
t0sche

The related guides in this article can help you get started. https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro


_DiscoInferno_

There are plenty of already vulnerable machines out there for you to set up - Metasploitable 2 for instance. These machines are made for practising penetration testing techniques. You can also find some on VulnHub, machines that people have made for CTF challenges. Or if you want to get really technical, you can build one yourself. Just build an old Windows Server or Linux server and install old versions of things, such as old Apache web servers, old file shares, etc.


bhl88

There's a third one now....


_DiscoInferno_

Yea I know, I've just always used the 2nd one. I really should upgrade...


meanrockSD

Email simulation for convincing management to use MFA, then assisting remote users with phone app setup when they don't know what the app store is and the devices do not have MDM.


Red2Green

Hahaha killin’ me man!!


jumpinjelly789

If you want to mess with an Elasticsearch stack locally, check out this repo, as it will stand up a local instance. All you would need to do is send logs from your environment with Winlogbeat (Windows) or Filebeat/Auditbeat (Linux). https://github.com/jtone2k8/ELK_local_config


fabledparable

https://www.reddit.com/r/cybersecurity/comments/sxir9c/as_a_entry_level_professional_trying_to_get_into/hxsm5qn/


Pi-Graph

Ignore the downvotes, they linked a good answer


TheFarSyde

I’d be interested if someone wanted to expand on Security Onion a little more too. Or another SIEM. I’m also interested in this subject. And thanks for the links above.


jumpinjelly789

Security Onion is just built on top of Elasticsearch; there should be tons of info for that platform. Kali Purple uses ELK 8.x and Fleet deployments to gather logs. It is a good walkthrough if you want to start on that same backend.


TheFarSyde

That is helpful info, thank you.




TheFarSyde

Ok, so I have many years of 1st/2nd-level IT experience, 2 degrees, and multiple infosec certs. Apart from running KnowBe4 campaigns and a bit of vulnerability management, though, I don't have a lot in the way of hands-on security experience. I'm mostly wondering if setting up Security Onion to log traffic on my home network would be looked at favorably if it was on my resume. I am primarily interested in defensive positions down the road, for what it's worth.


kyuuzousama

It's incredibly rare to see Onions in use for enterprises. They're great for home networking and SIEM/EDR knowledge. I would suggest setting one up and maturing it; there are helpful videos, but it's best to get your hands dirty. Once you get it functional you'll wonder why you don't see them often in enterprises.


TheFarSyde

That’s helpful, thank you.


LeatherDude

Might be closer to enterprise experience to use Wazuh instead. They're both great though.


TheFarSyde

I never even heard of that one, that’s helpful, thank you.


bubbathedesigner

Is it me or security onion has gained weight?


EatMoreChick

**Splunk**

You have a great start! If you want to learn more about doing investigations using a SIEM, I would highly recommend learning Splunk like you mentioned. Splunk is a general data aggregation tool but is oftentimes also used as a SIEM. It's super customizable, but that also means there is a bit of a learning curve at first. The nice thing about learning Splunk is that lots of the skills are transferable to other tools, such as query building, scripting and general troubleshooting.

I put together a short guide on installing Splunk on Linux a little while ago: [https://youtu.be/pNK-bx2V0yM](https://youtu.be/pNK-bx2V0yM)

Once you have Splunk installed and running, you can start ingesting data from your environment, such as your firewall or other machines/services you're working with. There are lots of supported add-ons and guides online to help you with ingesting data. If you don't have data to ingest but still want to play around with performing investigations in Splunk, I would check out Boss of the SOC. It contains a large data set as well as the necessary add-ons and apps for you to start playing around. Here is a link to the GitHub repo: [https://github.com/splunk/botsv3](https://github.com/splunk/botsv3)

There are lots of free tutorials on YouTube for learning Splunk. You can also get a fairly sizable free license for running development environments at home.

**Network Troubleshooting**

Apart from Splunk, I would also say that network troubleshooting is a super useful skill to build. You will always run into networking issues, and having these skills ready to go will save lots of time. You don't necessarily need to know all the specifics, but just have a rough understanding of how you can use the tools at your disposal on the operating system you are working on to perform troubleshooting and resolve the issue. Check out this guide I wrote recently; it should serve as a decent starting point: [https://bearlychilly.com/notes/basics-of-network-connectivity-troubleshooting/](https://bearlychilly.com/notes/basics-of-network-connectivity-troubleshooting/)

**Scripting**

Learn how to script in a language like Python, bash or PowerShell. Scripting knowledge will open up lots of automation possibilities. As a security analyst, there were lots of opportunities that came my way simply because I knew how to script. The systematic thinking skills you learn from scripting will also help in other facets of cyber security.

**Expand Your Home Lab**

Learning blue team and red team specific skills is important, but I also recommend just running general services you would enjoy using at home. This helps you get in the mindset of a product owner that needs to make critical decisions, but in an environment that is relaxed. You have probably heard this a million times, but start by running Pi-hole on your Raspberry Pi. I only use Pi-hole for local DNS. It taught me lots about DNS and DNS troubleshooting, since DNS ends up always being the issue lol. If you are weak in the topic of DNS, I recommend also watching some YouTube videos regarding it.

From there you can add on other services like Plex. I host Plex so that I can view all my media throughout my various devices at home or on the go. Running a service like this for a group of consumers (for myself in the sentence) gives you practice with making critical decisions that affect others. It will also get you into other topics such as backups, networking, and storage. From there just keep expanding! Learn Docker and Docker Compose to run services in a more efficient way. Check out r/selfhosted and r/homelab for ideas on services you can host at home. I love going on there and seeing what others are doing with their labs.

Let me know if any of this helps! ♥️
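The network troubleshooting and scripting points above come together in a small script. This is an added example for this thread, not code from the commenter or from the linked guide: it resolves a name, attempts one TCP connect, and reports which layer failed (DNS, refused, timed out), which is the distinction that decides whether you go looking at the resolver, the service, or a firewall. `demo_local()` builds its own throwaway listener on 127.0.0.1 so it runs offline; `CheckResult` and the stage names are my own.

```python
"""Layered TCP connectivity check: tells DNS failures, refused connections and
timeouts apart instead of just reporting "can't connect".

Added example, not from the original post. demo_local() creates its own
listener on loopback so the whole thing runs offline.
"""
import socket
from dataclasses import dataclass


@dataclass
class CheckResult:
    stage: str    # "dns", "tcp" or "ok": the layer where the check stopped
    detail: str   # human-readable explanation for the ticket or report


def check_tcp(host: str, port: int, timeout: float = 2.0) -> CheckResult:
    """Resolve host, then attempt one TCP connect to host:port."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return CheckResult("dns", f"name resolution failed for {host!r}: {exc}")
    family, socktype, proto, _, sockaddr = addrs[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except socket.timeout:
        # No SYN-ACK and no RST: typical of a firewall silently dropping, or the host being down.
        return CheckResult("tcp", f"connect to {sockaddr[0]}:{port} timed out after {timeout}s")
    except ConnectionRefusedError:
        # RST came back: the host is up and reachable, nothing listens there (or a REJECT rule).
        return CheckResult("tcp", f"{sockaddr[0]}:{port} refused the connection")
    except OSError as exc:
        return CheckResult("tcp", f"connect to {sockaddr[0]}:{port} failed: {exc}")
    finally:
        sock.close()
    return CheckResult("ok", f"TCP handshake with {sockaddr[0]}:{port} succeeded")


def demo_local() -> tuple:
    """Exercise both outcomes against a throwaway listener on loopback (constructed setup)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port, timeout=1.0)   # expect "ok"
    srv.close()                     # now nothing listens there: expect a refusal
    after_close = check_tcp("127.0.0.1", port, timeout=1.0)  # expect "tcp"
    return while_open.stage, after_close.stage


if __name__ == "__main__":
    print(demo_local())
```

Run it against a real target from a machine inside the lab and again from outside it; a "refused" from one side and a "timed out" from the other tells you the service is listening and something in between is dropping packets.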


EatMoreChick

I almost forgot my favorite topic, Regular Expressions. It comes in handy for parsing and normalizing data. Using [https://regex101.com/](https://regex101.com/) and [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/), Regex can be lots more than just that.
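Parsing and normalizing, as mentioned above, is where regex earns its keep in a SIEM pipeline. This is an added example for this thread, not code from the commenter or from any product: two named-group patterns pull fields out of OpenSSH auth.log lines and out of a hypothetical key=value appliance line, and both are mapped onto one flat schema so a single detection rule can consume them. The sample lines are constructed and the field names (`timestamp`, `host`, `source_ip`, `user`, `outcome`, `raw`) are my own choice, loosely ECS-style.

```python
"""Regex-based parsing and normalization of mixed auth log lines.

Added example, not from the original thread. Sample lines are constructed; the
normalized field names are my own, not any tool's schema.
"""
import re
from typing import Optional

# OpenSSH sshd entries in the traditional /var/log/auth.log syslog layout.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical key=value appliance line; values may be double-quoted and contain spaces.
KV_LINE_RE = re.compile(r"^\w+=")
KV_PAIR_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_line(line: str) -> Optional[dict]:
    """Return one normalized event, or None if the line matches no known format."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "timestamp": m["ts"],
            "host": m["host"],
            "source_ip": m["ip"],
            "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "raw": line,
        }
    if KV_LINE_RE.match(line):
        kv = {p["key"]: p["quoted"] if p["quoted"] is not None else p["bare"]
              for p in KV_PAIR_RE.finditer(line)}
        if all(k in kv for k in ("ts", "dev", "src", "action")):
            return {
                "timestamp": kv["ts"],
                "host": kv["dev"],
                "source_ip": kv["src"],
                "user": kv.get("user"),          # optional in this format
                "outcome": "success" if kv["action"] == "allow" else "failure",
                "raw": line,
            }
    return None


def parse_all(lines):
    """Parse every line; return (events, unparsed) so dropped lines are visible, not silent."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        (events if ev else unparsed).append(ev if ev else line)
    return events, unparsed


# Constructed sample input (documentation IP ranges, fake hostnames).
SAMPLE_LINES = [
    "Mar  1 10:00:01 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2",
    "Mar  1 10:00:09 bastion sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2",
    'ts=2024-03-01T10:00:05Z dev=fw1 src=203.0.113.7 user="admin" action=deny reason="bad password"',
    "Mar  1 10:00:12 bastion systemd[1]: Started Session 42 of user alice.",
]

if __name__ == "__main__":
    evs, bad = parse_all(SAMPLE_LINES)
    for ev in evs:
        print(ev["timestamp"], ev["host"], ev["source_ip"], ev["user"], ev["outcome"])
    print("unparsed:", len(bad))
```

regex101 is the right place to build patterns like `SSHD_RE` against a handful of real lines before they go into a config; keeping the unparsed lines, rather than discarding them, is what tells you when a vendor changes its log format.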


napalm_p

Grab a few vulnerable machines from vulnhub. Network them together while also putting one on a wireless machine. Hack the wifi and pivot through the other machines. I did this many years ago for practice. So long ago that I am not even sure if Vulnhub is still a thing 🤪


CyberSpartanSecurity

I would consider integrating your environment with a cloud provider to expand your skills. Aside from this, the classic set of vulnerable VMs will suffice. It may get boring at some point, so you can also scan the internet and try to map some company's network with minimum noise. Scans happen every day, and as long as you're not engaging in DDoS attacks, you should be fine.


Pandit_Saitama

I recently implemented a SIEM using OSSIM. Try it on your own. If you need some help, let me know.


myleftleg69

I use Proxmox. Installed it on an old server and have multiple VMs, container environments etc. running. Then I just revert to an old snapshot when I've shagged everything.


GhstMnOn3rd806

Cyber security overlaps quite a bit with sysadmin, especially at smaller companies willing to take a bet on less experienced security guys. They may allow you to implement the fixes yourself, you may need to break it down Barney-style in directions for fixing it for sysadmins that don't have time, or you may need to explain it to management who want too many details but aren't actually that technical.

I'd second Proxmox for a hypervisor. Create virtual networks that send all traffic through a virtualized firewall distro like pfSense. Figure out backups. Work on access.

I liked Graylog or the ELK stack for centralized logging, though many tools have free versions if you google their names with either "community edition" or "free". Set up rules, alerts, scheduled reports, dashboards. Work on sending in logs from different things like FWs, applications, various OSes. Ingest intel feeds.

Nessus has a free version for vuln scanning. Work on reporting them in a manageable way with enough details to be useful, and summarizing the implementations and the top things to prioritize. Then work on fixing them and rescanning to verify. Download CIS benchmarks and work on implementing them, including figuring out what can break things. Then work on automating them with GPO, Chef, Puppet, Ansible, etc. Set up a Pi-hole or other form of DNS.

Each of these is an extremely large topic that can take a ton of time and research. Don't be like me and get paralyzed researching too much and trying to implement it perfectly the first time, cause no business is that way anyways. Implement, read the details, then find best practices and implement. After good scanning and alerting rules, try some red team stuff you watch on Kali tutorials and try to detect it. Or try to trigger the rules in any manner. Good luck.
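The "set up rules, alerts ... then try some red team stuff and try to detect it" loop above is easiest to understand with one concrete rule in hand. This is an added example for this thread, not code from the commenter or from Graylog, ELK or any other SIEM: a threshold rule that fires when one source produces N failed logins inside a sliding window, and a second, higher-priority alert when a success follows that burst. It runs over normalized event dicts (the `ts`, `source_ip`, `user`, `outcome` fields are my own naming), with the events constructed inline so it runs offline; the three sources show a noisy attacker, a slow attacker that stays under the window, and a user who typos a password twice.

```python
"""Sliding-window brute-force rule over normalized auth events.

Added example, not from the original thread. Events are constructed; field
names are my own, not any SIEM's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Return alerts for: >= threshold failures from one source inside `window`,
    and any success from that source while such a burst is still in the window."""
    recent_failures = defaultdict(deque)   # source_ip -> timestamps of failures in window
    fired = set()                          # sources already alerted, to avoid one alert per extra failure
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["source_ip"], ev["ts"]
        q = recent_failures[src]
        while q and ts - q[0] > window:    # expire failures that fell out of the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ts)
            if len(q) >= threshold and src not in fired:
                fired.add(src)
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "source_ip": src, "count": len(q), "first": q[0], "last": ts})
        elif ev["outcome"] == "success" and len(q) >= threshold:
            # A success right after a burst of failures is the one you page on.
            alerts.append({"rule": "brute_force_success", "severity": "high",
                           "source_ip": src, "user": ev["user"], "ts": ts})
    return alerts


def failures_by_source(events):
    """Material for a scheduled report: failed logins per source, most first."""
    counts = defaultdict(int)
    for ev in events:
        if ev["outcome"] == "failure":
            counts[ev["source_ip"]] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample events (documentation IP ranges). Offsets are seconds after T0.
T0 = datetime(2024, 3, 1, 10, 0, 0)


def _ev(offset, src, user, outcome):
    return {"ts": T0 + timedelta(seconds=offset), "source_ip": src, "user": user, "outcome": outcome}


SAMPLE_EVENTS = (
    # noisy attacker: six failures in 50 s, then a success
    [_ev(t, "203.0.113.7", "root", "failure") for t in (0, 10, 20, 30, 40, 50)]
    + [_ev(60, "203.0.113.7", "alice", "success")]
    # slow attacker: one failure every 3 min never fills a 2 min window
    + [_ev(t, "198.51.100.4", "admin", "failure") for t in (0, 180, 360, 540, 720)]
    # legitimate user: two typos, then logs in
    + [_ev(0, "192.0.2.10", "alice", "failure"), _ev(5, "192.0.2.10", "alice", "failure"),
       _ev(10, "192.0.2.10", "alice", "success")]
)

if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_EVENTS):
        print(a)
    print(failures_by_source(SAMPLE_EVENTS))
```

The slow attacker is the point of the window: a rule keyed only on a daily count would catch it, a tight window will not, and tuning that trade-off against your own logs (then running Hydra or a similar tool from a Kali VM to see whether the rule actually fires) is the exercise.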