Blue Team Pack

Blue Team Pack

مدت دوره: 120 ساعت

شرح دوره :

تیم آبی (Blue Teaming ) چیست؟

مانند یک تیم قرمز، تیم‌های آبی شامل گروهی از افراد هستند که یک شبکه را ارزیابی می‌کنند تا هر گونه آسیب‌پذیری بالقوه‌ای را که بر دستگاه‌ها یا سیستم‌های حیاتی مالکیت یک کسب‌وکار تأثیر می‌گذارد، شناسایی کنند. برخلاف تیم قرمزی که از آسیب‌پذیری‌های شناسایی‌شده سوء استفاده می‌کند، تیم آبی به دنبال ابزارهای مناسب برای بهبود توانایی اجتناب، بازدارندگی، مقاومت و پاسخ به تهدیدات احتمالی است که احتمالاً به رویدادهای زیان‌ده تبدیل می‌شوند. نقش تیم آبی این است که به عنوان مدافع برای تمام دارایی های الکترونیکی متعلق به یک سازمان، اعم از میزبانی داخلی یا خارجی، خدمت کند.

بسیاری از تولیدکنندگان و تولیدکنندگان از ابزارهای امنیتی خودکار برای کمک به شناسایی و اصلاح آسیب‌پذیری‌ها برای محافظت در برابر حملات سایبری استفاده می‌کنند. با این حال، اگر یک کسب‌وکار از سیاست‌ها، کنترل‌ها، نظارت، ثبت‌نام، وصله‌سازی، مدیریت حوادث استفاده نکند، مجبور خواهید شد کورکورانه به حوادث واکنش نشان دهید.

تیم های آبی مسئول نظارت، شناسایی و واکنش به تهدیدات امنیتی هستند. ما متوجه شدیم که بسیاری از تولیدکنندگان برخی از این الزامات را تکمیل می‌کنند، به همین دلیل است که مجرمان سایبری همچنان بر تولیدکنندگان تمرکز می‌کنند. هیچ کس مسئول ایفای این نقش های اساسی نیست. در هنگام رخنه، تیم های آبی نقش مهمی دارند. آنها از سیاست‌ها و پروتکل‌ها برای جداسازی سیستم‌های در معرض خطر پیروی می‌کنند تا از گسترش حملاتی مانند باج‌افزار در سراسر شبکه تجاری جلوگیری کنند

در طول فعالیت‌های تست امنیت سایبری، تیم‌های آبی محیط‌های امنیتی سازمانی را ارزیابی می‌کنند و از این محیط‌ها در برابر تیم‌های قرمز دفاع می‌کنند. این تیم‌های قرمز با شناسایی آسیب‌پذیری‌های امنیتی و انجام حملات در یک محیط کنترل‌شده، نقش مهاجمان را بازی می‌کنند. هر دو تیم برای کمک به روشن کردن وضعیت واقعی امنیت یک سازمان ترکیب می شوند.

این ایده که شما می توانید دفاع خود را با حمله به آنها در یک محیط کنترل شده بهتر درک کنید، یک اصل نظامی قدیمی است. این ایده معمولاً در تمرین “تیم قرمز” بیان می شود، جایی که یک گروه خارجی از بازیگران مستقل سیستم ها یا دفاعیات یک سازمان هدف را برای شناسایی هر گونه آسیب پذیری موجود آزمایش می کنند.

در دنیای امنیت اطلاعات، تمرین تیم قرمز اکنون به خوبی جا افتاده است. تیم‌های قرمز که به‌عنوان «هکرهای اخلاقی» عمل می‌کنند، به‌طور روشمند ساختار و دفاعی سازمان را مطالعه می‌کنند و سپس حملاتی را برای سوءاستفاده از هرگونه ضعف انجام می‌دهند.

با این حال تیم های قرمز تنها بخشی از معادله هستند. در طرف دیگر «تیم‌های آبی» قرار دارند – متخصصان امنیتی که وظیفه دارند از سیستم‌ها و دارایی‌های سازمان در برابر حملات واقعی و شبیه‌سازی شده دفاع کنند.

