CYBERSECURITY JOB HUNTING GUIDE
Short review PurpleLabs
Author: Stefan Waldvogel
What is PurpleLabs
PurpleLabs is a virtual training environment for Cybersecurity professionals. It is a combination between red and blue labs. First, you start as an attacker and then you switch the sides to analyze your attack.
PurpleLabs is a virtual training environment for Cybersecurity professionals. It is a combination between red and blue labs. First, you start as an attacker and then you switch the sides to analyze your attack.
The labs are broken up into smaller pieces and cover all MITRE Enterprise tactics.
What is the required level?
PurpleLabs is not for beginners, it targets Security Engineers. The reason is, the lab simulates a real company with patched machines. You use Windows 10, Server 2016, CentOS, Kali 2020.4 and a lot of other machines. In a modern and dynamic environment, things will change, so the lab is changing, too. Each lab has a goal and a guide, but because it is a dynamic environment, you need solid knowledge in troubleshooting Windows and Linux (Kali).
What do you get?
The next picture shows ElastiFlow:
What is the required level?
PurpleLabs is not for beginners, it targets Security Engineers. The reason is, the lab simulates a real company with patched machines. You use Windows 10, Server 2016, CentOS, Kali 2020.4 and a lot of other machines. In a modern and dynamic environment, things will change, so the lab is changing, too. Each lab has a goal and a guide, but because it is a dynamic environment, you need solid knowledge in troubleshooting Windows and Linux (Kali).
What do you get?
The next picture shows ElastiFlow:
This map is dynamic, alive and shows one aspect. Here, you see 363 clients and 111 servers (you work with a much smaller number). This is one tool, but the lab covers a lot more.
On the blue side: OSQuery, Kolide Fleet, Graylog, Elastiflow, Wazuh / OSSEC, ELK, HELK, Splunk, Sigma, Sysmon, BRO/Zeek IDS, Suricata IDS, DetectionLab, eBPF, auditd / go-audit, Sysdig, Wireshark, tcpdump, syslogd, Filebeat, Winlogbeat, Rita, MISP, theHive, Cortex, iptables, ngrep, LMD, rkhunter, Volatility Framework, GRR Rapid Response, nsjail, mod_security, LKRG, Yara, Squid Proxy, Wireguard and many more.
On the red side: PowerSploit, Bloodhound, goDoH, dnscat2, nmap, Empire Framework, Metasploit Framework, WMImplant, Invoke-PipeShell, Sharpshooter, PIngCastle, RTA, Atomic Red Team, kerbrute, CME, Salsa tools, Octopus, mimikatz, PSAttack, Weasel, impacket, pyexfil, scapy, Shellter, proxychains, Singularity, poshC2, dns2tcp, Pupy, sg1, DET, xfltreat, fruityC2, tuna, RATTE, nishang, corkscrew, Egress-assess, pivoter, hydra, wondjina, Trevor C2, C3, Koadic, Apfell, sharpSocks, Silent Trinity, WSC2, google_socks, sqlmap, BeeF Framework, twittor, torify, TheFatRat, cloakify, WMIsploit, certreq, Faction C2, Merlin, ThunderShell, udp2raw, PowerLessShell, reGeorg, rpivot, WSC2, thc-flood, yersinia, DNSexfiltrator, SMBmap, testssl, firebolt, Sliver, dumpster fire, APT simulator, icmptunnel, ChunkyTuna, Invoke-DOSfuscation and more.
A lot of blue tools are pre-configured, or you configure it during the course. Overall, the lab has 64 training modules.
How much time do you need to do all?
I have between 6 and 8 hours a day and I can do up to 4 labs per day. I hope I can do all 64 labs in 30 days, but this is only possible because I do not work. People with more experience are faster. Many times, I see a program the first time and I play with it or I need to troubleshoot smaller and bigger problems.
This is not a disadvantage, because if you work in Cybersecurity, you need troubleshooting skills.
What can you learn?
You learn the red and the blue side at the same time. You see and use DFIR tools like Splunk, Hunting ELK, ElastAlert, OSQuery, ElastiFlow, Wazuh, and Graylog. All of these tools are pre-configured and accessible via your browser. Here: Elasicsearch with some machines.
On the blue side: OSQuery, Kolide Fleet, Graylog, Elastiflow, Wazuh / OSSEC, ELK, HELK, Splunk, Sigma, Sysmon, BRO/Zeek IDS, Suricata IDS, DetectionLab, eBPF, auditd / go-audit, Sysdig, Wireshark, tcpdump, syslogd, Filebeat, Winlogbeat, Rita, MISP, theHive, Cortex, iptables, ngrep, LMD, rkhunter, Volatility Framework, GRR Rapid Response, nsjail, mod_security, LKRG, Yara, Squid Proxy, Wireguard and many more.
