2022 EDSIG Proceedings: Abstract Presentation
A Reproducible Applied Threat Hunting and Incident Response Lab Environment
Cody Welu
Dakota State University
Kyle Korman
Dakota State University
Providing students with applied, hands-on experience in threat hunting and incident response
can be challenging, especially in a form that faculty can easily repeat. Building unique lab
environments is time-consuming, and carrying out live malicious activity to simulate an incident
while students are working is often not practical. To address this problem, we are building
a virtual environment and accompanying scenarios that allow students to detect and respond to active cyber incidents.
In early iterations of this environment, students had access to network-based and host-based data sources through a
Security Information and Event Management (SIEM) tool. Windows event logs and Sysmon logs are valuable, free
data sources that extend the ability to detect and respond to an incident by recording numerous activities, including new
process creations, user authentications, network connections, and more. In the lab environment, Suricata, an
open-source network intrusion detection system, monitored network activity and generated alerts that were sent to the SIEM.
Students also had access to full network traffic via Arkime, an open-source packet capture and search tool.
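As an added illustration of the kind of hunt these host-based data sources support (example code written for this page, not part of the lab described above), the following Python correlates Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records by ProcessGuid, flags a shell spawned by an Office application that then makes an outbound connection, and pulls the resulting indicators of compromise out of the match. The event records are constructed; GUIDs, hashes and addresses are made up, while the field names follow Sysmon's own schema.

```python
"""Hunt over Sysmon-style events: correlate process creation (Event ID 1) with
network connections (Event ID 3) by ProcessGuid, flag shells spawned by Office
applications that then reach out to the network, and collect the indicators of
compromise (destination IPs, file hashes) an investigator would record."""
from collections import defaultdict

# Constructed sample records in the flattened key/value layout a log shipper
# produces from Sysmon's EventData. GUIDs, hashes and addresses are made up;
# field names (UtcTime, ProcessGuid, Image, Hashes, ...) follow the Sysmon schema.
EVENTS = [
    {"EventID": 1, "UtcTime": "2022-10-06 14:02:11.100", "ProcessGuid": "{0001-AAAA}",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n C:\\Users\\student1\\Downloads\\invoice.docm",
     "User": "LAB\\student1", "ParentProcessGuid": "{0000-0000}",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "SHA256=1f2e3d4c5b6a7988001122334455667788990 0aabbccddeeff00112233445566".replace(" ", "")},
    {"EventID": 1, "UtcTime": "2022-10-06 14:02:19.450", "ProcessGuid": "{0002-BBBB}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -File C:\\Users\\student1\\AppData\\Local\\Temp\\update.ps1",
     "User": "LAB\\student1", "ParentProcessGuid": "{0001-AAAA}",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Hashes": "MD5=00000000000000000000000000000000,SHA256=9a7b3c2d1e0f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b"},
    {"EventID": 3, "UtcTime": "2022-10-06 14:02:21.002", "ProcessGuid": "{0002-BBBB}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "LAB\\student1", "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "10.10.20.15", "SourcePort": 51844,
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    # Benign noise: explorer launching notepad, and a browser talking to the web.
    {"EventID": 1, "UtcTime": "2022-10-06 14:03:02.000", "ProcessGuid": "{0003-CCCC}",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "User": "LAB\\student1", "ParentProcessGuid": "{0000-0000}",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "SHA256=abababababababababababababababababababababababababababababababab"},
    {"EventID": 3, "UtcTime": "2022-10-06 14:03:10.300", "ProcessGuid": "{0004-DDDD}",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "User": "LAB\\student1", "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "10.10.20.15", "SourcePort": 51850,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

# Hypothetical allow/deny lists for this hunt; a real deployment would tune them.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hashes(field):
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; return it as a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def index_events(events):
    """Split events into process creations (by GUID) and connections per GUID."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            conns[e["ProcessGuid"]].append(e)
    return procs, conns


def hunt_office_spawned_shells(events):
    """Return one finding per shell whose parent is an Office application,
    joined with every outbound connection that shell later made."""
    procs, conns = index_events(events)
    findings = []
    for guid, p in procs.items():
        if basename(p["ParentImage"]) in OFFICE_IMAGES and basename(p["Image"]) in SHELL_IMAGES:
            findings.append({
                "time": p["UtcTime"], "user": p["User"],
                "parent": p["ParentImage"], "image": p["Image"],
                "command_line": p["CommandLine"],
                "sha256": parse_hashes(p["Hashes"]).get("SHA256"),
                # ProcessGuid is the join key between Event ID 1 and Event ID 3.
                "connections": [(c["DestinationIp"], c["DestinationPort"]) for c in conns.get(guid, [])],
            })
    return findings


def extract_iocs(findings):
    """Collect the network and file indicators an analyst would record from the findings."""
    ips = sorted({ip for f in findings for ip, _ in f["connections"]})
    hashes = sorted({f["sha256"] for f in findings if f["sha256"]})
    return {"destination_ips": ips, "sha256": hashes}


if __name__ == "__main__":
    found = hunt_office_spawned_shells(EVENTS)
    for f in found:
        print(f"{f['time']} {f['user']}: {basename(f['parent'])} -> {f['command_line']}")
        for ip, port in f["connections"]:
            print(f"    outbound {ip}:{port}")
    print(extract_iocs(found))
```

Run against the constructed events the hunt reports only the PowerShell process launched by WINWORD.EXE, together with its connection to 203.0.113.45:443, while the notepad and browser activity is ignored; the same join on ProcessGuid is what lets an analyst pivot from a SIEM alert to the full packet capture in Arkime for that destination.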
A series of questions was created to assess the students and guide them through the investigation and the development
of indicators of compromise. These linear questions were loaded into CTFd, an open-source Capture The Flag platform.
Initial informal feedback from students was positive, with some students noting that this lab was their favorite
in the class. In this initial version, an incident scenario was created and carried out manually on target
infrastructure consisting of three Windows virtual machines. Once the data had been collected into the SIEM platforms,
the VMs were destroyed, so students had no way to access the machines to perform additional
investigation or hunting. The first major enhancement in the next iteration of this lab is to keep the systems
involved in the incident available for further interrogation. This access will be provided through another
open-source tool, Velociraptor, an endpoint visibility and digital forensics platform. The second major enhancement
is to automate the attacker's activities throughout the incident. This will be done for two primary reasons: first, to assist faculty
in building new labs and scenarios, and second, to give students an active scenario that is happening
right now rather than weeks, months, or even years in the past when the lab was created.
Students will have the opportunity to experience the impact and urgency of a live environment
and learn to respond efficiently as a member of an incident response team.
Thursday at 4:50 pm