Courses 101 - 201 - 301 - Carleton University…
Posted on 10-Aug-2020
CYBER DEFENCE TRAINING
2018-2019
COURSES 101 - 201 - 301
PROGRAM DESCRIPTION
This document details the program of 3 intensive courses in cyber security incident response. Each of these courses lasts 4 days (may be customized based on customer preference) and focuses on hands-on exercises.
Attendees will learn to think like cyber attackers, which will enable them to optimize defences, create realistic attack scenarios and perform dynamic threat hunting through red versus blue scenarios.
Course 101 (4 days) Introduction to incident response
This course will familiarize attendees with the cyber attack
process and with incident response processes. The course leans
on freely available offensive and defensive tools to execute a
series of practical hands-on exercises simulating real attack
scenarios.
Course 201 (4 days) Automation in incident response
This course allows attendees to expand the capabilities of offensive and defensive tools using technologies such as PowerShell and WMI. This enables the scaling of incident response processes to an enterprise level size to counter sophisticated attacks.
Course 301 (4 days) Advanced attacks and enterprise defence
This course teaches attendees the fundamentals of enterprise level defences, such as access control management, GPO deployment and application whitelisting. These countermeasures enable the disruption and the detection of critical steps in the execution of sophisticated attacks.
COURSES OVERVIEW

COURSE 101 Introduction to incident response
Learning objectives
At the end of this course, the attendee will be able to apply a deliberate incident response process for incidents involving malware.
Key capabilities acquired
Understanding the attack process
Applying the intelligence lifecycle
Use elementary defensive tools (Sysinternals suite, native tools, Wireshark)
Use elementary offensive tools (Metasploit, Armitage)
Day 1
Introduction and threat briefing
Presentation aimed at increasing awareness of current threats and distinguishing different types of cyber threats, in particular targeted and non-targeted threats.
The attack process - Infection and persistence [red]
Demo and exercises providing a better understanding of techniques used by attackers to infect machines as well as the artifacts used for detecting these techniques.
Day 2
Incident response - The intelligence cycle [blue]
Presentation and exercises teaching the cycle of artifact discovery followed by cyber investigation as well as the basic technical tools for analyzing cyber incidents.
The attack process - Command and control [red]
Exercises aimed at familiarizing attendees with methods used by attackers to establish communications for command and control.
Day 3
Network surveillance [blue]
Exercises introducing the network security monitoring process to detect network artifacts.
Introduction to cyber forensics [blue]
Exercises introducing cyber forensics tools enabling the collection of additional artifacts necessary for the detection of certain cyber attacks.
Day 4
Capstone exercises [red vs blue]
Whole class exercises enabling attendees to integrate what they have learned through realistic cyber attack scenarios.
COURSE 201 Automation in incident response
Learning objectives
At the end of this course, the attendee will be able to personalize tools using scripting languages in order to scale up incident response and cyber attack artifact collection processes.
Key capabilities acquired
Use Indicators of Compromise (IoC)
Programmatic collection of artifacts
Offensive uses for native Windows tools (PowerShell, WMI)
Day 1
Threat briefing
Presentation covering current threats and pointing at the need to scale up enterprise defences.
Review - Artifact detection [blue]
Exercises aimed at refreshing the memory of students with regards to the main artifacts linked with cyber attacks and their collection techniques.
Day 2
The attack process - Automating infection and persistence [red]
Demo and exercises teaching advanced techniques leveraging native Windows tools used by attackers to infect machines.
The attack process - Command and control and lateral movement [red]
Demo and exercises teaching advanced techniques leveraging native Windows tools used by attackers to expand their access and establish command and control.
Day 3
Incident response - Indicators of compromise (IoC) [blue]
Demo and exercises teaching how native Windows tools may be used to automate collection and analysis of indicators of compromise.
Incident response - Logging and artifact collection [blue]
Demo and exercises teaching how native Windows tools can be used in conjunction with logging to automate elements of the intelligence lifecycle.
Day 4
Capstone exercises [red vs blue]
Whole class exercises enabling attendees to integrate what they have learned through realistic cyber attack scenarios.
COURSE 301 Advanced attacks and enterprise defence
Learning objectives
At the end of this course, the attendee will be able to understand interactions between enterprise level defences and attack techniques, as well as understand which artifacts or logs are best positioned to detect control bypasses.
Key capabilities acquired
Understanding of authentication and authorization mechanisms used in AD environments
Effects of security configurations on standard attack methods
Limits of application whitelisting
Understanding the man-in-the-middle class of attacks
Day 1
Advanced attacks and enterprise defence
Presentation providing in-depth understanding of enterprise defences, in particular defences related to an Active Directory environment, and the effect of those defences on advanced attacks.
Privilege escalation [red and blue]
Exercises teaching different techniques used to bypass access privilege limitation controls as well as artifacts left by those techniques.
Day 2
Lateral movement [red and blue]
Exercises illustrating the different attack techniques to bypass access controls and privilege controls in Windows environments (e.g. pass-the-hash, token stealing, Golden ticket attack). The effect of different Group Policy Objects (GPO) on the ability to implement these attacks will also be highlighted in the exercises.
Day 3
Network interception [red and blue]
Exercises teaching man-in-the-middle attacks enabling the extension of the scope of authentication attacks on Windows enterprise networks.
Application whitelisting [red and blue]
Exercise illustrating the usefulness of application whitelisting to prevent a number of infection vectors as well as techniques to bypass whitelisting.
Day 4
Capstone exercises [red and blue]
Whole class exercises enabling attendees to integrate what they have learned through realistic cyber attack scenarios.
CONTACT:
info@QuantumCyberDefence.com