TRAINING 4 – Defending Against Modern Targeted Attacks

DURATION: 2 DAYS

CAPACITY: 25 pax

USD2299 (early bird)

USD3299 (normal)

Early bird registration rate ends on the 30th of September

Overview

Get ready for a 2-day knowledge intensive and hands-on training that teaches you how to defend against the modern offensive techniques that red teams and targeted attackers use.

We’re not going to bother you with tools such as nmap and Nessus, and you should forget about the out-of-the-box rules in your SIEM that trigger endless false positives on brute force attacks. We are going to feed you with the latest knowledge, tools and techniques that help you become a better defender.

Based on many years of Red Teaming and hands-on SOC/incident response experience, we share with the you the essential concepts and techniques to better understand and defend against modern attacks. We have also prepared a massive online lab that represents true corporate IT environments, in which you will spend about half of your time diving into hands-on assignments on offensive and defensive actions.

This is a 2-day version of the full 3-day training. The most important items are discussed during these 2 days. However, attendees will receive the content, tools and slides of the full 3-day training to take home and optimize learning.

Who Should Attend

The training is optimally suited for:

  • Defenders who want to strengthen their skillset and get hands on experience with offensive and defensive tools in order to better defend against modern offensive methodologies, tools, and techniques.
  • Penetration testers and ethical hackers wanting to provide better recommendations to their clients on defensive measures.
  • Security professionals interested in expanding their knowledge of modern attack techniques, Red Teaming and defend against it.
  • Forensic professionals who want to better understand the entire flow of an attacker and offensive tactics.
  • Technical auditors wanting to increase their hands-on experience and technical skills.

Key Learning Objectives

The training is focussed on several key elements:

  • Learn how modern attacks work and how you can better defend against such attacks.
  • Key theoretical concepts, e.g. kill chain, course of action matrix and pyramid of pain.
  • Hands-on learning in a large lab environment, combined with theory.
  • Latest and greatest hacking and detecting techniques.
  • Hands-on experience with various offensive tools combined with detection and investigation tools.
  • Lab manual that helps the participants and makes it easy to follow.
  • Knowledge packed training material for you to take home and revisit.

During the training, the participants have access to a personal lab environment that acts as a playground area. Having a personal lab is a key differentiator compared to many other labs. This environment is comparable to common enterprise networks as it contains Windows and Linux servers, an Active Directory domain, Windows desktops, multiple services, user accounts and service accounts. Furthermore, various detection and investigation measures are in place, e.g. central monitoring environments using open source and commercial tools (e.g. IDS, Splunk/ELK stack, GRR).

As part of the lab assignments you will attack this environment get a better understanding of offensive tools and techniques, and how learn defensive measures affect an attacker. In the defensive labs, you will investigate alerts in this lab to get a better understanding of security monitoring and investigation.

Prerequisite Knowledge

We do require participants to have a technical IT background and a basic level of security knowledge. Also, a large part of the training concerns Windows and Active Directory security. You do not want to subscribe to this training if you are afraid of the command line, only encounter Linux in your daily operations, or never heard of Golden Ticket and Command and Control traffic. But the training is setup in such a way that it can welcome both novices and veterans.

Hardware / Software Requirements

A laptop that has the ability to run a Remote Desktop Connection.

Agenda

The following provides a rough outline, as the attack and defence landscape is constantly evolving topics are subject to change.

  • 50% hands-on lab, 50% theory
  • Core theoretical concepts, e.g. SIEM, SOC, Pyramid of Pain, TTPs, MITRE ATT&CK, Intruder’s dilemma, attacker’s playground, assume compromise, Kill Chain, lateral movement.
  • Theory of Infection vectors, e.g. watering hole, phishing, the Microsoft Office attack vectors, drive-by downloads, HTA, Java and Jscript and various persistency
  • Theory of the attacker’s network infrastructure, e.g. C2, redirectors, low and slow principle, beacon traffic, Domain fronting, Cobalt Strike/Empire.
  • Theory of host based malware prevention and investigation, e.g. anti-virus, anti-spam evasion, C2 basics, application whitelisting, End-Point Detection & Response.
  • Hands-on exercises with creation, protection and investigation of phishing documents
  • Theory of Network Privilege escalation & Lateral movement – Windows and Active Directory internals from the attacker’s and defender’s point of view. Key topics like Wdigest, NETNTLM vs NTLM hashing, Sharphound, WMI, Psexec, Remote PowerShell, Golden and Silver Tickets, SPNs, etc.
  • Hands-on exercise for attacking a large Windows domain environment using various lateral movement techniques.
  • Theory of Security mitigations, Detection & Incident Response, e.g. Microsoft Tiered model, log collection using Windows Event Forwarding, SIEM, use cases for detection
  • Hands-on experience with security mitigations, SIEM / IDS.

Location: Date: November 25, 2018 Time: 9:00 am - 6:00 pm Stan Hegt Pieter Ceelen Marc Smeets