Which blue team Labs do you know?

u1tras Member Posts: 81 ■■■□□□□□□□
There are plenty of red team virtual labs where attackers can sharpen their offensive skills. But what about blue teamers? Which blue team labs for sharpening defensive skills do you know (free is preferable)?
Certs: OSCP, eCTHP
2019 Goals:
eCTHP (done), FOR578 (done), FOR555 (done), Python (in progress), ELK, eCIR, SEC599, NetWars DFIR, FOR610

Comments

  • supasecuritybro Member Posts: 206 ■■■■□□□□□□
    There aren't a lot of labs for detection online, but there are a few people who have built something for you to build.

    https://github.com/clong/DetectionLab

    There is also a great book called Wireshark for Security Professionals; that book has a lab that they reference as well.
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan:​ AWS-SAA, OSCP, CISM
    Book/CBT/Study Material:​ Max Power
  • Mooseboost Member Posts: 778 ■■■■□□□□□□
    I think one of the best ways to sharpen your blue team skills is to set up your own lab. There simply aren't a lot of blue team labs online. Best of both worlds is to set up a blue team VM (Security Onion or something similar) and a vulnerable VM, then attack it. It doesn't have to be a VM from VulnHub or anything either. Want to see what an Apache Struts exploit looks like? Set up a vulnerable version and slam it, then go back and review on the blue team VM. What did you see? Could you identify the IOCs? Run exploits on boxes and try to do forensics. You'll improve your blue and red team skills and you will better understand the tools used by both.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    Thanks a lot! Do you know any paid options?
  • yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Blue team labs... could always download a handful of CIS benchmarks and start hardening away. There's probably a hundred of them you can download from CIS for free.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • u1tras Member Posts: 81 ■■■□□□□□□□
    I mean some interactive labs, where you can detect, respond, hunt for threats etc. Like SANS Netwars or ISACA CSX, but cheaper or free at all.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    tedjames, thanks for your links. Seems like both of them are about the "offense informs defense" approach.
  • tedjames Member Posts: 1,182 ■■■■■■■■□□
    u1tras wrote: »
    tedjames, thanks for your links. Seems like both of them are about the "offense informs defense" approach.

    That's the way I see it. The best way to know and beat your enemy is to think like him.
  • cyberguypr Mod Posts: 6,928 Mod
    Boss of the SOC

    Haven't tested it myself but have heard it's good.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    Very interesting cyberguy, thank you!
  • evopilot Member Posts: 16 ■□□□□□□□□□
    Subscribed to this on the basis of your prep. I like what you have done so far. Good luck, buddy.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    So, what about Immersive Labs? Has anyone tried this? Seems like their labs contain different blue team exercises (as it's stated on the website).
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    u1tras wrote: »
    So, what about Immersive Labs? Has anyone tried this? Seems like their labs contain different blue team exercises (as it's stated on the website).
    If you have a .edu email address it's free. Very good stuff there if you can access it.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    Thank you Daniel! I've asked them about access and prices for an individual infosec professional, not a student.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    And the answer from Immersive Labs: "Unfortunately we do not offer individual licenses."
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Blue team stuff is pretty hard to come by in the lab sphere. You could always monitor your own network and see what's rolling around there. Also, for some training with labs perhaps look at the following:

