SOC Lab: Building a Cybersecurity Environment for Threat Detection and Defense

Creating a home cybersecurity lab is one of the most effective ways to gain a deep understanding of network security, traffic management, and threat mitigation. This project was designed to provide a comprehensive learning experience by simulating both offensive and defensive cybersecurity tactics in a controlled environment. By setting up a virtual lab using tools like Kali Linux, Windows 10, pfSense, Snort, and Splunk, I was able to develop hands-on skills in detecting, investigating, and responding to cyber threats. The goal was not only to understand how attacks are carried out but also to learn how to effectively monitor and defend against them through real-time log analysis.

System Architecture Overview

To understand the components of this setup, let’s first clarify the system architecture:

Virtualization Platform:

VMware Workstation Pro (or VirtualBox as an alternative) was used to host the virtual machines. VMware offers advanced features that are ideal for creating and managing virtualized environments.

Key Machines in the Lab 1. Kali Linux (192.168.19.15) — Splunk Server
A powerful penetration testing tool used as the attacker machine in the lab environment.

Detailed Setup: Setting Up Kali Linux on VMware for Your Cybersecurity Lab

2. Splunk Enterprise — The centralized log server that receives and analyzes logs from pfSense, Windows, and Sysmon.

Detailed Setup: Setting Up Splunk for Log Management on Kali Linux

3. Splunk Universal Forwarder — Installed on Kali to forward logs to the Splunk server.

Detailed Setup: Setting Up the Splunk Universal Forwarder on Kali Linux

4. pfSense (192.168.19.16) — The firewall and router that segregates internal and external traffic.

Detailed Setup: Setting Up pfSense for Network Segmentation and Security Rules

5. Snort — An Intrusion Detection and Prevention System (IDS -Intrusion Detection System/IPS- Intrusion Prevention System) used to monitor network traffic for suspicious behavior.

Splunk Universal Forwarder Setting Up Snort for Network Monitoring on pfSense

Configuring Custom Rules in Snort for Network Monitoring on pfSense Interface: Configuring Custom Snort Rules

6. Windows (192.168.19.12) — The client/server operating system that communicates with both Kali and pfSense.

Detailed Setup: Sysinternals Tools and Sysmon for Windows Monitoring

Splunk Universal Forwarder & Splunk Universal Forwarder

Splunk Universal Forwarder: Setting Up Splunk Universal Forwarder on Windows 10 for Your Cybersecurity Home Lab

Network Configuration:

For efficient communication and functional testing, I configured each machine with two network adapters:

First Adapter (NAT): Configured to NAT (Network Address Translation) mode, allowing each machine to access the internet for updates, tools, and packages.

Second Adapter (Host-Only or Internal Network): Configured to Host-Only or Internal Network mode, creating an isolated network for communication between the virtual machines. This setup facilitated secure, internal traffic and allowed for accurate attack simulations without risking exposure to external networks.

Key Benefits of the Two-Adapter Setup:

1. Isolation of Internal Traffic: Keeps internal traffic isolated within the lab environment, minimizing the risk to the host machine or other networks.
2. Internet Access for Updates: NAT adapter ensures that virtual machines can access the internet for necessary updates.
3. Secure Internal Communication: Host-Only network allows internal communication while keeping external networks segregated.
4. Realistic Attack Simulations: Kali Linux (the attacker) can target Windows 10 (the victim) within the internal network, mimicking real-world attack scenarios.
5. Network Segmentation: pfSense helps to manage both internal and external traffic, simulating real-world segmentation between public and private networks.

Log Capture and Intrusion Detection

By configuring Snort and Splunk in the lab, I was able to capture valuable logs for analysis:

Splunk provided centralized log management, enabling easy access to all logs generated by Kali Linux, Windows 10, and pfSense. These logs were essential for understanding network activity, detecting potential threats, and correlating events.

Snort was used as an IDS to identify suspicious activity. It was configured to generate alerts for anomalies, which were then forwarded to Splunk for further analysis.

Simulating Attacks and Analyzing Logs

With the virtual lab fully set up, I simulated various types of attacks such as network scans, exploits, and brute-force attacks to test how effectively Snort and Splunk could detect and respond. These attacks were carefully designed to emulate real-world scenarios where attackers attempt to bypass security defenses, exploit vulnerabilities, and compromise systems.

Detailed Setup: Simulating Attacks and Analyzing Logs in Your Cybersecurity Home Lab

Project Summary

Event Management During Attacks

Throughout the project, managing events during attacks was crucial to understanding the different phases of a cybersecurity breach. I documented each step of the simulated attacks, including initial access attempts, lateral movement, and data exfiltration, as well as how the defensive tools (Snort, Splunk) detected and responded to each.

A key lesson was differentiating between legitimate security events and false positives. For example, Snort alerts might flag normal network traffic as suspicious due to misconfigured rules. This is a challenge I had to address by fine-tuning Snort’s rule set to avoid false alarms and improve detection accuracy.

Lessons Learned and Problem-Solving Approach

One of the major challenges was configuring pfSense with Snort for traffic monitoring and ensuring that logs were forwarded correctly to Splunk. At first, the log forwarding from pfSense was inconsistent, delaying the log collection process. After adjusting syslog-ng settings and reviewing the firewall and logging configurations, I resolved this issue. This taught me the importance of detailed configuration and how small misconfigurations can prevent effective monitoring.

Another critical takeaway was understanding how IDS systems behave under attack scenarios. By reviewing logs in Splunk, I was able to trace the sequence of events during an attack, correlate suspicious activity across multiple sources, and refine my approach to incident detection and response.

Suggestions for Further Improvement

To enhance the security posture of the lab, I recommend:

1. Tightening Firewall Rules: Adjusting pfSense firewall rules to minimize unauthorized access attempts.
2. Expanding Snort IDS Rules: Including detection for suspicious traffic patterns at both the IP and application levels.
3. Automated Blocking: Configuring Snort to automatically block traffic from suspicious IP addresses upon detection.
4. Incorporating Multi-Factor Authentication (MFA) for accessing management interfaces (like pfSense or Splunk) to add an additional layer of security.

Conclusion and Final Thoughts

This project has provided me with practical, hands-on experience in both offensive and defensive cybersecurity techniques. It has deepened my understanding of network monitoring, threat detection, and incident response, as well as taught me how to adjust security configurations based on attack scenarios.

As I continue to develop my skills in the cybersecurity field, I will refine my approach to threat management and stay proactive in securing networks against evolving cyber threats.