 

سرفصل دوره

 

SEC450,SEC503,SEC511,SEC530, SEC555

SEC450: Blue Team Fundamentals: Security Operations and Analysis

SEC450.1 : Blue Team Tools and Operations

• Introduction to the Blue Team Mission
• What is a SOC? What is the mission?
• Why are we being attacked?
• Modern defense mindset
• The challenges of SOC work

 

• SOC Overview
• The people, process, and technology of a SOC
• Aligning the SOC with your organization
• SOC functional component overview
• Tiered vs. tierless SOCs
• Important operational documents

 

• Defensible Network Concepts
• Understanding what it takes to be defensible
• Network security monitoring (NSM) concepts
• NSM event collection
• NSM by network layer
• Continuous security monitoring (CSM) concepts
• CSM event collection
• Monitoring sources overview
• Data centralization

 

• Events, Alerts, Anomalies, and Incidents
• o Event collection
• o Event log flow
• o Alert collection
• o Alert triage and log flow
• o Signatures vs. anomalies
• o Alert triage workflow and incident creation

 

• Incident Management Systems
• SOC data organization tools
• Incident management systems options and features
• Data flow in incident management systems
• Case creation, alerts, observables, playbooks, and workflow
• Case and alert naming convention
• Incident categorization framework

 

• Threat Intelligence Platforms
• What is cyber threat intelligence?o Threat data vs. information vs. intelligence
• Threat intel platform options, features, and workflow
• Event creation, attributes, correlation, and sharing

 

• SIEM
• Benefits of data centralization
• SIEM options and features
• SIEM searching, visualizations, and dashboards
• Use cases and use case databases
• Automation and Orchestration
• How SOAR works and benefits the SOC
• Options and features
• SOAR value-adds and API interaction
• Data flow between SOAR and the SIEM, incident management system, and threat
• intelligence platform

 

• Who Are Your Enemies?
• Who’s attacking us and what do they want?
• Opportunistic vs. targeted attackers
• Hacktivists, insiders, organized crime, governments
• Motivation by attacker group
• Case studies of different attack groups
• Attacker group naming conventions

 

SEC450.2 : Understanding Your Network

• Corporate Network Architecture
• Routers and security
• Zones and traffic flow
• Switches and security
• VLANs
• Home firewall vs. corporate next-gen firewall capabilities
• The logical vs. physical network
• Points of visibility
• Traffic capture
• Network architecture design ideals
• Zero-trust architecture and least-privilege ideals

 

• Traffic Capture and Analysis
• Network traffic capture formats
• NetFlow
• Layer 7 metadata collection
• PCAP collection
• Wireshark and Moloch

 

• Understanding DNS
• Name to IP mapping structure
• DNS server and client types (stub resolvers, forwarding, caching, and

authoritative servers(

• Walkthrough of a recursive DNS resolutiono Request types
• Setting records via registrars and on your own server
• A and AAAA records
• PTR records and when they might fail
• TXT records and their uses
• CNAME records and their uses
• MX records for mail
• SRV records
• NS records and glue records

 

• DNS analysis and attacks
• Detecting requests for malicious sites
• Checking domain reputation, age, randomness, length, subdomains
• Whois
• Reverse DNS lookups and passive DNS
• Shared hosting
• Detecting DNS recon
• Unauthorized DNS server use
• Domain shadowing
• DNS tunneling
• DNS traffic flow and analysis
• IDNs, punycode, and lookalike domains
• New DNS standards (DNS over TLS, DNS over HTTPS, DNSSEC)

 

• Understanding HTTP and HTTPS
• Decoding URLs
• HTTP communication between client and server
• Browser interpretation of HTTP and REST APIs
• GET, POST, and other methods
• Request header analysis
• Response header analysis
• Response codes
• The path to the Internet
• REST APIs
• WebSockets
• HTTP/2 & HTTP/3

 

• Analyzing HTTP for Suspicious Activity
• HTTP attack and analysis approaches
• Credential phishing
• Reputation checking
• Sandboxing
• URL and domain OSINT
• Header and content analysis
• User-agent deconstruction
• Cookies
• Base64 encoding works and conversion
• File extraction and analysis
• High frequency GET/POST activityo Host headers and naked IP addresses
• Exploit kits and malicious redirection
• HTTPS and certificate inspection
• SSL decryption – what you can do with/without it
• TLS 1.3

 

• How SMTP and Email Attacks Work
• o Email delivery infrastructure
• o SMTP Protocol
• o Reading email headers and source
• o Identifying spoofed email
• o Decoding attachments
• o How email spoofing works
• o How SPF works
• o How DKIM works
• o How DMARC works

 

• Additional Important Protocols
• o SMB – versions and typical attacks
• o DHCP for defenders
• o ICMP and how it is abused
• o FTP and attacks
• o SSH and attacks
• o PowerShell remoting
• 3 : Understanding Endpoints , Logs ,and Files
• Endpoint Attack Tactics
• o Endpoint attack centricity
• o Initial exploitation
• o Service-side vs client-side exploits
• o Post-exploitation tactics, tools, and explanations – execution, persistence,

discovery, privilege escalation, credential access, lateral movement, collection,

exfiltration

 

• Endpoint Defense In-Depth
• o Network scanning and software inventory
• o Vulnerability scanning and patching
• o Anti-exploitation
• o Whitelisting
• o Host intrusion prevention and detection systems
• o Host firewalls
• o File integrity monitoring
• o Privileged access workstations
• o Windows privileges and permissions
• o Endpoint detection and response tools (EDR)
• o File and drive encryption
• o Data loss prevention
• o User and entity behavior analytics (UEBA)• How Windows Logging Works
• o Channels, event IDs, and sources
• o XML format and event templates
• o Log collection path
• o Channels of interest for tactical data collection

