Project: I’m going to play around with different formats to see what works best. For this first iteration I’m going to keep things as concise as I can. I used to have a homelab, I moved, I no longer have a homelab. Just pieces of the old one. The idea is to get a runnable SOC and IR pipeline going in my office so that we can start “responding” to outside events and threats made by us.
The idea sounds like a huge undertaking, and I’m probably biting off more than I can chew. But I’m going to give this a serious try to dust off some cobwebs and get to learn some of the tech I’ve wanted to mess around with. It comes with the additional benefit of giving us an easier way to go about looking into lower-level topics later on.
Timeline – I’m really shooting myself in the foot with this but if I could have this setup in about 3 months’ time, I’d be happy with myself. That’s barring any large purchases anyways. I’m familiar with about half of it and the other half is new to me, so with that in mind for everything I do I’ll be posting how I did it and who on the internet helped me.
Technology Applied – So for the pipeline I have a simple vision, a SIEM, a case management platform or SOAR, some form of EDR, a sandbox solution, a threat intel platform, an IDS, a packet capture, and a firewall. Ideally this is what I’m going to attempt to deploy:
That of course goes without saying that I will need to set up quite a few other internal networking components to ensure there’s some safe communication channel between all of these. So, I need a domain and TLS certificates. I may or may not set up something like Zabbix. Not sure yet. This is a giant infrastructure that is normally supported by multiple teams and multiple full-time employees with more experience than me, so this is going to go really well.
I have a Proxmox server right now with around 1TB storage, 18GB RAM, and an old FX-6300 (I think? I’m pretty sure it’s an old Vishera or Bulldozer processor, 6 cores and 6 threads?). So I’m not blowing anybody away with that hardware. I’m going to spec out what I want to do here and get the hardware aligned. Actually, why don’t I go ahead and do that?
- ELK – I’m most likely going to use docker since that’s what I’ve used in the past, and it looks like nothing has changed much, just need 4GB RAM min.
- Velociraptor – It looks like I can use… .0008GB RAM and… .0002 processors. So I’ll give it 1 CPU core and processor and 1GB RAM. We’ll see how that goes. I’ll just re-spec if it goes to shit.
- TheHive – This thing is greedy. But I also don’t know how much of this comes from the idea that multiple analysts would typically be using this. 8 CPUs and 8 GB of RAM and 60GB of disk. I’ll probably bump all of that down honestly.
- Cuckoo – There seems to be a direct requirement that I’ve strayed away from in the past…I found that just a base UNIX box with 4GB RAM, 2 CPUs and like 30GB of disk did the trick. But I may be remembering this wrong. Specs from that page say 320 GB disk, 4 CPUs and 4 GB RAM.
- Suricata – This comes up with numbers immediately which seem manageable, 4GB RAM and multi CPU cores. So I don’t know, maybe I don’t make this a VM? Not sure yet.
- pfSense – Clean and simple, 1GB RAM, 8GB “disk”, 1 CPU. Pretty nice honestly. I’m pretty sure this is getting slapped onto a Raspberry Pi. So I’ll leave that.
- Cortex – So, for this more of the same thoughts echoed from Cuckoo honestly. I’ve “underclocked” this unintentionally going by these docs and I don’t know that it needs 8GB RAM/CPU and 60GB of disk? I’ll cut this down for sure and then see how it goes.
- Arkime – Easily the biggest pain in my ass at this point. But I WANT it. Even at 1/4GB per second over the wire it’s asking for 3TB for a day’s worth of retention. I am going to HAVE to play with this. It’s CPU and RAM heavy too. This will probably take the longest, so I may backlog it as well due to how much testing I’ll have to do.
- MISP – Dropping this to the bare minimum looks manageable. 2GB of RAM and Disk and 1CPU? I’ll resize the disk but this seems RAM intensive. So actually. I may just postpone this. I’ll backlog this just because it’s easy to plug-in to the stack I’ll be working with anyways.
- ClamAV – Endpoint dependent, will most likely be implemented on a test box when analysis begins.
Approximate RAM Total: 17GB, Approximate CPU Total: 20 CPUs.
Those numbers aren’t pulled from that list directly; I’ve adjusted them in my head either by taking half of what I think it’ll need or by outright not including it. At a glance I’m not too far off: it looks like I’ll need 3-4 more TB of disk if I want to store anything actually long-term (longer than a week/month) and maybe another 6-8 GB of RAM. A better CPU wouldn’t hurt, but we’ll see how the one I have now holds up. The takeaway from doing this so far is that SIEM, “EDR”, and SOAR look like the most likely primary rollouts at first, with the IDS and firewall being deployed on dedicated hardware. So, I need to find my Pis or find new ones.
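Doing the tally in your head works once; doing it in a script means you can re-run it every time you trim a VM or move something to a Pi. The following is an added example (not the post’s own code or any project’s tool) that sums a planned guest list against the Proxmox host described above, flags RAM over-budget (RAM should not be overcommitted on a box whose whole job is ingesting logs), reports the vCPU oversubscription ratio against an assumed 4:1 ceiling, backlogs lowest-priority guests until the plan fits, and sizes full-packet-capture retention from link speed. The host figures come from the post; every per-VM figure and the overhead multiplier are constructed assumptions, not the post’s exact numbers.

```python
"""Capacity planner for a small Proxmox-hosted SOC lab.

Constructed example: tallies the guests planned for one host, checks them
against the host, and sizes Arkime-style pcap retention from link speed.
All per-VM figures below are assumed values, not the post's exact numbers.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class VmSpec:
    name: str
    vcpus: int
    ram_gb: float
    disk_gb: float


@dataclass(frozen=True)
class Host:
    cores: int
    ram_gb: float
    disk_gb: float


# Assumed host: the post's 6-core FX-6300 box with 18 GB RAM and ~1 TB disk.
HOST = Host(cores=6, ram_gb=18, disk_gb=1000)

# Assumed guest sizing, in rollout priority order (first = deploy first).
# Values are roughly half the vendor minimums, the way the post trims them.
PLANNED_VMS = [
    VmSpec("elk", vcpus=2, ram_gb=4, disk_gb=100),
    VmSpec("velociraptor", vcpus=1, ram_gb=1, disk_gb=20),
    VmSpec("thehive", vcpus=4, ram_gb=4, disk_gb=30),
    VmSpec("cortex", vcpus=4, ram_gb=4, disk_gb=30),
    VmSpec("cuckoo", vcpus=2, ram_gb=4, disk_gb=160),
    VmSpec("suricata", vcpus=2, ram_gb=4, disk_gb=20),
]


def totals(vms):
    """Sum vCPUs, RAM (GB) and disk (GB) across a list of guests."""
    return (
        sum(v.vcpus for v in vms),
        sum(v.ram_gb for v in vms),
        sum(v.disk_gb for v in vms),
    )


def check_fit(vms, host=HOST, max_cpu_overcommit=4.0):
    """Compare the plan against the host.

    RAM is not overcommitted (a swapping SIEM drops events), vCPUs may be
    oversubscribed up to max_cpu_overcommit (assumed ratio), and the guest
    disks must fit inside the host's pool.
    """
    vcpus, ram, disk = totals(vms)
    cpu_ratio = vcpus / host.cores
    return {
        "vcpus": vcpus,
        "ram_gb": ram,
        "disk_gb": disk,
        "cpu_ratio": round(cpu_ratio, 2),
        "cpu_ok": cpu_ratio <= max_cpu_overcommit,
        "ram_ok": ram <= host.ram_gb,
        "ram_shortfall_gb": max(0.0, ram - host.ram_gb),
        "disk_ok": disk <= host.disk_gb,
    }


def defer_until_fits(vms, host=HOST):
    """Push lowest-priority guests to the backlog until RAM fits.

    Returns (kept, deferred), both in priority order.
    """
    kept = list(vms)
    deferred = []
    while kept and totals(kept)[1] > host.ram_gb:
        deferred.insert(0, kept.pop())
    return kept, deferred


def pcap_storage_gb(link_gbps, days, overhead=1.0):
    """Full-packet capture volume for a link, in decimal GB.

    link_gbps is average utilisation in gigabits/s; overhead is an assumed
    multiplier for pcap headers and the session index (1.0 = raw bytes only).
    """
    gb_per_second = link_gbps / 8
    return gb_per_second * SECONDS_PER_DAY * days * overhead


def pcap_retention_days(disk_gb, link_gbps, overhead=1.0):
    """How many days a given pcap volume holds at a given link speed."""
    return disk_gb / pcap_storage_gb(link_gbps, 1, overhead)


if __name__ == "__main__":
    print("plan vs host:", check_fit(PLANNED_VMS))
    kept, deferred = defer_until_fits(PLANNED_VMS)
    print("deploy now:", [v.name for v in kept],
          "backlog:", [v.name for v in deferred])
    # A quarter of a gigabit/s of captured traffic, one day of retention.
    print("pcap GB/day @0.25 Gbps:", pcap_storage_gb(0.25, 1))
    print("days held on 3000 GB:", round(pcap_retention_days(3000, 0.25), 2))
```

With these assumed numbers the plan lands 3 GB of RAM over the host, so the script backlogs the last guest in priority order (here Suricata, which the post already intends to move to dedicated hardware). The pcap sizing treats the link as 0.25 gigabits/s and comes out at 2.7 TB per day with no overhead, which is the right order of magnitude for the ~3 TB/day figure quoted above; bump `overhead` to account for the index and headers.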
I’ll try my best to post consistent updates on the progress that I’m making. I fully expect Barry Allen and Mr. Buvelle to keep me true to my word, plus it’s on my to-do list. Thanks for reading, have a great day.