--Built and maintained by the ”Nato as Code“ community--
Inner-Athena Quick Start Guide
Overview of the Inner-Athena Threat Intelligence Architecture
As the creator of the Olympiad, Nato, I am on a mission of building cybersecurity into the heart of every home. Between my open source communities and myself – if we can accomplish this, we can all live a little easier and worry a little less about previously unseen threats that target us and our loved ones. By focusing on individuals and bringing cybersecurity awareness into the home, we can create an inherently safer – yet more connected – internet.
Products (both existing and in development) created by myself and my colleagues at the Cloud Underground work toward this goal. My primary platform is called the Olympiad. The Olympiad can be deployed for either offensive or defensive applications and, thus, has myriad applications for both home and professional use.
The Olympiad consists of two independent components, a threat intelligence engine called the “Inner-Athena” and a security operation center (SOC) builder engine called the “Gorgon-Gaze.” The Inner-Athena Threat Intelligence Engine is like the brain of the Olympiad, while the Gorgon-Gaze component is the user access console for the platform.
Goal of the Olympiad Platform
In the age of the Smart Home and IoT, individuals rely on an ever increasing number of technologies without thinking about how these systems and devices affect their network security. Because of this, securing the home is more important than ever.
Nato creates open source developer tools that empowers homeowners to hack back. This platform teaches users cybersecurity through DIY and gamification, allowing them to better defend their homes and/or businesses. Essentially, we’re bringing purple team security information and event management (SIEM) to the masses!
While cybersecurity professionals have had the benefits that come with building home labs for years, standard consumers and those trying to learn cybersecurity do not have many standardized ways to learn how to protect their homes from threats. For that matter, employers and businesses are now very frequently targeted through their remote and home workers because the average home is incredibly vulnerable to cyber attacks.
Home-based cyber attacks are a problem not just for consumers but also for businesses. A compromised employee can result in a company-wide breach. It is not uncommon that cyberattacks result in mass layoffs -- or worse if an employer goes out of business.
Enter the Olympiad.
The Inner-Athena is designed to be capable of intelligently securing a home or small office by providing security information event management (SIEM) technology to smaller spaces with the modularity and standardization of the Raspberry Pi 4 platform for maximized accessibility. Users who fully construct and deploy this engine not only build real-world cybersecurity skills, they also end up with a powerful home defense security operation center (SOC) to protect their space!
Technology can be automated and standardized to become more consumer friendly over time. Since the Raspberry Pi 4B model with 4gb of ram is now powerful enough to be used for enterprise-level computing for applications, standardized open-source solutions can be built for the Raspberry Pi 4B to make it more accessible for anyone and everyone interested in learning cybersecurity skills.
Businesses who deploy this system with their remote workers receive the added benefit of having more accessible cybersecurity resources as well as creating a secure network ecosystem for each worker.
The Olympiad provides network-wide monitoring solutions that make the cloud visible.
The technical guide for how to build the Inner-Athena Threat Intelligence engine begins here.
Firstly, this guide is documentation on how to construct an Inner-Athena Threat Intelligence architecture on a Raspberry Pi 4 (4GB model recommended).
The Inner-Athena architecture is a single part of Nato’s open-source platform, the Olympiad. This architecture is designed to automate red team pentesting practices and payload transactions while also leveraging the active deployment of blue team monitoring and system defense measures.
The entire Olympiad platform is heavily dependent on the Inner-Athena; this architecture is the foundation for everything and anything added to the platform.
By default, the Inner-Athena architecture runs on a dedicated sub-network built in a Docker environment. This network comes with two nodes built in containers - one is a unique Pi Hole architecture and the other is an Athena0 node that pairs and connects to the Pi Hole by default.
The entire Inner-Athena architecture is poised for clustering and automation with the use of Docker Swarm and k3s Kubernetes (both must be optionally configured after setting up all of the components in this QuickStart guide).
The Olympiad platform is a micro SIEM technology that runs on Red Team and Blue Team tools and resources - built to support various big data stacks such as Promtail/Loki/Grafana stack, ELK stack, TICK stack and other data frame structures that are used for automation. This is meant for engineering environmental Purple Team orchestration.
