Selling your Information Security Team Part 6

We are on to building the Victim VM.  This VM will be built with Windows 7 SP1 32-bit.  Be aware that the vulnerabilities we will exploit were either not known when SP1 was released or were later zero-day discoveries, which is exactly why this VM has to stay at the SP1 patch level and never receive an update.  More on the vulnerabilities in SP1 later, during the post on the attacker VM.

Build the VirtualBox VM & Install OS

We start off as usual by defining the VM in VirtualBox.  Click the New button in VirtualBox and fill in the name, select the OS type and version (Windows 7, 32-bit), and set the memory size to 2048 MB.  Click Create, and in the file size field enter 25 GB.  Taking all other defaults, click Create.

Getting an ISO image of Windows 7 is more complicated than the other ISO images we have downloaded, so I’m not going to go into details here.  I got mine from an MSDN subscription.  Just make sure you get the 32-bit version at Service Pack 1 (SP1); once installed, winver should report version 6.1 build 7601, which is the SP1 build.  I chose the Windows 7 Ultimate edition.  Mount the image to your VM’s CD drive by selecting Settings, then Storage, and mounting it as we have before; boot your VM and start the installation process.

The build process takes all the defaults until you get to the question of updates.  Because we don’t want ANY updates added to this system, make sure you choose “Ask me later”; the recommended setting would turn on automatic updates and patch the very vulnerabilities the attacker VM depends on.  Keep in mind that “Ask me later” only defers the choice, so after the install confirm in Control Panel that Windows Update is set to “Never check for updates” before the VM has any network path to the Internet.  The install process continues; again take all the defaults, or set values as appropriate to you.

Change Network Settings

Eventually the install will complete and you will boot into the OS for the first time.  We are now going to change the network settings to place the VM on our demo network behind the firewall.  Right-click the network icon in the system tray and select “Open Network and Sharing Center”.  In the left panel of the Network and Sharing Center, click “Change adapter settings”.  You should see one network adapter called “Local Area Connection”; right-click it and select “Properties”.  Highlight “Internet Protocol Version 4 (TCP/IPv4)”, click Properties, and set static values as appropriate to your network.

If you are following my network values, remember from the firewall and network build post that we chose an internal network of 10.10.10.x and an external network of 192.168.10.x, and from the Utility VM build post that we created a Snort rule to detect traffic between 10.10.10.128 (victim) and 192.168.10.128 (attacker).  So this victim system must be 10.10.10.128, or that rule will never fire during the demo.  The subnet mask is 255.255.255.0, and the gateway and DNS server addresses are both the internal firewall address, 10.10.10.254.  Before moving on, ping 10.10.10.254 from the victim to confirm the VM really is on the internal segment.
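The two post-install steps above (pin Windows Update off, then put the box on the internal segment) can be done and verified from one script inside the guest.  This is an added example, not a script from the original post; it assumes the series’ values (10.10.10.128/24, gateway and DNS 10.10.10.254), the Windows 7 default adapter name “Local Area Connection”, and that it is run from an elevated PowerShell prompt.  It sticks to PowerShell 2.0 and netsh because that is what ships with Windows 7 SP1; the NetTCPIP cmdlets such as New-NetIPAddress only exist on Windows 8 and later.

```powershell
# stage-victim.ps1 -- added example for this series, not part of the original post.
# Run inside the Victim VM from an elevated prompt:
#   powershell -ExecutionPolicy Bypass -File .\stage-victim.ps1
# Assumed lab values (change to match your network):
$Adapter = "Local Area Connection"   # Windows 7 default adapter name
$Ip      = "10.10.10.128"            # must match the Snort rule from the Utility VM post
$Mask    = "255.255.255.0"
$Gateway = "10.10.10.254"            # internal firewall address
$Dns     = "10.10.10.254"

# --- 1. Make sure Windows Update can never patch the box we intend to exploit ---
# "Ask me later" at install time only defers the decision; pin it down explicitly.
$auKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
Set-ItemProperty -Path $auKey -Name AUOptions -Value 1 -Type DWord      # 1 = never check for updates

# Same thing via the policy key, so a user clicking through Control Panel cannot re-enable it.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name NoAutoUpdate -Value 1 -Type DWord

# Belt and braces: stop and disable the Windows Update service itself.
Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
Set-Service  -Name wuauserv -StartupType Disabled

# --- 2. Static addressing on the demo network behind the firewall ---
netsh interface ip set address $Adapter static $Ip $Mask $Gateway 1
netsh interface ip set dns     $Adapter static $Dns

# --- 3. Verify everything before you take the snapshot ---
$au    = (Get-ItemProperty -Path $auKey).AUOptions
$mode  = (Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'").StartMode
$ipOk  = [bool]((netsh interface ip show config $Adapter) -match [regex]::Escape($Ip))
$gwOk  = Test-Connection -ComputerName $Gateway -Count 2 -Quiet

"AUOptions            : $au   (expect 1)"
"wuauserv start mode  : $mode (expect Disabled)"
"Static IP $Ip applied : $ipOk"
"Gateway $Gateway reachable : $gwOk"

if ($au -ne 1 -or $mode -ne "Disabled" -or -not $ipOk -or -not $gwOk) {
    Write-Warning "Victim is not fully staged; fix the items above before snapshotting."
}
```

Run it once, read the four lines at the bottom, and only proceed to staging when all of them show the expected values; a victim that can reach Windows Update through the firewall will quietly patch itself and the demo will stop working.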

Staging the Victim VM

The final part of the Victim setup is staging the device and creating a snapshot.  While the VM is running, set the display exactly how you want your victim to see it when they first encounter the screen.  I had the browser already open on the webmail client and logged in.  Take the snapshot while the VM is still running so that the logged-in session is captured along with the disk; that way, when you reset the environment for the demo, the victim VM always comes back to the same known starting point.  Take this snapshot before the attacker VM ever touches the victim, and never snapshot over it after an exploit has run, or your “clean” baseline will include post-exploitation artifacts.
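The VirtualBox side of this post, creating the VM as described under “Build the VirtualBox VM &amp; Install OS” and then staging and resetting it as described just above, can also be driven with VBoxManage instead of the GUI, which makes the demo reset repeatable.  This is an added example, not the post’s own procedure; it assumes a Windows host with VBoxManage on the PATH (the same command lines work unchanged from sh on a Linux or macOS host), a VM named “Victim”, an ISO at C:\iso\win7sp1_x86.iso, and that the firewall VM’s inside interface sits on a VirtualBox internal network named “demo-internal”.  All four of those names are assumptions; change them to match your lab.

```powershell
# victim-vm.ps1 -- added example for this series, not part of the original post.
# Assumed names (not from the post): VM "Victim", ISO path, internal network "demo-internal".
$Vm     = "Victim"
$Iso    = "C:\iso\win7sp1_x86.iso"
$IntNet = "demo-internal"                                     # network the firewall's inside leg is on
$Disk   = "$env:USERPROFILE\VirtualBox VMs\$Vm\$Vm.vdi"       # VirtualBox's default machine folder
$Snap   = "staged"

function New-VictimVm {
    # Same result as the New VM wizard in the post: Windows 7 32-bit profile, 2048 MB, 25 GB disk.
    # The one thing the wizard does NOT do is put NIC1 on the internal network behind the firewall.
    VBoxManage createvm --name $Vm --ostype Windows7 --register           # "Windows7" = 32-bit profile
    VBoxManage modifyvm $Vm --memory 2048 --vram 32 --nic1 intnet --intnet1 $IntNet
    VBoxManage createmedium disk --filename $Disk --size 25600             # size is in MB
    VBoxManage storagectl $Vm --name SATA --add sata --controller IntelAhci
    VBoxManage storageattach $Vm --storagectl SATA --port 0 --device 0 --type hdd --medium $Disk
    VBoxManage storagectl $Vm --name IDE --add ide
    VBoxManage storageattach $Vm --storagectl IDE --port 0 --device 0 --type dvddrive --medium $Iso
    VBoxManage startvm $Vm    # install Windows, choose "Ask me later", set the static IP, stage the desktop
}

function Save-VictimStage {
    # Take the snapshot while the VM is running (--live) so the logged-in webmail session is part of it.
    VBoxManage snapshot $Vm take $Snap --description "Victim staged: webmail open and logged in" --live
}

function Reset-VictimStage {
    # Restoring needs the VM powered off; a live snapshot then comes back as a saved state,
    # and startvm resumes it at exactly the screen you staged.
    VBoxManage controlvm $Vm poweroff 2>$null
    VBoxManage snapshot $Vm restore $Snap
    VBoxManage startvm $Vm
}

# Typical flow:
#   New-VictimVm        # once, then finish the install and staging by hand in the console
#   Save-VictimStage    # once, after the desktop looks the way the victim should see it
#   Reset-VictimStage   # before every demo run
```

Keep Reset-VictimStage as the only thing you run against the victim between demos; if you ever need to change the staged screen, restore first, make the change, and take a new snapshot rather than snapshotting a VM that has already been exploited.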

Next Time

The last system to be built is the attack VM.  We will cover not only installing the OS, but also creating the attack scripts to exploit our victim VM through the firewall.  What exploit delivery vector are we going to use?  Well, of course: an email phishing vector.

The Victim setup was fairly straightforward; did I miss any points?  Do I need to focus on something?  Once we finish building the attack VM, I’ll wrap up the entire series with a post on how to use and run it.  All will become clear soon.  In the meantime, if you have questions or comments, leave them as a reply.

Philip is an esteemed Information Security Manager with a robust track record spanning over 25 years in Fortune 500 corporate IT environments. His extensive experience encompasses managing a broad array of resources, teams, and high-impact projects. Philip specializes in Information Security Management and Security Operations, and he is particularly adept in Intrusion Detection & Handling, Computer Forensics & Investigation. He is well-versed in critical standards and practices, including the Statement on Auditing Standards No. 70 (SAS-70) and the Payment Card Industry (PCI) Data Security Standard. Philip's expertise also covers Security Architecture Design, Information Disaster Recovery, Network Security, Cryptography, and Secure Application & System Development, making him a comprehensive authority in the cybersecurity field.