Point of Entry - Replication in Virtual Lab Setup

2 Posts
2 Users
0 Reactions
485 Views
(@btforensics)
Active Member
Joined: 9 years ago
Posts: 14
Topic starter  

Hello Forensic Focus,

I am currently setting up a forensic network lab where I can test and simulate attacks. I am thinking about setting up a virtual environment similar to small or medium businesses. My challenge is, I want to make it as real as possible, because I'll be deploying sensors in my setup such as IDS/IPS as well as EDR solutions for the endpoints.

So the scenario that I want to do is I'll be sending a socially engineered email with a malicious attachment (from an external IP) to an internal machine in the virtual lab network. So the IDS should log that the email came from an external source going to an internal machine.

In the future, I want to simulate attacks that complete the "Cyber kill chain", so it covers point of entry up to data exfiltration. So I plan to launch exploit attacks using an external IP directed to my virtual lab.

Any ideas, comments or suggestions are welcome.

Thank you for all of your help!

Regards,
BB
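One way to confirm that the IDS actually records the point of entry described above (external source to internal machine), as an added example that is not part of the post: it walks Suricata EVE JSON lines and keeps the SMTP and alert events whose source lies outside RFC 1918 space and whose destination lies inside it. The log lines, addresses, mailbox names and signature titles are constructed for illustration.

```python
import ipaddress
import json

# Constructed Suricata EVE JSON lines (not taken from the post): the phishing
# mail arrives from an external address at a lab host on 10.10.20.0/24, and a
# later alert shows that host calling out again.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"smtp","src_ip":"203.0.113.45","dest_ip":"10.10.20.15","dest_port":25,"email":{"status":"PARSE_DONE","from":"hr@example.test","to":["alice@lab.test"],"attachment":["invoice.docm"]}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_ip":"10.10.20.15","dest_port":25,"alert":{"signature":"LAB SMTP macro-enabled attachment","severity":2}}
{"timestamp":"2024-01-01T10:05:00.000000+0000","event_type":"flow","src_ip":"10.10.20.15","dest_ip":"10.10.20.5","dest_port":445}
{"timestamp":"2024-01-01T10:06:00.000000+0000","event_type":"alert","src_ip":"10.10.20.15","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature":"LAB outbound beacon","severity":1}}
"""

# Lab address space is the RFC 1918 ranges. ipaddress.is_private is avoided
# on purpose: it also matches documentation ranges such as 203.0.113.0/24.
LAB_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_lab(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in LAB_NETS)

def direction(src: str, dst: str) -> str:
    """Label a flow by which side of the lab boundary each endpoint sits on."""
    side = {True: "internal", False: "external"}
    return f"{side[in_lab(src)]}->{side[in_lab(dst)]}"

def entry_point_events(eve_text: str) -> list[dict]:
    """Keep the SMTP and alert events in which outside traffic reaches a lab host."""
    hits = []
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if direction(ev["src_ip"], ev["dest_ip"]) != "external->internal":
            continue
        if ev["event_type"] not in ("smtp", "alert"):
            continue
        detail = (ev.get("alert", {}).get("signature")
                  or ",".join(ev.get("email", {}).get("attachment", [])))
        hits.append({"time": ev["timestamp"], "type": ev["event_type"],
                     "src": ev["src_ip"], "dst": ev["dest_ip"], "detail": detail})
    return hits

if __name__ == "__main__":
    # Two events should surface: the SMTP delivery and the alert raised on it.
    for hit in entry_point_events(SAMPLE_EVE):
        print(hit)
```

If the sensor is placed correctly, the SMTP delivery and its alert appear while the later internal-to-internal and internal-to-external events do not; an empty result means the mail path is bypassing the IDS tap.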

(@dpathan)
Eminent Member
Joined: 7 years ago
Posts: 28
 

I would add Splunk for logs and alerts, to see how it treats the input against known CVEs.
