
Building a Security Operations Center (SOC) for Home Training

Step-by-step guide to creating a virtualized SOC environment for learning security monitoring, incident response, and threat hunting skills

rnrran
May 28, 2025 · 22 min read

Introduction

A Security Operations Center (SOC) is the central unit that deals with security issues on an organizational and technical level. For cybersecurity professionals and enthusiasts, building a home SOC lab provides valuable hands-on experience with security monitoring, incident response, and threat hunting—skills that are in high demand in the cybersecurity industry.

This guide will walk you through creating a comprehensive virtualized SOC environment that mimics enterprise security operations but runs on home lab hardware.

Planning Your SOC Lab

Lab Architecture and Requirements

A functional SOC lab should include:

  1. Infrastructure Components:

    • Attack-detection infrastructure
    • Log collection and analysis systems
    • Security monitoring tools
    • Vulnerable systems for testing
  2. Hardware Requirements:

    • Minimum: 16GB RAM, 6-core CPU, 500GB storage
    • Recommended: 32GB+ RAM, 8+ cores, 1TB+ storage
    • Virtualization support (VT-x/AMD-V)
  3. Virtualization Platform:

    • VMware Workstation/Player
    • VirtualBox (free)
    • Proxmox VE (enterprise-grade)
    • Hyper-V (Windows)

Network Topology

Here's a recommended network topology for your home SOC:

graph TD
    Internet((Internet)) --- Router
    Router --- Switch
    
    Switch --- FW[pfSense Firewall]
    
    FW --- VLAN10{VLAN 10<br>Security Tools}
    FW --- VLAN20{VLAN 20<br>Windows Network}
    FW --- VLAN30{VLAN 30<br>Attack Systems}
    
    VLAN10 --- SIEM[Security Onion<br>SIEM/IDS]
    VLAN10 --- ELK[ELK Stack]
    VLAN10 --- WAZUH[Wazuh Server]
    
    VLAN20 --- DC[Windows Server<br>Domain Controller]
    VLAN20 --- WS1[Windows 10<br>Workstation 1]
    VLAN20 --- WS2[Windows 10<br>Workstation 2]
    
    VLAN30 --- KALI[Kali Linux]
    VLAN30 --- VULN[Vulnerable VMs]

Core Infrastructure Setup

Setting Up pfSense Firewall

The pfSense firewall serves as the network's edge, providing routing, firewalling, and VPN capabilities:

  1. Download and Install:

    • Download pfSense ISO from pfSense.org
    • Create a VM with 2 virtual NICs (WAN and LAN)
    • Assign 2GB RAM and 20GB disk space
  2. Initial Configuration:

    • WAN Interface: DHCP from your home network
    • LAN Interface: Static IP (192.168.1.1/24)
    • Enable DHCP server on LAN
  3. Create VLANs:

    • VLAN 10: 10.10.10.0/24 (Security Tools)
    • VLAN 20: 10.20.20.0/24 (Windows Network)
    • VLAN 30: 10.30.30.0/24 (Attack Systems)
  4. Configure Firewall Rules:

    • Allow VLAN 10 (Security) to monitor all traffic
    • Restrict VLAN 30 (Attack) from accessing your real network
    • Allow VLAN 20 (Windows) to access the internet
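Before typing these rules into pfSense it is worth checking that they say what you intend, because pfSense evaluates rules top to bottom, stops at the first match, and denies anything unmatched, so a broad allow placed above a deny silently kills the deny. The following Python is an added example for this guide (it is not pfSense's logic and not code from the original post): it models the three VLAN subnets above as a first-match, default-deny rule list and flags rules that an earlier rule shadows. The 192.168.1.0/24 home LAN range and the allow from VLAN 30 to the Windows VLAN are assumptions made for illustration.

```python
# Added example: first-match, default-deny model of the VLAN rules described above.
# Subnets are the guide's; the home LAN range and the "attack -> Windows" allow are assumptions.
import ipaddress

SECURITY = ipaddress.ip_network("10.10.10.0/24")   # VLAN 10, security tools
WINDOWS  = ipaddress.ip_network("10.20.20.0/24")   # VLAN 20, Windows network
ATTACK   = ipaddress.ip_network("10.30.30.0/24")   # VLAN 30, attack systems
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # pfSense LAN / home network (assumed)
ANY      = ipaddress.ip_network("0.0.0.0/0")

# (action, source networks, destination networks), evaluated top to bottom;
# the first matching rule decides and anything unmatched is denied, as in pfSense.
RULES = [
    ("allow", [SECURITY], [ANY]),                 # security VLAN may reach everything it monitors
    ("deny",  [ATTACK],   [HOME_LAN, SECURITY]),  # attack VLAN fenced off from real and management nets
    ("allow", [ATTACK],   [WINDOWS, ATTACK]),     # assumed: attack VLAN may reach the victim network
    ("allow", [WINDOWS],  [ANY]),                 # Windows VLAN gets internet (and the SIEM, for agents)
]

def evaluate(src, dst, rules=RULES):
    """Return 'allow' or 'deny' for a flow from src to dst under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in rules:
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"  # implicit default deny

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every source and destination they list (a classic ordering mistake)."""
    dead = []
    for i, (_, srcs, dsts) in enumerate(rules):
        for _, esrcs, edsts in rules[:i]:
            if (all(any(s.subnet_of(e) for e in esrcs) for s in srcs)
                    and all(any(d.subnet_of(e) for e in edsts) for d in dsts)):
                dead.append(i)
                break
    return dead

# A misordered copy: the broad allow sits above the deny, so the deny is dead.
MISORDERED = [RULES[0], ("allow", [ATTACK], [ANY]), RULES[1], RULES[3]]

if __name__ == "__main__":
    print(evaluate("10.30.30.5", "192.168.1.10"))  # deny
    print(evaluate("10.20.20.7", "8.8.8.8"))       # allow
    print(shadowed(RULES), shadowed(MISORDERED))   # [] [2]
```

Run it once with your own rule order and subnets; if `shadowed()` reports anything, or a flow from the attack VLAN to your home LAN comes back "allow", fix the ordering in pfSense before you bring the attack VMs online.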

Network Traffic Monitoring with Security Onion

Security Onion integrates multiple security tools for network monitoring, intrusion detection, and log management:

  1. Installation:

    # Download Security Onion ISO
    wget https://github.com/Security-Onion-Solutions/securityonion/releases/download/v2.3.130/securityonion-2.3.130.iso
    
    # Create VM with:
    # - 4+ CPU cores
    # - 16GB+ RAM
    # - 200GB+ disk
    # - 2 network adapters (management + monitoring)
    
  2. Configuration:

    • Follow the setup wizard
    • Select "Standalone" deployment
    • Configure management interface with static IP
    • Set monitoring interface to promiscuous mode
    • Enable "Best Practices"
  3. Install Network Tap/SPAN:

    • Connect monitoring interface to a SPAN port on your switch, or
    • Create a virtual TAP in your virtualization platform

SIEM and Log Analysis

Setting Up ELK Stack

The ELK Stack (Elasticsearch, Logstash, Kibana) provides powerful log collection, analysis, and visualization:

  1. Create Ubuntu Server VM:

    • 4 CPU cores
    • 8GB RAM
    • 100GB disk
  2. Install ELK Stack:

    # Install dependencies
    sudo apt update
    sudo apt install -y apt-transport-https wget openjdk-11-jdk
    
    # Add Elastic repository
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
    echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
    
    # Install Elasticsearch
    sudo apt update
    sudo apt install elasticsearch
    
    # Configure Elasticsearch
    sudo nano /etc/elasticsearch/elasticsearch.yml
    # Set network.host: "localhost"
    # Set cluster.name: "soc-lab"
    
    # Start Elasticsearch
    sudo systemctl enable elasticsearch
    sudo systemctl start elasticsearch
    
    # Install Kibana
    sudo apt install kibana
    sudo systemctl enable kibana
    sudo systemctl start kibana
    
    # Install Logstash
    sudo apt install logstash
    
  3. Configure Filebeat for Log Collection:

    sudo apt install filebeat
    sudo nano /etc/filebeat/filebeat.yml
    # Configure inputs (filebeat.inputs: - type: log, paths: /var/log/*.log)
    # and the output (output.elasticsearch.hosts: ["localhost:9200"])
    sudo filebeat modules enable system
    sudo systemctl enable --now filebeat
    

Wazuh for Endpoint Monitoring

Wazuh provides endpoint security monitoring, detection, and response capabilities:

  1. Installation:

    # Download and run the all-in-one installer
    # (-a puts the indexer, server and dashboard on this one host)
    curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh
    sudo bash wazuh-install.sh -a
    
  2. Configure Wazuh Agents:

    • Install agents on Windows and Linux systems
    • Add systems to appropriate groups
    • Enable active response for automated remediation
  3. Create Custom Rules:

    <group name="windows,authentication,">
      <rule id="100100" level="10">
        <if_group>win_authentication_failed</if_group>
        <field name="win.eventdata.targetUserName">^Administrator|admin|root</field>
        <description>Windows: Failed authentication attempt against privileged account</description>
      </rule>
    </group>
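Test a custom rule against sample events before trusting it. The Python below is an added example written for this guide (it is not Wazuh code and does not reproduce Wazuh's regex engine): it replays the logic of rule 100100 over a few constructed, Wazuh-shaped Windows events and shows why the pattern matters. Under ordinary regex semantics, as in Python's `re`, `^Administrator|admin|root` anchors only the first alternative, so `admin` and `root` match anywhere in the name ("sysadmin", "chroot-svc"); `^(Administrator|admin|root)$` anchors all three. Check which semantics your Wazuh version applies to `<field>` by feeding it a test event. The `if_group` condition is stood in for by an event ID 4625 check, which assumes Wazuh's stock Windows rules put 4625 in `win_authentication_failed`.

```python
# Added example: replays the matching logic of Wazuh rule 100100 over sample events.
# Event layout follows Wazuh's decoded Windows JSON; all values are constructed.
import re

EVENTS = [
    {"win": {"system": {"eventID": "4625"}, "eventdata": {"targetUserName": "Administrator"}}},
    {"win": {"system": {"eventID": "4625"}, "eventdata": {"targetUserName": "sysadmin"}}},
    {"win": {"system": {"eventID": "4625"}, "eventdata": {"targetUserName": "chroot-svc"}}},
    {"win": {"system": {"eventID": "4625"}, "eventdata": {"targetUserName": "jdoe"}}},
    {"win": {"system": {"eventID": "4624"}, "eventdata": {"targetUserName": "Administrator"}}},
]

LOOSE = r"^Administrator|admin|root"       # pattern exactly as written in the rule
STRICT = r"^(Administrator|admin|root)$"   # anchors apply to every alternative

def failed_logon(event):
    # Stand-in for <if_group>win_authentication_failed</if_group>; assumes the
    # stock Windows ruleset assigns that group to event ID 4625 (logon failure).
    return event["win"]["system"]["eventID"] == "4625"

def privileged_failures(events, pattern):
    """Target user names that would fire the rule under `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for e in events:
        if not failed_logon(e):
            continue
        user = e["win"]["eventdata"]["targetUserName"]
        if rx.search(user):
            hits.append(user)
    return hits

if __name__ == "__main__":
    print(privileged_failures(EVENTS, LOOSE))   # ['Administrator', 'sysadmin', 'chroot-svc']
    print(privileged_failures(EVENTS, STRICT))  # ['Administrator']
```

The loose pattern alerts on every service account with "root" or "admin" somewhere in its name, which is exactly the kind of noise that gets a level-10 rule tuned out. Decide deliberately whether you want substring or whole-name matching, and write the pattern so the engine cannot read it any other way.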
    

Windows Environment for Monitoring

Domain Controller Setup

  1. Create Windows Server VM:

    • Windows Server 2019/2022
    • 2+ CPU cores
    • 4GB+ RAM
    • 80GB disk
  2. Install Domain Services:

    • Install Active Directory Domain Services role
    • Promote to domain controller
    • Create new forest (e.g., soc-lab.local)
  3. Configure Domain Policy:

    • Enable enhanced auditing
    • Set up Windows Event Forwarding
    • Configure Group Policy for security settings

Windows Workstations

  1. Create Windows 10/11 VMs:

    • Join to domain
    • Install standard software (Office, browsers, etc.)
    • Create realistic user accounts and data
  2. Enable Logging:

    # Enhanced logging for Windows workstations (run from an elevated prompt)
    # wevtutil takes a channel name, not a provider name: enable the PowerShell Operational log
    wevtutil sl Microsoft-Windows-PowerShell/Operational /e:true
    # Turn on the audit subcategories that feed the Security log
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    
    # Enable PowerShell script block logging (the policy key is under HKLM\SOFTWARE\Policies, not Wow6432Node)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
    
  3. Install Monitoring Agents:

    • Wazuh agent
    • Sysmon (Microsoft Sysinternals)

Adversary Emulation Systems

Kali Linux Setup

  1. Create Kali Linux VM:

    • 2+ CPU cores
    • 4GB+ RAM
    • 80GB disk
  2. Install Additional Tools:

    sudo apt update
    sudo apt install -y metasploit-framework bloodhound responder powershell-empire
    
  3. Configure Network Settings:

    • Place in isolated attack network (VLAN 30)
    • Configure SSH for remote access

Vulnerable Systems

  1. Metasploitable:

    • Download from SourceForge
    • Import VM into your hypervisor
  2. DVWA (Damn Vulnerable Web Application):

    # On Ubuntu server
    docker run --rm -it -p 80:80 vulnerables/web-dvwa
    
  3. Vulnerable Windows VM:

    • Windows 7 (unpatched)
    • Disable Windows Defender
    • Install outdated software

Detection Engineering and Alerts

Creating Detection Rules

  1. Sigma Rules for Common Attacks:

    • Create a repository of Sigma rules
    • Convert to platform-specific formats

    title: PowerShell Encoded Command
    description: Detects encoded PowerShell commands
    status: experimental
    author: SOC Lab
    logsource:
      product: windows
      service: powershell
    detection:
      selection:
        EventID: 4104
        ScriptBlockText: '*-enc*'
      condition: selection
    falsepositives:
      - Legitimate administrative activities
    level: medium
    
  2. YARA Rules for Malware Detection:

    rule Suspicious_PowerShell_Downloader {
        meta:
            description = "Detects suspicious PowerShell downloader script"
            author = "SOC Lab"
        strings:
            $download_1 = "Net.WebClient" nocase
            $download_2 = "DownloadString" nocase
            $download_3 = "DownloadFile" nocase
            $exec_1 = "Invoke-Expression" nocase
            $exec_2 = "IEX" nocase
        condition:
            (any of ($download*)) and (any of ($exec*))
    }
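A Sigma rule is only a search expressed in YAML, so you can dry-run its logic over a handful of events before converting it. The Python below is an added example for this guide (not code from the original post and not pySigma or sigma-cli, which is what you would use for real conversions): it implements just enough of Sigma's matching semantics, case-insensitive strings with `*` wildcards, AND-ed fields within a selection, OR-ed value lists, and `condition: selection`, to evaluate the encoded-command rule above against constructed 4104 events. It also shows the rule's main false positive: `*-enc*` matches `-Encoding`, which appears in plenty of benign scripts, and a tightened selection that avoids it.

```python
# Added example: a minimal evaluator for the Sigma rule above over constructed
# PowerShell 4104 events. Only 'condition: selection' with AND-ed fields and
# case-insensitive '*' wildcards is implemented.
import fnmatch

RULE = {
    "title": "PowerShell Encoded Command",
    "logsource": {"product": "windows", "service": "powershell"},
    "detection": {
        "selection": {"EventID": 4104, "ScriptBlockText": "*-enc*"},
        "condition": "selection",
    },
}

# Same rule with the parameter required to be followed by a space, so '-Encoding'
# no longer matches; checking that a base64 blob follows is left to the analyst.
TIGHTER_RULE = {
    **RULE,
    "detection": {
        "selection": {"EventID": 4104, "ScriptBlockText": ["*-enc *", "*-encodedcommand *"]},
        "condition": "selection",
    },
}

# Constructed sample events; the script text is made up for the example.
EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3..."},
    {"EventID": 4104, "ScriptBlockText": "Set-Content -Path out.txt -Encoding UTF8 -Value $report"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4103, "ScriptBlockText": "pwsh -EncodedCommand ZQBjAGgAbwA="},
]

def value_matches(value, expected):
    """Sigma string semantics: case-insensitive, '*' is a wildcard; non-strings compare exactly."""
    if isinstance(expected, str):
        return fnmatch.fnmatchcase(str(value).lower(), expected.lower())
    return value == expected

def selection_matches(event, selection):
    """All fields in a selection are AND-ed; a list of values for one field is OR-ed."""
    for field, expected in selection.items():
        if field not in event:
            return False
        options = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event[field], o) for o in options):
            return False
    return True

def run_rule(rule, events):
    """Return the events the rule would alert on."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise NotImplementedError("only 'condition: selection' is supported here")
    return [e for e in events if selection_matches(e, det["selection"])]

if __name__ == "__main__":
    for r in (RULE, TIGHTER_RULE):
        print(r["title"], [e["ScriptBlockText"][:40] for e in run_rule(r, EVENTS)])
```

With the page's selection, both the encoded launcher and the harmless `Set-Content -Encoding` line alert; with the tightened one only the launcher does, and the 4103 event is correctly ignored because the selection requires event ID 4104. Keep a small corpus of benign and malicious script blocks like this next to every rule you write and re-run it whenever you change the rule.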
    

Setting Up Alerts

  1. Email Notifications:

    • Configure SMTP settings in Security Onion
    • Set up alert thresholds
  2. Slack/Teams Integration:

    #!/bin/bash
    # Example webhook script for Slack: ./slack-alert.sh "alert text"
    
    SLACK_WEBHOOK="https://hooks.slack.com/services/YOUR_WEBHOOK_URL"
    
    # Build the JSON with python3 so quotes and newlines in the message are escaped
    PAYLOAD=$(python3 -c 'import json, sys; print(json.dumps({"text": sys.argv[1]}))' "$1")
    
    curl -sS -X POST \
      -H 'Content-type: application/json' \
      --data "$PAYLOAD" \
      "$SLACK_WEBHOOK"
    

SOC Operations and Procedures

Creating SOC Playbooks

Document standard operating procedures for common alert types:

  1. Malware Detection Playbook:

    • Initial assessment
    • Containment steps
    • Analysis process
    • Remediation actions
    • Post-incident follow-up
  2. Account Compromise Playbook:

    • Validation of alert
    • User account lockdown
    • Password reset procedure
    • Scope of compromise assessment
    • Recovery process

Threat Intelligence Integration

  1. MISP (Malware Information Sharing Platform):

    # Install MISP on Ubuntu Server
    git clone https://github.com/MISP/MISP.git
    cd MISP
    ./INSTALL/INSTALL.sh
    
  2. OpenCTI:

    • Deploy using Docker Compose
    • Connect to MISP for automatic synchronization
    • Enrich alerts with threat intel

Running SOC Exercises

Red Team Exercises

  1. Basic Attack Scenarios:

    • Credential harvesting with Responder
    • Remote code execution with Metasploit
    • Web application attacks against DVWA
  2. Advanced Persistent Threat Simulation:

    # Using Atomic Red Team (run in PowerShell on the attack system).
    # Invoke-AtomicTest comes from the Invoke-AtomicRedTeam module; the tests
    # themselves live in the cloned repository's "atomics" folder.
    git clone https://github.com/redcanaryco/atomic-red-team.git
    Install-Module -Name invoke-atomicredteam -Scope CurrentUser
    Import-Module invoke-atomicredteam
    
    # Execute a test
    Invoke-AtomicTest T1003.001 -GetPrereqs -PathToAtomicsFolder .\atomic-red-team\atomics
    Invoke-AtomicTest T1003.001 -PathToAtomicsFolder .\atomic-red-team\atomics
    

Creating Incident Response Reports

After each exercise, document the incident:

  1. Executive Summary:

    • Attack overview
    • Impact assessment
    • Response effectiveness
  2. Technical Analysis:

    • Attack timeline
    • Techniques used (MITRE ATT&CK mapping)
    • Detection gaps identified
    • Evidence collected
  3. Remediation Actions:

    • Immediate containment performed
    • Permanent fixes implemented
    • Detection improvements

Advanced SOC Lab Enhancements

Threat Hunting Capabilities

  1. Hunting Tools:

    • Install OSQuery across endpoints
    • Deploy Velociraptor for digital forensics
    • Set up Jupyter notebooks for data analysis
  2. Data Visualization:

    • Create custom Kibana dashboards for threat hunting
    • Implement Timeline visualization for incident reconstruction
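One of the first hunts worth running in a Jupyter notebook against Sysmon event ID 1 data exported from the SIEM is frequency stacking: count every parent/child process pair across the fleet and read the list from the bottom, because what runs everywhere is usually benign and what runs once on one host deserves a look. The Python below is an added example for this guide (not code from the original post or from any of the tools named above); the process events are constructed, and in practice you would load them from Kibana or Wazuh rather than a literal.

```python
# Added example: frequency stacking of parent/child process pairs from
# Sysmon-style process-creation events. All events below are constructed.
from collections import Counter, defaultdict

EVENTS = [
    {"host": "WS1", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "WS2", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "WS1", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "WS1", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "WS2", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "DC",  "parent": "services.exe", "image": "svchost.exe"},
    {"host": "DC",  "parent": "services.exe", "image": "svchost.exe"},
    {"host": "WS2", "parent": "explorer.exe", "image": "OUTLOOK.EXE"},
    {"host": "WS1", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "WS2", "parent": "WINWORD.EXE",  "image": "powershell.exe"},
]

def stack(events, keys=("parent", "image")):
    """Count occurrences of each combination of the chosen fields (case-folded)."""
    return Counter(tuple(e[k].lower() for k in keys) for e in events)

def host_spread(events, keys=("parent", "image")):
    """Number of distinct hosts each combination was seen on."""
    hosts = defaultdict(set)
    for e in events:
        hosts[tuple(e[k].lower() for k in keys)].add(e["host"])
    return {k: len(v) for k, v in hosts.items()}

def rare(events, keys=("parent", "image"), max_count=1, max_hosts=1):
    """Combinations seen at most max_count times and on at most max_hosts hosts,
    least frequent first, so the analyst starts at the bottom of the stack."""
    counts, spread = stack(events, keys), host_spread(events, keys)
    hits = [(k, n, spread[k]) for k, n in counts.items()
            if n <= max_count and spread[k] <= max_hosts]
    return sorted(hits, key=lambda t: (t[1], t[2], t[0]))

if __name__ == "__main__":
    for pair, count, hosts in rare(EVENTS, max_count=2, max_hosts=2):
        print(f"{count:>3} on {hosts} host(s): {pair[0]} -> {pair[1]}")
```

On this sample the only singleton is an Office application spawning PowerShell, seen once on one workstation, which is the pair you would pivot on in the timeline view. Stacking also works on other field combinations (image and command-line, user and logon type, host and listening port); keep `keys` configurable and resist adding a hard-coded "bad parent" list, since the point of the hunt is to find what you did not already know to look for.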

Automated Response

  1. SOAR Implementation:

    • TheHive for case management
    • Cortex for automated response
    • Custom playbooks for common scenarios
  2. Automation Scripts:

    # Example Python script to isolate an infected endpoint through a firewall/NAC API
    import os
    import requests
    
    API_URL = "https://firewall-api/isolate"             # placeholder URL for your firewall/NAC API
    API_TOKEN = os.environ.get("ISOLATE_API_TOKEN", "")  # credential comes from the environment, not the script
    
    def isolate_endpoint(hostname, reason="Malware detected"):
        # API call to firewall/NAC to isolate endpoint
        response = requests.post(
            API_URL,
            json={"hostname": hostname, "reason": reason},
            headers={"Authorization": f"Bearer {API_TOKEN}"},
            timeout=10,  # never let a playbook hang on an unresponsive API
        )
        return response.status_code == 200
    

Conclusion

Building a home SOC lab provides invaluable hands-on experience with security monitoring, detection, and response. By following this guide, you'll create a functional SOC environment that simulates real-world security operations, allowing you to develop and practice critical cybersecurity skills.

Remember that your SOC lab is also an excellent platform for preparing for certifications like CompTIA Security+, CySA+, SANS GCIA, and SANS GCIH.

Additional Resources