Home Lab Setup | Building an Effective Cybersecurity Learning Environment
Home or online labs are crucial for advancing your cybersecurity career as a SOC Analyst or Penetration Tester. It is also a great way to gain the hands-on experience and talking points needed to succeed in job interviews.
Disclaimer: This is only a guide and not inclusive of every single tool in the industry. It’s in your best interest to research via Google and YouTube as well for additional information.
Home Lab Setup
Having a home or online lab is crucial for advancing your career in information security. It is also a great way to gain the hands-on experience and talking points needed to succeed at job interviews. You should be willing to experiment and “break” things in your lab. Troubleshooting errors and solving problems will help you learn the ins and outs of hardware, software, and networking. Additionally, it will provide you the ability to talk about tools, techniques, and procedures used in the real world. Although most of your tools may be free and have a different name, the concepts of network monitoring and defense will be the same.
Understanding networks will give you a very valuable skillset for your cybersecurity journey. While it is not necessary, you should consider purchasing a separate router and connecting it to the one already given to you by your service provider. It helps keep your lab environment isolated from your home environment. Also, spend some time familiarizing yourself with the service provider’s router as well. Chances are, it has a default username and password that hasn’t changed. Log in to the router’s console and take a look at the current settings and options. You may want static IP addresses for your home devices, a guest network, or even an IPv6 island for testing (more on that later). Another crucial concept is to understand the difference between Bridged, NAT, and Host-only network configurations.
Hardware is crucial because it will contain most, if not all, of your processing power and memory. If you’re just starting, you should be just fine using your laptop. Today, a typical laptop can host two or three virtual machines without any issues. If you want to step it up, you can invest a little into a portable server… feel free to customize these systems as you see fit! Once you have some lab experience and you’re ready to take things to the next level, you can purchase refurbished servers. Just keep in mind that they may require additional power sources and cooling.
A hypervisor comes in two forms, Type I or Type II. We will most likely start with a Type II. It is software that allows you to use the processing power of your hardware (laptop/CPU/server) to create and operate virtual machines (VMs). Think of a virtual machine as having a computer inside a computer. Essentially, the hypervisor is your virtual machine manager.
With virtualization, you can quickly create VMs and save the state of a VM should you need to revert to that point in time. It is also excellent for testing and development environments.
As experience with your lab grows, you will notice that the ability to use virtualization gets addictive, and you will want more machines. That will require more space and processing power. All of the leading cloud providers allow you to create VMs with the click of a button. Look into DigitalOcean, Amazon AWS, Google Compute Engine, and Microsoft Azure. In case you want to scale later, it would help to do some comparison shopping and interface familiarization to find the best service for your needs.
Network Monitoring and IDS/IPS
It is imperative to monitor your network so you can better understand the types of traffic and information that may flow through it. It is also helpful to understand “why” everything works the way it does. An excellent tool for the protocol analysis aspect of network monitoring is Wireshark. Regardless of what area of cyber interests you, becoming familiar with Wireshark is the way to go. It is also suggested to learn tcpdump as a quick command-line alternative.
A great IDS option is Security Onion; you can check out our article How to Gain Hands-On Cybersecurity Experience w/ Security Onion for more details. Doug Burks and the Security Onion Solutions team consistently produce ISOs with updated builds, so be sure to keep your instance up to date.
Being able to detect vulnerabilities is another crucial part of network defense and exploitation. Just like any other technology, there are many different tools available. Now, discovering vulnerabilities is a little different than finding malware. For that, you can use any of the 60 or so antivirus engines out there. We’ll also save that for a later date.
An excellent place to start is with the Nmap Scripting Engine (NSE). It’s free, and it contains hundreds of scripts that you can use separately or chained together to serve as your vulnerability scanner. Popular options include OpenVAS, which comes preinstalled in Kali Linux, or Nessus, which is free for the first 16 IP addresses.
The firewall is only as good as its access control list and signatures, and attackers will continuously try to work around both. No matter the operating system, you should familiarize yourself with your host-based firewall. It is always good to know what ports and services are allowed in and out of your host. For Ubuntu Linux users, you should learn about iptables.
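As an added example (not from the original article), the script below audits the output of `iptables -S` on a lab host: it reads the INPUT chain policy and every rule that accepts a destination port, then flags a non-DROP policy and any port reachable from every source. The ruleset it runs against is a constructed sample, and the lab subnet 192.168.56.0/24 is an assumption.

```python
"""Audit an iptables INPUT ruleset for a lab host (added example)."""
# Constructed sample in the format `iptables -S` prints; not from a real host.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.56.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
"""

def parse_rules(text):
    """Return (policies, accepted): chain policies and a list of
    (proto, port, source) for each INPUT rule accepting a destination port."""
    policies, accepted = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":                      # chain default policy
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A" and parts[1] == "INPUT" and "ACCEPT" in parts:
            proto = port = None
            source = "0.0.0.0/0"                  # any source unless -s narrows it
            for i, tok in enumerate(parts):
                if tok == "-p":
                    proto = parts[i + 1]
                elif tok == "--dport":
                    port = int(parts[i + 1])
                elif tok == "-s":
                    source = parts[i + 1]
            if port is not None:                  # skip lo / conntrack rules
                accepted.append((proto, port, source))
    return policies, accepted

def audit(text):
    """Flag an INPUT policy other than DROP and any port open to every source."""
    policies, accepted = parse_rules(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s; set it to DROP" % policies.get("INPUT"))
    for proto, port, source in accepted:
        if source == "0.0.0.0/0":
            findings.append("%s/%d accepted from any source" % (proto, port))
    return findings
```

Feed it the real output of `sudo iptables -S` on your lab host and compare the findings against the services you actually meant to expose.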
If you wanted to take it a step further, I’d invest some time and energy in getting familiar with pfSense®. Besides being free, pfSense can also serve as your router, VPN solution, and much more. The pfSense install and configuration are a bit advanced, so be sure to take your time, watch plenty of YouTube tutorials and practice, practice, practice!
Security Information and Event Management (SIEM) Tools
SIEM tools are perfect for analyzing various types of data inputs in near real-time. Also, because most are web-based, with the proper configuration, you can monitor your home or work environment from anywhere in the world. Yes, HTTPS is your friend! I’d recommend Splunk, which is free for the first 500MB a day. Depending on your setup, you may be able to get away with this. At a minimum, you can send your logs from your Windows 2012 Server (more on that soon) to the Splunk box. You can easily send over your Nessus results as well.
Adding Virtual Machines
If you made it this far, great. Eventually, you’ll want some virtual machines to add to your lab to increase your testing and hands-on experience. Here’s a quick list of sites you can use to research, download, and add vulnerable machines to your lab:
- Kali Linux – The most popular choice for an “attack platform.”
- Ubuntu Desktop – We highly recommend familiarizing yourself with this operating system to create a custom attack platform.
- Metasploitable2 (Linux) – The “punching bag” for your early pentesting career. It is already equipped with vulnerable services along with a Web Application Testing Tutorial.
- Metasploitable3 (Windows) – An updated version of Metasploitable built on a Windows Server.
- Windows Server Evaluation Center – Microsoft’s repository for various versions of server software. The licenses typically last about 180 days.
- Microsoft Edge – Provides a 90-day evaluation of Windows 10 so you can test Internet Explorer 11.
- VulnHub – A repository of purposely vulnerable virtual machines.
- OWASP Security Shepherd 3.0 – A web and mobile application security training platform provided by the Open Web Application Security Project (OWASP).
- Damn Vulnerable Web Application (DVWA) – A vulnerable PHP/MySQL application to help better understand web application security.
- Buscador Investigative Operating System – A custom Open Source Intelligence (OSINT) virtual machine.