This lab provides a hands-on opportunity to learn security automation and orchestration concepts through a simulated scenario. It's like a flight simulator for security operations - it creates a controlled environment where learners can practice skills safely. You'll deploy a security monitoring and response system to detect and counter attacks from the notorious "Dark Kittens" hacking group.
Globomantics runs an artificial island in the Gulf of Mexico that has been repeatedly targeted by the notorious hacking group Dark Kittens. As a SOC analyst and security engineer at Globomantics, you've been tasked with implementing automated security monitoring and response capabilities to detect and thwart these attacks.
Intelligence reports suggest the Dark Kittens use specific patterns in their attacks, including port scanning, brute force login attempts, unusual file access patterns, and data exfiltration techniques. Your job is to set up a system that automatically detects these patterns and responds appropriately.
This lab simulates the Globomantics security operations center (SOC) using:
- Python-based monitoring system
- Bash-based automated response scripts
- Simulated log files and attack patterns
- Reporting capabilities
This interactive lab provides valuable hands-on experience with security concepts. It allows learners to understand the principles of security monitoring and automation.
The lab environment consists of:
- A simulated attacker (Dark Kittens), represented by the `simulate_attack.py` script
- A security monitoring system, implemented in `monitor.py`
- An automated response system, implemented in `response.sh`
- Log files and configuration data
Prerequisites:
- Ubuntu, Kali Linux or any Unix-based system (or a Windows machine configured with Windows Subsystem for Linux (WSL))
- Python 3.6 or higher
- Bash shell
- Basic packages: `pip3`, `tabulate`, `colorama`, `json5`
Setup:
- Clone this repository:
  ```bash
  git clone https://github.com/AngelSayani/Security-Automation-and-Orchestration-Lab.git
  cd Security-Automation-and-Orchestration-Lab
  ```
- Run the setup script to create the lab environment:
  ```bash
  bash setup.sh
  ```
  The setup will create the necessary directories, deploy the monitoring scripts, and prepare the test environment.
Lab tasks:
- Examine the `config.json` file.
- YOUR TASK: Modify the `alert_threshold` value in `config.json` from 6 to 5 to increase detection sensitivity.
- Start the monitoring system:
  ```bash
  bash check_status.sh
  ```
  When prompted, choose "y" to start monitoring.
- Examine the `threat_intel.json` file.
- YOUR TASK: Add a new indicator to the `ip_ranges` array in `threat_intel.json`: `"98.76.54.0/24"`
- List three TTPs (Tactics, Techniques, and Procedures) used by Dark Kittens in your notes.
- Open a new terminal window (keep the monitoring system running)
- Run the attack simulation:
  ```bash
  python3 simulate_attack.py
  ```
- YOUR TASK: Choose option #2 (Brute Force Login) for your first test
- Observe the monitoring system's response in real time in the first terminal.
- Check whether the automated response script (`response.sh`) successfully mitigated the threat.
- Verify the contents of `./security_ops/alerts/blocked_ips.txt` to see the automated response:
  ```bash
  cat ./security_ops/alerts/blocked_ips.txt
  ```
- Observe detection and response in the monitoring terminal: you should see real-time alerts as the monitoring system detects the simulated attack.
- Generate a security report:
  ```bash
  python3 generate_report.py
  ```
- YOUR TASK: Open the report file in the `./security_ops/reports/` directory:
  ```bash
  ls -la ./security_ops/reports/
  cat ./security_ops/reports/security_report_*.txt
  ```
- Answer these questions in your notes:
  - How many alerts were detected?
  - What was the highest severity alert?
  - What automatic response actions were taken?
- YOUR TASK: Edit the `threat_intel.json` file to modify the "Data Exfiltration" pattern:
  ```bash
  nano threat_intel.json
  ```
- Change the severity of the "Data Exfiltration" pattern from 9 to 10
- Run another attack simulation, this time choosing option #3 (Data Exfiltration)
- Generate a new report and observe how your change affected the results.
- Review the findings.
- Identify any gaps in detection or response.
- Modify the `monitor.py` script to improve detection capabilities.
- Update the `response.sh` script to implement more effective countermeasures.
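To make the detection mechanics behind these tasks concrete, here is a small threshold-based detector written for this README as an added example; it is not the lab's own `monitor.py` or `response.sh`. Only the key names `alert_threshold` and `ip_ranges`, the `98.76.54.0/24` indicator and the pattern severities come from the instructions above; the log line format, the `patterns` list layout, the `block_severity` key and the +2 severity bump for sources already in threat intel are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed config: the README's task lowers alert_threshold from 6 to 5.
# block_severity is this example's own knob, not a key from the lab's config.json.
CONFIG = {"alert_threshold": 5, "block_severity": 7}

# Constructed threat intel. ip_ranges is the README's key and the second CIDR is
# the indicator the lab asks you to add; the patterns list and its shape are assumed.
THREAT_INTEL = {
    "ip_ranges": ["203.0.113.0/24", "98.76.54.0/24"],
    "patterns": [
        {"name": "Brute Force Login", "severity": 7},
        {"name": "Data Exfiltration", "severity": 10},
    ],
}

# Constructed log lines. The "<ts> <EVENT> src=<ip> ..." layout is an assumption
# of this example, not the format the lab's simulate_attack.py produces.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} AUTH_FAIL src=203.0.113.7 user=admin" for i in range(6)]
    + [f"2024-01-01T10:01:{i:02d} AUTH_FAIL src=198.51.100.5 user=bob" for i in range(3)]
    + [f"2024-01-01T10:02:{i:02d} AUTH_FAIL src=192.0.2.9 user=root" for i in range(5)]
    + ["2024-01-01T10:03:00 EXFIL src=203.0.113.7 bytes=52428800"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) src=(?P<ip>[0-9.]+)")


def parse_line(line):
    """Return {'ts', 'event', 'ip'} for a well-formed line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def in_threat_intel(ip, ranges):
    """True if ip falls inside any CIDR listed under ip_ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def severity_of(pattern_name, intel):
    """Look up a pattern's severity; unknown patterns default to 5."""
    for p in intel["patterns"]:
        if p["name"] == pattern_name:
            return p["severity"]
    return 5


def detect(log_text, config=CONFIG, intel=THREAT_INTEL):
    """Return (alerts, blocked_ips).

    Brute force: a source reaching alert_threshold failed logins raises an alert;
    a source already listed in ip_ranges gets +2 severity (capped at 10).
    Exfiltration: every EXFIL event is an alert at the pattern's severity.
    Any alert at or above block_severity puts its source on the block list.
    """
    fails = Counter()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines instead of crashing the monitor
        if ev["event"] == "AUTH_FAIL":
            fails[ev["ip"]] += 1
        elif ev["event"] == "EXFIL":
            alerts.append({"pattern": "Data Exfiltration", "src": ev["ip"],
                           "severity": severity_of("Data Exfiltration", intel)})
    for ip, count in fails.items():
        if count >= config["alert_threshold"]:
            sev = severity_of("Brute Force Login", intel)
            if in_threat_intel(ip, intel["ip_ranges"]):
                sev = min(10, sev + 2)
            alerts.append({"pattern": "Brute Force Login", "src": ip,
                           "severity": sev, "count": count})
    blocked = sorted({a["src"] for a in alerts if a["severity"] >= config["block_severity"]})
    return alerts, blocked


def summarize(alerts, blocked):
    """The three figures the lab's report questions ask for."""
    return {
        "alert_count": len(alerts),
        "highest_severity": max((a["severity"] for a in alerts), default=0),
        "blocked_ips": blocked,
    }


if __name__ == "__main__":
    found, to_block = detect(SAMPLE_LOG)
    for a in found:
        print(f"[sev {a['severity']:>2}] {a['pattern']:<20} src={a['src']}")
    print("blocked_ips.txt would contain:", ", ".join(to_block))
    print(summarize(found, to_block))
```

Re-running `detect` with `alert_threshold` set back to 6 drops the alert for the source that failed exactly five logins, which is the sensitivity change the `config.json` task is asking you to observe; raising the "Data Exfiltration" severity works the same way through the `patterns` list.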
Files in this repository:
- `README.md` - Main instructions and scenario
- `setup.sh` - Main setup script for the environment
- `monitor.py` - Python script for monitoring suspicious activities
- `response.sh` - Bash script to automatically respond to detected threats
- `simulate_attack.py` - Script to simulate Dark Kittens attacks
- `threat_intel.json` - Data file containing known Dark Kittens attack signatures
- `cleanup.sh` - Script to reset the lab environment
- `check_status.sh` - Script to check the security monitoring status
- `config.json` - Configuration file for monitoring parameters
- `generate_report.py` - Script to generate security reports
You've successfully completed this lab when:
- The monitoring system correctly identifies all simulated attack patterns
- The automated response system effectively contains the threats
- The security report accurately reflects all detected activities
To reset the lab environment to its initial state:
```bash
bash cleanup.sh
```
Learning objectives:
- Understand security monitoring and automation concepts
- Learn to detect common attack patterns in logs
- Practice implementing automated security responses
- Experience the full security operations workflow
- Analyze security reports and metrics
Notes:
- All Python scripts should be executed with `python3` explicitly (not just `python`, which might point to Python 2.x on some systems).
- The Bash scripts need to be executed with `bash` (e.g., `bash setup.sh`), not with `sh`, which might use a different shell interpreter.
- All files must be in the same directory for the relative paths to work correctly.
- Make sure all scripts have executable permissions:
  ```bash
  chmod +x *.sh *.py
  ```