2022 EDSIG Proceedings: Abstract Presentation


A Reproducible Applied Threat Hunting and Incident Response Lab Environment


Cody Welu
Dakota State University

Kyle Korman
Dakota State University

Providing students with applied, hands-on experience in threat hunting and incident response can be challenging, especially in a way that faculty can easily repeat. Not only is building unique lab environments time consuming, but executing live malicious activity to simulate an incident while students are working is often not practical. To solve this problem, we are building a virtual environment and scenarios that allow students to detect and respond to active cyber incidents. In early iterations of this environment, students had access to network-based and host-based data sources via a Security Information and Event Management (SIEM) tool. Windows event logs and Sysmon, both free, extend the ability to detect and respond to an incident by recording numerous activities, including new process creations, user authentications, network connections, and more. In the lab environment, Suricata, an open-source network intrusion detection system, monitored network activity and generated alerts in the SIEM. Additionally, students had access to full network traffic details via Arkime, an open-source packet capture and search tool. A series of questions was created to assess the students and guide them through the investigation and the development of indicators of compromise. The linear questions were loaded into CTFd, an open-source Capture The Flag platform. Initial informal feedback from students was positive, with some students noting that this lab was their favorite in the class. In this initial version, an incident scenario was created and manually carried out on the target infrastructure, which consisted of three Windows virtual machines. After the data was collected into the SIEM platform, the VMs were destroyed. As a result, students had no way to access the machines to perform additional investigation or hunting.
The first major enhancement in the next iteration of this lab is to keep the systems involved in the incident available for additional interrogation. This access will be provided through another open-source tool, Velociraptor. The second major enhancement is to automate the attacker's activities throughout the incident. This will be done for two primary reasons: first, to assist faculty in building new labs and scenarios, and second, to provide students with an active scenario that is happening right now, not weeks, months, or even years in the past when the lab was created. Students will have the opportunity to experience the impact and urgency of a live environment and learn to respond efficiently as a member of an incident response team.

Thursday at 4:50 pm