Full Report
Niccolo Arboleda, Guest Author. Niccolo Arboleda is a cybersecurity enthusiast and student at the University of Toronto. He is usually found in his home lab studying different cybersecurity […] The post "At Home Detection Engineering Lab for Beginners" appeared first on Black Hills Information Security, Inc.
Analysis Summary
This summary extracts the actionable steps for setting up a Simulation/Detection Lab using a SIEM (Wazuh) and attack simulation tools (Invoke-Atomic Red Team, MITRE ATT&CK).
# Best Practices: Building a Detection Engineering Lab using SIEM and Attack Simulation
## Overview
These practices focus on establishing a functional Security Information and Event Management (SIEM) environment (using Wazuh) combined with an endpoint running attack simulation frameworks (Invoke-Atomic Red Team) mapped to the MITRE ATT&CK knowledge base. The goal is to proactively understand adversary techniques, test existing detection capabilities, and identify security gaps.
## Key Recommendations
### Immediate Actions (Setup Phase)
1. **Select Hypervisor:** Install a free, accessible hypervisor such as VMware Workstation or VirtualBox on your host machine.
2. **Deploy Manager Server (Wazuh):** Import the pre-configured Wazuh OVA image (based on Amazon Linux 2) into the selected hypervisor.
3. **Configure VM Display:** Before first boot, adjust the VirtualBox settings for the Wazuh manager VM display to **VMSVGA** to prevent crashes.
4. **Obtain Manager IP:** Determine the IP address of the running Wazuh manager (an Amazon Linux 2 VM, so use `ip addr` rather than the Windows `ipconfig`) and record it for the subsequent agent configuration.
5. **Deploy Endpoint OS:** Import a Windows Developer Environment/Evaluation virtual machine image into the hypervisor. (No license required for initial functionality testing).
### Short-term Improvements (Agent & Simulation Setup - 1-3 months)
1. **Install & Configure Agent:** Install the Wazuh Agent on the Windows endpoint VM. Configure the agent to communicate with the Wazuh manager using the manager's recorded IP address.
2. **Verify Connectivity:** Access the Wazuh dashboard via a web browser (using `https://[Manager IP]`) from the host machine and confirm the endpoint agent is successfully registered under "agents."
3. **Install Attack Framework:** On the Windows endpoint, install necessary tools by first executing an Administrator PowerShell command to bypass execution policies, allowing installation of Invoke-Atomic Red Team and its required dependencies.
### Long-term Strategy (3+ months)
1. **Execute & Validate Detections:** Run attack simulations using Invoke-Atomic tests referencing specific MITRE ATT&CK techniques against the endpoint.
2. **Audit SIEM Alerts:** Review the Wazuh dashboard for the alerts each simulation should have produced (e.g., file or registry integrity monitoring alerts such as Wazuh rule 750 or 594).
3. **Detection Engineering:** Analyze instances where attacks did *not* generate alerts to formally identify detection gaps. Use successful alerts and non-alerts to tune existing detection rules or engineer new custom detections within the SIEM.
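The alert-audit and gap-identification steps above, as an added example that is not part of the original post: the script reads Wazuh `alerts.json` lines and reports, for each executed atomic test, which expected rule IDs fired from the endpoint agent within a time window and which did not (the detection gaps). The sample alerts, test labels, agent name and the 120-second window are constructed assumptions; rule IDs 750 and 594 are the ones this summary cites.

```python
import json
from datetime import datetime, timedelta

WAZUH_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Wazuh alert timestamp, e.g. 2024-05-01T14:02:11.000+0000

# Constructed sample of Wazuh alerts.json (one JSON object per line); not real alerts.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T14:02:11.000+0000","rule":{"id":"750","level":5,"description":"Registry Value Integrity Checksum Changed"},"agent":{"id":"001","name":"win-endpoint"}}
{"timestamp":"2024-05-01T14:02:12.000+0000","rule":{"id":"594","level":5,"description":"Registry Key Integrity Changed"},"agent":{"id":"001","name":"win-endpoint"}}
{"timestamp":"2024-05-01T14:10:40.000+0000","rule":{"id":"594","level":5,"description":"Registry Key Integrity Changed"},"agent":{"id":"002","name":"other-host"}}
"""

# Constructed run log of atomic tests: (label, UTC start time, Wazuh rule IDs expected to fire).
EXECUTED_TESTS = [
    ("registry value modification", "2024-05-01T14:02:00.000+0000", {"750", "594"}),
    ("registry key creation",       "2024-05-01T14:10:00.000+0000", {"594"}),
]

def parse_alerts(text):
    """Parse newline-delimited alerts.json; a malformed line is skipped, not fatal."""
    alerts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def audit_detections(tests, alerts, agent_name, window_seconds=120):
    """Split each test's expected rule IDs into fired (on agent_name, inside the window) and missing."""
    results = {}
    for label, start, expected in tests:
        t0 = datetime.strptime(start, WAZUH_TS)
        t1 = t0 + timedelta(seconds=window_seconds)
        fired = set()
        for a in alerts:
            if a.get("agent", {}).get("name") != agent_name:
                continue  # an alert from another host is not coverage for this endpoint
            ts = datetime.strptime(a["timestamp"], WAZUH_TS)
            if t0 <= ts <= t1 and a["rule"]["id"] in expected:
                fired.add(a["rule"]["id"])
        results[label] = {"fired": fired, "missing": expected - fired}
    return results

def detection_gaps(results):
    """Labels of tests where at least one expected rule never fired."""
    return sorted(label for label, r in results.items() if r["missing"])

if __name__ == "__main__":
    res = audit_detections(EXECUTED_TESTS, parse_alerts(SAMPLE_ALERTS), "win-endpoint")
    print("detection gaps:", detection_gaps(res))  # → ['registry key creation']
```

Point `parse_alerts` at the manager's `/var/ossec/logs/alerts/alerts.json` and fill `EXECUTED_TESTS` from your own run notes to produce the gap list for a real lab session.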
## Implementation Guidance
### For Small Organizations
* Utilize the provided OVA image for Wazuh to minimize initial setup complexity and infrastructure requirements.
* Focus initial testing on low-impact, high-visibility attack simulations derived from the MITRE ATT&CK framework (e.g., basic file modifications, process execution).
* Use the documentation resources extensively, as dedicated resources for troubleshooting may be limited.
### For Medium Organizations
* Document the specific configuration parameters used when connecting the agent to the manager for standardization.
* Begin mapping the executed Atomic tests back to established internal compliance requirements or known threat intelligence profiles.
* If running multiple endpoints, use the manager's capabilities to group and manage agents effectively.
### For Large Enterprises
* Establish formal change management procedures before bypassing PowerShell execution policies for tool installation.
* Integrate the results of these simulations into formal security testing cycles (e.g., Purple Teaming exercises).
* Leverage the Wazuh documentation to explore advanced deployment alternatives or scale the manager server beyond simple virtual machine deployment if required for production monitoring.
## Configuration Examples
| Component | Configuration Action | Command/Setting |
| :--- | :--- | :--- |
| **Wazuh Manager VM (VirtualBox)** | Set required display adapter type. | Settings -> Display -> **VMSVGA** |
| **Endpoint PowerShell Execution** | Disable local execution policy temporarily for module installation. | Run Administrator PowerShell command to replace the Authorization Manager. |
| **Invoke-Atomic Installation** | Install the required PowerShell module and the atomics folder. | `IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics` (Red Canary's documented install command; the source post describes the step in prose) |
| **Wazuh Agent Configuration** | Configure the agent post-installation. | Input the **IP Address of the Manager Server** when prompted. |
## Compliance Alignment
* **MITRE ATT&CK Framework:** Used as the primary knowledge base for structuring the types of adversary techniques simulated and tested against detection rules.
* **Detection Rule Analysis:** References to specific Wazuh rules (750: Registry Value Integrity Checksum Changed, 594: Registry Key Integrity Changed) indicate validation against host monitoring standards.
## Common Pitfalls to Avoid
1. **Ignoring Display Settings:** Failing to set the hypervisor display adapter (VMSVGA) for the Wazuh manager VM, which can lead to immediate crashes upon startup.
2. **Host Machine Testing:** Installing the Wazuh Agent or Invoke-Atomic on the host machine instead of the dedicated endpoint VM, which contaminates the testing environment.
3. **Lack of Alert Interpretation:** Assuming a lack of alerts means the system is perfectly tuned; unrecognized events must be investigated as potential detection gaps.
## Resources
* **Hypervisor:** VirtualBox (link in documentation)
* **SIEM/Manager:** Wazuh Documentation (Specifically Virtual Machine OVA deployment)
* **Endpoint OS:** Windows Developer Environment Download Page
* **Attack Framework:** MITRE ATT&CK (link in documentation)
* **Simulation Tool:** Invoke-Atomic Red Team (hosted on Red Canary GitHub)