Building a Virtual Cyber Security Lab Part 1 – SANS SIFT

In this post we will start creating a virtualized cyber security training environment by installing the SANS SiFT forensics workstation virtual appliance. In order to get the necessary skills to become a cyber security analyst one must practice in an environment with all the tools and a few sacrificial lambs. As you might expect most businesses will not let you use their production environments for this. So what are aspiring cyber security analyst to do? Build a test lab of course. A good lab environment will provide the analyst with all of the tools necessary to launch attacks, detect the attacks, and respond to the attacks.

Preparation – VM Host

The tools we need to attack, detect and respond are contained in three VM’s:

  • Kali Linux (attack)
  • Security Onion (detect)
  • SAN’s SiFT (respond)

We will also need some targets, both Windows and Linux to attack. Ideally you would want individual machines to represent each component all on an isolated network, but this can become costly. A good alternative is to virtualize everything on a single system with a tool such as VMWare, VirtualBox or Xen. To get this rolling we will need to make sure the machine you are going to use has adequate hardware to run it all. At a minimum make sure it has the following:

  • Multicore processor with virtualization capability
  • 8 GB of RAM (more is better!)
  • Hard drive with lots of space (SSD’s are better!)

My system has 6 cores, 32 GB RAM and a 2TB SSD for the VM’s and works great. We will use VMWare’s Player as the virtualization software. Make sure you enable virtualization in the bios of the system. VMWare Workstation Player can be downloaded from VMWare’s site for free, all you need to do is register.

Once installed create a folder called SecOps-VM, in this folder create three more folders called sift, kali and sec-onion. Download SIFT from SAN’s at:

Screenshot of SANS SIFT download site.

You may need to create an account, SAN’s is a fantastic resource with the best cyber security training anywhere. Also the Internet Storm Center is a daily must read for any analyst!

Screenshot of the Internet Storm Center  website

Importing the SIFT ova

Copy the virtual appliance (.ova) to the SecOps-VM/sift folder. Open VMWare Player and select the option for “open a virtual machine” and browse to SecOps-VM/sift/<name of appliance>.ova. Here you can give it a custom name if wanted but most importantly you want the storage path to be SecOps-VM/sift. The import process will start and should not take too long, after it is finished it will open the VMWare Player home.

Select the virtual machine and edit the virtual machines settings, make sure they are correct (especially the network, it should be set to NAT), I would also recommend you increase the amount of RAM available to the VM from 2GB to 4GB if you can. Click OK.

Now you are ready to start the appliance, to do this just click play.

Once it boots up enter the password “forensics” and you will be presented with the Ubuntu Gnome desktop of SiFT.

The default credentials for SiFT are:

  • Username =       sansforensics
  • Password  =       forensics

There are various reference documents from SAN’s included on the desktop, make sure you check them out, the information here is invaluable.

You will be using this VM for incident response (IR) and forensics as an alternative to commercially available tools. Do not think for a minute that these tools are a lesser product, in most cases they are equal or superior to their commercial counterparts.

Future videos in the lab setup series will include Kali linux and Security Onion. Together these three VM’s will provide you the tools to attack, detect and respond in your lab environment. If these posts and videos are helpful, please subscribe to my channel and click the notification bell to be notified when new videos are added.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.