lahirufernando580-debug/Mini_SOC_Lab
# Mini SOC Monitoring Lab
## Overview
This project simulates a beginner Security Operations Center (SOC) environment using Splunk, Kali Linux, and Ubuntu Server. The lab demonstrates attack simulation, log ingestion, monitoring, alert generation, incident investigation, and basic incident response workflows.
The objective of this project was to gain hands-on experience with SOC operations while also understanding the governance, risk, and compliance (GRC) aspects of cybersecurity such as risk mitigation, security controls, and incident documentation.
# Lab Architecture
Architecture Flow:
Kali Linux → Ubuntu Server → Splunk SIEM
# Technologies & Tools Used
| Tool | Purpose |
| --------------- | ---------------------------- |
| Splunk | SIEM monitoring and alerting |
| Kali Linux | Attacker machine |
| Ubuntu Server | Target system |
| Hydra | SSH brute-force simulation |
| Nmap | Network reconnaissance |
| Nikto | Web reconnaissance scanning |
| Linux Auth Logs | Authentication monitoring |
| Apache Logs | Web activity monitoring |
# Attacks Simulated
## 1. SSH Brute Force Attack
Hydra was used to simulate repeated failed SSH login attempts against the Ubuntu server.
### Prevention & GRC Perspective
To reduce the risk of brute force attacks, organizations should enforce strong password policies, implement multi-factor authentication (MFA), and configure account lockout mechanisms. Under ISO 27001 security controls and GRC best practices, access control management and continuous monitoring are essential for protecting authentication systems.
## 2. Network Reconnaissance
Nmap scans were conducted to identify open ports and running services on the target system.
### Prevention & GRC Perspective
Unused ports and unnecessary services should be disabled to minimize the attack surface. Firewall rules, network segmentation, and regular vulnerability assessments align with ISO 27001 risk management and asset protection controls.
## 3. Web Reconnaissance
Nikto was used to enumerate the Apache web server and identify potential security misconfigurations.
### Prevention & GRC Perspective
Web servers should be regularly patched, securely configured, and continuously monitored for vulnerabilities. Following GRC principles and ISO security standards helps ensure proper configuration management, compliance, and secure service operations.
# Splunk Monitoring & Detection
The following monitoring and detection capabilities were configured in Splunk:
* SSH failed login monitoring
* Web reconnaissance monitoring
* Attack investigation queries
* Alert generation for suspicious activity
* Dashboard visualization of attack activity
# Example Splunk Queries
## SSH Failed Login Detection
```
"Failed password"
| stats count by source
```
## SSH Brute Force Alert
```
"Failed password"
| stats count
| where count > 10
```
## Web Reconnaissance Detection
```
source="/var/log/apache2/access.log" "Nikto"
```

```
index=* apache
```
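The three Splunk searches above can be reproduced outside Splunk to check what they actually detect. The following Python script is an added example, not part of the lab's own code: it parses constructed sample lines in the format of Ubuntu `/var/log/auth.log` and Apache `access.log`, counts failed SSH logins per source IP, applies the `count > 10` brute-force threshold per IP rather than over all events, flags requests whose User-Agent identifies the Nikto scanner, and maps each attacker IP to the MITRE technique IDs used in the README's table (T1110, T1595). The IP addresses, timestamps and log lines are constructed for the example; the `threshold` parameter and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample log lines (not data from the lab). The formats mirror
# sshd entries in Ubuntu /var/log/auth.log and Apache combined access.log.
FAILED_SSH = ("Mar  3 10:01:{sec:02d} ubuntu sshd[1201]: Failed password for "
              "invalid user admin from {ip} port {port} ssh2")
AUTH_LOG = (
    # 12 failures from one source: above the README's "count > 10" threshold
    [FAILED_SSH.format(sec=i, ip="192.0.2.10", port=51000 + i) for i in range(12)]
    # 2 failures from another source: noise, not a brute-force alert
    + [FAILED_SSH.format(sec=30, ip="198.51.100.5", port=40001),
       FAILED_SSH.format(sec=31, ip="198.51.100.5", port=40002),
       # a successful login that the "Failed password" search must ignore
       "Mar  3 10:02:00 ubuntu sshd[1250]: Accepted password for lab "
       "from 203.0.113.7 port 40010 ssh2"]
)

ACCESS_LOG = [
    '203.0.113.7 - - [03/Mar/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [03/Mar/2025:10:05:01 +0000] "GET /cgi-bin/ HTTP/1.1" '
    '404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '192.0.2.10 - - [03/Mar/2025:10:05:02 +0000] "GET /admin/ HTTP/1.1" '
    '404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"',
]

# sshd failure line: user name and source IP
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
# Apache combined format: client IP, request, status, User-Agent
APACHE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Substrings that identify the scanner by its default User-Agent
SCANNER_UA_MARKERS = ("nikto",)


def failed_ssh_by_ip(lines):
    """Count 'Failed password' events per source IP (the README's first search, keyed by IP)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def ssh_bruteforce_alerts(lines, threshold=10):
    """Per-IP version of the README's '| stats count | where count > 10' alert."""
    return {ip: n for ip, n in failed_ssh_by_ip(lines).items() if n > threshold}


def web_recon_by_ip(lines):
    """Count Apache requests whose User-Agent names a known scanner, per client IP."""
    counts = Counter()
    for line in lines:
        m = APACHE_RE.match(line)
        if m and any(marker in m.group(4).lower() for marker in SCANNER_UA_MARKERS):
            counts[m.group(1)] += 1
    return counts


def map_to_attack(auth_lines, access_lines, threshold=10):
    """Investigation step: attacker IP -> sorted MITRE ATT&CK technique IDs observed."""
    findings = {}
    for ip in ssh_bruteforce_alerts(auth_lines, threshold):
        findings.setdefault(ip, set()).add("T1110")   # Brute Force
    for ip in web_recon_by_ip(access_lines):
        findings.setdefault(ip, set()).add("T1595")   # Active Scanning
    return {ip: sorted(techniques) for ip, techniques in findings.items()}


if __name__ == "__main__":
    for ip, techniques in map_to_attack(AUTH_LOG, ACCESS_LOG).items():
        print(f"{ip}: {', '.join(techniques)}")
```

Keying the count on the parsed source IP matters: in Splunk, `source` is the name of the input file, so `stats count by source` groups failures by log file rather than by attacker, and a global `where count > 10` fires on the sum of everyone's failures. Grouping by the extracted IP (for example with `rex` in Splunk) is what lets the investigation step single out the attacker address.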
# Incident Response Workflow
The SOC workflow followed during this project included:
1. Attack simulation
2. Log ingestion into Splunk
3. Detection and alert generation
4. Investigation of suspicious activity
5. Identification of attacker IP address
6. Incident documentation
7. Mitigation recommendations
# MITRE ATT&CK Mapping
| Activity | MITRE Technique |
| ------------------ | --------------- |
| SSH Brute Force | T1110 |
| Network Scanning | T1046 |
| Web Reconnaissance | T1595 |
# Security & GRC Considerations
This project also focused on security governance and risk management concepts by identifying risks and recommending mitigation controls.
## Risks Identified
* Weak password exposure
* Excessive SSH exposure
* Web server reconnaissance
* Unauthorized authentication attempts
# Screenshots
## Splunk Dashboard

## Triggered Alerts

## SSH Attack Logs

## Web Reconnaissance Logs

# Key Learning Outcomes
Through this project, I gained hands-on experience with:
* SIEM monitoring and alerting
* Linux authentication logging
* Attack detection and investigation
* Basic incident response workflows
* SOC operational concepts
* MITRE ATT&CK mapping
* Security risk analysis and mitigation
* GRC-focused security thinking
# Future Improvements
Potential future enhancements for this lab include:
* Windows endpoint monitoring using Sysmon
* Advanced detection engineering
* Cloud log monitoring
* Threat intelligence integration
* SOAR workflow simulation