What distro you use/recommend as a daily driver for a Cybersecurity job (pentesting and Red Teaming)? Would QubeOS be a good fit?
Hello!
I'm working as a pentester/RT Operator in a cybersecurity company, which for some reason is a Windows shop, so we are mostly forced to work within VMWare VMs, WSL and similar. However, I've recently found out that we can in fact dualboot or reinstall our laptops, so I'm now looking for a good setup or recommended distros to use.
When I last tried switching to Fedora, my main issue was that since we are deeply integrated into O365, and our Exchange server isn't configured to allow 3rd party apps (and we can't create app passwords), accessing Teams, Mail or just writing reports in Office was a struggle. And another issue was the fact that our PT VPN is Checkpoint, which I did not manage to get working on Linux.
I'm of course familiar with Kali/Parrot/BlackArch, but I would not consider those fitting for a daily driver - each engagement can get pretty messy, and I think it's better to start with a fresh VM for every customer, just to avoid any potential issues.
I've recently discovered QubeOS, which in theory sounds like it should be perfect for this usecase - you can easily separate data for different customers, keep them safe in a storage qube, deal with per-customer networking/different VPNs in their respective Kali VM qubes, and spin up a Windows qube for report writing and backoffice/administration/communication. And if I really understand it correctly, it should also be possible to easily test out malware in a separate disposable qube without much risk.
But I didn't try working with QubeOS yet, so all of this is just a theory based on my understanding of it's features and usecases.
So, my question would be - what kind of setup do you use for engagements and backoffice/administrative work? What distro would you recommend, that works well with running different VMs without it being too much of a hassle? And most importantly, is there anyone who uses QubeOS in this field of work, or will it only slow me down and make everything a lot harder than it should be?
I used to use Qubes for pentesting for quite a while and it worked rather well. As you wrote, one set of netVM-firewallVM-appVM stack per customer to ensure nothing nasty can cross, separate netVMs for separate network zones back at the company, separate color-coded VMs for random web browsing, general office stuff and accessing sensitive data.
The cons: no hardware video acceleration (video conferences or youtube will spin the CPU like it's 2005), Windows (you can run Windows VMs and they are usable but not nearly as polished as the Linux ones) and hypervisors (there is no nested virtualization so if you want to e.g. hack KVM, you're out of luck).
Also regarding hardware compatibility: if Qubes runs on something that doesn't mean it runs securely because it will try to partition the PCI devices across VMs and what can be partitioned where depends on the exact architecture of the mainboard. Expect some deep-dive into the wonderful world of VT-d domains and PCI BARs.
Thank you! Is the lack of nested virtualization a problem? I mean, if I wanted a Kali VM, I can just run a Kali Qube directly, or not? Or is there some kind of use-case that would require nested virtualisation I'm missing?