This project is a cost effective solution for launching a Security Operations Center (SOC) in AWS using Kali Linux and Purple Team tools.
It consists of two files:
- KaliPurple-VPC.yml - This file will configure the Virtual Private Cloud (VPC) with the necessary subnets and security groups.
- KaliPurple-NAT-EC2.yml - This file will configure the instances. You can select the ones that you need to launch.
This is the diagram of the VPC. I reduced the number of subnets for simplicity by grouping all the VLANs into one. This reduced the number of required interfaces in the firewall from 5 to 3 and allowed me to choose an instance type that was more cost effective. I know that the solution is not ideal, but it was a compromise that I had to make. Also, I didn't use the kali.purple domain name, so all references to the machines are made through their respective private IP addresses.
To install this project, you need to have an AWS account and access to CloudFormation service. You first have to launch the VPC stack using the KaliPurple-VPC.yml file. Write "vpc" in the stack name for simplicity. It will create all the necessary subnets and security groups.
Once this stack is created, you need to create the instances using the KaliPurple-NAT-EC2.yml file. For simplicity use "ec2" as a name. You need to input the name of the VPC stack that was created previously.
The EC2 stack gives you the possibility of choosing the instances that you want to launch. This way you don't have to pay for services that you don't need. I used the Guacamole Bastion initially, but there is no need for it once the firewall and its OpenVPN service are configured, unless there is a problem with one of the instances.
I left the option of launching it if needed but it is not necessary for most cases. I also left the possibility of using an internet gateway for the instances in the SOC and LAN subnets to have access to the internet. Again, this option should not be necessary once the firewall is configured.
The instance types defaults are the minimum required for each to work. You can choose a bigger type if desired.
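As an added illustration of the two-stack layout described above (this is example code, not the project's own KaliPurple-VPC.yml or KaliPurple-NAT-EC2.yml), the listing below shows two minimal CloudFormation templates separated by `---`: the VPC stack exports the IDs it creates under its own stack name, and the EC2 stack takes that stack name as a parameter, imports the IDs, and launches the bastion only when a `LaunchBastion` parameter is set to `yes`. All logical resource names, export names, parameter names, CIDR ranges and the instance type are assumptions.

```yaml
# Added example, not the project's templates. Logical names, export names,
# parameters and CIDR ranges are assumptions.

# ---- Stack 1 (assumed file name vpc.yml), launched first, e.g. as stack "vpc" ----
AWSTemplateFormatVersion: "2010-09-09"
Description: VPC stack - exports the IDs the EC2 stack needs
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16            # assumed VPC range
      EnableDnsSupport: true
      EnableDnsHostnames: true
  SocSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.10.0/24           # assumed range for the SOC subnet
      AvailabilityZone: !Select [0, !GetAZs ""]
  SocSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SOC instances
      VpcId: !Ref Vpc
Outputs:
  SocSubnetId:
    Value: !Ref SocSubnet
    Export:
      Name: !Sub "${AWS::StackName}-SocSubnetId"          # becomes "vpc-SocSubnetId"
  SocSecurityGroupId:
    Value: !Ref SocSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-SocSecurityGroupId"   # becomes "vpc-SocSecurityGroupId"

---
# ---- Stack 2 (assumed file name ec2.yml), launched second with VPCStackName=vpc ----
AWSTemplateFormatVersion: "2010-09-09"
Description: EC2 stack - imports the VPC stack's exports and makes the bastion optional
Parameters:
  VPCStackName:
    Type: String
    Default: vpc
    Description: Name of the VPC stack that was created first
  LaunchBastion:
    Type: String
    Default: "no"
    AllowedValues: ["yes", "no"]
  BastionAmiId:
    Type: AWS::EC2::Image::Id           # supplied by the user; no AMI ID is assumed here
  BastionInstanceType:
    Type: String
    Default: t3.small                   # assumed default; a bigger type can be chosen
Conditions:
  CreateBastion: !Equals [!Ref LaunchBastion, "yes"]
Resources:
  Bastion:
    Type: AWS::EC2::Instance
    Condition: CreateBastion            # the resource is skipped entirely when LaunchBastion=no
    Properties:
      ImageId: !Ref BastionAmiId
      InstanceType: !Ref BastionInstanceType
      SubnetId: !ImportValue
        'Fn::Sub': '${VPCStackName}-SocSubnetId'
      SecurityGroupIds:
        - !ImportValue
          'Fn::Sub': '${VPCStackName}-SocSecurityGroupId'
```

The `Condition:` key on the resource is what makes an instance optional: with `LaunchBastion` left at `no`, CloudFormation creates nothing for it and nothing is billed. Because the EC2 stack imports the VPC stack's exports, CloudFormation also refuses to delete the VPC stack while the EC2 stack still exists, so the stacks must be torn down in reverse order.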
There are no Kali Purple images in AWS at this moment, so I used a regular Kali Linux image and installed only the required packages manually. When I was creating these instances, the Elastic Stack was not available in Kali. Therefore, I used the www.elastic.co documentation.
All the other packages were readily available on Kali. My initial intent was to make the final AMI images publicly available to simplify and speed up the setup process. However, the log collection of the firewall makes it risky at this time. If I'm able to clean up the logs, I'll reconsider this in the future.
The cost of this setup is around $7/day. I use it for 5 hrs each day and stop the instances when not using them.
At this point the SOC is practically complete. The only missing piece is the installation of Greenbone due to an error in synchronizing with its server. Apart from that, everything is working as expected.
The setup process is long and tedious with many nuances. Lots of trial and error. At this point the cloud configuration and the firewall are wide open and accepting packets from all over the internet. This is not advisable for a production situation, but it is acceptable for a proof of concept. Now I will be hardening the AWS security groups, routing tables, NACLs and firewall rules to make it as close as it can be to a production situation.
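To make the "wide open" versus hardened difference concrete, here is an added example (not the project's security-group or firewall configuration) showing the proof-of-concept ingress rule beside a narrowed version. The hardened firewall group admits only OpenVPN's default port from one administrator address range, and the SOC/LAN instance group accepts SSH and RDP only from the firewall's LAN-side group rather than from any CIDR, so management traffic has to arrive through the VPN. Logical names, the `AdminCidr` parameter and the assumption that OpenVPN runs on 1194/udp are mine, not the page's.

```yaml
# Added example, not the project's configuration. Logical names, the AdminCidr
# parameter and the port numbers (1194/udp OpenVPN default, 22 SSH, 3389 RDP) are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Description: The single public address range allowed to reach the firewall, e.g. 203.0.113.4/32
    AllowedPattern: '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$'   # loose sanity check on the format only
Resources:
  # Proof-of-concept rule, the "wide open" state described in the text:
  # every protocol, every port, every source address on the internet.
  FirewallSgOpen:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: PoC - wide open, lab use only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0

  # Hardened replacement for the firewall's WAN side: one port, one protocol, one source.
  # Security groups are stateful, so VPN replies to the client need no extra rule.
  FirewallSgHardened:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Firewall WAN - OpenVPN from the admin address only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 1194
          ToPort: 1194
          CidrIp: !Ref AdminCidr

  # Group attached to the firewall's LAN-side interface; it carries no ingress rule itself
  # and exists so that other groups can refer to "traffic coming from the firewall".
  FirewallLanSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Firewall LAN-side interface
      VpcId: !Ref VpcId

  # SOC and LAN instances: SSH and RDP are reachable only from the firewall's LAN group,
  # i.e. only by traffic that entered through the VPN, never directly from a CIDR.
  SocInstanceSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SOC/LAN instances - management only via the firewall
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref FirewallLanSg
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          SourceSecurityGroupId: !Ref FirewallLanSg
```

Referencing a security group (`SourceSecurityGroupId`) instead of a subnet CIDR is the key change: if an instance is later moved or a subnet renumbered, the rule still means "only from the firewall". The same narrowing applies to the route tables and NACLs mentioned above, where the default-open NACL should likewise be reduced to the VPN port on the firewall's public subnet.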
I'll be posting a tutorial that would help replicate this setup. I will concentrate on the firewall setup as a first step since it is needed for the rest of the instances unless an internet gateway is used.
I haven't tried an attack on the vulnerable kali-pearly machine yet. As soon as I do, I will publish some screenshots of the SOC.
To use this project, you need to connect to the firewall instance using its public IP address and configure its OpenVPN service. You can then download and install the OpenVPN client on your machine and connect to the firewall using its private IP address.
You can then access all the other instances in the SOC and LAN subnets using their private IP addresses over SSH or RDP.
You can use Kali Linux as your attack platform on the kali-pearly instance and run various tools such as Nmap, Metasploit, Burp Suite, etc. You can also upload other vulnerable machine AMIs to perform attacks. Once the simulated attack is complete, you can delete the stack and pay only for the time used.
Please note that this repository is still work in progress.
Reference: https://gitlab.com/kalilinux/kali-purple/documentation/-/wikis/home