Hands-on experience is perhaps one of the most important assets a cybersecurity professional can have. An employer will not care if you understand cybersecurity concepts if you don’t have the skills to do the actual work to keep the company protected. Home labs and testing environments give the opportunity to practice skills, build things, and play around without the risk of breaking something in an enterprise environment.
With SANS right now running the best special offers of the year for OnDemand and Live Online courses, many students will soon find themselves proud new owners of some of the hottest computing devices on the market. Now through December 16, students who register for a SANS OnDemand or Live Online 5- or 6-Day course will have their choice of a 11" iPad Pro w/ Apple Pencil, Microsoft Surface Go 2 (128GB SSD), or $350 off the course price. (Learn more about these special offers here).
While it may be tempting to use these bonus devices exclusively for binge-streaming your favorite shows, why not challenge yourself to use them to their fullest potential by setting them up as a home lab or testing environment?
Not sure where or how to start? Take a cue from a few of our top SANS Instructors, who share some of their insight and helpful resources below.
Why a Home Lab/ Testing Environment?
One of the biggest challenges that cyber defenders have in building out home labs is replicating the devices and infrastructure they’ll find in the workplace, says SANS Blue Team Ops Instructor Mark Orlando.
“We can do a lot with virtualization and commodity equipment, but what about the things we don’t expect our users to bring into our environment, especially now that so many of us are remote?” he says. “Adding mobile devices to your security testing loadout can give you valuable insights into how your users’ mobile devices – many of them personal and unmanaged – may impact your corporate security posture, and what you can do to help manage that risk.”
“Working on things in a home lab lets me replicate how enterprise environments function, but at home, without the cost or risk to the business,” says SANS Certified Instructor Justin Henderson in a recent blog post. “It’s ultimately what helped me land multiple jobs, even though my experience wasn’t product based.”
“Testing and forensics go hand in hand. You cannot be sure about a certain artifact [or] what it contains or what certain pieces mean without testing (and not just once, but over and over and on multiple devices and operating systems!),” says SANS Principal Instructor Sarah Edwards in a blog post about dynamic iOS testing. “I probably do this more than most forensic investigators, but it is something I obsess about. If I’m not absolutely sure, I test – always. Even then I will caveat it to very specific instances of my testing platform.”
Getting the Most Value from Your Testing Device
“Tablets and lightweight laptops may have started out as more of a personal computing novelty, but today’s devices pack a lot more punch in terms of specs, software, and overall capabilities,” says Mark Orlando. “Despite these advances, much of the operating system and application functionality relies heavily on web infrastructure and technology. As a learning exercise, treat these devices as you would any untrusted, internet-enabled device being added to your network: Monitor network traffic to and from them. Scan them and see what shows up in your results. Try to remove or disable unnecessary functionality and see how those network and host profiles change. If you’re feeling very brave (or have a LOT of free time), the US Department of Defense maintains Security Technical Implementation Guides (STIG) for all kinds of information technology, including Apple iOS; these hardening checklists are free to download."
“This is a great opportunity to understand how your new device works and communicates with the outside world. It’s also a useful exercise to learn what is normal (and potentially abnormal) behavior you could see in an enterprise environment, and how you can harden these devices without sacrificing functionality for users.”
“Both the Surface Go 2 and iPad Pro can be utilized to test out mobile device management (MDM),” says Justin Henderson. “Often, you can sign up for a free trial license or purchase low cost dev licenses (Microsoft cloud licenses is one example) that will provide enterprise MDM services. With work-from-home being so prevalent and trending as the new normal these days, this is more important than ever to master.”
Both devices can also be used to try to implement wireless scanning of things like 802.11 and Bluetooth, Justin says, and you could also use the Surface Go 2 as a Windows Docker host for spinning off Kubernetes or Docker containers.
“For smart home enthusiasts, both devices can be used with Home Assistant to control all sorts of smart home devices. This also allows you to get your feet wet with IoT devices (Zigbee, Z-Wave, Bluetooth, 802.11). For the Surface Go 2, you also could install both the server and a client for Home Assistant.”
“iPad Pros can be used to test the forensic impact of iOS and various scenarios through testing - either through doing an iOS backup or going all in and performing a jailbreak on the device,” says Sarah Edwards.
Apple vs. Microsoft Devices
If you’re taking advantage of the best deals of the year with SANS Online Training and registering by December 16, you’ll have your pick between an 11" iPad Pro w/ Apple Pencil, or a Microsoft Surface Go 2 (128GB SSD). So which one is right for you? Here’s some things you might not have considered:
“If you’re going to use these devices for testing or simulation, think about your use cases and what you’re likely to see in the field,” says Mark. “Are you looking to assess applications? Operating system security? Simulating mobile device traffic? Consider that Apple’s security model is fairly mature and their ecosystem is well established (meaning less flexibility), but their market share is also larger and their devices may be more common.”
