on 2.4.20 will need a separate Wazuh manager or an equivalent built on Elastic Agent. We'll also build an Atomic Red Team instance on the Windows VM and run our first test. Thank you very much for joining me on this journey and I hope to share more of what I am learning in the future.