    https://www.elearnsecurity.com/course/practical_network_defense/

    https://www.elearnsecurity.com/course/threat_hunting_professional/

    https://www.elearnsecurity.com/course/digital_forensics_professional/

    Good luck!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • tedjames Member Posts: 1,182 ■■■■■■■■□□
    Set up a VM and then create another VM. Attack the first VM from the second (or vice versa) and practice both red and blue teaming at the same time.
  • JDMurray Admin Posts: 13,101 Admin
    Seeing as how a SIEM is a cornerstone in any non-trivial Blue Team, I sure would like an online lab featuring Splunk loaded with plenty of indexed data to practice searches, rule writing, and dashboard creation. I can download and use Splunk Free/Light, but getting sample data (syslog) filled with security issues to discover is the difficult bit.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    JDMurray, you can use the specially prepared "BOSS of the SOC" datasets for Splunk, as cyberguy suggested earlier.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    Here is a summary of all options we've collected for Blue Team Labs during this thread:
    1. Chris Long Detection Lab (free).
    2. Hand made Security Onion/Vulnhub lab (free).
    3. Boss of the SOC Datasets with Splunk (free).
    4. Traffic analysis exercises on Malware-Traffic-Analysis.net (free).
    5. Cybrary Insider Pro labs (cheap).
    6. SANS NetWars (Core Continuous/DFIR) (very expensive).
    7. ISACA CSX Labs (expensive).
    8. Immersive Labs (free if you have a .edu email).
    9. eLearnSecurity Hera Labs (expensive).
  • JDMurray Admin Posts: 13,101 Admin
    u1tras wrote: »
    JDMurray, you can use the specially prepared "BOSS of the SOC" datasets for Splunk, as cyberguy suggested earlier.
    That's a good start, but to teach how to be a SOC analyst I need to utilize more capability from Splunk than just searching.
  • Kapital Member Posts: 33 ■■□□□□□□□□
    u1tras wrote: »
    Here is a summary of all options we've collected for Blue Team Labs during this thread:
    1. Chris Long Detection Lab (free).
    2. Hand made Security Onion/Vulnhub lab (free).
    3. Boss of the SOC Datasets with Splunk (free).
    4. SANS NetWars (Core Continuous/DFIR) (very expensive).
    5. ISACA CSX Labs (expensive).
    6. Immersive Labs (free if you have a .edu email).
    7. eLearnSecurity Hera Labs (expensive).
    Thank you for the list. I was looking for a Security Onion course.
  • jwdk19 Member Posts: 70 ■■■□□□□□□□
    Thanks for the list!
  • KAmes4545 Member Posts: 13 ■■■□□□□□□□
    If you're trying to be a SOC analyst, I can't recommend enough Investigation Theory by Chris Sanders: https://www.networkdefense.io/home/ This course has great fundamentals of what a security analyst should be and how to get there; it's not all technical. An analyst should be able to read/interpret data, but also be able to communicate their findings. That's why I also recommend Visual Intelligence: Sharpen Your Perception, Change Your Life by Amy Herman. This was also recommended in Chris's course and that book should be read by every analyst.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    Thanks KAmes, very interesting resource!
  • SnotFunk Registered Users Posts: 4 ■□□□□□□□□□
    Why not set up your own Security Onion lab, install a SIEM or use Kibana, and then use tcpreplay and the pcaps from here:

    Malware-Traffic-Analysis.net

    Or if you just want to analyse pcaps, use Wireshark.
  • u1tras Member Posts: 81 ■■■□□□□□□□
    SnotFunk wrote: »
    Why not set up your own Security Onion lab, install a SIEM or use Kibana, and then use tcpreplay and the pcaps from here:

    Malware-Traffic-Analysis.net

    Or if you just want to analyse pcaps, use Wireshark.

    Interesting resource with traffic analysis exercises! Added to the list.
  • SnotFunk Registered Users Posts: 4 ■□□□□□□□□□
    Here are some more as well as a link to using sec onion and tcpreplay

    https://github.com/Security-Onion-Solutions/security-onion/wiki/Pcaps
  • nicolettean Member Posts: 19 ■■■□□□□□□□
    Did anyone ever try any of these labs? If so, which ones?

    Curious to try one but want to know if one is better than another.
    2018 Goals - AWS Certified Solutions Architect


    Linkedin Profile : https://www.linkedin.com/in/andrew-nicolette-454721109/
  • tedjames Member Posts: 1,182 ■■■■■■■■□□
    Did anyone ever try any of these labs? If so, which ones?

    Curious to try one but want to know if one is better than another.

    I've used bWAPP a bit. It's great if you can actually get it to work. The buggy web app has some bugs...

    Test Site is a good practice site, as is Supercar Showdown.