8.3. Proposals for Expanding the Environment and Future Research

The possibilities for further development of the created laboratory environment are virtually unlimited, and the direction of growth can be adapted to specific needs.
The current infrastructure provides a solid foundation for further experiments, tests, and research into new detection techniques, incident response components, and penetration testing capabilities alike.

One of the key development directions is the implementation of SOAR-class components such as TheHive and Cortex, integrated with the Elastic Stack.
This would enable realistic simulation of incident response (IR) procedures, including:

  • case management,
  • assigning tasks to analysts,
  • documenting actions,
  • and building automated operational playbooks.

By integrating with the MISP threat intelligence platform, it would also be possible to automatically generate alerts from collected IoCs, and handle incidents correlated from multiple data sources.
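The IoC-driven alerting and cross-source correlation described above, shown as an added example that is not part of the original project. It is self-contained Python: the indicator list is written in the shape of a MISP attribute export (type/value pairs) but uses placeholder values, the log lines are constructed to resemble Cowrie, Suricata EVE and Elastic Agent events, and the field-to-IoC-type mapping and the `entity_of` pivot are assumptions for this lab, not MISP or Elastic APIs.

```python
"""Match MISP-style IoCs against events from several log sources and group
the hits into one incident per attacking host or affected endpoint.

Constructed example (not the lab repository's code). The IoC values are
documentation addresses / placeholder hashes, and the log lines are made up
to look like Cowrie, Suricata EVE and Elastic Agent JSON events."""

import json
from collections import defaultdict

# Constructed indicator set in the shape of a MISP attribute export.
PLACEHOLDER_SHA256 = "0" * 64  # placeholder, not a real file hash
IOCS = [
    {"type": "ip-src", "value": "203.0.113.10"},       # TEST-NET-3 documentation address
    {"type": "domain", "value": "malicious.example"},  # reserved example domain
    {"type": "sha256", "value": PLACEHOLDER_SHA256},
]

# Assumed mapping from MISP attribute type to the event fields (dotted paths)
# that should be compared against it in this lab's normalized events.
FIELD_MAP = {
    "ip-src": ["src_ip"],
    "domain": ["dns.rrname"],
    "sha256": ["file.hash.sha256"],
}

# Constructed log lines: two events from the same remote host (honeypot login
# and an IDS alert), one DNS lookup from an internal workstation, one endpoint
# file event, and one benign DNS lookup that must not match anything.
LOG_LINES = [
    '{"source": "cowrie", "eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root"}',
    '{"source": "suricata", "event_type": "alert", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.20", '
    '"alert": {"signature": "LAB SCAN SSH probe (constructed)"}}',
    '{"source": "suricata", "event_type": "dns", "src_ip": "10.0.0.5", "dns": {"rrname": "malicious.example"}}',
    '{"source": "elastic-agent", "host": "ws01", "file": {"hash": {"sha256": "' + PLACEHOLDER_SHA256 + '"}}}',
    '{"source": "suricata", "event_type": "dns", "src_ip": "10.0.0.6", "dns": {"rrname": "updates.example.org"}}',
]


def get_path(event, path):
    """Resolve a dotted path such as 'dns.rrname' inside a nested event dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def find_ioc_hits(log_lines, iocs):
    """Return one alert per (event, IoC) match across all sources."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        for ioc in iocs:
            for path in FIELD_MAP.get(ioc["type"], []):
                value = get_path(event, path)
                if value is not None and str(value).lower() == ioc["value"].lower():
                    alerts.append({"ioc": ioc, "field": path, "event": event})
    return alerts


def entity_of(event):
    """Pivot used to merge alerts into one incident: the remote IP for network
    sources, the hostname for endpoint sources (assumed convention)."""
    return event.get("src_ip") or event.get("host") or "unknown"


def correlate(alerts):
    """Group alerts from different sensors into incidents keyed by entity."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[entity_of(alert["event"])].append(alert)
    return dict(incidents)


if __name__ == "__main__":
    hits = find_ioc_hits(LOG_LINES, IOCS)
    for entity, alerts in correlate(hits).items():
        sources = sorted({a["event"]["source"] for a in alerts})
        print(f"incident for {entity}: {len(alerts)} alert(s) from {sources}")
```

Running the block yields three incidents from four IoC hits: the honeypot login and the IDS alert from 203.0.113.10 are merged into one case, which is the multi-source correlation the SOAR integration would hand to an analyst, while the benign DNS lookup produces nothing.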

Another valuable addition would be deploying a Cowrie honeypot exposed to the external network.
This would allow observing attack attempts, scanning activity, brute-force attacks, and analyzing the behavior of bots and real threat actors.

It would also be beneficial to add machines running vulnerable operating systems (e.g., older versions of Windows or Linux) to enable:

  • realistic penetration testing of known exploits,
  • and analyzing their traces in logs.

Additional attack scenarios could include:

  • lateral movement techniques,
  • attacks on IIS servers,
  • attacks on Active Directory infrastructure,
  • and testing various techniques from the MITRE ATT&CK model.

These could then be followed by detection exercises.
Because the VMware virtualization platform supports snapshots, penetration tests could be much more destructive without risking damage to the entire infrastructure.

Another area worth exploring is redesigning the environment to include a DMZ (demilitarized zone), which would make it more similar to a real organizational network architecture.

It would also be valuable to:

  • test Suricata in IPS mode, placed inline on the pfSense firewall so that malicious traffic can be blocked in real time
  • enable real-time protection in Elastic Defend (EDR)
  • create and test custom detection rules in Sigma, based on past attacks and detections
    • convert created triggers into Sigma format
    • or download public Sigma rules, adapt them to the environment, and test their effectiveness
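The "create and test custom Sigma rules" item above, as an added example that is not part of the original project. The rule is written as a Python dict mirroring the Sigma YAML layout so the example runs without extra dependencies, and the evaluator supports only the Sigma subset the rule uses (exact match, `|contains`, `|endswith`, `|startswith`, list values ORed, and the conditions `selection` / `selection and not filter`); the rule content, the allow-listed parent process and the labelled sample events are all constructed for this lab.

```python
"""Minimal Sigma-style rule evaluator used to measure a custom detection rule
against labelled sample events before loading it into the SIEM.

Constructed example (not the lab's own code). Only the Sigma subset used by
the rule below is implemented; a real deployment would convert the YAML with
the Sigma CLI and test it in Elastic, this just checks the detection logic."""

# The rule as it would appear in Sigma YAML, expressed as a dict.
ENCODED_POWERSHELL_RULE = {
    "title": "Encoded PowerShell Command Line (lab example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        "filter": {
            # constructed allow-list: an assumed lab tool that legitimately uses -enc
            "ParentImage|endswith": "\\lab_inventory.exe",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process-creation events with a ground-truth label that the
# evaluator never reads. Base64 payloads are replaced by placeholders.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "malicious": True},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh -EncodedCommand <base64-placeholder>",
     "ParentImage": "C:\\Windows\\explorer.exe", "malicious": True},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc <base64-placeholder>",
     "ParentImage": "C:\\Tools\\lab_inventory.exe", "malicious": False},  # suppressed by filter
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "malicious": False},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe", "malicious": False},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -e <base64-placeholder>",  # short alias not covered by the rule
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "malicious": True},
]


def field_matches(event, key, expected):
    """Apply one Sigma field/modifier pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:  # list values are ORed
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def block_matches(event, block):
    """All fields inside one selection block are ANDed."""
    return all(field_matches(event, key, value) for key, value in block.items())


def evaluate_rule(rule, event):
    """Evaluate the rule's condition; only 'X' and 'X and not Y' are supported."""
    det = rule["detection"]
    tokens = det["condition"].split()
    if len(tokens) == 1:
        return block_matches(event, det[tokens[0]])
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]:
        return block_matches(event, det[tokens[0]]) and not block_matches(event, det[tokens[3]])
    raise ValueError(f"unsupported condition: {det['condition']}")


def measure_effectiveness(rule, events):
    """Count hits against the labels and derive precision and recall."""
    tp = fp = fn = tn = 0
    for ev in events:
        hit = evaluate_rule(rule, ev)
        if hit and ev["malicious"]:
            tp += 1
        elif hit:
            fp += 1
        elif ev["malicious"]:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    print(measure_effectiveness(ENCODED_POWERSHELL_RULE, SAMPLE_EVENTS))
```

On the constructed events the rule scores two true positives, zero false positives (the allow-listed parent process suppresses the legitimate use) and one false negative: the `-e` alias is not in the selection list, which is exactly the kind of coverage gap this measurement step is meant to surface before a rule is converted and deployed.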

Other possible extensions include:

  • Testing and tuning firewalls
  • Extending logging to include memory forensics using tools like Volatility
  • Using the already implemented Wazuh platform to gain more advanced HIDS rules, file integrity monitoring, and anomaly alerting compared to the base Elastic Stack
  • Testing additional offensive tools from Kali Linux (e.g., Metasploit)
  • Using tools such as Velociraptor to collect and analyze forensic artifacts from endpoints

Finally, a natural continuation of this work would be developing new attack scenarios based on real APT campaigns, analyzing their progression within the lab, and testing the effectiveness of detection using custom correlation rules and alerts.
Such activities would further improve understanding of how SIEM components react and how to build effective detection and incident response systems.