In & Out -

The main goal of the training is to achieve better detection of exfiltration / post-exploitation activities and get more effective incident handling, thus allowing to reduce the number of false positives in the SOC environment. Individual detection lab cases will be launched and analyzed together in details by finding new and using existing DFIR artifacts. A modular lab-oriented form of the training allows for later use and combination within your own SOC infrastructure, expanding and delivering complex tactics, techniques and procedures (TTP).

An advanced lab-based training created to present participants:

• Significance of security events correlation including context to reduce the number of false positives and better detection of adversary activities
• Advanced detection methods and techniques against exfiltration and lateral movement including event mapping, grouping, and tagging
• Understand the tactics and behaviors of the adversary after gaining initial access to the network (Linux/Windows) 
• Detection methods of tunneling, hiding, pivoting and custom, simulated malicious network events
• Capabilities of many popular Open Source tools and integration with 3rd party security (IDS/IPS/WAF/EDR) and analytics solutions against adversaries actions
• Verification methods and techniques for product and service providers from IT Security space → in terms of internal testing and PoC / PoV programs

Agenda

• The value behind Adversary Simulations.
• MITRE Attack Framework for APT detection.
• Open Source Security Software for your Security Operation Center - introduction to cloud-based LAB environment and more.
• Network baseline profiling and hunting for malicious events - BRO / Suricata IDS
• Low-level analysis of Sigma rules + Sysmon for better lateral movement detection.
• Auditing subsystems: auditd, eBPF, OSquery.
• Web security - using WAF for greater application visibility.
• Detecting ATT&CK techniques & tactics for Linux / Windows.
• Understanding Linux / Windows Malware Persistence Methods.
• Detecting C2 network exfiltration and post-exploitation TTPs → use cases.
• Summary.

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

• Red and Blue team members
• Security / Data Analytics
• CIRT / Incident Response Specialists
• Network Security Engineers
• SOC members and SIEM Engineers
• AI / Machine Learning Developers
• Chief Security Officers and IT Security Directors

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and DevOps, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL 2019.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.