Contents

SOC: Automation Homelab

   Oct 15, 2024     7 min read

Security Operation Center: Automation Homelab Configuration

  • Objective: Security Operation Centers (SOC) are commonly centralized units that monitor, prevent, detect, investigate, and repsond to cyber threats on a 24/7 basis.
  • **Common Roles: **SOC Manager, SOC Analyst, SOC Engineers, Incident Responders, Threat Hunters, Forensic Analysts, Vulnerability Analysts, Data Analysts, Threat Intel Analysts, Compliance Specialists,

  • Typical components: SIEM, IDS/IPS, XDR, Firewalls, SOAR, Vulnerability Scanners, Network Monitoring Tools, Log Management, Ticketing, DLP, Active Directory

  • In this lab, we will be using Wazuh as the SIEM and XDR, Shuffle as the SOAR, Virtual Total as an enrichment source for IoCs, and TheHive as a case management platform. Telemetry will be generated from the Wazuh Agent, for this example we will use mimikatz.exe, but there will be a future lab focused on red teaming this blue team environment to see how we can further improve the security stance.

Lab Topology:

Splunk

Telemetry - sensors collect data from equipment, this data is transmitted via a path to designated receiving equipment, which then processes and analyzes the data then present it.

Wazuh Agent & Manager & TheHive

Wazuh Agent - ensure that you check to see which operating systems Wazuh agents support. In this example, I want to use Windows and Wazuh supports all ediitions of Windows 10. Proceeding, you will need to find an .iso file. Also, I will be hosting this iso image in VMWare Workstation Pro 17. I enjoy using all kinds of hypervisors, I noticed this one has 33% market share so I thought it would be worthwhile to use.

  • Sysmon (System Monitor) this Windows system service and device driver will monitor and log system activity to help identify what’s going on within the network. This is a part of Sysinternals, which is owned by Microsoft. The details included will be process creations, network connections, file creation and deletion, file creation time changes, driver and DLL loading, raw disk access, registry events, image load, pipe evens, WMI events. Storage: 128 GB, RAM: 4 GB, Processors: 1. Ensure you later download VMware Tools to add helpful functionalities.

Splunk

  • Download Sysmon > Save sysmonconfig.xml > run PowerShell as admin > verify Sysmon64 is running

Splunk

  • We have a fully functional VM and were able to verify the proper services are running.

Splunk

Wazuh: Security Guard components include the Wazuh Manager / Server, Agent, Indexer, and Dashboard. Agents are installed on endpoints, the Manager receives a variety of data from the agents, indexers is a search engine that stores alerts generated by the Manager. Finally, the Dashbpard provides an interface for user friendly data visualization, analysis, and management.

  • Detection and monitoring of security events

TheHive: Incident Manager allows users to create and manage cases, it consists of TheHive Server, Cortex as an analysis engine to observe analyzers, and Malware Information Sharing Platform (MISP) integrations.

  • MISP is Threat intelligence sharing > Threat Indicators, IoCs, TTPs, Contexual Threat Data » shared IoCs and collective intelligence
  • Virus Total is malware and URL analysis > Files, URLs, Hashes, Analysis Reports » Integrate malware analysis into security workflows via API
  • Cortex is automated analysis and response > Observables (IPs, Hashes), analysis results » automate analysis of security observables
  • TheHive incident response and case management > Incidents, Alerts, Case Details, Evidence » team collaboration and response coordination

Splunk

Digital Ocean this platform is for deploying, managing, and scaling applications. It has an interface that can be used in tandem with a variety of tools to manage the cloud infrastructure efficiently. For the next project I will use Proxmox and will set it up as a red team against this blue team environment.

  • Location: can be your preferred data center location
  • Operating systems: Ubuntu 22.04 LTS » LTS means Long-Term Support, leads to a more stable environment
  • Resources - each droplet must be 8 GB of memory for Wazuh & TheHive
  • Authentication - I chose pasword, but you can select SSH key if you’d like.
  • Droplet - scalable VM that runs on top of virtualized hardware. Each droplet is like an independent server used to host websites, databases, and host applications.

Splunk

  • SSH into the server using the public IP address.

