Dedicated
On-site, closed training dedicated only for your team.
Register now
Agenda
Open Source Defensive Security Training is an advanced laboratory dedicated for professionals who need to close the gaps in Linux, Web Application & Open Source Security knowledge. Very detailed and up to date course content with a focus especially on defensive approach gives you the best opportunity to make stronger defensive layers inside your network infrastructures or/and Linux-based products. Delivering real-world scenarios in our Open Source Defensive Security hands-on labs provides (removed a) very practical knowledge that is needed for expanding your Linux Security skills.
Thanks to this training you will:
- Learn techniques to protect your Linux systems against attacks used by modern attackers
- Find out how you can protect Linux servers and web applications against real attacks
- Learn how to use dozens of solutions and security tools for offensive and defensive scope
- Configure several advanced solutions to reduce the success of the attack or minimize the risk of the use of vulnerability
This is an extremely deep dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do and those details bring the differences - from the offensive and defensive approach. That's how we see it works. Our high-tech workshop has a unique formula 'Protection vs Attack'. This means that most of the security issues we are talking about will be effectively protected by using suitable approaches, sophisticated software, and dedicated secure configuration. As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster."
Target audience:
- Linux administrators & IT Architects
- IT Security professionals
- Penetration testers
- IT Security consultants and Open Source specialists
- Blue, Red and Purple Teams
Day 1
Web applications are often the attacked target of today's infrastructure. Therefore, they require special care and commitment of maintenance teams. Various vulnerabilities such as Command Execution, SQL Injection and Cross Site Scripting are just three of the most commonly used bugs. Types of susceptibility are dozens. The most dangerous, however, are the so-called Hybrid attacks which are a mix of attacks consisting of using misconfiguration errors and vulnerabilities in many different layers, both the application itself and the infrastructure based like: database misconfiguration, application servers, wrong permissions, etc. Within the labs, after the right dose of theory, we will examine the opportunities that lie in the open design of ModSecurity project. In addition to getting familiar with the engine architecture and how to use Core Rule Set rules, we will build our own dedicated rules and create virtual patches to eliminate bugs in vulnerable applications - all that without modifying the source code. To protect yourself, you should know how to attack, so most of the vulnerabilities listed in the agenda will be exploited by us. We will also learn how to leverage a proactive approach by dynamically injecting web-based honeypots using the Reverse Proxy architecture. There will be also labs from other areas of application security: secure HTTP headers, sensor approach, Content Security Policy, HMAC, or the correct HTTPS configuration which guarantee a high level of module content. The whole web application security material is preserved in a convention of protection vs. attack.
- Threats are everywhere - introduction to technical Open Source Defensive Security program.
- Web application security -> hardened Reverse Proxy -> ModSecurity vs HTTP security issues:
- Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPNuke, Joomla, Drupal, PHPMyAdmin, Oscommerce, Magento, Wordpress, dotProject, and others
- Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based - mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based - mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie
- HTTPS – how to achieve status A+?:
- Attacks:
- Heartbleed
- Breach
- Drown
- Beast
- Poodle
- MiTM: sslstrip
- Mutual SSL
- Attacks:
- Security headers: Content Security Policy, Cross Origin Resource Sharing / Same Origin Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Sub_resource Integrity, Per-page sub-origins, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), HPKP, PFS
- Cookies: Secure, Httponly, Domain, Path, Same_site, Clear Site Data Feature Policy, First-party cookies
- HTTP header anomalies
- Virtual Patching
- Full HTTP auditing