 

• How Linux Logging Works
• o Syslog log format
• o Syslog daemons
• o Syslog network protocol
• o Log collection path
• o Systemd journal
• o Additional command line auditing options
• o Application logging
• o Service vs. system logs

 

 

• Interpreting Important Events
• o Windows and Linux login events
• o Process creation logs for Windows and Linux
• o Additional activity monitoring
• o Firewall events
• o Object and file auditing
• o Service creation and operation logging
• o New scheduled tasks
• o USB events
• o User creation and modification
• o Windows Defender events
• o PowerShell logging
• o Kerberos and Active Directory Events
• o Authentication and the ticket-granting service
• o Kerberos authentication steps
• o Kerberos log events in detail

 

• Log Collection, Parsing, and Normalization
• o Logging pipeline and collection methods
• o Windows vs. Linux log agent collection options
• o Parsing unstructured vs. structured logs
• o SIEM-centric formats
• o Efficient searching in your SIEM
• o The role of parsing and log enrichment
• o Log normalization and categorization
• o Log storage and retention lifecycle

 

• Files Contents and Identification
• o File contents at the byte level
• o How to identify a file by the bytes
• o Magic bytes
• o Nested files
• o Strings – uses, encoding options, and viewing

 

• Identifying and Handling Suspicious Fileso Safely handling suspicious files
• o Dangerous files types
• o Exploits vs. program “features”
• o Exploits vs. Payloads
• o Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits
• o Hashing and signature verification
• o Signature inspection and safety of verified files
• o Inspection methods, detecting malicious scripts and other files

 

SEC450.4 : Triage and Analysis

• Alert Triage and Prioritization
• o Priority for triage
• o Spotting late-stage attacks
• o Attack lifecycle models
• o Spotting exfiltration and destruction attempts
• o Attempts to access sensitive users, hosts, and data
• o Targeted attack identification
• o Lower-priority alerts
• o Alert validation

 

• Perception, Memory, and Investigation
• o The role of perception and memory in observation and analysis
• o Working within the limitations of short-term memory
• o Efficiently committing info to long-term memory
• o Decomposition and externalization techniques
• o The effects of experience on speed and creativity

 

• Mental Models for Information Security
• o Network and file encapsulation
• o Cyber kill chain
• o Defense-in-depth
• o NIST cybersecurity framework
• o Incident response cycle
• o Threat intelligence levels, models, and uses
• o F3EAD
• o Diamond model
• o The OODA loop
• o Attack modeling, graph/list thinking, attack trees
• o Pyramid of pain
• o MITRE ATT&CK

 

• Structured Analysis Techniques
• o Compensating for memory and perception issues via structured analysis
• o System 1 vs. System 2 thinking and battling tacit knowledge
• o Data-driven vs. concept-driven analysis
• o Structured analytic techniques
• o Idea generation and creativity, hypothesis development
• o Confirmation bias avoidanceo Analysis of competing hypotheses
• o Diagnostic reasoning
• o Link analysis, event matrices

 

• Analysis Questions and Tactics
• o Where to start – breaking down an investigation
• o Alert validation techniques
• o Sources of network and host information
• o Data extraction
• o OSINT sources
• o Data interpretation
• o Assessing strings, files, malware artifacts, email, links

 

• Analysis OPSEC
• o OPSEC vs. your threat model
• o Traffic light protocol and intel sharing
• o Permissible action protocol
• o Common OPSEC failures and how to avoid them

 

• Intrusion Discovery
• o Dwell time and intrusion type
• o Determining attacker motivation
• o Assessing business risk
• o Choosing an appropriate response
• o Reacting to opportunistic/targeted attacks
• o Common missteps in incident response

 

• Incident Closing and Quality Review
• o Steps for closing incidents
• o Quality review and peer feedback
• o Analytical completeness checks
• o Closed case classification
• o Attribution
• o Maintaining quality over time
• o Premortem and challenge analysis
• o Peer review, red team, team A/B analysis, and structured self-critique
• 5 : Continious Improvements , Analytics , and Automation

 

• Improving Life in the SOC
• o Expectations vs. common reality
• o Burnout and stress avoidance
• o Improvement through SOC human capital theory
• o The role of automation, operational efficiency, and metrics in burnout
• o Other common SOC issues

 

• Analytic Features and Enrichment
• o Goals of analytic creation
• o Log features and parsing
• o High-feature vs. low-feature logs
• o Improvement through SIEM enrichmento External tools and other enrichment sources

 