  • Firewall these devices monitor and control incoming and outgoing network traffic based on predetermiend security rules. It acts as a barrier between your trusted internal network and untrusted external networks, such as the internet. If your building has a security guard, when someone unathorized walks into the building, the guard stops them from further proceeding. A firewall will examine data packets and decide whether to allow them through based on security rules. Functions include: packet filtering, stateful inspection, and proxy services.

Splunk

  • In Digital Ocean, perform the same steps for creating TheHive droplet. Ensure the firewall has your ISP issued public IP address in the firewall settings to allow connections to be established.

  • Fast way to install all neccesary Create a text file > navigate to the /etc directory > use nano to create and edit a file > ctrl + o to save + x to exit and use chmod +x to make an executable > ./script.sh will run it

Splunk

  • If you come across the ‘Daemons using outdated librares’, press enter on dbus.service

  • Dependencies this term refers to extenral components, libraries, modules that a software application requires to function correctly. Example: If you’re making a website, you might need a library to help with animations. If you’re building a game you might need a sound library to add music and sound effects.
  • TheHive: Java, Apache Cassandra (database), Elasticsearch (indexing and searching data), and other utilities (git, curl, wget, pip)…

Cassandra this is the primary database. It’s often used to store alert data, incident data, log data, threat intel, user activity data, configuration data, and vulnerability data. nano /etc/cassandra/cassandra.yaml

  • listen_address - change it to TheHive public IP
  • rpc_address - change it to TheHive public IP
  • seeds - change it to TheHive public IP
  • cluster_name - name of cluster

Splunk

Splunk

Ensure that the status is active (running)

Elasticsearch - search engine: used for indexing and searching large volumes of data in databases such as alerts, cases, and observables. configuration file: nano /etc/elasticsearch/elasticsearch.yml

  • Both .yml and .yaml are the same in terms of functionality, some projects may prefer one over the other, but .yaml is more commonly used

  • cluster name - good idea to give this a different name than the others to avoid confusion
  • node name - uncomment
  • network host - uncomment and change it to TheHive’s public IP
  • http port - uncomment it
  • cluster.initial_master_nodes - uncomment and remove the second node

Splunk

Splunk

TheHive configuration: we must change directory ownership to ensure users and groups have proper access to the /opt/thp file path. chown command is used to change ownership of files and directories. -R will apply the ownership change to the specific directory. Ensure you’re in the right directory before typing in the following command.

Also we will need to edit the config file: nano /etc/thehive/application.conf

Splunk

  • db.janusgraph_hostname - change to TheHive public IP
  • db.janusgraph_cluster-name - change to cluster named on Cassandras config file
  • index.search_hostname - change to TheHive public IP
  • application.baseUrl - change to “https://TheHive_IP:9000”

Splunk

Common errors

When we went to verify that all services (elasticsearch, thehive, and cassandra) are running, it was noticed that elasticsearch failed.

Splunk

journalctl -xe this command will view detailed system logs managed by systemd. Jorunalctl will query and display mesages. -x will provide context for log messages to explain in more detail. -e jumps to the end of the journal to show the most recent log entries first.

Splunk

According to the error, Elasticsearch’s main Java proces (pid=54844) was killed by OOM (out of memory) killer, the device is trying to free up some RAM. Elasticsearch was singled out because its relatively larger.

Splunk

I was looking to connect to TheHive but kept getting an error: ERR_CONNECTION_REFUSED, this tells me to check the service and see if its running, the port is not open. Journalctl was not as helpful to figure out the underlying reason for TheHive startup issues, the command will only show systemd’s view. we should check the /var directory for logs that contain lines marked Error, Exception, or Caused by.

Splunk

Splunk

Had to restart all services, the logs were pointing at Cassandra, JanusGraph could not connect to Cassandra on port 9042, it seems like TheHive’s storage layer was unable to reach Cassandra. When TheHive cannot establish its backend storage connection, it will exit with a failure code as relayed.

Splunk

TheHive web page should now load and you can try the default credentials: username is admin@thehive.local, password is secret

  • I encountered an Authenticaton_Error, services are running.

Splunk