DFIR Lab — Security Onion (SIEM), Linux Ubuntu, and Kali Linux
TL;DR — It’s a high-level overview and not very technical 😌
Security Onion — is an open-source network security monitoring and intrusion detection system (IDS) platform. It is designed to provide a comprehensive and integrated solution for monitoring, analyzing, and defending computer networks against security threats. The platform combines several powerful open-source tools into a single distribution, making it easier to deploy and manage network security monitoring infrastructure.
Network Security Monitoring (NSM): Security Onion leverages the principles of NSM to capture and analyze network traffic for the purpose of detecting and investigating security incidents. It supports various methods of network traffic capture, including full packet capture and session data capture.
Intrusion Detection System (IDS): Security Onion incorporates IDS tools such as Snort and Suricata for real-time detection of malicious activities and network intrusions. These IDS engines analyze network traffic and generate alerts when they detect suspicious or malicious behavior.
Log Management: The platform integrates tools like Elasticsearch, Logstash, and Kibana (collectively known as the ELK stack) to facilitate the centralized collection, storage, and analysis of log data from various sources within the network. This helps in identifying security events and performing forensic investigations.
Host-based Intrusion Detection System (HIDS): Security Onion includes OSSEC, a host-based IDS tool, to monitor and analyze the activity on individual hosts or servers. This allows for the detection of malicious processes, file integrity monitoring, and other host-centric security checks.
Analysis and Visualization: Security Onion provides a web-based interface that allows security analysts to investigate and visualize security events, network traffic, and log data. The interface includes various pre-configured dashboards, search capabilities, and visualizations to aid in incident response and threat hunting.
Threat Intelligence Integration: The platform supports integration with threat intelligence feeds, enabling the correlation of security events and network traffic with known malicious indicators. This helps in identifying and responding to threats based on up-to-date threat intelligence.
Scalability and Flexibility: Security Onion is designed to be highly scalable, allowing for deployment in various network environments, from small networks to large enterprise networks. It can be deployed as a standalone system or in a distributed architecture to accommodate different network sizes and traffic volumes.
Linux Ubuntu — is a popular Linux distribution that is based on the Debian architecture. It is an open-source operating system known for its user-friendly interface, stability, and strong community support. Ubuntu is designed to be accessible to both beginners and advanced users, making it one of the most widely used Linux distributions worldwide.
Kali Linux — is a specialized Linux distribution designed for advanced penetration testing, ethical hacking, and cybersecurity-related tasks. It is developed and maintained by Offensive Security, a leading provider of information security training and certification.
The Security Onion VM will have 2 network adapters, which connect to the LAN we created earlier in the previous blog.
Linux Ubuntu configuration:
Kali Linux Configuration:
Open the VM (Security Onion) and input the username and password. This will take time to load, since Security Onion has quite a few packages :)
To view the status of the services, run this command: so-status
The Ubuntu VM will be the target host that Kali Linux pings over ICMP.
Logging in with the Security Onion credentials.
Navigator — MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.
Fleet — security management refers to the practice of implementing security measures and protocols to protect a fleet of vehicles from various risks and threats. It involves the application of security policies, technologies, and processes to ensure the safety and integrity of the vehicles, drivers, passengers, and cargo within the fleet.
CyberChef — is an open-source, web-based tool designed for data analysis and manipulation in the field of cybersecurity. It provides a visual interface that allows users to perform various data transformation tasks, decoding and encoding operations, cryptographic operations, and more.
Alerts — in security operations refer to notifications or warnings generated by security systems and tools, indicating potential security incidents or suspicious activities within a network or system. These alerts are designed to proactively detect and respond to security threats in order to minimize the impact of an attack or prevent unauthorized access.
Security operations centers (SOCs) and security teams rely on alerts as a key component of their incident response and monitoring processes. When an alert is triggered, it typically contains information about the nature of the event, such as the source IP address, target system, timestamp, and a description of the observed activity.
Alerts can be generated by various security tools, including:
Intrusion Detection Systems (IDS): IDS monitors network traffic and identifies patterns or behaviors that may indicate an ongoing attack or unauthorized access.
Intrusion Prevention Systems (IPS): IPS builds upon IDS by not only detecting but also actively blocking or preventing malicious activities based on predefined rules.
Firewalls: Firewalls monitor and control incoming and outgoing network traffic based on predefined security policies. They can generate alerts when a rule violation occurs or when suspicious traffic patterns are detected.
Security Information and Event Management (SIEM) systems: SIEM platforms collect and correlate log data from various sources, such as firewalls, IDS/IPS, servers, and applications. They use this data to identify security events, generate alerts, and provide a centralized view of the security posture.
Endpoint Detection and Response (EDR) solutions: EDR tools monitor individual endpoints (e.g., workstations, servers) for malicious activities and generate alerts when suspicious behavior is detected, such as unauthorized file access or process manipulation.
Upon receiving an alert, security analysts or incident responders will investigate the event to determine its severity, impact, and potential remediation actions. Alerts can range from low-level informational notifications to critical alerts indicating a confirmed security breach or ongoing attack.
To effectively manage alerts, security teams often prioritize them based on their criticality, reliability, and potential impact. Automated systems can also be employed to filter and correlate alerts to reduce the noise and focus on the most important and actionable ones.
Overall, alerts play a crucial role in security operations, enabling organizations to proactively identify and respond to security incidents, enhance their incident response capabilities, and strengthen their overall security posture.
IP address of the Ubuntu VM. It can ping Kali Linux.
This generated an alert from Ubuntu to Kali.
Kali Linux pinged the Ubuntu VM to check whether the host is alive.
This also created an alert from source to destination.
Tried an nmap scan from Kali to Ubuntu. The command was: nmap -sV <IP address>. The “-sV” option probes the open ports to determine the service and version running on the target host.
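The ping and nmap -sV alerts above land in Security Onion as Suricata eve.json records, and the earlier section on alerts says teams prioritise them by criticality and correlate them to cut noise. The following is an added example (not code from the post or from Security Onion) that does exactly that over a few constructed eve.json lines: it parses only the alert events, groups them per source/destination pair, flags a pair that touched several ports as a scan, and sorts by severity. The IPs, signature IDs and signature names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed Suricata-style eve.json lines (hypothetical IPs, SIDs and signature
# names) standing in for what Security Onion logged when Kali (192.168.56.20)
# pinged Ubuntu (192.168.56.10) and then ran nmap -sV against it.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2023-07-01T10:00:01Z","event_type":"alert","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"ICMP","alert":{"signature_id":9000001,"signature":"LAB ICMP Echo Request","severity":3}}',
    '{"timestamp":"2023-07-01T10:00:01Z","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"ICMP"}',
    '{"timestamp":"2023-07-01T10:00:09Z","event_type":"alert","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB SCAN Nmap version probe","severity":2}}',
    '{"timestamp":"2023-07-01T10:00:09Z","event_type":"alert","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB SCAN Nmap version probe","severity":2}}',
    '{"timestamp":"2023-07-01T10:00:10Z","event_type":"alert","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","dest_port":443,"proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB SCAN Nmap version probe","severity":2}}',
    '{"timestamp":"2023-07-01T10:00:20Z","event_type":"alert","src_ip":"192.168.56.10","dest_ip":"192.168.56.20","proto":"ICMP","alert":{"signature_id":9000001,"signature":"LAB ICMP Echo Request","severity":3}}',
    'not json: a truncated or corrupted log line that the parser must skip',
])

def parse_alerts(eve_text):
    """Keep only event_type == "alert" records; flow/dns/etc. and bad lines are dropped."""
    alerts = []
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts

def triage(alerts, scan_port_threshold=3):
    """Group alerts per (src, dst) pair and rank them for an analyst.
    Suricata severity is 1 (high) to 3 (low); a group inherits its most severe alert.
    A pair hitting >= scan_port_threshold distinct dest ports is flagged as a scan."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "sigs": set(), "sevs": []})
    for a in alerts:
        g = groups[(a["src_ip"], a["dest_ip"])]
        g["count"] += 1
        g["sigs"].add(a["alert"]["signature"])
        g["sevs"].append(a["alert"]["severity"])
        if "dest_port" in a:
            g["ports"].add(a["dest_port"])
    findings = [{
        "src": src, "dst": dst, "count": g["count"], "severity": min(g["sevs"]),
        "signatures": sorted(g["sigs"]), "scan": len(g["ports"]) >= scan_port_threshold,
    } for (src, dst), g in groups.items()]
    # Most severe first (lowest number), then the noisiest pair.
    findings.sort(key=lambda f: (f["severity"], -f["count"]))
    return findings
```

Run against the sample, the Kali-to-Ubuntu pair comes out first, flagged as a scan, while the lone Ubuntu-to-Kali ping stays a low-severity single alert.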
Logs everywhere :>