• New Analytic Design, Testing, and Sharing
• o Tolerance to false positives/negatives
• o The false positive paradox
• o Types of analytics
• o Feature selection for analytics
• o Matching with threat intel
• o Regular expressions
• o Common matching and rule logic options
• o Analytic generalization and sharing with Sigma

 

• Tuning and False Positive Reduction
• o Dealing with alerts and runaway alert queues
• o How many analysts should you have?
• o Types of poor alerts
• o Tuning strategy for poor alert types
• o Tuning via log field analysis
• o Using policy to raise fidelity
• o Sensitivity vs. specificity
• o Automation and fast lanes
• Automation and Orchestration
• The definition of automation vs. orchestration
• What is SOAR?
• SOAR product considerations
• Common SOAR use cases
• Enumeration and enrichment
• Response actions
• Alert and case management
• The paradox of automation
• DIY scripting

 

• Improving Operational Efficiency and Workflow
• Micro-automation
• Form filling
• Text expanders
• Email templates
• Smart keywords
• Browser plugins
• Text caching
• JavaScript page modification
• OS Scripting

 

• Containing Identified Intrusions
• Containment and analyst empowerment
• Isolation options across network layers – physical, link, network, transport,

application

• DNS firewalls, HTTP blocking and containment, SMTP, Web Application
• Firewalls
• Host-based containment tools• Skill and Career Development
• Learning through conferences, capture-the-flag challenges, and podcasts
• Home labs
• Writing and public speaking
• Techniques for mastery and continual progress

 

 

 

SEC503: Intrusion Detection In-Depth

SEC503.1 : Fundamentals of Traffic Analysis : Part I

• Concepts of TCP/IP
• Why is it necessary to understand packet headers and data?
• TCP/IP communications model
• Data encapsulation/de-encapsulation
• Discussion of bits, bytes, binary, and hex
• Introduction to Wireshark
• Navigating around Wireshark
• Examination of Wireshark statistics
• Stream reassembly
• Finding content in packets
• Network Access/Link Layer: Layer 2
• Introduction to 802.x link layer
• Address resolution protocol
• ARP spoofing
• IP Layer: Layer 3
• IPv4
• Examination of fields in theory and practice
• Checksums and their importance, especially for an IDS/IPS
• Fragmentation: IP header fields involved in fragmentation, composition of the
• fragments, fragmentation attacks

 

• IPv6
• Comparison with IPv4
• IPv6 addresses
• Neighbor discovery protocol
• Extension headers
• IPv6 in transition

SEC503.2 : Fundamentals of Traffic Analysis : Part II

• Wireshark Display Filters
• Examination of some of the many ways that Wireshark facilitates creating display filters
• Composition of display filters
• Writing BPF Filters
• The ubiquity of BPF and utility of filters• Format of BPF filters
• Use of bit masking
• TCP
• Examination of fields in theory and practice
• Packet dissection
• Checksums
• Normal and abnormal TCP stimulus and response
• Importance of TCP reassembly for IDS/IPS
• UDP
• Examination of fields in theory and practice
• UDP stimulus and response
• ICMP
• Examination of fields in theory and practice
• When ICMP messages should not be sent
• Use in mapping and reconnaissance
• Normal ICMP
• Malicious ICMP
• Real-World Analysis — Command Line Tools
• Regular Expressions fundamentals
• Rapid processing using command line tools
• Rapid identification of events of interest

SEC503.3 : Signature Base Detection

• Scapy
• Packet crafting and analysis using Scapy
• Writing a packet(s) to the network or a pcap file
• Reading a packet(s) from the network or from a pcap file
• Practical Scapy uses for network analysis and network defenders
• Advanced Wireshark
• Exporting web objects
• Extracting arbitrary application content
• Wireshark investigation of an incident
• Practical Wireshark uses for analyzing SMB protocol activity
• Tshark
• Detection Methods for Application Protocols
• Pattern matching, protocol decode, and anomaly detection challenges
• DNS
• DNS architecture and function
• Caching
• DNSSEC
• Malicious DNS, including cache poisoning
• Microsoft Protocols
• SMB/CIFS• MSRPC
• Detection challenges
• Practical Wireshark application
• Modern HTTP and TLS
• Protocol format
• Why and how this protocol is evolving
• Detection challenges
• SMTP
• Protocol format
• STARTTLS
• Sample of attacks
• Detection challenges
• IDS/IPS Evasion Theory
• Theory and implications of evasions at different protocol layers
• Sampling of evasions
• Necessity for target-based detection
• Identifying Traffic of Interest
• Finding anomalous application data within large packet repositories
• Extraction of relevant records
• Application research and analysis
• Hands-on exercises after each major topic that offer students the opportunity to reinforce

what they just learned.

