and Threat Hunting

The main goal of this training is to show by hands-on the “Feel the network” approach to better understand what is a normal activity, what is malicious, and thus how to do incident response faster and more precisely. During this training, you will analyze different types of PCAPs and live network communication streams between endpoints. 

We will start by analyzing and creating a current-state behavior profile for a small network segment consisting of Linux and Windows stations. Then, we will execute various types of network attacks including lateral movement, pivoting, and C2 communication channels in order to generate suspicious events. During the next step, you will identify systems that have been compromised and run a drill-down analysis.

On top of that, you will spend most of your time analyzing and pivoting through available network telemetry including Netflow, Moloch as a Full Packet Capture engine, signature-based Suricata IDS, and signature-less Zeek event logs like: conn.log, dns.log, dhcp.log, ssh.log. x509.log, ssl.log, ntlm.log, kerberos.log, ntp.log, weird.log, notice.log, http.log, smb.log, smb_files.log, dce_rpc.log, rdp.log, known_hosts.log, dpd.log, known_services.log, known_certs. The rest of the analyzed examples will be based on the use of the great Velociraptor DFIR to pivot to the forensic phase. 

We will also cover how to extend the visibility of the Zeek engine, how to create and load additional scripts, how to write your own Suricata rule, and how to pivot across different data sources. This training will guide you through threat hunting methodologies, different network attack-detection-inspection-response use-cases and NIDS architectures to teach critical aspects of how to handle network detection and Threat hunting properly at scale. Expect to build a simple Threat Hunting Playbook at the end of the training.

Agenda

• Introduction to Threat Hunting:
• Intel-based hunting
• Hypotheses-based hunting (Analytics-driven, Intelligence-driven, Situational-awareness driven)
• Hybrid hunting

• OODA mindset
• Know your environment:
• the importance of network baselining
• Identification of high-value users and assets

• Overview of available network telemetry and hunting tools in PurpleLabs:
• Network
• Endpoint
• Pivoting to forensic phase with Velociraptor DFIR

• Network-process context is the key
• Generating Hunting Hypotheses in the scope of:
• Initial Access 
• Execution 
• Persistence
• Privilege Escalation
• Defense Evasion 
• Credential Access
• Discovery 
• Lateral Movement 
• Collection 
• Command and Control 
• Exfiltration 
• Impact 

• Auditing ingress/egress traffic
• Searching for Known Indicators of Compromise / Attack (IoC / IoA)
• Hunting using network signatures:
• ET Open Rules
• Talos rules

• Hunting for beacons - regular activity patterns
• Detecting ICMP C2 channel
• DNS analytics / Domain Generation Algorithm (DGA) Detection & Analysis
• HTTP / HTTPS Malleable profile analysis and detection
• Anomaly Detection in HTTP / Proxy Logs
• Proxying identification
• File extraction from PCAP and network streams
• Brute-force, password spraying detection
• Lateral Movement Detections:
• SMB Traffic Analysis
• RPC Traffic Analysis
• RDP Traffic Analysis
• SSH Traffic Analysis
• Fingerprinting with JA3, JARM, and HASSH 
• LLMNR, NBT-NS, MDNS poisoning detection
• Detection of VPN-based C2 channels
• Detection of blockchain-based C2 channels
• Hunting for exfiltration behaviors → download/upload ratio, packet/bytes statistics, chunking detection
• Hunting enrichment with:
• GeoIP / ASN
• Greynoise
• Hybrid Analysis
• VirusTotal

• Constructing hunt flows with Kestler and Jupyter Notebooks
• Playing with Attack PCAP analysis
• Hunting for suspicious network events with RITA
• Development of Suricata rule
• Expanding Zeek visibility
• Using theHive for threat hunting and incident management

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

• CSIRT / Incident Response Specialists
• Red and Blue team members
• Penetration testers
• Threat Hunters
• Security / Data Analytics
• IT Security Professionals, Experts & Consultants
• SOC Analysts and SIEM Engineers
• AI / Machine Learning Developers
• Open Source Security Enthusiasts

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.