Building the Virarium 2.0 - or "You know, normal people just have aquariums." - Part 1

For those that regularly read XKCD, this one may be familiar for you:

Let me start from the beginning. My previous employer OGD has a yearly event called "Technival", which was all about a wild variety of geeky things organised and built by their employees, and the Virarium was the brainchild of me and Robbert Erents. You can see us handling the environment with extreme caution in this charming press photo:

Back then, we were just trying things and the project wasn't a great success due to a variety of factors: The anti-malware software we used was working too well (it blocked execution of malware even though we told it to just detect.), the project was built on a heap of PowerCLI scripts to deploy and destroy VMs, and ultimately: there isn't a lot of malware left these days that actually spreads peer to peer. But in the end, we had a ton of fun building and designing the environment.

And now with SHA2017 around the corner, the time is ready for Virarium 2.0, new and improved. I've had a lot of time to think how to actually design and implement this properly, and 4 years of experience with automation helps a lot in this.

So the way the Virarium 2.0 is planned is as follows:

  • Virtual machines are managed by VMware vSphere with NSX. This allows us to use hypervisor based IDS tools which do not interfere with the VM, and it allows us to tag Virtual machines based on the operating system, the applications running, the security posture, you name it. We're looking at Palo Alto's PANOS since it has out of the box dashboards for vRealize Log Insight.
  • Virtual machines will run operating systems and applications in a wide variety, from purpose-built vulnerable machines such as Metasploitable to Windows 2016 and Honeypots and will be classified based on NSX security tags.
  • All data generated by NSX and IDS tools log to vRealize Log Insight which provides a structured format for unstructured data.
  • vRealize Orchestrator regularly pulls the log data in a structured format from Log Insight through the API and will use this data to "score" VMs based on information such as threat scores, counts of IDS events, you name it.
  • vRealize Orchestrator will in turn use this information to decide the health state of the virtual machines and will - on a scheduled cycle - kill off VMs and provision healthy new ones. This can be as simple or as complex as we want to make it, since we have all the security information on the VM and can apply any kind of weighing mechanism to the provisioning decisions.
  • vRealize Orchestator can push events back to vRealize Log Insight through the ingestion API which allows us to store even more information on the VMs in a structured format.
  • vRealize Log Insight will turn this into pretty graphs, counters, gauges, and scoreboards to give people something pretty to look at.

Our basic vRO workflows currently consist of the following:

Some mockups of what this would look like:

Currently the main work is in the vRO workflows, getting the provisioning done correctly, and getting the correct threat events from Palo Alto Panorama as soon as i can get my hands on a NFR license. After that, the main work will be in creating fancy dashboards, and obviously to get some friendly hackers at the SHA2017 conference to purposely infect and try to exploit our malware ant farm.

While this may not have been a very indepth blogpost, we're currently working on getting all the tooling correctly configured and building workflows, and i'll post an update as soon as i have more information to share.