SEC503.4 : Anomalies and Behaviors

• Network Architecture
• Instrumenting the network for traffic collection
• IDS/IPS deployment strategies
• Hardware to capture traffic
• Introduction to IDS/IPS Analysis
• Function of an IDS
• The analyst’s role in detection
• Flow process for Snort and Bro
• Zeek
• Introduction to Zeek
• Zeek Operational modes
• Zeek output logs and how to use them
• Practical threat analysis
• Zeek scripting• Using Zeek to monitor and correlate related behaviors
• Hands-on exercises, one after each major topic, offer students the opportunity to reinforce

what they just learned.

SEC503.5 : Modern and Future Monitoring : Forensics , Analytics , and Machine Learning

• Introduction to Network Forensics Analysis
• Theory of network forensics analysis
• Phases of exploitation
• Data-driven analysis vs. Alert-driven analysis
• Hypothesis-driven visualization
• Using Network Flow Records
• NetFlow and IPFIX metadata analysis
• Using SiLK to find events of interest
• Identification of lateral movement via NetFlow data
• Examining Command and Control Traffic
• Introduction to command and control traffic
• TLS interception and analysis
• TLS profiling
• Covert DNS C2 channels: dnscat2 and Ionic
• Other covert tunneling, including The Onion Router (TOR)
• Analysis of Large pcaps
• The challenge of analyzing large pcaps
• Students analyze three separate incident scenarios.

 

SEC511: Continuous Monitoring and Security Operations

SEC511.1 : Current State Assessment , Security Operations Center ,and Security

• Traditional Security Architecture
• Perimeter-focused
• Addressed Layer 3/4
• Centralized Information Systems
• Prevention-Oriented
• Device-driven
• Traditional Attack Techniques

 

• Modern Security Architecture Principles
• Detection-oriented
• Post-Exploitation-focused
• Decentralized Information Systems/Data
• Risk-informed
• Layer 7 Aware
• Security Operations Centers
• Network Security Monitoring
• Continuous Security Monitoring
• Modern Attack Techniques
• Adversarial Dominance

 

• Frameworks and Enterprise Security Architecture
• Enterprise Security Architecture
• Security Frameworks

 

• Security Architecture – Key Techniques/Practices
• Threat Vector Analysis
• Data Exfiltration Analysis
• Detection Dominant Design
• Intrusion Kill Chain
• Visibility Analysis
• Data Visualization
• Lateral Movement Analysiso Data Ingress/Egress Mapping
• Internal Segmentation
• Network Security Monitoring
• Continuous Security Monitoring
• Security Operations Center (SOC)
• Purpose of a SOC
• Key SOC roles
• Relationship to Defensible Security Architecture

 

SEC511.2 : Network Security Architecture

• SOCs/Security Architecture – Key Infrastructure Devices
• Traditional and Next- Generation Firewalls, and NIPS
• Web Application Firewall
• Malware Detonation Devices
• HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
• SIEMs, NIDS, Packet Captures, and DLP
• Honeypots/Honeynets
• Network Infrastructure – Routers, Switches, DHCP, DNS
• Mobile Devices and Wireless Access Points
• Threat Intelligence

 

• Segmented Internal Networks
• Routers
• Internal SI Firewalls
• VLANs
• Detecting the Pivot
• DNS architecture
• Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)

 

• Defensible Network Security Architecture Principles Applied
• Internal Segmentation
• Threat Vector Analysis
• Data Exfiltration Analysis
• Detection Dominant Design
• Zero Trust Model (Kindervag)
• Intrusion Kill Chain
• Visibility Analysis
• Data Visualization
• Lateral Movement Analysis
• Data Ingress/Egress Mapping

 

 

SEC511.3 : Network Security Monitoring

• Continuous Monitoring Overview
• Defined
• Network Security Monitoring (NSM)
• Continuous Security Monitoring (CSM)o Continuous Monitoring and the 20 Critical Security Controls

 

• Network Security Monitoring (NSM)
• Evolution of NSM
• The NSM Toolbox
• NIDS Design
• Analysis Methodology
• Understanding Data Sources

 

• Full Packet Capture
• Extracted Data
• String Data
• Flow Data
• Transaction Data
• Statistical Data
• Alert Data
• Tagged Data
• Correlated Data
• Cloud NSM
• Practical NSM Issues
• Cornerstone NSM
• Service-Side and Client-Side Exploits
• Identifying High-Entropy Strings
• Tracking EXE Transfers
• Identifying Command and Control (C2) Traffic
• Tracking User Agents
• C2 via HTTPS
• Tracking Encryption Certificates

 

 

 

 

SEC511.4 : Endpoint Security Architecture

• Security Architecture – Endpoint Protection
• Anti-Malware
• Host-based Firewall, Host-based IDS/IPS
• Application Control, Application Virtualization
• Privileged Accounts, Authentication, Monitoring, and UAC
• Virtual Desktop Infrastructure
• Browser Security
• EMET and Defender Exploit Guard

