Building a Comprehensive Lab Environment for Cybersecurity Research Part-1: Introduction & Design
“We don’t rise to the level of our expectations, we fall to the level of our training.” -Archilochus
As the frequently used quote from Archilochus emphasizes, training plays an important and limiting role in achieving success. Among many other fields, this concept applies very well to cyber security. Whether you are working on the defensive or the offensive side, being prepared and having the proper knowledge and experience are the key elements. As you can probably relate, an incident on a type of system you have never even heard of feels very different from one on a system you have already performed many similar investigations and forensic analyses on. Similarly, as a red team operator, it is far more difficult to disguise or hide your footprints if you have never checked which logs a certain offensive technique generates, or to evade an EDR you are facing for the first time during an engagement, compared to one you have already practiced against many times before.
Thus, there is a sound rationale for a cyber security professional to have his/her own lab environment. In this series I will design a small, but as comprehensive as possible, lab environment with many of the features that can be seen in today’s enterprise networks.
Since there is a lot to consider, I will divide the series into multiple articles, each with a distinct main topic. In this article I will draw a roadmap and explain the design of the planned lab infrastructure. Below are the distinct concepts that I will try to include in the lab design and present in separate articles:
- Setting Up Networks, LAN segments and Firewall Rules
- Active Directory Setup: Forests, Domains & Trusts
- Active Directory Setup: Populating Users, Groups and adding Relations
- Adding Linux support to the AD Environment Using Centrify (or a similar solution)
- Setting Up a Proxy for Internet Access, Setting up the Exchange Infrastructure
- Systems Logging, ELK setup and SIEM app on Kibana, Working on Acquiring Different Log Types
- Setting Up Microsoft Advanced Threat Analytics ( or another UEBA product) & Inspecting Results
- Workshop Cases
As a note, I would like to state that although I like gathering information from multiple sources and vetting it either by comparison or by experimentation, there may be parts throughout this series where the only information I provide comes from my own experience and is therefore subjective. There are lots of different technologies involved in an enterprise network, I am in no way an expert in all of them, and there may be better individual guides and documentation, so I will try to reference such guides whenever possible.
So without much further ado, let’s talk about the lab environment design:
Initially, our lab will include 6 different Active Directory domains with different trust settings between them. Below is the initial plan for trusts in the AD infrastructure:
The complete network will have multiple local network segments and a simulated WAN interface with various access control rules. The simplified network diagram is shown in the following figure:
In order to mimic an enterprise environment, we will implement access control rules between the different networks. Some of the network segments will eventually simulate restricted server subnets, some will allow all incoming connections but restrict outgoing connections, and some will mimic client device networks with limited WAN access. Moreover, since the roadmap for this series includes centralized logging and a SIEM setup, one of the subnets is planned to mimic a dedicated security operations network.
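To make the three segment patterns above concrete (a restricted server subnet, an inbound-open but outbound-restricted subnet, and a client subnet with limited WAN access, plus a security operations subnet that only receives pushed logs), here is an added example that is not part of the original article and not the configuration of any particular firewall product. It models the segmentation as a first-match, default-deny ruleset, evaluates sample connections against it, and flags shadowed rules, i.e. rules that can never match because an earlier rule already covers them. The subnet addresses, the port numbers and the rules themselves are constructed assumptions for illustration, not the lab's real addressing plan.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing plan. The article's diagram is not reproduced here, so
# these subnets, and the ports used below, are assumptions for illustration only.
SEGMENTS = {
    "servers": ipaddress.ip_network("10.10.10.0/24"),  # restricted server subnet
    "dmz":     ipaddress.ip_network("10.10.20.0/24"),  # accepts inbound, restricted outbound
    "clients": ipaddress.ip_network("10.10.30.0/24"),  # client devices, limited WAN access
    "secops":  ipaddress.ip_network("10.10.40.0/24"),  # security operations / log collection
}
WAN = "wan"  # any address outside the lab segments
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str              # segment name, WAN, or ANY
    dst: str              # segment name, WAN, or ANY
    dport: Optional[int]  # None matches every destination port
    action: str           # "allow" or "deny"


# First-match ruleset; anything that reaches the end is denied (default deny).
# Ordering matters: each segment's specific allows precede its catch-all deny.
POLICY: List[Rule] = [
    # Restricted server subnet: reachable only from clients on two service ports.
    # Log shipping is push-based, so even secops gets no inbound access here.
    Rule("clients", "servers", 445, "allow"),
    Rule("clients", "servers", 3389, "allow"),
    Rule(ANY, "servers", None, "deny"),
    Rule("servers", "secops", 5044, "allow"),   # assumed log-shipper port
    Rule("servers", ANY, None, "deny"),
    # DMZ-style subnet: all inbound connections allowed, outbound limited to log shipping.
    Rule(ANY, "dmz", None, "allow"),
    Rule("dmz", "secops", 5044, "allow"),
    Rule("dmz", ANY, None, "deny"),
    # Client subnet: limited WAN access (HTTPS only) plus log shipping.
    Rule("clients", WAN, 443, "allow"),
    Rule("clients", WAN, None, "deny"),
    Rule("clients", "secops", 5044, "allow"),
    Rule("clients", ANY, None, "deny"),
    # Security operations subnet: nothing else initiates into it; it may reach
    # everything not already closed off above (e.g. the WAN for threat intel feeds).
    Rule(ANY, "secops", None, "deny"),
    Rule("secops", ANY, None, "allow"),
]


def segment_of(ip: str) -> str:
    """Map an IP address to its lab segment name, or WAN if it is outside the lab."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return WAN


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (rule.src in (src, ANY)
            and rule.dst in (dst, ANY)
            and rule.dport in (dport, None))


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return "allow" or "deny" for a new connection from src_ip to dst_ip:dport."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "allow"  # intra-segment traffic never crosses the segment firewall
    for rule in POLICY:
        if _matches(rule, src, dst, dport):
            return rule.action
    return "deny"


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every connection matching `narrow` would already have matched `broad`."""
    return (broad.src in (narrow.src, ANY)
            and broad.dst in (narrow.dst, ANY)
            and broad.dport in (narrow.dport, None))


def find_shadowed(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them.
    A shadowed rule usually means the policy does not do what its author intended."""
    return [i for i, rule in enumerate(policy)
            if any(_covers(earlier, rule) for earlier in policy[:i])]


if __name__ == "__main__":
    checks = [
        ("10.10.30.5", "10.10.10.5", 445),     # client -> server SMB
        ("10.10.40.2", "10.10.10.5", 22),      # secops -> server SSH
        ("203.0.113.7", "10.10.20.8", 8080),   # WAN -> DMZ
        ("10.10.20.8", "203.0.113.7", 443),    # DMZ -> WAN
        ("10.10.30.5", "203.0.113.7", 80),     # client -> WAN HTTP
    ]
    for src, dst, port in checks:
        print(f"{src:>12} -> {dst}:{port:<5} {evaluate(src, dst, port)}")
    print("shadowed rules:", find_shadowed(POLICY))
```

Writing the policy down in this form before touching a firewall pays off in two ways: every intended flow can be checked against the design (for example, the SOC subnet deliberately has no inbound path into the restricted server subnet, because collection is push-based), and the shadowed-rule check catches the classic mistake of appending a specific rule after the catch-all that already swallows it.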
Finally, it is time to talk a bit about the estimated minimum technical requirements for this design. Since we will not usually be running complex calculations in the lab environment, a modern CPU can handle a high number of low-activity virtual machines. However, RAM allocation is static among virtual machines, and it is likely to be the limiting factor for such a setup. You can find a rough estimate of the bare minimum RAM requirements below:
- Host OS Reserved: 4 GB RAM
- 6 Domains -> 6 Domain Controllers (At least 1.5 GB RAM Each): 9 GB RAM
- 1 Extra Domain Controller for multi-DC scenarios: 1.5 GB RAM
- 1 Exchange Server: 1.5 GB RAM
- 4 Windows Clients (At least 1 GB RAM Each): 4 GB RAM
- 4 Windows Servers (At least 1 GB RAM Each): 4 GB RAM
- 2 Linux Servers (At least 512 MB RAM Each): 1 GB RAM
- 4 Virtual Firewalls (At least 512 MB RAM Each): 2 GB RAM
- 1 Linux DNS Server: 512 MB RAM
- Proxy Server: 1 GB RAM
- ELK & SIEM Bundle: 4–6 GB RAM
- (Optional) Advanced Threat Analytics Server: 2 GB RAM
- (Optional) Centrify or a similar Infrastructure: 1.5 GB RAM
As can be seen above, the minimum memory requirement for such a lab is above 32 GB.
Note that in addition to the above systems, we may also need to run a decent attacker system, a command-and-control server or a redirector for some attack scenarios. If you would like to create a similar design, depending on the amount of RAM available, you may need to take some of the (unused) virtual machines offline for some scenarios.
You can now read Part 2 of the series: “Setting Up Networks, LAN segments and Firewall Rules”