On the red side: PowerSploit, Bloodhound, goDoH, dnscat2, nmap, Empire Framework, Metasploit Framework, WMImplant, Invoke-PipeShell, Sharpshooter, PIngCastle, RTA, Atomic Red Team, kerbrute, CME, Salsa tools, Octopus, mimikatz, PSAttack, Weasel, impacket, pyexfil, scapy, Shellter, proxychains, Singularity, poshC2, dns2tcp, Pupy, sg1, DET, xfltreat, fruityC2, tuna, RATTE, nishang, corkscrew, Egress-assess, pivoter, hydra, wondjina, Trevor C2, C3, Koadic, Apfell, sharpSocks, Silent Trinity, WSC2, google_socks, sqlmap, BeeF Framework, twittor, torify, TheFatRat, cloakify, WMIsploit, certreq, Faction C2, Merlin, ThunderShell, udp2raw, PowerLessShell, reGeorg, rpivot, WSC2, thc-flood, yersinia, DNSexfiltrator, SMBmap, testssl, firebolt, Sliver, dumpster fire, APT simulator, icmptunnel, ChunkyTuna, Invoke-DOSfuscation and more.
A lot of blue tools are pre-configured, or you configure it during the course. Overall, the lab has 64 training modules.
How much time do you need to do all?
I have between 6 and 8 hours a day and I can do up to 4 labs per day. I hope I can do all 64 labs in 30 days, but this is only possible because I do not work. People with more experience are faster. Many times, I see a program the first time and I play with it or I need to troubleshoot smaller and bigger problems.
This is not a disadvantage, because if you work in Cybersecurity, you need troubleshooting skills.
What can you learn?
You learn the red and the blue side at the same time. You see and use DFIR tools like Splunk, Hunting ELK, ElastAlert, OSQuery, ElastiFlow, Wazuh, and Graylog. All of these tools are pre-configured and accessible via your browser. Here: Elasicsearch with some machines.
30 days lab access is not enough to feel confident in all tools, but it will give you a tremendous boost in knowledge. One day you are going into a SOC interview to get your first job in Cybersecurity, if you did this lab thoroughly (8 hours a day a 30 days) you will stand out.
They structured purple Labs like MITRE. Each group has some matching labs. Unter C&C, there are many tools beyond eCPPT or OSCP level and I learned a lot. The next picture shows some labs:
They structured purple Labs like MITRE. Each group has some matching labs. Unter C&C, there are many tools beyond eCPPT or OSCP level and I learned a lot. The next picture shows some labs:
Is this lab something for you?
As mentioned before, you should not go into this lab with zero knowledge in IT. You need solid knowledge in Linux and Windows. Ideally, you should have knowledge in Cybersecurity, too. Attend John Strands SOC training (pay as you can) to get the basics and a matching training VM, RangeForce offers a free Community Edition or take their paths SOC 1, SOC 2 and Threat Hunter, or go for TryHackme and do their Defender path ($10 a month). I am sure there are more options like Project Ares (circadence).
The reason for this approach is: If you do not have knowledge in blue and/or red tools, you waste a lot of time. PurpleLabs is pretty expensive and you do not want to pay for “easy” things. The lab is not in the cloud, therefore you need a lot of troubleshooting skills. Offensive Security chances Kali constantly and therefore you have to adjust the tools (or you use an older Kali).
- If you are a SOC 1 Analyst and you want to see a different world with new tools and an employer offers you a training budget. This might be something for you.
- One other path is: You are a penetration tester and you want to see the other side to get a better understanding what tools can detect and how. Two small examples: As a pen-tester, you know how to do dll injection or you use the simple command “whoami” if you got system, here you see the things in DFIR tools and why you never should use the command “whoami” after you got system. This course gives you a completely new view.
The pricing
As mentioned, this lab is expensive. At the moment, 30 days are $499.
Conclusion
I really like this lab a lot, because it gives me a very wide view about hands-on in Cybersecurity. The lab feels very advanced and after these 30 days and really ready for my first job as SOC Analyst. I will still have a lot of gaps, but the lab will build a big and wide “safety-net”. The course does not teach how to configure all tools, but I used the tools and if I get a job, I can quickly learn my tasks.
I never worked in a SOC, but I guess this lab goes far, far beyond what a typical SOC 1 Analyst does.
Disclaimer
I got the labs for free and I was a 30-day beta tester for this lab.
© 2021. This work is licensed under a CC BY-SA 4.0 license