—Review Inner-Athena’s “Athena0” Docker Hub Resources—
*Note that this link contains guidance on how to learn and practice pentesting basics with brute force attacks using our hacking toolkit container, called “Athena0”.*
(*RECOMMENDED*)—Download Raspberry Pi OS—
(OR - more advanced) —Download HypriotOS—
*HypriotOS works with the same commands as Raspbian*
—For HypriotOS, use a tool like balenaEtcher to flash to SD—
*connect Raspberry Pi to ethernet internet connection if using HypriotOS or WiFi cannot be accessed*
(First time booting Raspberry Pi OS from SD - change default passwords)
(First time booting HypriotOS from SD - change default passwords)
—sudo apt-get update
—sudo apt-get full-upgrade
—sudo apt install raspi-config
—sudo raspi-config (this will bring up a menu, select update - can also be used to change hostname from black-pearl if preferred, among other things)
—sudo raspi-config (select advanced and navigate to memory split - set memory split to 16)
—sudo apt install network-manager (may need to try again later after setting static IP with 188.8.131.52 as the DNS nameserver)
(only use this if you want to connect WIFI)
—sudo nmtui (this will bring up a menu to set up WIFI)
*nmtui makes it easier to set up DNS and static IP addresses*
(RECOMMENDED TO SET A STATIC IP - AND SET DNS TO 184.108.40.206 UNTIL PI HOLE IS CONFIGURED)
*for static IP on ethernet*
—sudo nano /etc/dhcpcd.conf
(hitting enter should take you to text, if it’s a blank screen type “ctrl” + “x” to get out - if you see text, make changes and want to save, type “ctrl” + “x” then “y” then “enter/return”)
(you can add this exact format to the very bottom of dhcpcd.conf)
static ip_address=<The IP You Want for Your Pi>
static routers=<Your Router’s IP/The Gateway on You Network>
—(An IP address of 192.168.2.200 can be configured as seen below)—
*IF network-manager installed correctly and you want to set static IP with WIFI*
(select “activate a connection” to connect to a wifi connection, then once activated navigate back to the main nmtui screen and select “edit a connection” next where you will want to use the arrow keys to change “IPv4” from <Automatic> to <Manual>)
(update and upgrade again after setting static IP)
—sudo apt-get update
—sudo apt-get upgrade
*REBOOT AFTER SETTING STATIC IP*
*CRITICAL on Raspberry Pi OS - Install Docker (HypriotOS comes with Docker prebuilt)*
(Please use the official Docker guide to install Docker) —Use this official Docker guide to ensure you are using the most up to date install package, select the arm64 install option - armhf works for 32 bit operating systems—
(Inspect this URL before running or live on the EDGE, and try straight away at your own risk - this Docker install alternative is fastest way to install Docker on systems it works for) —Use the “sudo su” command before running this to run as root without trouble—
—curl -sSL https://get.docker.com | sh
(Update the Pi again)
—sudo apt update
—sudo apt upgrade
—sudo systemctl start docker.service
(verify Docker is running)
—sudo systemctl status docker (should bring up something that says ACTIVE in all green)
*ONLY IF DOCKER IS NOT RUNNING*
—sudo systemctl enable docker
—sudo systemctl start docker
(verify you get a ping response from both of these before continuing - if either fails you will need to research how to configure DNS to point to 220.127.116.11 before trying to pull containers)
—sudo ping 18.104.22.168
—sudo ping google.com
(Install portainer before other containers, please use official guide) —Use this official Portainer guide to select the proper install method for your Docker build and infrastructure—
*IF YOU RUN INTO ANY ISSUES ATTEMPTING TO INSTALL PORTAINER, DO NOT CONTINUE UNTIL TROUBLESHOOTING THE PORTAINER INSTALL*
As long as Portainer gets installed, any issues with installing the other containers will be much easier to troubleshoot.
(To access Portainer, go to a separate computer or mobile device and type, “https://<Your Pi’s IP Address>:9443”, in a web browser’s URL bar from that separate computer)
(Create the Inner-Athena docker network for Inner-Athena architecture)
—sudo docker network create -d bridge --subnet=172.20.0.0/24 Inner-Athena
*IMPORTANT Run this on the Docker host before installing Pi Hole*
sudo systemctl disable systemd-resolved.service
(If the command above was successful, install Pi Hole to manage inner DNS control from inside the Pi from a container)
—sudo docker run -itd -p 53:53/tcp -p 53:53/udp -p 67:67 -p 80:80 -p 443:443 -h Inner-DNS-Control --name=Inner-DNS-Control --net=Inner-Athena --ip=172.20.0.20 --restart=always -v /home:/home pihole/pihole
(Install Inner-Athena’s Athena0 master node)
—sudo docker run -itd -p 2222:22 -h Athena0 --name=Athena0 --net=Inner-Athena --dns=172.20.0.20 --restart=always -v /home:/home -v /var/log:/var/log natoascode/athena0
***(ALTERNATIVE PI HOLE COMMAND THAT SAVES PI HOLE CONTAINER CONFIGS TO HOST *ADVANCED USE ONLY*:
This advanced Pi Hole configuration is for longterm use. This is a “Phoenix Server'' configuration for Pi hole use.
