Build Your Lab: Overview
Learning by doing - build labs and use them to train and enhance your skills!
Virtual labs are a crucial resource for developing cybersecurity skills. By actively engaging in hands-on learning, you will encounter various challenges and work towards solutions that will deepen your understanding of how things operate. This practical approach is fundamental in establishing a solid base in cybersecurity fields.
Goals: By gradually building a virtual lab from a single machine to a small enterprise-like environment, you will gain the basic hands-on experience that is required of any cybersecurity professional. From there, you will want to have an advanced lab, ready at all times, which you can use to keep testing and learning new skills.
How: Below are three examples of lab setups, including instructions on how to build and use them with software that is freely available. These labs are designed to build upon each other, starting with basic, then medium, and then advanced. Before getting started, be sure to familiarize yourself with the basics of Virtualization Software.
Resources: Keep in mind that once these labs are built, you may need to account for additional resources such as:
- Adding your Windows forensic workstation (VM) (or alternatively the SANS SIFT Workstation), or installing forensic tools on one of the existing, non-compromised systems.
- Adding real-time event monitoring through Splunk or similar SIEM technologies.
Basic Lab
What: The guide includes instructions for setting up a Windows VM within a simple VirtualBox environment.
Why: This is all you need to get started and dive deeper into digital forensics. Since digital forensics in enterprise environments mostly involves the analysis of Windows systems, a great deal can be learned by deploying, acquiring, and analyzing a Windows VM that is running malware or contains traces of malicious user behavior.
Learning and understanding these essentials is typically the starting point for any DFIR analyst.
Requirements: 2-4 GB RAM
Medium Lab
What: The medium lab enhances the Basic Lab by adding a Domain Controller (Windows Server) and enabling Active Directory services.
Why: In any enterprise environment, users and workstations are managed by Domain Controllers. Learning how to set this up and understanding the interactions between a Windows client and server are the first steps into incident response.
Requirements: 4-8 GB RAM
Advanced Lab
What: This lab includes Windows clients and a Domain Controller (Windows Server) providing Active Directory, DHCP and DNS services. It further includes a pfSense firewall that serves as the internet gateway.
Why: This lab setup allows for learning and applying Incident Response methodologies at scale. Just walking through the setup process will make the basic concepts of Windows enterprise networks clearer, and those concepts underpin functionality that an analyst is often expected to understand. This setup is also the foundation for adding further tools for testing and learning, such as log aggregators, IPS, IDS, EDR solutions, etc.
Requirements: 8+ GB RAM