 

• Patching
• Process
• To Test or Not to Test
• Microsoft
• Third-Party

 

SEC511.5 : Automation and Continuous Security Monitoring

• Overviewo Continuous Security Monitoring (CSM) vs. Continuous Diagnostics and

Mitigation (CDM) vs. Information Security Continuous Monitoring (ISCM)

• Cyberscope and SCAP

 

• Industry Best Practices
• Continuous Monitoring and the 20 CIS Critical Security Controls
• Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber

Intrusions

• Winning CSM Techniques
• Maintaining Situational Awareness
• Host, Port, and Service Discovery
• Vulnerability Scanning
• Monitoring Patching
• Monitoring Applications
• Monitoring Service Logs
• Detecting Malware via DNS logs

 

• Monitoring Change to Devices and Appliances
• Leveraging Proxy and Firewall Data
• Configuring Centralized Windows Event Log Collection
• Monitoring Critical Windows Events
• Hands-on: Detecting Malware via Windows Event Logs

 

• Scripting and Automation
• Importance of Automation
• PowerShell
• DeepBlueCLI
• Hands-on: Detecting Malicious Registry Run Keys with PowerShell

 

SEC530: Defensible Security Architecture and Engineering

SEC530.1 : Defensible Security Architecture and Engineering

• Traditional Security Architecture Deficiencies
• Emphasis on Perimeter/Exploitation
• Lack of a True Perimeter (“De-perimeterization” as a Result of Cloud/Mobile)
• The Internet of Things
• Predominantly Network-centric

 

• Defensible Security Architecture
• Mindset
• Presumption of Compromise
• De-perimeterization
• Predominantly Network-centric
• Models
• Zero-Trust Model (Kindervag – Forrester)
• Intrusion Kill Chain
• Diamond Model of Intrusion Analysis
• Software-defined Networking and Virtual Networking
• Micro-Segmentation
• Threat, Vulnerability, and Data Flow Analysis
• Threat Vector Analysis
• Data Ingress Mapping
• Data Exfiltration Analysis
• Data Egress Mapping
• Detection Dominant Design
• Attack Surface Analysis
• Visibility Analysis

 

• Layer 1 Best Practices
• Network Closets
• Penetration Testing Dropboxes
• USB Keyboard Attacks (Rubber Ducky)

 

• Layer 2 Best Practices
• VLANs
• Hardening
• Private VLANs
• Layer 2 Attacks and Mitigation
• NetFlow
• Layer 2 and 3 NetFlow
• NetFlow, Sflow, Jflow, VPC Flow, Suricata and Endpoint Flow

 

SEC530.2 : Network Security Architecture and Engineering

Layer 3: Router Best Practices

• CIDR and Subnetting

 

• Layer 3 Attacks and Mitigation
• IP Source Routing
• ICMP Attacks
• Unauthorized Routing Updates
• Securing Routing Protocols
• Unauthorized Tunneling (Wormhole Attack)

 

• Layer 2 and 3 Benchmarks and Auditing Tools
• Baselines
• CISecurity
• Cisco’s Best Practices
• Cisco Autosecure
• DISA STIGs
• Nipper-ng
• Securing SNMP
• SNMP Community String Guessing
• Downloading the Cisco IOS Config via SNMP
• Hardening SNMP
• SNMPv3
• Securing NTP
• NTP Authentication
• NTP Amplification Attacks
• Bogon Filtering, Blackholes, and Darknets
• Bogon Filtering
• Monitoring Darknet Traffic
• Building an IP Blackhole Packet Vacuum
• IPv6
• Dual-Stack Systems and Happy Eyeballs
• IPv6 Extension Headers
• IPv6 Addressing and Address Assignment
• Securing IPv6
• IPv6 Firewall Support
• Scanning IPv6
• IPv6 Tunneling
• IPv6 Router Advertisement Attacks and Mitigation
• VPN
• Path MTU Issues
• Fragmentation Issues Commonly Caused by VPN
• Layer 3/4 Stateful Firewalls
• Router ACLs
• Linux and BSD Firewalls
• pfSense
• Stateful
• Proxy
• Web Proxy
• SMTP Proxy
• Augmenting with Phishing Protection and Detection Mechanisms
• Explicit vs. Transparent
• Forward vs. Reverse

SEC530.3 : Network-Centric Security

• NGFW
• Application Filtering
• Implementation Strategies
• NIDS/NIPS
• IDS/IPS Rule Writing
• Snort
• Suricata
• Bro
• Network Security Monitoring
• Power of Network Metadata
• Know Thy Network
• Sandboxing
• Beyond Inline
• Integration with Endpointo Feeding the Sandbox Potential Specimens
• Malware Detonation Devices
• Encryption
• The “Encrypt Everything” Mindset