--create DNS volume--
—sudo docker volume create pihole_DNS_data
—sudo docker run -itd -p 53:53/tcp -p 53:53/udp -p 67:67 -p 80:80 -p 443:443 -h Inner-DNS-Control --name=Inner-DNS-Control --net=Inner-Athena --ip=172.20.0.20 --restart=always -v /home:/home -v /var/log/pihole.log:/var/log/pihole.log -v /etc/pihole:/etc/pihole -v pihole_DNS_data:/etc/dnsmasq.d/ pihole/pihole:latest)***
Use this Pi Hole configuration if configuring the “Ingress-Athena” network, listed below under the “second pi hole command” section below.
***(SECOND PI HOLE COMMAND TO ADD SWARM MONITORING ON AN INGRESS NETWORK *ADVANCED USE ONLY*:
NOTE: This command is to allow Pi hole to monitor Swarm containers and ingress systems associated with a Swarm or Kubernetes ingress network. If you are using a single Pi, this is only valuable if you build an internal ingress network that lives inside of a single Pi Swarm or Kubernetes manager - with Docker, this installation will fail without initializing “Swarm.”
IF INSTALLING ON A SINGLE PI (OR OTHER SYSTEM) - initialize Swarm even if you do not plan on adding a second node:
—sudo docker swarm init
This secondary Pi Hole is for use with containers living inside of a cluster (Swarm, Kubernetes, etc). If you do not know what an “ingress” network is, research this topic (ingress and egress networking) and return to this later once an overlay ingress network is necessary.
The single Pi hole configuration is designed for managing and monitoring DNS within a single node (like a single Raspberry Pi or Jetson Nano) or for managing DNS traffic coming from outside of a cluster.
--create “Ingress-Athena” network--
—sudo docker network create -d overlay --attachable --subnet=10.20.0.0/24 Ingress-Athena
—sudo docker run -itd -h Ingress-DNS-Control --name=Ingress-DNS-Control --net=Ingress-Athena --ip=10.20.0.20 --restart=always -v /home:/home -v /var/log/pihole.log:/var/log/pihole.log -v /etc/pihole:/etc/pihole -v pihole_DNS_data_ingress:/etc/dnsmasq.d/ pihole/pihole:latest
—sudo docker network connect Ingress-Athena Athena0
This Pi hole is to be installed on the same node as the Inner-DNS-Control Pi hole - both will show up on the same dashboard this way.)***
To get devices added to the Pi Hole container, use the Raspberry Pi’s static IP in Raspberry Pi OS/Hypriot as the Pi Hole’s DNS IP. Pointing any device at the Raspberry Pi will cause the Pi Hole in the container to work the same as if you installed the Pi Hole locally to the Raspberry Pi.
To access the Pi hole instead of Portainer from a web browser - instead of <Your Pi’s IP Address>:9000, type <Your Pi’s IP Address>:80, in the URL bar. This will bring you to the standard Pi Hole admin console and dashboard.
Once everything is running, you can forever more access the Pi from Portainer as the primary way of using this Raspberry Pi setup.
If you want to access the Raspberry Pi OS/Hypriot side of the Raspberry Pi from portainer, Athena0 is preconfigured to access the Pi server via “ssh.” If you go to Portainer and access Athena0’s command prompt, you can type the following to get full access to the Pi’s Raspberry Pi OS/HypriotOS.
*Raspberry Pi OS* (do this from the Athena0 container shell)
--ssh pi@<Your Pi’s IP Address>
(pi’s password prompt will appear for you to log into pirate - be aware you can access any user set up in Raspberry Pi OS this way, including root if you enable root for whatever reason)
*HypriotOS* (do this from the Athena0 container shell)
--ssh pirate@<Your Pi’s IP Address>
(pirate’s password prompt will appear for you to log into pirate - be aware you can access any user set up in Hypriot this way, including root if you enable root for whatever reason)
Consider building a VPN for your entire network. Otherwise, at least build a VPN for the Inner-Athena systems.
