How to Gain Hands-On Cybersecurity Experience w/ Security Onion

SOC Analysts have highly sought after skills like Incident Handling & Threat Hunting. Tools like Security Onion help you build and maintain a successful career.

Disclaimer: The tools described in this post can lead to incarceration if misused. Please operate on a network where you have the proper authorization to do so.

The goal here is to challenge, motivate, and inspire cybersecurity professionals looking to gain some hands-on experience. During my time as a presenter, trainer, and mentor, one of the questions I get all the time is, “How do I gain hands-on experience?” Yes, it is what hiring managers and employers request the most? I’m here to help you solve that problem.

What is Threat Hunting?

Threat Hunting is the proactive activity of searching for malware or attackers that are on your network. 

What is Security Onion (SO)?

Security Onion is a FREE and open-source Linux distro designed for security monitoring, intrusion detection, and log management. Its core components are Elastic Search, which is used to ingest and index logs, Logstash, used parse and format logs, and Kibana which is used to visualize the ingested log data. The combination of these three tools is also known as the ELK Stack. I will walk you through the requirements, setup and installation tasks, requirements, and troubleshooting but if you get stuck you can find a lot of answer in the official Security Onion Documentation

Security Onion also includes tools like:

  • Squert – a web application used to query and view event data, typically IDS alert data, stored in a Squil database
  • Snort – lightweight intrusion detection system (NIDS)
  • Zeek (formally known as Bro) – an open-source platform that performs network security monitoring
  • CyberChef (The Cyber Swiss Army Knife) – a web application, with around 300 operations, that easily provides for tasks like encoding, encryption, and conversions of various data types

Requirements:

  • Standard Intel/AMD 64-bit processors only
  • Two network interfaces (Bridged)
  • Management Interface (DHCP or preferably static IP) – allows administrators and analysts to access the web portal
  • Monitoring Interface (no IP) – does nothing but “listen” to the network traffic
  • Uninterruptible Power Supply (UPS) (optional)
  • 4 CPU Cores
  • 8GB Memory
  • 40GB+ ROM (Hard Drive Space)

Installation & Setup

The first challenge is to research how to install properly and setup Security Onion. As always, you should go to the source. That would be the original video series by Doug Burks and his team at Security Onion. Should you need additional assistance, Jesse Kurrus (Jesse K) has an excellent, and more up to date video on his YouTube channel.

Update Software

This is the command to run after setting up your interfaces and tools (most likely Evaluation Mode). Do not run the update at the beginning of the install.

# sudo soup

Allow access to https

There are multiple ways to edit the firewall to allow access to the tools (Kibana, Squert, etc.) via the web. On my network, since I know I’m the only one using it, I just allow port 443. The so-allow command allows you to be a little more granular with your access.

# sudo ufw allow 443
# sudo so-allow

Troubleshooting

Restarting Kibana

Sometimes you have to restart the Kibana service. This is the first command I issue when Kibana isn’t creating new logs.

# sudo so-kibana-restart

Restart all services

It is sporadic, but there are times where I would just restart all of the services.

# sudo so-restart

Adding another user

Typically, you would just use the account you created during the initial setup stage. There may be teams where you want to allow your colleagues, family, friends, or students 😉 web access to your tools (Kibana, Squert, etc.). In this case, you would issue the following commands.

# sudo so-user-add

About Kibana (Threat Hunting)

One of the two tools we’ll focus on at the moment is Kibana. It lets you visualize your Elasticsearch data. Its mostly a GUI version of Wireshark … but on steroids. It allows you to track all of the traffic captured by your monitoring interface and displays it in a very pleasing visual format. Kibana also will enable you to filter certain aspects of all the traffic you captured for Threat Hunting purposes.

  • Elastic – Kibana 
  • Security Onion (Read the Docs) – Kibana

About Squert (Intrusion Detection)

Squert is a web application used to query and view event data stored in a Squil database. It is the primary tool used to view alert data from the built-in Intrusion Detection System (IDS). In a nutshell, it will display all the alerts created by the Snort IDS rules. Yes, you can switch to Suricata if you like.

  • Squert Project – Squert 
  • Security Onion (Read the Docs) – Squert 
  • Bammv (GitHub) – Squil 
  • Security Onion (Read the Docs) – NIDS 

Creating .pcap files

To create sample .pcap files, you will need a protocol analyzer (Wireshark or TCPDump) to capture the traffic and a tool to issue enumeration commands that creates the traffic. A common example is the use of Wireshark Capture Filters. You can also fine-tune your results with the help of Wireshark Display Filters.

