When you think of SIEM, some of us automatically assume that it's just another tool deployed into a SOC (Security Operations Center), used by security analysts and incident responders to identify and react to events occurring on their network. That isn't a false assumption; however, there are also practical applications for putting an open source security tool such as OSSIM to work for our own personal advantage.
The back story...
For the past two years, I've held a role at a large secondary school as Director of Technology. I came into this role having consulted on matters of security for years, and I continue to do so in conjunction with my position at the school. I am not a teacher – I'm in the dark, shadowy realm of the school's IT underbelly.
It didn't take long after my arrival (within a month or so) before I had several students approach me about getting some hands-on experience working in IT. I took the responsible students up on their offer to help out with support-related issues, but that wasn't enough to satisfy their hunger. They demonstrated a genuine interest in security. Not the security that we are all accustomed to in the real world. Instead, their minds were jogged with all kinds of stories of cyber attacks and (flavor of the month) hacktivist groups that the media served up on a daily basis. I would constantly get questions such as “How did they take down Company X?” or “How can I try this without getting caught?”. I wanted to answer them the best that I could without opening up a can of worms, because let's face it... they're kids!
Around this time, I was implementing various security controls throughout the school's infrastructure and testing them out. I had OSSIM in place, which I was consistently monitoring for activity and alerts to ensure that everything was working properly. Then it dawned on me... I can set up a lab, a controlled environment where the students can learn about infosec from both sides of the fence. Rather than blindly executing scripts against an unknown target (probably landing them in trouble), they can use the lab to execute an attack and, on the flip side, see what kind of activity was taking place on the target. With the availability of open source security tools at our fingertips, it all worked out tremendously well and has since evolved into a number of activities. Soon our lineup will include our very own Capture The Flag event. Fun!
I originally gravitated towards OSSIM, because it is free (of course) and it integrates easily with other tools such as Snort and OSSEC, which are also free and well documented. Not to mention my prior experience – one of my previous jobs required me to monitor the security of our network environment, and after a ton of research, I eventually stumbled upon OSSIM.
How does this story apply to you?
Simple. Like my students, we (as security professionals) need hands-on experience. We need to “hone” our skills. If you are a security engineer, you need to know that the security controls you have put in place are configured correctly and that they are doing their job. If you are an analyst, you need to limit the number of false positives and have the ability to identify legitimate threats. Penetration testers... you will undoubtedly find yourself coming up against various obstacles, and it pays to know what is working against you and your clients. To take it a step further, you will be able to offer better insight into how your clients can remedy the problems that you identify. You need to know how much noise you are making (or aren't making).
The Approach
Now, the intention of this post is not to get into the fine details. I am going to whip up a few recipes from my own cookbook in subsequent posts, but I do want to give some insight so that this information proves to be useful on some level.
It only makes sense that this post is here on the AlienVault blog, because I use OSSIM as the backbone of my lab. Therefore, all of my recipes use OSSIM as their main ingredient, and it gets used in different capacities depending on the goal of the experiment. I chose OSSIM because it is flexible, free, there is a large community for support and suggestions, and it works. Plain and simple.
The general lab architecture that we will be using in subsequent posts typically consists of a SIEM, an attacking machine, and high-interaction honeypots (in some instances there may be only one, but in most cases there are several). To be cost effective, we will virtualize everything, but there are occasions when you may want to test various appliances or networking equipment, and that will require you to have some physical machines or additional networking hardware on hand. Again, this all depends on what your goals are and what your budget is. My lab at the school was built with minimal investment. Occasionally, I do have to reach into my pockets for my personal lab, but that is usually job specific.
With so many amazing open source security tools available, you really don't need to go for broke, and to ensure that everyone who is following along can participate from start to finish, I'm going to stick to using a virtualized environment, open source tools, and I will not be including any additional networking equipment. But, I can't say that I wouldn't want to hear about what you've done, so please share!
Coming up...
In my next post, we are going to get our hands dirty. I am going to walk you through the lab setup, and from there we will begin to get cook'n with our OSSIM-based learning lab. In the meantime, if you want to start experimenting with OSSIM yourself, you can find and download it from here.
About James Taliento
James Taliento is the Director of Technology for a large secondary school in the North East. He is also an active security consultant focusing primarily on offensive security / ethical hacking. When he's not breaking things, he's divulging books and / or (lots of) craft beer. You can find out more about James on his website, manipulatesecurity.com