
Security Onion is a free and open platform for Network Security Monitoring (NSM) and Enterprise Security Monitoring (ESM). NSM is, put simply, monitoring your network for security-related events. It might be proactive when used to identify vulnerabilities or expiring SSL certificates, or it might be reactive, such as in incident response and network forensics. Whether you’re tracking an adversary or trying to keep malware at bay, NSM provides context, intelligence, and situational awareness of your network. ESM takes NSM to the next level and includes endpoint visibility and other telemetry from your enterprise.
From a network visibility standpoint, Security Onion seamlessly weaves together intrusion detection, network metadata, full packet capture, file analysis, and intrusion detection honeypots. In addition to network visibility, Security Onion provides endpoint visibility via agents like Beats, osquery, and Wazuh.
For devices like firewalls and routers that don’t support the installation of agents, Security Onion can consume standard Syslog.
We will set up Azure for the first time so that we can create a lab environment. It is a very easy step to do. The first step is always the toughest, but that is what makes you a winner!
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
Learner: Too much explanation, please keep it simple!!
Me: I just copied from google!!
I want to create a Windows 2010 workstation machine where we will deploy all agents for SOC/SIEM, and we will also host our industrial applications there. The very, very simple task of my life!
First-time connection to our newly configured engineering workstation.
Learn how to deallocate and sleep peacefully all night. This is an important step; otherwise Azure will keep charging you for the whole night as if you were still using that machine. Do this for all of your Azure machines.
Let's create our SOC/SIEM machine, which is the main engine of our lab, and follow it step by step; many engineers make mistakes in this part. Relax, take your time and install.
Installation done, now let's configure....but carefully!!
Whoooooo..... now we need to establish communication!!
Configure and install Security Onion in evaluation mode, including license acceptance, hostname, management interface and network settings; create the administrator account; and enable web access with the Elastic Stack and Salt.
Reconnection is key; we need to focus on the key!
Now I am unstoppable, my machine is up, and I will update rules! My life, my rules!
Hey, how do you look? See my dashboard!
The host intrusion detection system agent is Wazuh; we will install this.
Integrate as well!
Sysmon also needs to be installed and integrated!
I need a firewall as well in my virtual lab!!! Here you have it... go get it installed!
A little bit of configuration !! Easy stuff!
What is the purpose of a firewall? To safeguard, to do IPS/IDS bla bla bla!!
But our focus is to ship Syslog to the SIEM.
Let's enable Snort IPS on our firewall; as it is connected to the WAN, it is better to keep it in IPS mode.
Firewall: Hey "Onion" are you receiving my Syslog?
Onion: Let me check, I think yes we do, Thanks!
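The "are you receiving my Syslog?" question above is worth answering with code rather than by eye. The following is an added example, not part of the course material and not Security Onion's or pfSense's own code: it parses BSD-style (RFC 3164) syslog lines and reports, per expected sender, whether the SIEM has heard from it recently. The log lines, hostnames and message bodies are constructed for the example; the message text only loosely imitates a firewall and is not real pfSense output.

```python
"""Receiver-side check for firewall syslog: parse RFC 3164 lines and report
whether each expected sender is still being heard from.

Added example, not code from the course or from Security Onion. All sample
lines below are constructed."""
import re
from datetime import datetime, timedelta

# <PRI>Mmm dd HH:MM:SS HOSTNAME TAG[PID]: MSG   (BSD syslog, RFC 3164)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line, year=2024):
    """Return a dict for one RFC 3164 line, or None if it does not parse.
    RFC 3164 timestamps carry no year, so the caller supplies one."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    ts_text = " ".join(m["ts"].split())   # "Jan  4" -> "Jan 4" for strptime
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def sender_status(lines, expected_hosts, now, max_silence=timedelta(minutes=5)):
    """Map each expected hostname to 'ok', 'silent' or 'never', judged by the
    newest parsable line from that host relative to `now`."""
    last_seen = {}
    for line in lines:
        rec = parse_syslog(line, year=now.year)
        if rec is None:                 # unparsable lines are skipped, not fatal
            continue
        if rec["host"] not in last_seen or rec["ts"] > last_seen[rec["host"]]:
            last_seen[rec["host"]] = rec["ts"]
    status = {}
    for host in expected_hosts:
        if host not in last_seen:
            status[host] = "never"
        elif now - last_seen[host] > max_silence:
            status[host] = "silent"
        else:
            status[host] = "ok"
    return status


# Constructed sample: a firewall still talking, a switch that went quiet,
# and one garbage line that must not break the check.
SAMPLE_LINES = [
    "<134>Jan 14 10:20:05 pfsense-fw filterlog[81302]: block in on em0: TCP 203.0.113.5:44321 -> 192.168.1.10:445",
    "<134>Jan 14 10:24:40 pfsense-fw filterlog[81302]: pass out on em1: UDP 192.168.1.10:51000 -> 192.168.1.1:53",
    "<30>Jan 14 09:10:00 core-switch sshd[4410]: Accepted publickey for admin from 192.168.1.50",
    "this is not syslog at all",
]
NOW = datetime(2024, 1, 14, 10, 25, 0)   # constructed "current time" for the check

if __name__ == "__main__":
    expected = ["pfsense-fw", "core-switch", "plc-gw"]   # hypothetical lab senders
    for host, state in sender_status(SAMPLE_LINES, expected, NOW).items():
        print(f"{host:12} {state}")
```

In a lab this would be fed the raw lines the SIEM receives (or a tail of its syslog input) and run on a schedule; a sender that flips from "ok" to "silent" is the first sign that a firewall's remote logging was switched off or its route to the collector broke, which matters more in an ICS network than any single blocked packet.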
Let's install a server in our lab; without a server it feels lonely and boring!
Server: I am a server, please make use of me!
Me: Okay, I will make you the great domain server, let's face this!
EWS01: I want to be your first subscriber!
AD Server: Welcome to my Domain! we will, we will rock!
AD Server: Still I don't have much to do, give me some more tasks!
Me: Okay, let's handle the WSUS (Windows Server Update Services) role as well!
WSUS: Configure me please, I am unconfigured so I am clueless about what to do!
Integration of two systems is always a tough job; let's face it and fail!
What is reverse DNS and how does it work? Learn about that somewhere else; here I just want to make my WSUS work, and it requires reverse DNS. Full communication we will see later, after troubleshooting!
Install Wazuh on the AD server as well, so that we can forward all host logs to Security Onion.
ICS: Aren't you ignoring your core capabilities which are ICS applications and protocols?
Me: I am sorry, please have Modbus for your breakfast!
Here you have DNP3 for lunch!
Whooo.. we have OPC for dinner!
Let's learn to navigate and see what is there; please spend more time here to explore the system and its functionalities.
NOC? Network Operations Center; of course, not much valued, but for SOC analysts and engineers it is of great value. Also with beautiful graphics!
Are we getting events in case of a Windows update? Yes, we get some, and now our WSUS is working too!! Wow
What is asset management?
This is what we want to do with just 2 systems; we need to do the same for thousands of systems in the plant environment.
Configure Nessus for vulnerability scanning by creating host discovery and basic network scans, launching the scans, and reviewing the results, which support vulnerability management by identifying SSL/TLS and SMB issues.
I want to see a DoS attack in my environment!
Just launch an Nmap scan and you will see a similar type of behaviour.
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
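What the SIEM actually sees during a scan is one source touching many destination ports in a short time, which is also why it looks DoS-like in the dashboards. The following is an added example, not part of the course and not code from Security Onion or Nmap: it runs a sliding-window port-sweep detector over connection metadata. The records are constructed; their field layout (timestamp, source, destination, destination port, protocol) is an assumption that only loosely resembles the network metadata a sensor produces, and the hosts and threshold are placeholders.

```python
"""Flag scan-like behaviour in connection metadata: one source reaching many
distinct destination ports on one host inside a short window.

Added example, not code from the course, Security Onion or Nmap. Records and
hosts are constructed; the (ts, src, dst, dport, proto) layout is assumed."""
from collections import defaultdict

# Constructed records: (unix timestamp, source, destination, dest port, protocol)
SAMPLE_CONNS = [
    (1700000000.0, "10.0.0.7", "10.0.0.20", 443, "tcp"),   # normal traffic
    (1700000001.0, "10.0.0.7", "10.0.0.20", 53, "udp"),
] + [
    # one host walking ports 1..120 on a single target, 50 ms apart
    (1700000100.0 + i * 0.05, "10.0.0.99", "10.0.0.20", 1 + i, "tcp")
    for i in range(120)
] + [
    (1700000200.0, "10.0.0.7", "10.0.0.21", 445, "tcp"),
]


def detect_port_sweeps(conns, window_s=60.0, min_ports=50):
    """Return one alert per (src, dst) pair whose distinct destination ports
    within some window_s-second sliding window reach min_ports. The alert
    records the largest such window. Input order does not matter."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _proto in conns:
        by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()                      # oldest first
        start = 0
        in_window = defaultdict(int)       # port -> hits currently inside window
        best = None
        for ts, dport in events:
            in_window[dport] += 1
            # slide the window start forward until it spans at most window_s
            while ts - events[start][0] > window_s:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            distinct = len(in_window)
            if distinct >= min_ports and (best is None or distinct > best["distinct_ports"]):
                best = {
                    "src": src,
                    "dst": dst,
                    "distinct_ports": distinct,
                    "first_ts": events[start][0],
                    "last_ts": ts,
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_port_sweeps(SAMPLE_CONNS):
        span = alert["last_ts"] - alert["first_ts"]
        print(f"{alert['src']} -> {alert['dst']}: {alert['distinct_ports']} ports in {span:.2f}s")
```

The threshold and window are the tuning knobs: a vulnerability scanner or a maintenance laptop in the plant network will trip the same logic, so in practice the source list is checked against the asset inventory before an alert is escalated, which is exactly why the asset-management chapter sits next to the scanning one.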
*MAKE YOUR OWN ICS SIEM/SOC LAB SETUP WITHOUT HARDWARE*
Welcome to our comprehensive course on ICS Cybersecurity from end-to-end deployment. This course covers key concepts essential to safeguarding Industrial Automation and Control Systems cybersecurity.
We will delve into critical cybersecurity components such as Security Information and Event Management (SIEM), with a focus on Elasticsearch-Logstash-Kibana (ELK Stack), SIEM Dashboarding/ Query: Kibana, and NOC- Network Monitoring/ Operations Dashboarding: Grafana.
You will also learn about EDR/HIDS - Endpoint Detection and Response/ Host Intrusion Detection: Wazuh, Log Management: Beats/Sysmon (Log collector for Windows Event logs and more), Asset Management: OSQuery - FleetDM, Endpoint Visibility: Sysmon, Malware Detection: Strelka, Firewall: pfsense (Firewall), and IPS-Intrusion Prevention System: Snort Based.
We will also explore Nmap for network-based queries, Vulnerability Management: Using Nessus, Active Directory- Windows Server, WSUS-Windows Server Update Services, Modbus Communication, DNP3 communication, and OPC Server-Client Communication.
By the end of this course, you will have a comprehensive understanding of ICS Cybersecurity from end-to-end deployment, including key concepts and tools essential to safeguarding your systems. Enroll now to gain valuable knowledge and expertise in this critical field.
This course is totally practical; in all chapters we are installing, configuring or deploying something on machines located in the Azure infrastructure, and it's simple, I promise.
We will cover some key concepts of ICS Cybersecurity from end-to-end deployment which are as follows:
Security information and event management (SIEM): Elasticsearch-Logstash-Kibana (ELK Stack)
SIEM Dashboarding/ Query: Kibana
NOC- Network Monitoring/ Operations Dashboarding: Grafana
EDR/HIDS - Endpoint Detection and Response/ Host Intrusion Detection: Wazuh
Log Management: Beats/Sysmon (Log collector for Windows Event logs and more)
Asset Management: OSQuery - FleetDM
Endpoint Visibility: Sysmon
Malware Detection: Strelka
Firewall: pfsense (Firewall)
IPS-Intrusion Prevention System: Snort Based
Nmap for network-based queries
Vulnerability Management: Using Nessus
Active Directory- Windows Server
WSUS-Windows Server Update Services
Modbus Communication
DNP3 communication
OPC Server-Client Communication
And this is a dynamic list; over time it keeps being updated and expanded to increase coverage.
* Connect to me on Linkedin/ or visit cyberotsecure{dot}com website to get discounts.*
The environment is deployed on Azure in the cheapest region and with the minimum resource requirements. All the steps are guided and well explained so that you can follow along and create your own ICS SOC easily. After doing this course you will have a good understanding of the cybersecurity technologies that are in use in the ICS landscape as well as in the overall industrial control system environment. You can run all types of tests and simulations in this environment; you can also install applications from your organization to test them in a similar way.