šŸ›”ļø CYBER DEFENSE LAB

Complete Project Implementation Guide

Production-Grade Security Operations Center Platform

  • 23 total files
  • 52,460 IOCs collected
  • 3 detection rules
  • 8 responsibilities covered

🎯 PROJECT LAB RESPONSIBILITIES COVERAGE

This lab demonstrates complete implementation of SOC Analyst responsibilities through hands-on deployment of enterprise security tools and workflows.

šŸ” SIEM Implementation

Elastic Stack deployment on Kubernetes with full configuration

Elasticsearch Kibana K8s

⚡ Detection Rules Development

MITRE ATT&CK mapped detection rules with real-world scenarios
Tags: MITRE ATT&CK, 3 rules, JSON

🔌 Event Source Integration

Log collection, parsing, and normalization pipelines
Tags: Elastic Agent, Fleet

🛡️ Vulnerability Management

Automated container scanning and vulnerability assessment
Tags: Trivy, Automated

💻 Endpoint Detection & Response

EDR agent deployment and real-time threat monitoring
Tags: Elastic Agent, Real-time

🌐 Threat Intelligence

IOC collection from URLhaus with automated ingestion
Tags: 52,460 IOCs, URLhaus

🚨 Incident Response

Automated workflows and scheduled security operations
Tags: CronJobs, Automation

🔬 Analysis & Testing

Attack simulation and detection validation framework
Tags: Python, Testing

šŸ“ PROJECT STRUCTURE

Cyber-Defense-Lab/
├── 📄 README.md
├── 📄 deploy.sh
├── 📄 deployment-summary.sh
│
├── 📂 attack-simulations/
│   └── scenario-1-recon.py
│
├── 📂 dashboards/
│   ├── architecture-dashboard.json
│   └── live-soc-dashboard.html
│
├── 📂 detection-rules/
│   ├── brute-force-detection.json
│   ├── data-exfiltration-detection.json
│   └── suspicious-process-execution.json
│
├── 📂 kubernetes/
│   ├── namespace.yaml
│   ├── 📂 elastic-stack/
│   │   ├── elastic-agent.yaml
│   │   ├── elasticsearch-config.yaml
│   │   ├── elasticsearch.yaml
│   │   └── kibana.yaml
│   ├── 📂 detection-engine/
│   └── 📂 incident-response/
│       └── trivy-cronjob.yaml
│
├── 📂 threat-intelligence/
│   ├── threat_intel_iocs_20251026_183852.json
│   ├── trivy-kibana-scan.json
│   ├── urlhaus-integration.py
│   └── vulnerability-scan.sh
│
└── 📂 vercel-deployment/
    ├── live-soc-dashboard.html
    ├── package.json
    ├── project-guide.html
    └── vercel.json

🔧 PHASE 1: Environment Setup & Prerequisites

Step 1: Tool Installation

Install required security and scanning tools on your system:

brew install aquasecurity/trivy/trivy
brew install falco
pip3 install requests

Step 2: Project Structure Creation

Create the complete directory structure for the lab:

cd ~/Desktop
mkdir "Cyber-Defense-Lab"
cd "Cyber-Defense-Lab"
mkdir kubernetes kubernetes/elastic-stack kubernetes/detection-engine kubernetes/incident-response detection-rules threat-intelligence attack-simulations dashboards

Step 3: Kubernetes Configuration

Configure local Kubernetes environment:

kubectl config use-context docker-desktop
kubectl apply -f kubernetes/namespace.yaml
kubectl get namespaces

šŸ—ļø PHASE 2: SIEM Platform Deployment

Step 4: Elasticsearch Deployment

Deploy the core search and analytics engine:

kubectl apply -f kubernetes/elastic-stack/elasticsearch.yaml
kubectl get pods -n security-lab -w   # Wait for the elasticsearch pod to be Running

Step 5: Kibana Deployment

Deploy the visualization and management interface (kubectl port-forward stays in the foreground, so run it in a second terminal):

kubectl apply -f kubernetes/elastic-stack/kibana.yaml
kubectl port-forward -n security-lab service/kibana 5601:5601
# Access Kibana at: http://localhost:5601

Step 6: EDR Implementation

Deploy Elastic Agent for endpoint monitoring:

kubectl apply -f kubernetes/elastic-stack/elastic-agent.yaml
kubectl get pods -n security-lab | grep elastic-agent

šŸ” PHASE 3: Security Operations Implementation

Step 7: Detection Rule Development

Three MITRE ATT&CK mapped detection rules were created; they ship as brute-force-detection.json, data-exfiltration-detection.json and suspicious-process-execution.json under detection-rules/.

Import them in Kibana: Security App → Rules → Import.

Step 8: Threat Intelligence Integration

Collect and ingest threat intelligence from URLhaus:

cd threat-intelligence
python3 urlhaus-integration.py
# Successfully collected 52,460 IOCs
# Output: threat_intel_iocs_*.json
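The normalisation step that turns a URLhaus export into the IOC records a SIEM threat-intel index can ingest, as an added example that is not the lab's own urlhaus-integration.py: it assumes URLhaus's CSV column order and uses output field names chosen here, with a constructed sample in place of a live download.

```python
# Added example (not the lab's own urlhaus-integration.py): normalise rows of a
# URLhaus CSV export into IOC records a SIEM threat-intel index can ingest.
# Assumed input column order: id,dateadded,url,url_status,last_online,threat,
# tags,urlhaus_link,reporter. Output field names are chosen here, not the lab's.
import csv
from urllib.parse import urlsplit

# Constructed sample in the URLhaus export layout ('#' comment lines, then
# quoted CSV rows). Hosts and ids are placeholders, not real indicators.
SAMPLE_CSV = """\
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"3001","2025-10-26 18:00:01","http://malware.example.test/payload.exe","online","2025-10-26 18:30:00","malware_download","exe,Mozi","https://urlhaus.abuse.ch/url/3001/","reporter_a"
"3002","2025-10-26 18:05:10","http://192.0.2.10:8080/bins/arm7","offline","2025-10-25 09:00:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/3002/","reporter_b"
"3003","2025-10-26 18:07:42","http://malware.example.test/payload.exe","online","2025-10-26 18:30:00","malware_download","exe","https://urlhaus.abuse.ch/url/3003/","reporter_c"
"""

def parse_urlhaus_csv(text):
    """Yield one IOC dict per data row; skip comments, malformed rows and
    duplicate URLs (URLhaus lists the same URL under several ids)."""
    data_lines = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    seen = set()
    for row in csv.reader(data_lines):
        if len(row) != 9:
            continue  # malformed row: never ingest it as an indicator
        _id, added, url, status, _last, threat, tags, ref, _reporter = row
        if url in seen:
            continue
        seen.add(url)
        yield {
            "type": "url",
            "value": url,
            "host": urlsplit(url).hostname or "",  # pivot field for host matching
            "status": status,
            "threat": threat,
            "tags": [t for t in tags.split(",") if t],
            "first_seen": added,
            "source": "urlhaus",
            "reference": ref,
        }

def build_feed(text):
    """Envelope of the kind written to threat_intel_iocs_*.json."""
    iocs = list(parse_urlhaus_csv(text))
    return {"source": "urlhaus", "count": len(iocs), "iocs": iocs}

def online_hosts(feed):
    """Hosts still serving payloads: the subset to block or alert on first."""
    return sorted({i["host"] for i in feed["iocs"] if i["status"] == "online"})
```

The deduplication explains why a feed's raw row count and the number of distinct IOCs can differ.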

Step 9: Vulnerability Management

Perform container vulnerability scanning:

chmod +x vulnerability-scan.sh
./vulnerability-scan.sh
# Generated: trivy-kibana-scan.json
jq . trivy-kibana-scan.json
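A small triage of the scan output, as an added example that is not the lab's vulnerability-scan.sh: it reads a Trivy JSON report such as trivy-kibana-scan.json, counts findings by severity and separates out those with a fix available, so the scan can gate a rollout instead of only being pretty-printed. It assumes Trivy's JSON layout (Results[].Vulnerabilities[]) and uses a constructed report with placeholder CVE ids.

```python
# Added example (not the lab's own vulnerability-scan.sh): summarise a Trivy JSON
# report such as trivy-kibana-scan.json by severity and extract the findings
# that already have a fixed version, so a scan result can gate a rollout.
# Assumed layout is Trivy's JSON output: Results[].Vulnerabilities[] entries with
# VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
import json

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")  # most severe first

# Constructed sample report; the CVE ids and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "kibana:placeholder-tag",
    "Results": [
        {"Target": "kibana (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
        ]},
        # Trivy omits the Vulnerabilities key for a clean target.
        {"Target": "usr/share/kibana/package.json", "Class": "lang-pkgs"},
    ],
})

def summarize(report_text):
    """Return per-severity counts and the fixable findings of a Trivy report."""
    report = json.loads(report_text)
    counts = {s: 0 for s in SEVERITIES}
    fixable = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key absent or null when clean
            sev = v.get("Severity", "UNKNOWN")
            if sev not in counts:
                sev = "UNKNOWN"
            counts[sev] += 1
            if v.get("FixedVersion"):  # empty string means no fix released yet
                fixable.append((sev, v["VulnerabilityID"], v["PkgName"],
                                v["InstalledVersion"], v["FixedVersion"]))
    return {"artifact": report.get("ArtifactName"), "counts": counts, "fixable": fixable}

def should_block(summary, threshold="HIGH"):
    """True when a fixable finding is at or above the threshold severity;
    unfixable findings are tracked but do not block the rollout."""
    limit = SEVERITIES.index(threshold)
    return any(SEVERITIES.index(sev) <= limit for sev, *_ in summary["fixable"])
```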

Step 10: Incident Response Automation

Deploy automated vulnerability scanning CronJob:

kubectl apply -f kubernetes/incident-response/trivy-cronjob.yaml
kubectl get cronjobs -n security-lab
# Runs daily at midnight for continuous monitoring

Step 11: Attack Simulation & Testing

Execute reconnaissance attack simulation:

cd attack-simulations
python3 scenario-1-recon.py
# Simulates network reconnaissance activity
# Check Kibana for triggered alerts

📊 PHASE 4: Visualization & Professional Documentation

Step 12: Dashboard Development

Interactive dashboards for SOC operations:

# Open dashboards locally:
open dashboards/live-soc-dashboard.html
# Or import the JSON into Kibana

Step 13: Security Configuration Enhancement

Apply advanced Elasticsearch security settings:

kubectl apply -f kubernetes/elastic-stack/elasticsearch-config.yaml
kubectl rollout restart deployment/elasticsearch -n security-lab
kubectl rollout status deployment/elasticsearch -n security-lab

Step 14: Deployment Automation

Automated deployment and status scripts:

chmod +x deploy.sh deployment-summary.sh
./deploy.sh
./deployment-summary.sh

✅ FINAL VERIFICATION & VALIDATION

Step 15: System Verification

Verify all components are running correctly:

kubectl get all -n security-lab
kubectl get pods -n security-lab
kubectl get services -n security-lab
./deployment-summary.sh

Step 16: Component Testing

Test each component individually (the Elasticsearch health check assumes a port-forward to the Elasticsearch service on port 9200 is active, set up the same way as the Kibana one above):

# Kibana access test
open http://localhost:5601
# Elasticsearch health check
curl -X GET "localhost:9200/_cluster/health?pretty"
# Verify detection rules
# Navigate to Kibana → Security → Rules
# Test attack simulation
python3 attack-simulations/scenario-1-recon.py

🔧 TROUBLESHOOTING & VERIFICATION COMMANDS

Kubernetes Issues

# Check cluster status
kubectl get nodes
kubectl cluster-info
# Verify context
kubectl config get-contexts
kubectl config use-context docker-desktop
# Check namespace
kubectl get namespaces | grep security-lab

Elastic Stack Issues

# Check pod status
kubectl get pods -n security-lab
# View logs
kubectl logs -n security-lab deployment/elasticsearch
kubectl logs -n security-lab deployment/kibana
# Restart if needed
kubectl rollout restart deployment/elasticsearch -n security-lab
kubectl rollout restart deployment/kibana -n security-lab
# Port forwarding
kubectl port-forward -n security-lab service/kibana 5601:5601

Common Issues & Solutions

  • Pod not starting: check the pod's logs with kubectl logs, and kubectl describe pod for scheduling or image-pull errors
  • Port already in use: stop the process holding the port, or forward to a different local port (e.g. 15601:5601)
  • Connection refused: make sure the kubectl port-forward session is still running
  • Out of memory: increase the memory allotted to Docker Desktop

🚀 VERCEL DEPLOYMENT FILES

Files for hosting dashboards on Vercel:
