Linux Forensics Inspection and Incident Response at Scale (Ams)

$3,299.00

Duration

3 days

Delivery Method

virtual

Level

intermediate

Seats Available

20

Duration

3 days

Delivery Method

virtual

Level

intermediate

REGISTRATION CLOSED

DATE: 17-19 April 2023

TIME: 09:00 to 17:00 CEST/GMT+2

Date Day Time Duration
17 Apr Monday 0900-17:00 CEST/GMT+2 8 Hours
18 Apr Tuesday 0900-17:00 CEST/GMT+2 8 Hours
19 Apr Wednesday 0900-17:00 CEST/GMT+2 8 Hours

 


Full access to the PurpleLabs environment for 30 days post-training!


Through the hands-on labs, you will gain a perfect understanding of important DFIR Linux/Network internals and investigation steps needed to get the full picture of post-exploitation activities and artifacts left behind. At scale.

Attackers constantly find new ways to attack and infect Linux boxes using more and more sophisticated techniques and tools. As defenders we need to stay up to date with adversaries, understand their TTPs and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieve that goal. For DFIR needs we could go even further with proactive forensics inspections. This training will guide you through different attack-detection-inspection-response use-cases and teach critical aspects of how to handle Linux incidents properly.

For a comprehensive mindmap of this training, click here

 

Topics Covered
  • Introduction to PurpleLabs Hunting and Detection tools including Velociraptor, Wazuh, HELK+Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Graylog, theHive, Sandfly and more
  • Linux profile baselining
  • How to run DFIR tasks at scale across many Linux endpoints
  • Recent Linux APT analysis
  • RE&CT Enterprise Matrix
  • The importance of timeline analysis and NTP synchronization
  • Triage / collecting artifacts
  • Privileged user and group enumeration
  • Identification of logged accounts
  • Searching for files at scale
  • Establishing a baseline for different OS components (cron, at, rc.local, ACLs, hosts, resolv.conf, SELinux, filesystem hashing, packages and checksums)
  • Process call chains / pstree / process arguments
  • Collecting and analyzing important process data (/proc)
  • Finding hidden processes, network connections and kernel modules
  • Detecting capabilities in ELF, shellcode files
  • Detecting loaded shared libraries per process
  • Dropping web shells vs File Integrity Monitoring
  • Hunting for packers, extracting binary versions and exports
  • Searching for exploitation attempts in logs
  • Hunting for Linux rootkits (user space / kernel space)
  • Hunting for artifacts of process injection techniques
  • Sysmon Events + Linux Sigma detection rules
  • Runtime Security Analysis (Falco, Tracee) for host and docker containers
  • Syscall filtering
  • Open source ways for memory acquisition and memory forensics
  • Creating Volatility profiles
  • Filesystem and Linux process memory yara scans
  • Linux Endpoint data correlation and hunting for suspicious network events
  • Network visibility with / without signature rules
  • Searching for different persistence methods in use
  • Data correlation and hunting for suspicious network events + RITA
  • Direct interaction with endpoint: command execution on demand, system modification and active quarantine examples
  • Hunts enrichment
  • Using theHive for incident management

Agenda

  • Overall

    ● Introduction to PurpleLabs Hunting and Detection tools including Velociraptor, Wazuh, HELK+Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Graylog, theHive, Sandfly and more ● Linux profile baselining ● How to run DFIR tasks at scale across many Linux endpoints ● Recent Linux APT analysis ● RE&CT Enterprise Matrix ● The importance of timeline analysis and NTP synchronization ● Triage / collecting artifacts ● Privileged user and group enumeration ● Identification of logged accounts ● Searching for files at scale ● Establishing a baseline for different OS components (cron, at, rc.local, ACLs, hosts, resolv.conf, SELinux, filesystem hashing, packages and checksums) ● Process call chains / pstree / process arguments ● Collecting and analyzing important process data (/proc) ● Finding hidden processes, network connections and kernel modules ● Detecting capabilities in ELF, shellcode files ● Detecting loaded shared libraries per process ● Dropping web shells vs File Integrity Monitoring ● Hunting for packers, extracting binary versions and exports ● Searching for exploitation attempts in logs ● Hunting for Linux rootkits (user space / kernel space) ● Hunting for artifacts of process injection techniques ● Sysmon Events + Linux Sigma detection rules ● Runtime Security Analysis (Falco, Tracee) for host and docker containers ● Syscall filtering ● Open source ways for memory acquisition and memory forensics ● Creating Volatility profiles ● Filesystem and Linux process memory yara scans ● Linux Endpoint data correlation and hunting for suspicious network events ● Network visibility with / without signature rules ● Searching for different persistence methods in use ● Data correlation and hunting for suspicious network events + RITA ● Direct interaction with endpoint: command execution on demand, system modification and active quarantine examples ● Hunts enrichment ● Using theHive for incident management

Why You Should Take This Course

This course takes on an “attack vs detection” approach in a condensed format. This class is intended for students who have basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT players who aim to dig deeper into understanding of Linux internals and corresponding network attack analysis techniques, detection and response.

Who Should Attend

  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analytics
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

Key Learning Objectives

  • Get to know the newest Linux attack paths and hiding techniques vs proactive detection

  • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access against Linux machines ← Linux Matrix ATT&Ck Framework

  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources

  • Get to know visibility/detection methods and capabilities of well recognized Hunting and Detection tools including Velociraptor, HELK+Linux Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Wazuh, Graylog, theHive, Sandfly

  • Find the malicious Linux activities and identify threat details on the network

  • Prepare your SOC team for fast filtering out Linux network noise and allow for better incident response handling

  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure

  • Understand values of proactive linux forensics scans vs manual and automated approach to simulate attackers and generate anomalies

  • Identify Linux blind spots in your network security posture
  • Prerequisite Knowledge

    • An intermediate level of command-line syntax experience using Linux.
    • Fundament knowledge of TCP/IP network protocols.
    • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required.
    • Basic programming skills are a plus, but not essential.

    Hardware / Software Requirements

    • This training is based on dedicated PurpleLABS virtual infrastructure so there are no special student’s desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days after the training.
    • VPN client installed according to VPN Setup instructions or just a browser
    • Slack account as an invite to dedicated training channel will be sent
    • Stable internet connection

    Your Instructor

    Leszek Miś is a highly experienced Security Researcher with over 20 years of experience in the industry. He is the Founder of Defensive Security (https://www.defensive-security.com/), a company that provides Open Source Security Services including Red Team adversary emulations, Blue Team detection coverage testing, DFIR/Live Forensics, and high-quality knowledge transfer and training.

    He has worked in various positions within the infosec field, including as a Linux Administrator, System Developer, DevOps Engineer, Penetration Tester, Security Consultant and VP Of Cyber Security as well.

    He has extensive knowledge of Linux internals and got deep experience in Linux malware hands-on analysis from the perspective of red and blue team. Leszek is a recognized speaker and trainer, having spoken at various industry events such as Black Hat USA, Hack In The Box, and OWASP Appsec US.

    Leszek holds many certifications, including OSCP, RHCA, RHCSS, and Splunk Certified Architect. His areas of interest include development of multi-stage attack paths with mappings to MITRE ATT&CK Framework, multi-layer defensive paths with mappings to MITRE D3FEND Framework, Linux/network ML feature extraction, Linux OS internals including eBPF, detection engineering, log behavior analysis, memory forensics, andexploration of new Linux offensive ttps vs DFIR/detection/protection techniques.