*HIGHLY RECOMMENDED TO CREATE A VPN DOCKER CONTAINER AND CONNECT EVERY INNER-ATHENA HOST AND CONTAINER TO IT*
Install VPN in a Docker Container:
VPN Container in 5-Minutes:
*ALTERNATIVELY VPN CAN BE CONFIGURED ON A PI ZERO W THAT THE INNER-ATHENA CAN TUNNEL THROUGH*
Install VPN on a Separate Pi:
The Threat Intelligence Engine will receive its own dedicated whitepaper. Until that documentation is available, the following guidance will allow you to begin planning out how to build a Pi Hole into a threat intelligence engine on your own.
The Inner-DNS-Control Pi Hole can be configured in the settings to use various threat lists, in conjunction with its default ad blocking lists. There are various open source threat lists around the internet, and various guides like this one below list a few considerations that can be used to construct the Pi Hole into a Threat List management resource.
Open Source Threat Intelligence Feeds:
The Pwnagotchi AI can be installed in a Docker container, check out the Pwnagotchi team’s documentation to learn more about this AI tool.
Host Pwnagotchi Everywhere (can run from Docker):
Pwnagotchi is just fun.
For those wanting to increase computing resources and performance and establish something called High Availability, a specific cluster model can be followed to create things like self-repairing applications and failover functionality that will keep your Threat Intelligence Engine running even if one or multiple Pi systems crash or fail.
The following cluster architecture will automatically try to fix itself whenever anything goes wrong with your Pi ecosystem (e.g. crashes, application failures, unexpected shutdowns, power anomalies, unexpected data corruption, etc.).
The Inner-Athena architecture is designed to allow for simplified clustering with existing scripts from Kubernetes and Docker. The recommendation for this architecture is to use k3s, from Rancher, to build a lightweight Kubernetes cluster with one or more Raspberry Pi 4 systems. At least 5,000 Raspberry Pi 4s can be clustered together with k3s without loss of performance.
Before clustering you need to configure HypriotOS’s, “cloud-init,” which will force the Raspberry Pi system to maintain configurations held by cloud-init. This resource leverages open source resources such as Puppet, Chef and Salt-Minion.
Hypriot cloud-init Guidance (ONLY for those wanting to engineer custom Hypriot images):
The cloud-init team also has great documentation resources on their website for the configuration of their tool as well. System configurations will change on reboot automatically if changed without modifying cloud.cfg (for example, changing the hostname without modifying cloud.cfg will result in the hostname forcibly changing back to “black-pearl” on reboot until changed).
Documentation and Guidance for Using cloud-init:
Documentation and Guidance for Using k3s:
(HypriotOS works with the same commands as Raspbian)
*Configure iptables before installing k3s from the documentation*
—sudo iptables -F
—sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
—sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
First configure a single Raspberry Pi 4 system running the Inner-Athena architecture to be the Kubernetes master, with k3s. Follow the documentation to then configure the Athena0 container to operate as a Kubernetes agent that talks to the master (which happens to be the Pi running the Athena0 container).
If multiple physical Raspberry Pi 4 systems are added to the Pi cluster, HypriotOS can be configured for Swarm mode on every Pi. Also configure each Pi with k3s as well, which will also have the Athena0 node clustered into the k3s Swarm.
Documentation and Guidance for Using Docker Swarm:
Hypriot’s Guidance for Swarm With HypriotOS:
The end result should show a single Athena0 node running from a Docker Swarm, which each Pi and Athena0 all clustered together using k3s. Install applications to the cluster using tools such as Helm and Arkade to automate and manage software installed to the cluster.
Install Arkade (built for Pi - recommended option):
Install Helm (can be installed with Arkade for added automation):
The Inner-Athena Threat Intelligence Engine architecture is designed to simplify high-end clustering for use with more compact hardware using the Raspberry Pi 4B. Since the 4 model of the Raspberry Pi is so powerful, this now brings enterprise-grade security to the home and small offices at a fraction of the cost to build and maintain.
Open-source software allows long-term management for home security to be virtually free, with power costs being the greatest long-term expense. Fortunately, Raspberry Pis don’t use nearly as much power as full-sized systems!
Any DIY’er who builds this architecture for their own home will inevitably develop advanced technical cybersecurity skills by the end of the build, whether the builder is a cybersecurity enthusiast or a professional.
Better yet, you don’t have to worry about home threats nearly as much when you know how to hack back!