- LUA/OpenResty support
- Sensor approach - OWASP Appsensor
- Web application security using ModSecurity - creating dedicated WAF rules against:
- *Injections
- Null bytes
- Path/directory traversal
- LFI/RFI->Command Execution
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- HTTP Parameter Pollution (HPP)
- Open Redirect
- Insecure Direct Object Reference vs HMAC
- Forceful Browsing
- CSWSH - Cross Site WebSocket Hijacking
- Session Security
- Brute force
- Slow DOS
- GEO restrictions
- Error handling
- Leakage detection
- Secure file upload
- Secure logout / forgot password form
- Web honeypots
- Bot/scan protection
- AV protection
- PHP Security
- Tomcat Security
- Tools:
- Sqlmap, SQLninja
- Xsser
- Dominator
- Skipfish
- ZAP / Burp
- Wafdetect
- Joomscan, WPScan
- Dirbuster, dirb
- Nikto
- JSDetox
- Brakeman
- And others
Day 2
A day dedicated to detailed analysis of how we can protect (and attack) Linux OS. MAC access control mechanisms, sandboxing, root user limitation and accountability, ACL, service isolation on different layers: seccomp, capabilities are just the beginning of fun. Compiling the kernel with grsecurity, learning about kernel exploit techniques and analyzing exploits from recent years, configuring PAX memory protection mechanisms, and finally presenting the difference in safe compiled binaries vs. different types of overflows is a good day's guarantee. Within the labs, we will meet a whole host of different tools, scripts, and techniques to keep in mind when designing secure systems, applications or commercial appliances. There will also be exercises related to memory acquisition, analyzing Linux RAM mainly against rootkits - which we will also install, analyze and test.
- Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
- Grsecurity / PAX
- SELinux / Multi Category Security / sVirt
- AppArmor, Tomoyo, Smack, RSBAC
- GCC hardening: SSP, NX, PIE, RELRO, ASLR vs buffer overflow
- Linux Containers - Docker/LXC/nspawn
- LKM-off / YAMA / enforcing
- Linux capabilities vs SUID and others
- System call restriction - seccomp
- Integrity checking - IMA/EVM
- Package Mgmt security
- Debuggers and profilers - gdb/strace/ldd/Valgrind/Yara
- Chroot/jail/pivot_root
- Behavioral analysis - systemtap / LTTng / sysdig
- Memory forensics - Volatility vs malware
- PAM / 2FA
- System update vs reboot
- *privchecks
Day 3
Network Security is a huge area made up of various service combination and configuration. The essence of this part of the workshop is to present the problems and risks that are caused by incorrectly configured or insufficiently hardened services most commonly encountered in corporate networks. Each of the following points will be discussed in terms of best practices for deployment, security, and maintenance. The labs will show you the most common attack techniques in direct confrontation with hardening and secure configuration. There will be no such shortcomings as the launch of a Linux domain controller, the use of honeypot traps as well as low-level analysis of network traffic, including the signature and behavioral detection approach. The entire knowledge transfer will be based on the experience gained over the last 12 years during many implementations, consultations, and pieces of training.
- Vulnerability scanning:
- Nmap NSE
- Seccubus
- OpenVAS
- Metasploit
- Linux Domain Controller - IdM/HBAC/SUDO
- SFTP/SCP - Secure SSH Relay
- Restricted shells/commands
- SSH tips and tricks
- Public Key Infrastructure – SSL/TLS
- NFS Security
- Database Security
- DNS Security
- Mail Security
- DOS / scanning / brute-force protection techniques
- Advanced network firewall: iptables/nftables/ebtables
- System honeypots
- Network traffic analysis - Wireshark, scapy / tcpdump / tcpreplay
- Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
- Auditd
- OSSEC / Samhain / aide
- Splunk/ELK/OSSIM
- Security by obscurity
Plans
Public
Open, public training in Cracow and Warsaw dedicated for students from different companies.
Register now
Online
Work in progress. Soon available.
Our clients include
I know Leszek from the previous company where he was the Lead Security Architect as well as Trainer. I've had a pleasure to attend Leszek's several courses as well as exams. Suits best to non-standard tasks that require wide technical knowledge, skills of combining elements from different areas. I don't mention about security, Leszek is a well known person in Linux / Security community.