2-Day Training | 24-25 Sep

BLUE EDITION In & Out: Network Data Exfiltration Techniques | 24 & 25 September 2020

Duration 2 days
Capacity 15 pax
Difficulty intermediate

$3,299.00 $2,299.00


Overview

Class mode: VIRTUAL LIVE STREAM
DATE: 24 to 25 September 2020

TIME: 09:00 to 17:00 CET

Detection does not have to be boring and tedious! Through hands-on labs only, this training will give you a bigger picture of what you really need to care about when first designing, or later improving, your Security Operations Center environment, your Red and Blue team skills, your SIEM / data analytics deployments, your DLP / IDS / IPS installations or your anomaly-detection network security solutions.

Why should you take this course?

If you wish to learn:
  • About the architecture and power of many popular Open Source tools and analytical solutions that help you detect and fight against chained adversary moves
  • How to build detections and alerting around adversarial techniques
  • How to learn more about attacks using Sigma rules and Mordor datasets
  • The significance of correlating even the smallest security events, together with their context, to reduce the number of false positives and better detect adversary activity
  • The flow of an intrusion, and the tactics and behaviors of the adversary after gaining initial access to the network
  • Detection methods for C2 traffic, tunneling, hiding, pivoting and custom, simulated malicious network events
Then this is the training for you!


Who Should Attend

  • Red and Blue team members
  • Security / Data Analytics specialists
  • CIRT / Incident Response Specialists
  • Network Security Engineers
  • SOC members and SIEM Engineers
  • AI / Machine Learning Developers
  • Chief Security Officers and IT Security Directors

Key Learning Objectives

  • Architecture and capabilities of many popular Open Source tools and analytical solutions that help you detect and fight against chained adversary moves
  • Find out how DFIR / IR Open Source Software can support your SIEM infrastructure
  • Endpoint monitoring, low level security tracing and profiling for critical systems
  • Learn ways to improve your detection and event correlations skills across many different data sources
  • Find malicious activity and identify threat details on the network
  • Prepare your SOC team to filter out network noise quickly and handle incident response better
  • Profile your critical OS and network segments in terms of ‘normal vs exotic’ behaviour
  • Learn current trends, techniques, and tools for network exfiltration and lateral movement
  • Identify blind spots in your network security posture

Prerequisite Knowledge

  • An intermediate level of command-line syntax experience using Linux and Windows
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware / Software Requirements

  • VPN client installed according to the VPN Setup instructions
  • Slack account, as an invite to the dedicated training channel will be sent
  • Stable internet connection
  • Recommended:
    • Zoom client installed
    • HD camera for 1:1 access to the instructor and the rest of the participants. Even virtually, let’s feel like we are in the same classroom :)

This training is based on dedicated PurpleLABS cloud infrastructure, so there are no special requirements for the student’s desktop. No more initial setup issues, just a pure training experience!

Agenda


1. Introduction to the Open Source Virtual Detection stack.

● Hunting ELK (HELK)
● Wazuh
● Graylog
● Elastiflow
● Zeek IDS
● Suricata IDS
● Moloch FPC
● OSquery
● Velociraptor
● Volatility Framework
● mod_security
● MISP
● theHive
● OpenVswitch / ipt_netflow

2. In-depth endpoint monitoring, low level security tracing and profiling for critical systems:

● Sysmon
● Windows Event Forwarding
● auditd
● eBPF
● sysdig

3. Playing with Zeek IDS / Suricata IDS / Netflow for anomaly detection → finding malicious artifacts at the network level:

● The importance of hardening and network baselining for high-risk environments:
○ HTTP profiling
○ DNS profiling
○ TLS profiling
○ and more
● ET / PT Suricata rules
● Zeek Script Index
● Security feature extraction per many different network protocols:
○ Beaconing
○ JA3 & HASSH Client / server Fingerprinting

4. Alerting on anomalies → The power of Elastalert + Sigma rules against real use-cases:

● Low-level analysis of chained Sigma rules for a better understanding of lateral movement detection:
○ AD Reconnaissance / AD Snapshot
○ Bloodhound artifacts
○ Golden Ticket
○ Silver Ticket
○ Kerberoasting
○ RPC over TCP/IP
○ DCsync / DCShadow
○ Mimikatz agent/server
○ Pass The Hash
○ SMBexec
○ Invoke-WMI
○ WinRM
○ Brute forcing
○ Invoke-PSexec
○ PSRemoting
○ RDP wrapping
○ WMI multiple sessions
○ Remote network relaying
○ Copy VSS
○ Keylogging
○ LSA secrets extraction
○ Sandbox / virtual environment detection
○ UAC bypassing
○ Poisoning LLMNR, NBT-NS, MDNS, WPAD and WSUS
○ SMB ransomware detection
○ Browser pivoting
○ SSH Tunneling and pivoting
○ RDP Tunneling and pivoting / RDP Inception
○ Persistence
● Combining alerts into periodic reports
● Creating custom Sigma rules against C2 Frameworks

6. Summary

The importance of infrastructure hardening and network visibility.
