🛡️ Cyber Defense Lab - Live SOC Operations

Professional Security Operations Center demonstrating 8 core cybersecurity responsibilities through hands-on implementation of enterprise-grade security tools and workflows

Responsibilities Covered: 8/8 (Complete)
IOCs Collected: 52,460 (Live Feed)
Detection Rules: 3 (MITRE ATT&CK)
K8s Deployments: 4 (Active)

🏗️ Infrastructure Status - Deployment Evidence

🎯 Kubernetes Cluster
Container Orchestration Platform
Status: ACTIVE (RUNNING: Docker Desktop)
📋 Verification Command:
  kubectl get nodes
✅ Expected Output:
  NAME             STATUS   ROLES           AGE   VERSION
  docker-desktop   Ready    control-plane   1d    v1.28.x
🔧 Troubleshooting:
  • Ensure Docker Desktop Kubernetes is enabled
  • Settings → Kubernetes → Enable Kubernetes
🚀 Deployment Command:
  kubectl apply -f kubernetes/namespace.yaml
  kubectl get namespaces | grep security-lab
🔍 Elastic Stack (SIEM)
Security Information & Event Management
Status: OPERATIONAL (RUNNING: Elasticsearch, Kibana)
📋 Verification Commands:
  kubectl get pods -n security-lab | grep elastic
  kubectl get pods -n security-lab | grep kibana
🔧 Components Deployed:
  • Elasticsearch: Data storage & search engine
  • Kibana: Visualization & management interface
  • Elastic Agent: EDR monitoring
🌐 Access Kibana:
  kubectl port-forward service/kibana 5601:5601 -n security-lab
  # Open browser: http://localhost:5601
🚀 Deployment:
  kubectl apply -f kubernetes/elastic-stack/elasticsearch.yaml
  kubectl apply -f kubernetes/elastic-stack/kibana.yaml
💻 EDR Monitoring
Endpoint Detection & Response
Status: ACTIVE (RUNNING: Elastic Agent)
📋 Verification:
  kubectl get daemonset -n security-lab
  kubectl get pods -n security-lab | grep elastic-agent
🎯 Purpose:
  • Real-time endpoint security monitoring
  • System and application log collection
  • Security event detection and alerting
📊 Agent Status:
  # Check agent health in Kibana
  Fleet → Agents → View agent status
🚀 Deployment:
  kubectl apply -f kubernetes/elastic-stack/elastic-agent.yaml

🔐 Security Operations - Implementation Evidence

⚡ Detection Rules
Threat Detection Logic (MITRE ATT&CK Mapped)
Status: 3 RULES (MITRE mapped: TA0002, T1110, T1041)
📁 Location: detection-rules/ directory
📋 Rules Created:
  1️⃣ Suspicious Process Execution
     • File: suspicious-process-execution.json
     • MITRE: TA0002 (Execution)
     • Detects: Malicious process activity
  2️⃣ Brute Force Detection
     • File: brute-force-detection.json
     • MITRE: T1110 (Credential Access)
     • Detects: Multiple failed login attempts
  3️⃣ Data Exfiltration Detection
     • File: data-exfiltration-detection.json
     • MITRE: T1041 (Exfiltration)
     • Detects: Unusual outbound data transfers
💾 Format: Elastic Detection Rule JSON (EQL/KQL queries)
📥 Import to Kibana: Security → Rules → Import → Select JSON files
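An added example, not the lab's brute-force-detection.json (which is an Elastic rule in JSON): the threshold logic a T1110 rule expresses, re-implemented in Python over constructed sample events so the alerting behaviour can be traced step by step. Field names (event.outcome, source.ip, user.name) are ECS-style by assumption.

```python
# Added example (not the lab's brute-force-detection.json): the threshold logic a
# T1110 rule expresses in Elastic, re-implemented over constructed sample events.
# Field names (event.outcome, source.ip, user.name) are ECS-style by assumption.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failed logins ...
WINDOW = timedelta(minutes=5)  # ... from one source IP inside this sliding window

def _ev(ts, outcome, ip, user):
    return {"@timestamp": ts, "event.outcome": outcome, "source.ip": ip, "user.name": user}

# Constructed events: one noisy source (6 failures in 6 minutes, plus a later
# success) and one slow source (3 failures spread over 25 minutes).
SAMPLE_EVENTS = [_ev(f"2024-01-01T10:0{i}:00Z", "failure", "203.0.113.5", "admin") for i in range(6)] + [
    _ev("2024-01-01T10:03:10Z", "success", "203.0.113.5", "admin"),
    _ev("2024-01-01T10:00:30Z", "failure", "198.51.100.7", "bob"),
    _ev("2024-01-01T10:12:00Z", "failure", "198.51.100.7", "bob"),
    _ev("2024-01-01T10:25:00Z", "failure", "198.51.100.7", "bob"),
]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per source.ip the first time it reaches `threshold` failures inside
    `window`; further failures from an already-alerted IP are suppressed."""
    recent = defaultdict(deque)  # source.ip -> failure timestamps still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):  # ISO-8601 strings sort chronologically
        if ev["event.outcome"] != "failure":
            continue
        ip, ts = ev["source.ip"], _parse_ts(ev["@timestamp"])
        window_events = recent[ip]
        window_events.append(ts)
        while ts - window_events[0] > window:  # drop failures that aged out of the window
            window_events.popleft()
        if len(window_events) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule.name": "Brute Force Detection",
                "threat.technique.id": "T1110",
                "threat.tactic.name": "Credential Access",
                "source.ip": ip,
                "failures_in_window": len(window_events),
                "window_start": window_events[0].isoformat() + "Z",
                "window_end": ts.isoformat() + "Z",
            })
    return alerts
```

Raising the threshold or shrinking the window is how the same logic is tuned against noisy sources; the slow source here never alerts because its failures age out of the window.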
🌐 Threat Intelligence
Indicators of Compromise (IOCs)
Status: 52,460 IOCs (LIVE FEED: URLhaus)
🔗 Source: URLhaus (abuse.ch) - Malicious URL threat feed
🤖 Collection Method:
  • Python automation script
  • Scheduled updates
  • JSON export format
📊 IOC Statistics:
  • Total IOCs: 52,460
  • Update Frequency: Daily
  • Format: JSON structured data
📁 Evidence Files: threat-intelligence/threat_intel_iocs_*.json
🚀 Execution:
  cd threat-intelligence
  python3 urlhaus-integration.py
📥 Integration: Import IOCs into Elasticsearch for enrichment
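An added example, not the lab's urlhaus-integration.py: it normalizes feed rows into IOC documents ready for indexing and then uses them to enrich sample proxy events. The feed text and events are constructed; the column layout is assumed to follow the URLhaus CSV export, the tag separator is assumed, and the output field names are ECS-style threat.indicator.* by assumption.

```python
# Added example (not the lab's urlhaus-integration.py): normalize feed rows into
# IOC documents and match them against sample proxy events. Feed text is constructed;
# columns and tag separator are assumptions, output fields are ECS-style by assumption.
import csv
import io
from urllib.parse import urlsplit

SAMPLE_FEED = """id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
1,2024-01-01 09:00:00,http://malware.example/payload.exe,online,2024-01-01 09:00:00,malware_download,exe|Loader,https://urlhaus.abuse.ch/url/1/,reporter_a
2,2024-01-01 09:05:00,http://bad.example:8080/drop/a.bin,offline,2024-01-01 09:05:00,malware_download,elf,https://urlhaus.abuse.ch/url/2/,reporter_b
"""
# Constructed proxy-style events (not real traffic); the last one only shares a host with IOC 2.
SAMPLE_EVENTS = [
    {"source.ip": "10.0.0.12", "url.full": "http://malware.example/payload.exe"},
    {"source.ip": "10.0.0.13", "url.full": "https://www.example.org/"},
    {"source.ip": "10.0.0.14", "url.full": "http://bad.example:8080/other"},
]

def feed_to_iocs(feed_text):
    """Parse feed rows into IOC documents, skipping blank URLs and duplicate rows."""
    docs, seen = [], set()
    for row in csv.DictReader(io.StringIO(feed_text)):
        url = (row.get("url") or "").strip()
        if not url or url in seen:
            continue
        seen.add(url)
        docs.append({
            "threat.feed.name": "URLhaus",
            "threat.indicator.type": "url",
            "threat.indicator.url.full": url,
            "threat.indicator.url.domain": urlsplit(url).hostname,  # lower-cased, port stripped
            "threat.indicator.first_seen": row["dateadded"],
            "tags": [t for t in row["tags"].split("|") if t],  # '|' separator assumed here
        })
    return docs

def enrich_events(events, iocs):
    """Attach the matching IOC: an exact URL match scores higher than a host-only match."""
    by_url = {d["threat.indicator.url.full"]: d for d in iocs}
    by_domain = {d["threat.indicator.url.domain"]: d for d in iocs}
    hits = []
    for ev in events:
        ioc, match = by_url.get(ev["url.full"]), "url"
        if ioc is None:
            ioc, match = by_domain.get(urlsplit(ev["url.full"]).hostname), "domain"
        if ioc is not None:
            hits.append({**ev, "threat.indicator.url.full": ioc["threat.indicator.url.full"],
                         "threat.matched.type": match, "event.risk_score": 90 if match == "url" else 60})
    return hits
```

Host-only matches are deliberately scored lower: a shared host can serve both malicious and benign paths, so they warrant triage rather than an automatic high-severity alert.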
🛡️ Vulnerability Management
Container Security Scanning
Status: COMPLETED (TRIVY SCANS: Automated)
🔧 Tool: Trivy (Aqua Security) - Container vulnerability scanner
🎯 Scanned Components:
  • Elasticsearch container images
  • Kibana container images
  • All deployed containers
📊 Scan Results: File: trivy-kibana-scan.json
  • CVE identification
  • Severity classification
  • Remediation recommendations
🤖 Automation:
  • Shell script: vulnerability-scan.sh
  • K8s CronJob: Daily scheduled scans
🚀 Manual Execution:
  cd threat-intelligence
  chmod +x vulnerability-scan.sh
  ./vulnerability-scan.sh
📅 Automated Scanning:
  kubectl apply -f kubernetes/incident-response/trivy-cronjob.yaml
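An added example, not the lab's vulnerability-scan.sh or its trivy-kibana-scan.json: it triages a Trivy JSON report into severity counts, the fixable findings worth upgrading first, and a pass/fail gate a CronJob or CI step can act on. The report is a constructed stub in Trivy's JSON layout (Results[].Vulnerabilities[]) and the CVE ids are placeholders, not findings from the lab's scan.

```python
# Added example (not the lab's vulnerability-scan.sh): triage a Trivy JSON report
# into severity counts, actionable upgrades, and a pass/fail gate. The report is a
# constructed stub in Trivy's JSON layout; the CVE ids are placeholders.
import json
from collections import Counter
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "kibana (debian 11)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
             "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.1",
             "FixedVersion": "", "Severity": "HIGH"},  # no fix published yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
             "Severity": "LOW"},
        ]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-x", "InstalledVersion": "4.17.0",
             "FixedVersion": "4.17.21", "Severity": "HIGH"},
        ]},
        {"Target": "secrets"},  # result entries without findings omit "Vulnerabilities"
    ],
})

def iter_vulns(report):
    """Yield (target, vulnerability) pairs; tolerate missing or null lists."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln

def summarize(report_text):
    """Count findings per severity, always listing every severity level."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(json.loads(report_text)))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}

def fixable_findings(report_text, min_severity="HIGH"):
    """Findings at or above min_severity that have a FixedVersion, worst first."""
    allowed = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    out = [{"target": t, "id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v["Severity"],
            "installed": v["InstalledVersion"], "fixed": v["FixedVersion"]}
           for t, v in iter_vulns(json.loads(report_text))
           if v.get("Severity") in allowed and v.get("FixedVersion")]
    return sorted(out, key=lambda f: SEVERITY_ORDER.index(f["severity"]))

def gate(report_text, fail_on=("CRITICAL",)):
    """CI-style gate: True only when no finding at the listed severities remains."""
    summary = summarize(report_text)
    return all(summary[sev] == 0 for sev in fail_on)
```

Findings without a FixedVersion still count toward the gate; they just cannot be closed by a package upgrade and need a compensating control or an image change instead.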

🔬 Attack Simulation & Testing

🎯 Reconnaissance Attack Simulation
Status: EXECUTED (Python Script)
📁 Script Location: attack-simulations/scenario-1-recon.py
🎭 Scenario: Network reconnaissance activity simulation
🎯 Objectives:
  • Test detection rule effectiveness
  • Validate alert generation
  • Verify SIEM logging
  • Confirm EDR monitoring
🚀 Execution:
  cd attack-simulations
  python3 scenario-1-recon.py
✅ Validation:
  • Check Kibana Security App for alerts
  • Review Elastic Agent logs
  • Verify detection rule triggers

🎯 Cybersecurity Job Responsibilities Demonstrated

Complete coverage of SOC Analyst responsibilities through hands-on implementation:

1️⃣ SIEM Implementation: Deployed Elastic Stack on Kubernetes with full configuration and optimization
2️⃣ Detection Rules Development: Created 3 MITRE ATT&CK mapped detection rules covering multiple threat scenarios
3️⃣ Event Source Integration: Connected Kubernetes, system, and application logs via Elastic Agent
4️⃣ Vulnerability Management: Implemented Trivy container scanning with automated pipeline
5️⃣ Endpoint Detection & Response: Deployed Elastic Agent for real-time endpoint monitoring
6️⃣ Threat Intelligence: Integrated URLhaus IOC feeds with 52,460 indicators and automation
7️⃣ Incident Response: Built automated scanning and response pipeline with K8s CronJobs
8️⃣ Attack Analysis & Assessment: Simulated reconnaissance attacks and validated detection capabilities

📅 Implementation Timeline

Phase 1: Infrastructure Setup
Kubernetes cluster configuration and namespace creation
Phase 2: SIEM Deployment
Elastic Stack (Elasticsearch + Kibana) deployment
Phase 3: Security Operations
Detection rules, threat intelligence, and vulnerability scanning
Phase 4: Testing & Validation
Attack simulation and detection verification