 

• Internal and External
• Free SSL/TLS Certificate Providers
• SSL/SSH Inspection
• SSL/SSH Decrypt Dumps
• SSL Decrypt Mirroring
• Certificate Pinning
• Malware Pins
• HSTS
• Crypto Suite Support
• Qualys SSL Labs
• Secure Remote Access
• Access into Organization
• Dual Factor for All Remote Access (and More)
• Google Authenticator/TOTP: Open Authentication
• IPSec VPNs
• SSH VPNs
• SSL/TLS VPN
• Jump Boxes
• Distributed Denial-of-Service
• Impact of Internet of Things
• Types of Attacks
• Mitigation Techniques

 

SEC530.4 : Data-Centric Security

• Application (Reverse) Proxies
• Full Stack Security Design
• Web Server
• App Server
• DB Server
• Web Application Firewalls
• Whitelisting and Blacklisting
• WAF Bypass
• Normalization
• Dynamic Content Routing
• Database Firewalls/Database Activity Monitoring
• Data Masking
• Advanced Access Controls
• Exfiltration Monitoring
• File Classification
• Data Discovery
• Scripts vs. Software Solutions▪ Find Sensitive Data in Databases or Files/Folders
• Advanced Discovery Techniques such as Optical Character Recognition

Scanning of Pictures and Saved Scan Files

• Methods of Classification
• Dynamic Access Control
• Data Loss Prevention (DLP)
• Network-based
• Endpoint-based
• Cloud Application Implementations
• Data Governance
• Policy Implementation and Enforcement
• Access Controls vs. Application Enforcement and Encryption
• Auditing and Restrictions
• Mobile Device Management (MDM) and Mobile Application Management (MAM)
• Security Policies
• Methods for Enforcement
• End-user Experience and Impact
• Private Cloud Security
• Securing On-premises Hypervisors (vSphere, Xen, Hyper-V)
• Network Segmentation (Logical and Physical)
• VM Escape
• Surface Reduction
• Visibility Advantages
• Public Cloud Security
• SaaS vs. PaaS vs. IaaS
• Shared Responsibility Implications
• Cloud Strengths and Weaknesses
• Data Remanence and Lack of Network Visibility
• Container Security
• Impact of Containers on On-premises or Cloud Architectures
• Security Concerns
• Protecting against Container Escape

 

SEC530.5 : Zero-Trust Architecture : Addressing the Adversaries Already in our Networks

• Zero Trust Architecture
• Why Perimeter Security Is Insufficient
• What Zero Trust Architecture Means
• “Trust but Verify” vs. “Verify then Trust”
• Implementing Variable Access
• Logging and Inspection
• Network Agent-based Identity Controls
• Credential Rotation
• Certificates
• Passwords and Impact of Rotation
• Endpoints• Compromised Internal Assets
• Pivoting Adversaries
• Insider Threat
• Securing the Network
• Authenticating and Encrypting Endpoint Traffic
• Domain Isolation (Making Endpoint Invisible to Unauthorized Parties)
• Mutual TLS
• Single Packet Authorization
• Tripwire and Red Herring Defenses
• Honeynets, Honeypots, and Honeytokens
• Single Access Detection Techniques
• Proactive Defenses to Change Attacker Tool Behaviors
• Increasing Prevention Capabilities while Adding Solid Detection
• Patching
• Automation via Scripts
• Deputizing Endpoints as Hardened Security Sensors
• End-user Privilege Reduction
• Application Whitelisting
• Host Hardening
• EMET
• Host-based IDS/IPS
• As Tripwires
• Endpoint Firewalls
• Pivot Detection
• Scaling Endpoint Log Collection/Storage/Analysis
• How to Enable Logs that Matter
• Designing for Analysis Rather than Log Collection

 

 

SEC555: SIEM with Tactical Analytics

SEC555.1 : SIEM Architecture

• State of the SOC/SIEM
• Industry statistics
• Industry problems
• Log Monitoring
• Assets
• Windows/Linux
• Network devices
• Security devices
• Data gathering strategies
• Pre-planning
• Logging architecture
• Log inconsistencieso Log collection and normalization
• Log retention strategies
• Correlation and gaining context
• Reporting and analytics
• Alerting
• SIEM platforms
• Commercial solutions
• Home-grown solutions
• Planning a SIEM
• Ingestion control
• What to collect
• Mission
• SIEM Architecture
• Ingestion techniques and nodes
• Acceptance and manipulation for value
• Augmentation of logs for detection
• Data queuing and resiliency
• Storage and speed
• Analytical reporting
• Visualizations
• Detection Dashboards

 

