Network Security Monitoring

Winter Working Connections 2017

Sam Bowne

Description

Firewalls and antivirus are not enough to protect modern computer networks: abuses and attacks are common and cannot be completely prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand.

Hands-on projects will include basic configuration and use of Splunk, ELK, and Security Onion, three popular network security monitoring solutions.

Prerequisite knowledge: Basic networking and security concepts at the Network+ and Security+ level.

Hardware requirements: Students need a host computer with VMware Player, Fusion, or Workstation installed, at least 30 GB of drive space, and an Internet connection fast enough to download 5 GB of data in a reasonable time.

Class Objectives

Upon successful completion of this course, the student will be able to:
  • Explain the importance of network security monitoring and compare it to other types of defenses, such as firewalls
  • Implement and configure Splunk, ELK, and Security Onion servers
  • Efficiently search network traffic to detect abuses and attacks

Textbook

"The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press, 1st edition (July 26, 2013), ASIN B00E5REN34. Buy from Amazon

Live Streaming

The class will be livestreamed using Zoom.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/4108472927
Meeting ID: 410-847-2927

Kahoots

To keep participants awake during lectures, there will be Kahoot live contests to review terms and concepts.

Quizzes

Chapter quizzes are available in plaintext and Canvas exports for participants who want them.

They will also be available online for those who wish to take them during the class.

To take quizzes, log in to Canvas here:

https://canvas.instructure.com/courses/1253858

Download quizzes as a Canvas export file

Schedule

Date Topic

Mon 12-11

8:30 - 12:00
1:00 - 5:00 (CST)

1. Network Security Monitoring Rationale
2. Collecting Network Traffic: Access, Storage, and Management
3. Standalone NSM Deployment and Installation
6. Command Line Packet Analysis Tools

Projects 1-3, 1x, 2x

Quizzes: Ch 1, Ch 2-3


Tue 12-12

8:30 - 12:00
1:00 - 5:00 (CST)

7. Graphical Packet Analysis Tools
8. NSM Console
9. NSM Operations

Projects 4-6, 3x, 4x

Quizzes: Ch 6, Ch 7-8


Wed 12-13

8:30 - 12:00 (CST)

Project 7

Quiz: Ch 9


Slides

Part 1: Getting Started

1. Network Security Monitoring Rationale · PDF · Keynote
2. Collecting Network Traffic & 3. Standalone NSM Deployment · PDF · Keynote

Part 2: Security Onion Deployment

We'll skip chapters 4 and 5.

4. Distributed Deployment
5. SO Platform Housekeeping

Tools

6. Command Line Packet Analysis Tools · PDF · Keynote
7. Graphical Packet Analysis Tools
8. NSM Console · PDF · Keynote

NSM in Action

9. NSM Operations · PDF · Keynote

Projects

Download VMware Player (64-bit)

Do Either One of These Projects

Project 1: Setting Up Security Onion on a Mac (15 pts)
Project 1: Setting Up Security Onion on a PC (15 pts)

Record Project 1 Completion · Project 1 Completion Page

Project 2: Wireshark (15 pts. + 20 pts. extra credit)
Record Project 2 Completion · Project 2 Completion Page

Project 3: Splunk (20 points)
Record Project 3 Completion · Project 3 Completion Page

Project 4: Detecting Ransomware with Splunk and Sysmon (20 pts.)
Record Project 4 Completion · Project 4 Completion Page

Project 5: Command-Line Tools (15 pts.)
Record Project 5 Completion · Project 5 Completion Page

Project 6: Graphical Tools (15 pts.)
Record Project 6 Completion · Project 6 Completion Page

Project 7: NSM Consoles (15 pts.)
Record Project 7 Completion · Project 7 Completion Page

Extra Credit Projects

Project 1x: Setting Up ELK (15 pts. extra credit)
Record Project 1x Completion · Project 1x Completion Page

Project 2x: CanaryTokens (5 pts. extra credit)
Record Project 2x Completion · Project 2x Completion Page

Project 3x: Splunk Searching (10 pts. extra credit)
Record Project 3x Completion · Project 3x Completion Page

Project 4x: Splunk Enterprise Security (10 pts. extra credit)
Record Project 4x Completion · Project 4x Completion Page

Record Project 6x Completion · Project 6x Completion Page

Other Projects

Proj 2x: DNSCrypt on Linux (15 pts.) (Updated 10-24-17)
Proj 8x: DNS Over HTTPS (10 pts. extra credit)

Firewall Hero

Links

Links for Lectures

Ch 1a: Working with Bro Logs: Queries By Example
Ch 1b: Monitoring HTTP Traffic with Bro -- Bro 2.5.1 documentation
Ch 1c: testmyids.com - Robtex
Ch 1d: Sguil - Open Source Network Security Monitoring
Ch 1e: Security Onion 14.04 Release Notes -- Snorby is Gone
Ch 1f: How can I install Snorby on Security Onion 14.04?

Ch 6a: Best Practices -- Security-Onion-Solutions/security-onion Wiki

Ch 7a: splunk pricing - splunk licensing model

Ch 9a: Mandiant APT1 Report
Ch 9b: VERIS Incident tracking

Other Links

SELKS 2.0 vs. Security Onion
How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 16.04
Monitoring Windows Logons with Winlogbeat | Elastic
Using ELK for Logging on Windows: Configuration
Public PCAP files for download
SecRepo - Security Data Samples Repository
Xplico Graph not working properly
How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions
Splunk Dashboard Examples | Splunkbase
Tracking Hackers on Your Network with Sysinternals Sysmon
I've lost my splunk admin password, can it be recovered? - Question | Splunk Answers
Digital Corpora
NetworkMiner - The NSM and Network Forensics Analysis Tool
NetworkMiner packet analyzer - Browse /networkminer at SourceForge.net
How to Install Cacti 1.1.10 on Ubuntu 16.04
QRadar Rule creation: Baseline of trusted users - YouTube
Manage common offenses detected by QRadar SIEM
IBM Knowledge Center - Installing Sysinternals Sysmon

New Unsorted Links

Using Wazuh to monitor Sysmon events - WAZUH's blog

Last Updated: 12-11-17 12:45 pm