Which blue team Labs do you know?

u1tras

There are plenty of red teams virtual labs where attackers can sharpen their offensive skills. But what about blue teamers? Which blue team labs for sharpening defensive skills do you know (free is preferable)?

supasecuritybro

There isn't a lot of labs for detection online but there are a few people who have built something for you to build.

https://github.com/clong/DetectionLab

There is also a great book called Wireshark for Security Professionals, that book has a lab that they reference as well.

Mooseboost

I think one of the best ways to sharpen your blue team skills is to setup your own lab. There simply isn't a lot of blue team labs online. Best of both worlds is to setup a blue team VM (SecurityOnion or something similiar) and a vulnerable VM, then attack it. It doesn't have to be a VM from VulnHub or anything either. Want to see what an Apache Struts exploit looks like? Setup a vulnerable version and slam it, then go back and review on the blue team VM. What did you see? Could you identify the IOCs? Run exploits on boxes and try to do forensics.You'll improve your blue and red team skills and you will better understand the tools used by both.

u1tras

Thanks a lot! Do you know any paid options?

yoba222

Blue team labs. . . could always download a handful of CIS benchmarks and start hardening away. There's probably a hundred of them you can download from CIS for free.

u1tras

I mean some interactive labs, where you can detect, respond, hunt for threats etc. Like SANS Netwars or ISACA CSX, but cheaper or free at all.

tedjames

I honestly have not heard of any labs like that, but you might find something among these sites:

https://www.checkmarx.com/2015/04/16/15-vulnerable-sites-to-legally-practice-your-hacking-skills/
https://www.checkmarx.com/2015/11/06/13-more-hacking-sites-to-legally-practice-your-infosec-skills/

u1tras

tedjames, thanks for your links. Seems like both of them are about "offense informs defense" approach.

tedjames

u1tras wrote: »

tedjames, thanks for your links. Seems like both of them are about "offense informs defense" approach.

That's the way I see it. The best way to know and beat your enemy is to think like him.

cyberguypr

Boss of the SOC

Haven't tested it myself but have heard it's good.

u1tras

Very interesting cyberguy, thank you!

evopilot

subscribed to this on the basis of your prep, i like what you have done so far, good luck buddy

u1tras

So, what about Immersivelabs? Has anyone tried this? Seems like their Labs contain different blue team exercises (as it's stated on the website).

Danielm7

u1tras wrote: »

So, what about Immersivelabs? Has anyone tried this? Seems like their Labs contain different blue team exercises (as it's stated on the website).

If you have a .edu email address it's free. Very good stuff there if you can access it.

u1tras

Thank you Daniel! I've asked them about access and prices for individual infosec professional, not a student.

u1tras

And the answer from Immersive Labs: "Unfortunately we do not offer individual licenses."

the_Grinch

Blue team stuff is pretty hard to come by in the lab sphere. You could always monitor your own network and see whats rolling around there. Also, for some training with labs perhaps look at the following:

https://www.elearnsecurity.com/course/practical_network_defense/

https://www.elearnsecurity.com/course/threat_hunting_professional/

https://www.elearnsecurity.com/course/digital_forensics_professional/

Good luck!

tedjames

Set up a VM and then create another VM. Attack the first VM from the second (or vice versa) and practice both red and blue teaming at the same time.

JDMurray

Seeing as how a SIEM is a cornerstone in any non-trivial Blue Team, I sure would like an online lab featuring Spunk loaded with plenty of indexed data to practice searches, rule writing, and dashboard creation. I can download and use Splunk Free/Light, but getting sample data (syslog) filled with security issues to discover is the difficult bit.

u1tras

JDMurray, you can use a special prepared "BOSS of the SOC" Datasets for Splunk, as cyberguy suggested earlier.

u1tras

There is a summary of all options we've collected for Blue Team Labs during this thread:
1. Chris Long Detection Lab (free).
2. Hand made Security Onion/Vulnhub lab (free).
3. Boss of the SOC Datasets with Splunk (free).
4. Traffic analysis exercises on Malware-Traffic-Analysis.net (free).
5. Cybrary Insider Pro labs (cheap)
6. SANS NetWars (Core Continuous/DFIR) (very expensive).
7. ISACA CSX Labs (expensive).
8. Immersive Labs (free if you have a .edu email).
9. eLearnSecurity Hera Labs (expensive).

JDMurray

u1tras wrote: »

JDMurray, you can use a special prepared "BOSS of the SOC" Datasets for Splunk, as cyberguy suggested earlier.

That's a good start, but to teach how to be a SOC analyst I need to utilize more capability from Splunk than just searching.

Kapital

u1tras wrote: »

There is a summary of all options we've collected for Blue Team Labs during this thread:
1. Chris Long Detection Lab (free).
2. Hand made Security Onion/Vulnhub lab (free).
3. Boss of the SOC Datasets with Splunk (free).
4. SANS NetWars (Core Continuous/DFIR) (very expensive).
5. ISACA CSX Labs (expensive).
6. Immersive Labs (free if you have a .edu email).
7. eLearnSecurity Hera Labs (expensive).

Thank you for the list. I was looking for security onion course.

jwdk19

Thanks for the list!

KAmes4545

If you're trying to be a soc analyst. I can't recommend enough Investigation Theory - by Chris Sanders https://www.networkdefense.io/home/ This course has great fundamentals of what a security analyst should be and how to get there, it's not all technical. An analyst should be able to read/interpret data, but also be able to communicate their finding. That's why I also recommend Visual Intelligence: Sharpen Your Perception, Change Your Life - by Amy Herman. This was also recommended in Chris's course and that book should be read by every analyst.

u1tras

Thanks KAmes, very interesting resource!

SnotFunk

Why not setup you're own security onion lab, install a SIEM or use Kibana and then use tcpreplay and the pcaps from here:

Malware-Traffic-Analysis.net

Or if you just want to analyse pcaps, use wireshark.

u1tras

SnotFunk wrote: »

Why not setup you're own security onion lab, install a SIEM or use Kibana and then use tcpreplay and the pcaps from here:

Malware-Traffic-Analysis.net

Or if you just want to analyse pcaps, use wireshark.

Interesting resource with traffic analysis exercises! Added to the list.

SnotFunk

Here are some more as well as a link to using sec onion and tcpreplay

https://github.com/Security-Onion-Solutions/security-onion/wiki/Pcaps

nicolettean

Did anyone ever try any of these labs? If so, which ones?

Curious to try one but want to know if one is better than another.

tedjames

nicolettean wrote: »

Did anyone ever try any of these labs? If so, which ones?

Curious to try one but want to know if one is better than another.

I've used bWAPP a bit. It's great if you can actually get it to work. The buggy web app has some bugs...

Test Site is a good practice site as is Supercar Showdown - Supercar Showdown