BLUE EDITION In & Out: Network Data Exfiltration Techniques | 24 & 25 September 2020

This training is an advanced lab-based training created to familiarize students with the Open Source detection and alerting components ready to use within your Security Operation Center.

Original price was: $3,299.00.Current price is: $2,299.00.

Duration

2 days

Delivery Method

Level

intermediate

Seats Available

20

Duration

2 days

Delivery Method

Level

intermediate

Class mode: VIRTUAL LIVE STREAM  


DATE: 24 to 25 September 2020

TIME: 09:00 to 17:00 CET

Detection does not have to be boring and tedious! This training will deliver you a bigger picture of what you really need to care about when thinking initially or improving lately your Security Operation Center environment, Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or anomaly detection network security solutions.

Through hands-on labs only, this training will deliver you a bigger picture of what you really need to care about when thinking initially or improving lately your Security Operation Center environment, Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or anomaly detection network security solutions.

Agenda

  • 1. Introduction to the Open Source Virtual Detection stack.

    ● Hunting ELK (HELK) ● Wazuh ● Graylog ● Elastiflow ● Zeek IDS ● Suricata IDS ● Moloch FPC ● OSquery ● Velociraptor ● Volatility Framework ● mod_security ● MISP ● theHive ● OpenVswitch / ipt_netflow

  • 2. In-depth endpoint monitoring, low level security tracing and profiling for critical systems:

    ● Sysmon ● Windows Event Forwarding ● auditd ● eBPF ● sysdig

  • 3. Playing with Zeek IDS / Suricata IDS / Netflow for anomaly detection → finding malicious artifacts at the network level:

    ● The importance of hardening and network baselining for high-risk environments: ○ HTTP profiling ○ DNS profiling ○ TLS profiling ○ and more ● ET / PT Suricata rules ● Zeek Script Index ● Security feature extraction per many different network protocols: ○ Beaconing ○ JA3 & HASSH Client / server Fingerprinting

  • 4. Alerting on anomalies → The power of Elastalert + Sigma rules against real use-cases:

    Low-level analysis of chained Sigma rules for better understanding a lateral movement detection: ○ AD Reconnaissance / AD Snapshot ○ Bloodhound artifacts ○ Golden Ticket ○ Silver Ticket ○ Kerberoasting ○ RPC over TCP/IP ○ DCsync / DCShadow ○ Mimikatz agent/server ○ Pass The Hash ○ SMBexec ○ Invoke-WMI ○ WinRM ○ Brute forcing ○ Invoke-PSexec ○ PSRemoting ○ RDP wrapping ○ WMI multiple sessions ○ Remote network relaying ○ Copy VSS ○ Keylogging ○ LSA secrets extraction ○ Sandbox / virtual environment detection ○ UAC bypassing ○ Poisoning LLMNR, NBT-NS, MDNS, WPAD and WSUS ○ SMB ransomware detection. ○ Browser pivoting ○ SSH Tunneling and pivoting ○ RDP Tunneling and pivoting / RDP Inception ○ Persistence ● Combining alerts into periodic reports ● Creating custom Sigma rules against C2 Frameworks

  • 6. Summary

    The importance of infrastructure hardening and network visibility.

Why You Should Take This Course

If you wish to learn:
  • About the architecture and power of many popular Open Source tools and analytical solutions that help you detect and fight against chained adversary moves
  • How to build detections and alerting around adversarial techniques
  • How to learn more about attacks using Sigma rules and Mordor datasets
  • The significance of the smallest security events correlation including context to reduce the number of false positives and better detection of adversary activities
  • The flow and understanding the tactics and behaviors of the adversary after gaining initial access to the network
  • Detection methods of C2 traffic, tunneling, hiding, pivoting and custom, simulated malicious network events
Then this is the training for you!
 

Who Should Attend

  • Red and Blue team members
  • Security / Data Analytics
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

Who Should Attend

TBA

Key Learning Objectives

  • Architecture and capabilities of many popular Open Source tools and analytical solutions that help you detect and fight against chained adversary moves

  • Find out how DFIR / IR Open Source Software can support your SIEM infrastructure

  • Endpoint monitoring, low level security tracing and profiling for critical systems

  • Learn ways to improve your detection and event correlations skills across many different data sources

  • Find the malicious activities and identify threats details on the network

  • Prepare your SOC team for fast filtering out network noise and allow for better incident response handling

  • Profile your critical OS and network segments in terms of ‘normal vs exotic’ behaviour

  • Learn current trends, techniques, and tools for network exfiltration and lateral movements

  • Identify blind spots in your network security posture
  • Prerequisite Knowledge

    • An intermediate level of command-line syntax experience using Linux and Windows
    • Fundament knowledge of TCP/IP network protocols
    • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
    • Basic programming skills are a plus, but not essential

    Hardware / Software Requirements

    • VPN client installed according to VPN Setup instructions
    • Slack account as an invite to dedicated training channel will be sent
    • Stable internet connection
    • Recommended:
      • Zoom client installed
      • HD Camera to have 1:1 access to an instructor and the rest of the participants. Even virtually, let’s feel each other like we were in the class:)
    This training is based on dedicated PurpleLABS cloud infrastructure, so there are no special student’s desktop requirements. No more initial setup issues, just a pure training experience!

    Your Instructor

    No data was found