Which blue team Labs do you know?

u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
There are plenty of red teams virtual labs where attackers can sharpen their offensive skills. But what about blue teamers? Which blue team labs for sharpening defensive skills do you know (free is preferable)?
Certs: OSCP, eCTHP
2019 Goals:
eCTHP (done), FOR578 (done), FOR555 (done), Python (in progress), ELK, eCIR, SEC599, NetWars DFIR, FOR610

Comments

  • supasecuritybro Posts: 206, Member
    There aren't a lot of labs for detection online, but there are a few people who have built something for you to build.

    https://github.com/clong/DetectionLab

    There is also a great book called Wireshark for Security Professionals, that book has a lab that they reference as well.
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan: AWS-SAA, OSCP, CISM
    Book/CBT/Study Material: Max Power
  • Mooseboost, Senior Member, Posts: 775
    I think one of the best ways to sharpen your blue team skills is to set up your own lab. There simply aren't a lot of blue team labs online. The best of both worlds is to set up a blue team VM (Security Onion or something similar) and a vulnerable VM, then attack it. It doesn't have to be a VM from VulnHub or anything either. Want to see what an Apache Struts exploit looks like? Set up a vulnerable version and slam it, then go back and review on the blue team VM. What did you see? Could you identify the IOCs? Run exploits on boxes and try to do forensics. You'll improve your blue and red team skills and you will better understand the tools used by both.
    2020 Certification Goals: OSCE GXPN
    Blog: https://hackfox.net
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    Thanks a lot! Do you know any paid options?
  • yoba222 Posts: 1,068, Member
    Blue team labs... you could always download a handful of CIS benchmarks and start hardening away. There's probably a hundred of them you can download from CIS for free.
    2017: GCIH | LFCS
    2018: CySA+ | PenTest+ |CCNA CyberOps
    2019: VHL 20 boxes
    2020: OSCP, eCPPT (a bit undecided)
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    I mean some interactive labs where you can detect, respond, hunt for threats, etc. Like SANS NetWars or ISACA CSX, but cheaper or free altogether.
  • tedjames, Scruffy-looking nerfherdr, Posts: 1,064, Member
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    tedjames, thanks for your links. Seems like both of them are about the "offense informs defense" approach.
  • tedjames, Scruffy-looking nerfherdr, Posts: 1,064, Member
    u1tras wrote: »
    tedjames, thanks for your links. Seems like both of them are about "offense informs defense" approach.

    That's the way I see it. The best way to know and beat your enemy is to think like him.
  • cyberguypr, Senior Member, Posts: 6,848, Mod
    Boss of the SOC

    Haven't tested it myself but have heard it's good.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    Very interesting cyberguy, thank you!
  • evopilot Posts: 16, Member
    Subscribed to this on the basis of your prep. I like what you have done so far, good luck buddy.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    So, what about Immersivelabs? Has anyone tried this? Seems like their Labs contain different blue team exercises (as it's stated on the website).
  • Danielm7 Posts: 2,269, Member
    u1tras wrote: »
    So, what about Immersivelabs? Has anyone tried this? Seems like their Labs contain different blue team exercises (as it's stated on the website).
    If you have a .edu email address it's free. Very good stuff there if you can access it.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    Thank you Daniel! I've asked them about access and prices for an individual infosec professional, not a student.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    And the answer from Immersive Labs: "Unfortunately we do not offer individual licenses."
  • the_Grinch Posts: 4,162, Member
    Blue team stuff is pretty hard to come by in the lab sphere. You could always monitor your own network and see what's rolling around there. Also, for some training with labs perhaps look at the following:

    https://www.elearnsecurity.com/course/practical_network_defense/

    https://www.elearnsecurity.com/course/threat_hunting_professional/

    https://www.elearnsecurity.com/course/digital_forensics_professional/

    Good luck!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • tedjames, Scruffy-looking nerfherdr, Posts: 1,064, Member
    Set up a VM and then create another VM. Attack the first VM from the second (or vice versa) and practice both red and blue teaming at the same time.
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,504, Admin
    Seeing as how a SIEM is a cornerstone in any non-trivial Blue Team, I sure would like an online lab featuring Splunk loaded with plenty of indexed data to practice searches, rule writing, and dashboard creation. I can download and use Splunk Free/Light, but getting sample data (syslog) filled with security issues to discover is the difficult bit.
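One way to get around the missing-data problem JDMurray describes is to plant an issue in generated syslog and then write the rule that finds it, which exercises the same search-and-rule-writing muscle before loading anything into a SIEM. This is an added example, not code from this thread or from Splunk; the host name, addresses and threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog: one bastion host, hypothetical addresses (not a real dataset).
def make_sample_syslog():
    base = datetime(2019, 6, 1, 10, 0, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    for i in range(5):  # benign background: key-based logins from the office range
        ts = (base + timedelta(minutes=7 * i)).strftime(fmt)
        lines.append(f"{ts} bastion sshd[{1000 + i}]: Accepted publickey for deploy from 10.0.0.{20 + i} port 5{i}000 ssh2")
    for i in range(12):  # the planted issue: a password-guessing burst from one source
        ts = (base + timedelta(seconds=8 * i)).strftime(fmt)
        lines.append(f"{ts} bastion sshd[{2000 + i}]: Failed password for invalid user admin from 203.0.113.45 port {40000 + i} ssh2")
    ts = (base + timedelta(seconds=100)).strftime(fmt)
    lines.append(f"{ts} bastion sshd[2100]: Accepted password for root from 203.0.113.45 port 40100 ssh2")
    return lines

LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=2), year=2019):
    """Sliding-window rule: alert when one source reaches `threshold` failures inside
    `window`, and again if that same source then authenticates successfully."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort()
    recent_fails = defaultdict(list)
    alerts = []
    for ts, outcome, user, src in events:
        q = recent_fails[src]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.pop(0)
        if outcome == "Failed":
            q.append(ts)
            if len(q) == threshold:  # fire once per burst, when the threshold is crossed
                alerts.append(("bruteforce", src, ts, user))
        elif len(q) >= threshold:
            alerts.append(("success_after_bruteforce", src, ts, user))
    return alerts
```

Writing the generated lines to a file and indexing them gives a small dataset where the same two findings can be reproduced as a search, which is the point of the exercise.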
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    JDMurray, you can use the specially prepared "Boss of the SOC" datasets for Splunk, as cyberguy suggested earlier.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    Here is a summary of all options for Blue Team Labs we've collected during this thread:
    1. Chris Long Detection Lab (free).
    2. Hand-made Security Onion/VulnHub lab (free).
    3. Boss of the SOC datasets with Splunk (free).
    4. Traffic analysis exercises on Malware-Traffic-Analysis.net (free).
    5. Cybrary Insider Pro labs (cheap).
    6. SANS NetWars (Core Continuous/DFIR) (very expensive).
    7. ISACA CSX Labs (expensive).
    8. Immersive Labs (free if you have a .edu email).
    9. eLearnSecurity Hera Labs (expensive).
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,504, Admin
    u1tras wrote: »
    JDMurray, you can use a special prepared "BOSS of the SOC" Datasets for Splunk, as cyberguy suggested earlier.
    That's a good start, but to teach how to be a SOC analyst I need to utilize more capability from Splunk than just searching.
  • Kapital Posts: 33, Member
    u1tras wrote: »
    There is a summary of all options we've collected for Blue Team Labs during this thread:
    1. Chris Long Detection Lab (free).
    2. Hand made Security Onion/Vulnhub lab (free).
    3. Boss of the SOC Datasets with Splunk (free).
    4. SANS NetWars (Core Continuous/DFIR) (very expensive).
    5. ISACA CSX Labs (expensive).
    6. Immersive Labs (free if you have a .edu email).
    7. eLearnSecurity Hera Labs (expensive).
    Thank you for the list. I was looking for a Security Onion course.
  • jwdk19, Member, Posts: 65
    Thanks for the list!
  • KAmes4545 Posts: 13, Member
    If you're trying to be a SOC analyst, I can't recommend Investigation Theory by Chris Sanders enough: https://www.networkdefense.io/home/ This course has great fundamentals of what a security analyst should be and how to get there, and it's not all technical. An analyst should be able to read/interpret data, but also be able to communicate their findings. That's why I also recommend Visual Intelligence: Sharpen Your Perception, Change Your Life by Amy Herman. This was also recommended in Chris's course, and that book should be read by every analyst.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    Thanks KAmes, very interesting resource!
  • SnotFunk Posts: 4, Registered User
    Why not set up your own Security Onion lab, install a SIEM or use Kibana, and then use tcpreplay and the pcaps from here:

    Malware-Traffic-Analysis.net

    Or if you just want to analyse pcaps, use wireshark.
  • u1tras (OSCP, eCTHP) Moscow, Posts: 81, Member
    SnotFunk wrote: »
    Why not set up your own Security Onion lab, install a SIEM or use Kibana, and then use tcpreplay and the pcaps from here:

    Malware-Traffic-Analysis.net

    Or if you just want to analyse pcaps, use wireshark.

    Interesting resource with traffic analysis exercises! Added to the list.
  • SnotFunk Posts: 4, Registered User
    Here are some more, as well as a link to using Security Onion and tcpreplay:

    https://github.com/Security-Onion-Solutions/security-onion/wiki/Pcaps
  • nicolettean Posts: 19, Member
    Did anyone ever try any of these labs? If so, which ones?

    Curious to try one but want to know if one is better than another.
    2018 Goals - AWS Certified Solutions Architect
    Linkedin Profile : https://www.linkedin.com/in/andrew-nicolette-454721109/
  • tedjames, Scruffy-looking nerfherdr, Posts: 1,064, Member
    nicolettean wrote: »
    Did anyone ever try any of these labs? If so, which ones?

    Curious to try one but want to know if one is better than another.

    I've used bWAPP a bit. It's great if you can actually get it to work. The buggy web app has some bugs...

    Test Site is a good practice site, as is Supercar Showdown.