Full-Stack Incident Response (1 day)
Level: Beginner to Intermediate
Learn the entire process of attacks and defenses, from attacker tools, techniques, and procedures in the MITRE ATT&CK knowledge base through network monitoring, forensics, malware analysis, and Windows internals.
We will cover these topics:
MITRE ATT&CK
We will begin with a high-level view of attacks: Groups, Tactics and Techniques in the ATT&CK matrix, and attribution. We will use Caldera or a similar product to simulate the stages of an attack and test defenses.
Network Security Monitoring
We will cover centralized security monitoring in detail, using Splunk and Suricata to find and analyze attacks.
We will use a pre-installed Splunk server with archived attack data to find and analyze attacks, including vulnerability scans, brute-force attacks, ransomware, and Web site defacement.
Then we will analyze network traffic with Wireshark, VirusTotal, and PacketTotal to find suspicious traffic, reconstruct the attacker's actions, and recover downloaded files. We will generate attack traffic with Scapy and monitor traffic with simple Python scripts.
We will practice using Zeek, the powerful network security monitor formerly called Bro. We'll practice writing simple code to customize Zeek, using it to analyze captured traffic, and then install it on a cloud server and use it to detect live attacks.
Defending Windows
We will use many techniques to defend Windows systems, including detecting ransomware with Sysmon and Splunk, RAM analysis, detecting known malware with YARA, and prefetch forensics.
We will use Velociraptor extensively for threat hunting on Windows systems, finding malware and persistence mechanisms, scanning for indicators of compromise, and capturing traffic remotely.
Windows Internals and Malware Analysis
We'll use many techniques to analyze the behavior of malware to find indicators of compromise and understand the harm it does. We'll use simple static analysis with strings, PE file analysis tools, and packers. Then we'll perform dynamic analysis with debuggers, disassembly with IDA Pro, and decompiling with Ghidra.
We will explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. We will explore the import table, perform DLL injection and DLL proxying, and examine Windows API calls in userland and the kernel in detail.
Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, debugging a driver, and writing custom shellcode. Tools used include pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, WinDbg, and the Keystone Engine.
We will examine the MBR and a simple bootkit.
Prior Knowledge and Equipment Requirements
Previous experience with C and assembly language is helpful but not required. Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who don't want to run the machines locally.
Key Takeaways
- Understanding of threat actors and the ATT&CK matrix
- Experience with network monitoring tools and Splunk
- Thorough understanding of Windows internals and malware analysis
Who Should Take This Course
Analysts and executives responsible for protecting enterprises who wish to understand threat groups, defenses in overview, and the granular details of Windows exploits and defenses.