Skip to content
/ Cyber_Defense_Lab Public

This controlled lab environment emphasizes practical cybersecurity skills, ethical practices, and the importance of proactive defense strategies.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

A9u3ybaCyb3r/Cyber_Defense_Lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

237 Commits
Attack Simulation
Attack Simulation
 
 
Incident Response
Incident Response
 
 
Lab Setup Guide
Lab Setup Guide
 
 
Report
Report
 
 
README.md
README.md
 
 

Repository files navigation

Cyber Defense Lab

Objective:

The project aims to simulate a phishing attack in a controlled lab environment and demonstrate the full incident response lifecycle, from attack preparation and execution to threat detection, analysis, and mitigation, using tools like Splunk, Snort, Sysmon, and LimaCharlie. It follows the NIST Incident Response Plan and Cyber Kill Chain framework to provide hands-on experience in detecting, analyzing, and responding to cyber threats while identifying key Indicators of Compromise (IOCs) and improving security measures.

Overview

The project follows the NIST Incident Response Plan for blue teaming and the Cyber Kill Chain for red teaming. The workflow consists of several phases:

  1. Preparation Phase: Setting up defenses.
  2. Attacking Phase: Simulating a cyber attack.
  3. Detection, Analysis, and Response Phases: Handling the incident.
  4. Post-Incident Activities: Discussing lessons learned and improvements.

Attack Scenario

On a standalone Windows 10 machine, an attacker sends a phishing email containing a malicious payload disguised as a critical software update. The victim downloads and executes the payload, establishing a reverse TCP connection to the attacker’s machine using DS Viper. To make the attack more realistic, the attacker employs techniques to bypass Windows Defender. The attacker escalates privileges, creates a new user account, and compromises the machine, gaining admin access. Sensitive data is exfiltrated from the machine, and the attacker clears logs to erase traces of the attack.

Skills Learned:

  • Intrusion Detection: Configuring Snort IDS to identify and alert on network-based threats.
  • Endpoint Threat Monitoring and Response: Using LimaCharlie EDR to detect and contain endpoint threats in real-time.
  • Security Information and Event Management (SIEM): Setting up and managing Splunk SIEM for log analysis, alert configuration, and network anomaly tracking.
  • Incident Response: Applying the NIST Incident Response Plan framework to handle each phase of cyber incidents, from detection through to remediation.
  • Threat Analysis: Leveraging the MITRE ATT&CK Framework and Cyber Kill Chain to analyze attacker tactics, techniques, and procedures (TTPs).
  • Threat Simulation: Creating realistic attack simulations, including phishing campaigns, reverse TCP sessions, and persistence tactics, for testing detection and response capabilities.
  • Blue Team Operations: Building defensive security skills and applying them to monitor, detect, and respond to threats in an Active Directory environment.
  • Network Traffic Analysis: Gaining insights into network behavior, identifying suspicious patterns, and filtering malicious traffic.
  • Malware Analysis Fundamentals: Basic reverse-engineering of malware behaviors, such as persistence and lateral movement, to understand the threat landscape.

Tools Used in the Lab

This lab leverages various industry-standard tools and frameworks for comprehensive threat detection and incident response:

  1. Snort IDS - Network intrusion detection system for real-time monitoring and alerting on suspicious network traffic.

  2. LimaCharlie EDR - Endpoint Detection and Response platform providing continuous endpoint monitoring, threat detection, and response.

  3. Sysmon - Windows system service and device driver that monitors and logs critical system activity to the Windows Event Log

  4. Splunk SIEM - Security Information and Event Management system for log analysis, alerting, and security incident management.

  5. Cyber Kill Chain - A model that breaks down each phase of an attack, assisting in identifying and mitigating threats at various stages.

  6. Meterpreter - A Metasploit payload used to simulate attacks, such as reverse shells, persistence tactics, and lateral movement.

  7. NIST Incident Response Plan - Structured framework for managing each phase of incident response, from preparation to recovery.

Each tool is integral to achieving a practical and robust cybersecurity defense and incident response setup.

Disclaimer

This project is intended solely for educational and research purposes in a controlled lab environment. All simulations, tools, and techniques demonstrated are designed to enhance knowledge in cybersecurity defense and incident response. Do not deploy or execute any offensive security techniques or tools against systems you do not have explicit permission to test.

Unauthorized access, testing, or modification of networks or systems is illegal and unethical. The project creator is not responsible for any misuse of the provided information or tools. Please adhere to legal and ethical guidelines when practicing cybersecurity skills.

About

This controlled lab environment emphasizes practical cybersecurity skills, ethical practices, and the importance of proactive defense strategies.

Topics

incident-response cybersecurity siem network-analysis security-training threat-detection home-lab soc-analyst

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published