“Microsoft Windows is more ubiquitous in corporate environments, but the user experience and app options might not be what you’re looking for,” Mark continues. “Finally, consider that some kinds of testing – particularly testing that requires you to break apart these ecosystems or reload unauthorized software – may void your warranty (woo!) or preclude you from getting support in the future. All of these platforms are quite mature at this point, so the best choice is the one that works best for you.”
“With the iPad Pro students can play with things like Apple Business Manager, which allows central deployment and management of Apple devices,” Justin says. “Also, there are built-in security features that are good to be familiar with. How does Apple control authentication, MFA, auto-data purging, etc.
“With the Surface Go 2, students would be able to play with things like modern authentication controls like Microsoft Hello. This project is designed to slowly eliminate usernames and passwords while still having enterprise authentication. Also, the Surface Go includes a TPM chip. This means students can test BitLocker with TPM capabilities and as well as special integrity checks for protecting against Bootkits.”
“I do all my testing for FOR518, my blog, my presentations, my everything using Apple devices,” says Sarah Edwards. “Apple ALL THE WAY - but I’m biased!”
Bringing It All Home
“In 2008, I accepted an offer to build a 24/7 security operations center at the Executive Office of the President, starting about a month and a half before President Obama took office. The previous administration was extremely conservative in terms of personal computing (no tablets, few laptops) and social media use (they didn’t use it)."
"When the new administration came in, our user base changed almost 100% overnight - literally. iPhones and iPads were everywhere. Facebook and Twitter were official channels used to engage the public. After a few short lived attempts to explain to the President of the United States that we didn’t really allow tablets and Facebook and Twitter (Spoiler: Turns out we did allow all those things if we wanted to keep our jobs, and probably shouldn’t ever try to say ‘no’ again), we made changes. We became quick experts on Apple’s Xserve server products, devised secure provisioning and management protocols for Apple devices, and replaced all of our SOC machines with Mac Pros to better understand and serve our new users. We also spent hours picking apart Facebook’s various sub-applications so we could build new access policies around them. Ultimately, we learned how to manage and secure Apple devices and various social media without introducing unnecessary risk."
"This experience taught me a few things: First, security’s job is to enable the user to do their job securely, not dictate what they can and cannot do. Second, you can’t rest on a policy of ‘we don’t allow that.’ If it’s something consumers have and use, it’s already in your environment or will soon be there. This is why I always tell my security analysts to learn and use multiple operating systems and device types, regardless of their personal preference. These free devices can be great opportunities to expand your horizons and learn something that might come in handy sooner than you expect.”
“I think everyone is capable of learning something new every day… or at least every week. Having access to a free device that one can set aside as a lab device can amplify this process."
"The problem is, it is too easy to get the free device and use it to stream Netflix/Hulu/Spotify/etc. If someone could get an iPad or a Surface and challenge themselves to use it to the max for security training over a 30- to 90-day period, I feel they would be mind-blown (and have one of the coolest blogs ever!). You could stretch the value of those devices by trying to use them for our suggestions above, plus anything else you can come up with.”
Additional Resources to Help You on Your Journey
- Blog: Do it Live! Dynamic iOS Forensic Testing by SANS Principal Instructor Sarah Edwards
- GitHub Presentation: Poking the Bear – Dynamic Forensic Testing and Analysis by SANS Principal Instructor Sarah Edwards
- Great List of Resources to Build an Enterprise Grade Home Lab by SANS Certified Instructors Ismael Valenzuela and Justin Henderson
- Webcast: Building an Enterprise Grade Home Lab with SANS Certified Instructors Ismael Valenzuela and Justin Henderson
- Webcast: Extending Your Home Lab to Include Cloud with SANS Certified Instructors Ismael Valenzuela and Justin Henderson
- Security Technical Implementation Guides (STIG) from the US Department of Defense
Take Advantage of the Best Special Offers of the Year for SANS Online Training
More than 65 SANS Courses are offered via SANS Online Training, bringing the world’s most respected cybersecurity instruction straight to you, with the flexibility to train anytime, anywhere. With four months of extended access to course content, you get the opportunity to practice hands-on skills and new tools so they can be applied effectively to best defend your organization.
Start exploring and find your next SANS Online Training course today.
Act soon, because the best special offers of the year for SANS Online Training are going on right now! Register for your course by December 16 to get your choice of a 11" iPad Pro w/ Apple Pencil, Microsoft Surface Go 2 (128GB SSD), or $350 off the course price.
*Post originally published on July 23, updated on December 10.