Linux Forensics Inspection and Incident Response at scale

About

Attackers constantly find new ways to compromise and infect Linux hosts using ever more sophisticated techniques and tools. As defenders, we need to keep pace with adversaries, understand their TTPs, and be able to respond quickly. Combining low-level network visibility with endpoint visibility is crucial to achieving that goal, and for DFIR needs we can go even further with proactive forensic inspections. This training walks you through a series of attack / detection / inspection / response use-cases and teaches the critical aspects of handling Linux incidents properly. Through hands-on labs you will gain a solid understanding of the DFIR-relevant Linux and network internals, and of the investigation steps needed to get the full picture of post-exploitation activity and the artifacts it leaves behind. At scale.

Agenda

  • How to run DFIR tasks at scale across many Linux endpoints
  • Recent Linux APT analysis
  • RE&CT Enterprise Matrix
  • The importance of timeline analysis and NTP synchronization
  • Triage / collecting artifacts
  • Privileged user and group enumeration
  • Identification of logged accounts
  • Searching for files at scale
  • Establishing a baseline for different OS components (cron, at, rc.local, ACLs, hosts, resolv.conf, SELinux, filesystem hashing, packages, and checksums)
  • Process call chains / pstree / process arguments
  • Collecting and analyzing important process data (/proc)
  • Finding hidden processes, network connections, and kernel modules
  • Detecting capabilities in ELF, shellcode files
  • Detecting loaded shared libraries per process
  • Detecting web shells/file create notifications
  • Hunting for packers, extracting binary versions, and exports
  • Searching for exploitation attempts in logs
  • Hunting for Linux rootkits (user space / kernel space)
  • Hunting for artifacts of process injection techniques
  • Sysmon Events + Sigma detection rules
  • Runtime Security (Falco, Tracee)
  • Open source ways for memory acquisition and memory forensics
  • Creating Volatility profiles
  • Filesystem and process memory Yara scans
  • Endpoint data correlation and hunting for suspicious network events
  • Network visibility with/without signature rules
  • Searching for persistence methods in use
  • Data correlation and hunting for suspicious network events + RITA
  • Direct interaction with the endpoint: command execution on demand, system modification, and quarantine examples
  • Hunts enrichment
  • Using theHive for incident management

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analytics
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of infosec career positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to finally become an IT Security Architect / SOC Security Analyst with a deep, vendor-neutral focus on network security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and a thorough understanding of the technical and business value delivered by a structured, automated adversary simulation platform.

Recognized speaker and trainer at: BruCON, Black Hat US, OWASP AppSec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of the OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “feature” extraction, OS internals and forensics. He constantly tries to figure out what the AI/ML Network Security vendors are actually selling. In his free time he likes to break into the “IoT world” just for fun.

Still learning hard every single day.

Interested?

If you are interested in dedicated, private training for your Security Operations team, let us know. We love delivering on-site training sessions!