All the software used is freely available, and all the projects are copyright-free and available freely on the Web, ready to be used in your classes in any way you wish.
Full-Stack Incident Response (1 day)
Level: Beginner to Intermediate
Learn the entire process of attacks and defenses, from attacker tools, techniques and procedures from the MITRE ATT&CK knowledge base through network monitoring, forensics, malware analysis, and Windows internals.
We will cover these topics:
MITRE ATT&CK
We will begin with a high-level view of attacks: Groups, Tactics and Techniques in the ATT&CK matrix, and attribution. We will use Caldera or a similar product to simulate the stages of an attack and test defenses.
Network Security Monitoring
We will cover centralized security monitoring in detail, using Splunk and Suricata to find and analyze attacks.
We will use a pre-installed Splunk server with archived attack data to find and analyze attacks, including vulnerability scans, brute-force attacks, ransomware, and Web site defacement.
Then we will analyze network traffic with Wireshark, VirusTotal, and PacketTotal to find suspicious traffic, reconstruct the attacker's actions, and recover downloaded files. We will generate attack traffic with Scapy and monitor traffic with simple Python scripts.
We will practice using Zeek, the powerful network security monitor formerly called Bro. We'll practice writing simple code to customize Zeek, using it to analyze captured traffic, and then install it on a cloud server and use it to detect live attacks.
Defending Windows
We will use many techniques to defend Windows systems, including detecting ransomware with Sysmon and Splunk, RAM analysis, detecting known malware with YARA, and prefetch forensics.
We will use Velociraptor extensively for threat hunting on Windows systems, finding malware and persistence mechanisms, scanning for indicators of compromise, and capturing traffic remotely.
Windows Internals and Malware Analysis
We'll use many techniques to analyze the behavior of malware to find indicators of compromise and understand the harm it does. We'll use simple static analysis with strings, PE file analysis tools, and packers. Then we'll perform dynamic analysis with debuggers, disassembly with IDA Pro, and decompiling with Ghidra.
We will explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. We will explore the import table, perform DLL injection and DLL proxying, and examine Windows API calls in userland and the kernel in detail.
Projects include: cheating at games, building malicious DLLs, stealing passwords from the API, building a keylogger, debugging a driver, and writing custom shellcode. Tools used include pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, WinDbg, and the Keystone Engine.
We will examine the MBR and a simple bootkit.
Prior Knowledge and Equipment Requirements
Previous experience with C and assembly language is helpful but not required. Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who don't want to run the machines locally.
Who Should Take This Course
Analysts and executives responsible for protecting enterprises who wish to understand threat groups, defenses in overview, and the granular details of Windows exploits and defenses.
Cryptography and Blockchain Security (4 hours)
Level: Beginner
Learn how blockchains, cryptocurrency, coin offerings, and smart contracts work in a series of challenges. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.
We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits including double-spend, reentrancy, integer underflow, and logic flaws.
No previous experience with coding or blockchains is required.
The workshop is structured in a CTF format, so each participant can work at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.
Participants need a credit card and a few dollars to rent Cloud servers, or a host machine that can run virtual machines. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.
The challenges include:
1. Basic blockchain concepts
   a. Simple conceptual blockchain on Github
   b. Hashes, collisions, and Pollard's Rho method
2. Wallets
   a. MetaMask and Ethereum
   b. Preparing an Android emulator
   c. MetaMask mobile wallet
3. Smart Contracts
   a. Making a Solidity contract
   b. Making a coin with Solidity
   c. Exploiting a contract with a reentrancy attack
   d. Winning an auction by exploiting a logic flaw
   e. Hacking PoWHCoin with an underflow
   f. Performing a double-spend (51%) attack on Bitcoin
4. Servers
   a. Preparing a Linux cloud machine
   b. Making a private Ethereum blockchain
   c. Making a node on the Kovan Proof-of-Authority testnet
   d. MetaMask with a local testnet
   e. Hyperledger Iroha (from IBM)
   f. Using Multichain
5. Essential Cryptography
   a. Symmetric encryption
      i. Substitution ciphers
      ii. One-time pad and two-time pad
      iii. AES in ECB and CBC modes
      iv. AES-GCM with Libsodium
   b. Asymmetric encryption
      i. RSA
      ii. Elliptic-curve cryptography with Libsodium
6. Cryptographic attacks
   a. Padding oracle attack
   b. Existential forgery
   c. Finding large primes
   d. Factoring large numbers
   e. Baby-step, giant-step attack on the Discrete Logarithm Problem (DLP)
   f. Pollard-Rho attack on the DLP
7. Madness
   a. Quantum computing
   b. Homomorphic encryption with Microsoft's SEAL
   c. IBM's homomorphic encryption
Introduction to Exploit Development (4 hours)
Level: Intermediate
Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits including buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.
After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.
We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and how to defeat them, including ASLR, DEP, stack cookies, and SEHOP. We will also design custom shellcode with the Keystone Engine.
Previous experience with C and assembly language is helpful but not required.