MITRE Att&ck Framework
Mittre Att&ck is a knowledge base of adversary tactics and techniques. This resource attempts to comprehensively categorize all known methods of accomplishing adversarial tactics.
It is a great resource to know how to use. Not something you need to or perhaps even can memorize. I found value in reading through all the different techniques, Googling what I did not understand.
Threat Intelligence Resources
Threat Intelligence Research Groups
You will find many threat research publications and blogs. The groups specified bellow generally offer information relevant to an operational level of understanding. Tactical Intelligence sources are provided bellow in Threat Intel Content Development.
Security Vendors Threat Blogs
Federal Agency Threat Blogs
Meet the Adversaries
Resources to learn about the adversaries that are prolific enough to be identified, named, and tracked.
Basic Web Resources for Operations or Research
Threat Intell Content Development
tags: #file #url #domain #host
IBM X-Force Exchange
tags: #ip #url #domain #email #cve #cidr #filehash #filepath #mutex #yara #tag
Open Threat Exchange
tags: #ip #url #domain #email #cve #cidr #filehash #filepath #mutex #yara
tags: #domains #host #ips #sslcert #contactemail
tags: #domain #ip
tags: #domain #ip #contactemail
tags: #doamin #ip #email #organization
tags: #domain #ip #filehash #email #ssl #ua #filename #registry #mutex
Email Analysis Tools
External Research Tools
Other Favored Blogs
Train Hard, Train Smart
The InfoSec profession does require a good deal of knowledge; but high performing security practitioners are those with an equally impressive skill set through which they can act on that knowledge. Simulations are a great way to strengthen and develop these skills.
Capture the Flag or CTF exercises are a great way to understand some of the tools and thought process of an adversary. Typically, CTF style exercises involve compromising systems to find hidden flags which prove the accomplishment of some gained level of access. While they primary simulate activity of an adversary, you can also attempt to monitor the exercise environment and then review the generated artifacts to practice finding attacks in audit data. This can include system logs from a compromised device, a firewall or IDS such as Suricata and Snort, a network traffic analysis tool such as Zeek, or even simply a packet capture from the exercise.
VulnHub is a created repository of community contributed VMs made vulnerable by design for various training purposes. While you can attempt to detect your self in logs, nothing prohibits you from attempting to secure the VMs from the same attacks you used to gain access.
My home lab consists of the following networks
The following is just some details on what my current home lab looks like. At most, it contains some recommendations. It certainly is not optimal.
- A class B network for community made CTF targets such as those from VulnHub.
- A class B “Attack Targets” network
- Security monitoring controls and domain resources share a VLAN.
- A class C client network for my laptops or attacking VMs.
- A class B network for log collection (Logstash and Splunk Universal Forwarder)
- A Pfsense Firewall that connects to an interface on my home WiFi + Router Combo. This Firewall will be your edge.
The Attack Targets network consists of multiple operating systems both server and client with multiple versions. This network contains various services designed to mimic what might be found in a typical environment. It has grown organically over the years. I advise creating several snapshots of “golden images” that contain configuration for security monitoring software such as Sysmon, Splunk UF, or Logstash. Another alternative is to use something like Ansible or Puppet to automate this configuration.
Pro Tip: I use KVM; however, if you use ESXi, you can take various partial snapshots before major security updates or periodically. This can allow you to restore or create new VMs from snapshots to test attacks on vulnerabilities you may have patched in your environment. I have found this to save on storage requirement
Security Monitoring for Attack Targets
- Windows Event Logs (System, Security, and Application)
- Periodic output of various admin tools (netstat, pslist, etc) Splunk UF is used to Collect Logs + run scripts
- /var/log/syslog (syslog-ng)
- Periodic output of various admin tools (netstat, pslist, etc
A simple $30 TP link switch allows me to select one network interface to use as a mirror for the rest of my networking interfaces. This allows me to use Corelight with a home client to send Zeek and Suricata logs to my Splunk and ELK stack.
Note: I had also performed packet captures with this device in the past; however, am unaware if that would interfere with Corelight currently.