Wireshark

Sample capture filters
Capture filters allow you to filter your initial traffic capture. The following are just a few options:

  • host [attacker ip]
  • net [source subnet]
  • not arp
  • dst net [destination subnet]
  • portrange 1-1024
  • tcp port 23
  • udp port 167
  • host www.cover6solutions.com
  • ip6

     

  • Wireshark – Capture Filters

Sample display filters
Display filters allow you to filter the traffic from the initial capture.

  • ip.addr == [attacker ip]
  • ip.dst == [your ip address]
  • ip.src == [attacker ip] && ip.dst == [your ip address]
  • telnet
  • ipv6

     

  • Wireshark – Display Filters

An amazing feature of Security Onion is that it already contains a sample .pcap files. They are found in the /opt/samples directory.

Sample Enumeration Tools & Commands

NBTScan

A tool used to discover the NetBIOS name information.

# nbtscan [target(s)]
# nbtscan -v [target(s)]

 

Nmap

Free network mapper used to discover hosts and services on a computer network.

Verbose | host discovery (ping sweep) | only show “alive” hosts

# nmap -v -sn [target(s)] --open

Verbose | very fast | port discovery (half open/stealth scan) |  don’t ping | top 10 most popular ports | only show open ports

# nmap -v -T4 -sS -Pn --top-ports 10 [target(s)] --open

Verbose | very fast | full connect, TCP port discovery | don’t ping | top 50 ports | only show open ports

# nmap -v -T4 -sT -Pn -F [target(s)] --open

Verbose | very fast | UDP port discovery | don’t ping | top 50 ports | only show open ports

# nmap -v -T4 -sU -Pn -F [target(s)] --open

Verbose | very fast | service version discovery | don’t ping | all ports | only show open ports

# nmap -v -T4 -sV -Pn -p- [target(s)] --open

Verbose | very fast | spoof the source IP 8.8.8.8 | port discovery half open (stealth scan) | top 50 ports | only show open ports

# nmap -v -T4 -D 8.8.8.8 -sS -F [target(s)] --open

Importing & Replaying .pcap Files

Whether you have personally created .pcap files, acquired them from the wild, or you decided to use the built-in samples, you can use the import or replay options to have Security Onion ingest the traffic.

There is a big difference between the two. The so-replay-pcap command will have the timestamps of the original files, and the so-import-pcap command will have the timestamp of the day/time you imported the file.

# sudo so-replay-pcap [filename]
# sudo so-import-pcap [filename]

 

Extra Practice & Challenges

Learn additional Nmap and enumeration commands (tools)

  • Learn additional Wireshark display and capture filters
  • Create a blog post or video of your custom snort signature alerting you based off of network activity you created
  • Create an entire website or GitHub account dedicated to your research
  • Malware Traffic Analysis Exercises (Brad Duncan @malware_traffic)
  • Practice analyzing Wireshark SampleCaptures 
  • Take your .pcap analysis to the next level, learn to use Zeek (formerly Bro) to break down further and analyze your packet captures
  • Create a publicly accessible Security Onion instance in the cloud
  • Create a series of .pcap challenges for yourself, friends, family, or colleagues
  • Create a working instance of Metasploitable 3 on your network

Closing Remarks

  • Take notes! Computers run out of memory so will your brain
  • Consider how the entire process of researching and understanding a tool, installing it, troubleshooting the issues, and finally getting it to work made you feel
  • Being able to do just that is what will bring you lots of success in the information security industry
  • Upon completion, Security Onion and tools, concepts, and technologies could be a large portion of critical words and selling points for your resume
  • We would not do you justice if we did not mention the MITRE ATT&CK® Framework. To be a good defender, you must be aware of the offensive Tactics, Techniques, and Procedures (TTPs). ATT&CK, a globally-accessible knowledge base of real-world observations allows you to familiarize yourself 100’s of tactics along the with the associated tools and adversaries that use them
  • You can now speak to and say you have experience:
  • Analyzing some of the worst malware tactics, techniques, and procedures (TTPs)
  • Analyzing .pcap files for fun to identify various Indicators of Compromise (IOC’s)
  • IP & email addresses, file names & hashes, email headers, etc.
  • Performing various Incident Handling & Response Procedures
  • Implementing different Threat Hunting Procedures
  • If you told a hiring manager or employer that you set up your network defense solution and you monitor your home network, perform incident handling and threat hunting, and you research and analyze network traffic from the top malicious threats of the past five years, then there is a very high chance you will get the job
  • Embrace the journey and the struggles
  • You WILL need to make sacrifices to be better
  • Be confident in yourself and yes you belong here too

You can be ANYTHING you want in this industry and I will ALWAYS be here to assist

 

Additional Threat Hunting Resources