SEC555.2 : Service Profiling with SIEM

• Detection methods and relevance to log analysis
• Attacker patterns
• Attacker behaviors
• Abnormalities
• Analyzing common application logs that generate tremendous amounts of data
• DNS
• Finding new domains being accessed
• Pulling in addition information such as domain age
• Finding randomly named domains
• Discover domain shadowing techniques
• Identifying recon
• Find DNS C2 channels
• HTTP
• Use large datasets to find attacks
• Identify bot traffic hiding in the clear
• Discover requests that users do not make
• Find ways to filter out legitimate noise
• Use attacker randomness against them
• Identify automated activity vs user activity
• Filter approved web clients vs unauthorized
• Find HTTP C2 channels
• HTTPS
• Alter information for large scale analysis
• Analyze certificate fields to identify attack vectors
• Track certificate validity
• Apply techniques that overlap with standard HTTP
• Find HTTPS C2 channels
• SMTP
• Identify where unauthorized email is coming from
• Find compromised mail services
• Fuzzy matching likely phishing domains
• Data exfiltration detection
• Apply threat intelligence to generic network logs
• Active Dashboards and Visualizations
• Correlate network datasets
• Build frequency analysis tables
• Establish network baseline activity

 

SEC555.3 : Advanced Endpoint Analytics

• Endpoint logs
• Understanding value
• Methods of collection
• Agents
• Agentless
• Scripting
• Adding additional logging
• EMET
• Sysmon
• Group Policy

Windows filtering and tuning

Analyze critical events based on attacker patterns

• Finding signs of exploitation
• Find signs of internal reconnaissance
• Finding persistence
• Privilege escalation
• Establishing a foothold
• Cleaning up tracks
• Host-based firewall logs
• Discover internal pivoting
• Identify unauthorized listening executables
• See scan activity
• Credential theft and reuse
• Multiple failed logons
• Unauthorized account use
• Monitor PowerShell
• Configure PowerShell logging
• Identify obfuscation▪ Identify modern attacks
• Containers
• Logging methods
• Monitoring

 

SEC555.4 : Baselining and User Behavior Monitoring

• Identify authorized and unauthorized assets
• Active asset discovery
• Scanners
• Network Access Control
• Passive asset discovery
• DHCP
• Network listeners such as p0f, bro, and prads
• NetFlow
• Switch CAM tables
• Combining asset inventory into a master list
• Adding contextual information
• Vulnerability data
• Authenticated device vs unauthenticated device
• Identify authorized and unauthorized software
• Source collection
• Asset inventory systems
• Patching management
• Whitelisting solutions
• Process monitoring
• Discovering unauthorized software
• Baseline data
• Network data (from netflow, firewalls, etc)
• Use outbound flows to discover unauthorized use or assets
• Compare expected inbound/outbound protocol
• Find persistence and beaconing
• Utilize geolocation and reverse dns lookups
• Establish device-to-device relationships
• Identify lateral movement
• Configure outbound communication thresholds
• Monitor logons based on patterns
• Time-based
• Concurrency of logons
• # logons by user
• # logons by source device
• Multiple geo locations
• Endpoint baseline monitoring
• Configure enterprise wide baseline collection
• Large scale persistence monitoring
• Finding abnormal local user accounts▪ Discover dual-homed devices
• Cloud baselining (Example in class uses Amazon AWS)

 

SEC555.5 : Tactical SIEM Detection and Post-Mortem Analysis

• Centralize NIDS and HIDS alerts
• Analyze endpoint security logs
• Provide alternative analysis methods
• Configure tagging to facilitate better reporting
• Augment intrusion detection alerts
• Extract CVE, OSVDB, etc for further context
• Pull in rule info and other info such as geo
• Analyze vulnerability information
• Setup vulnerability reports
• Correlate CVE, OSVDB, and other unique IDs with IDS alerts
• Prioritize IDS alerts based on vulnerability context
• Correlate malware sandbox logs with other systems to identify victims across enterprise
• Monitor Firewall Activity
• Identify scanning activity on inbound denies
• Apply auto response based on alerts
• Find unexpected outbound traffic
• Baseline allow/denies to identify unexpected changes
• Apply techniques to filter out noise in denied traffic
• SIEM tripwires
• Configure systems to generate early log alerts after compromise
• Identify file and folder scan activity
• Identify user token stealing
• Operationalize virtual honeypots with central logging
• Allow phone home tracking
• Post mortem analysis
• Re-analyze network traffic
• Identify malicious domains and IPs
• Look for beaconing activity
• Identify unusual time-based activity
• Use threat intel to reassess previous data fields such as user-agents
• Utilize hashes in log to constantly re-evaluate for known bad files

 

 

 

 

 

 

 

 

 

با تشکر از توجه شما

لطفا جهت دريافت اطلاعات تکميلي با ما تماس بگيريد

 

گروه دوران

DOURAN

GROUP

 

 

 

Web Site: www.douran.com