
CYBER DEFENCE TRAINING 2018-2019

COURSES 101 - 201 - 301

Carleton University


PROGRAM DESCRIPTION

This document details the program of 3 intensive courses in cyber security incident response. Each of these courses lasts 4 days (may be customized based on customer preference) and focuses on hands-on exercises.

Attendees will learn to think like cyber attackers, which will enable them to optimize defenses, create realistic attack scenarios and perform dynamic threat hunting through red versus blue scenarios.


COURSES OVERVIEW

Course 101 (4 days) Introduction to incident response

This course will familiarize attendees with the cyber attack process and with incident response processes. The course leans on freely available offensive and defensive tools to execute a series of practical hands-on exercises simulating real attack scenarios.

Course 201 (4 days) Automation in incident response

This course allows attendees to expand the capabilities of offensive and defensive tools using technologies such as PowerShell and WMI. This enables the scaling of incident response processes to an enterprise level size to counter sophisticated attacks.

Course 301 (4 days) Advanced attacks and enterprise defense

This course teaches attendees the fundamentals of enterprise level defenses, such as access control management, GPO deployment and application whitelisting. These countermeasures enable the disruption and the detection of critical steps in the execution of sophisticated attacks.


COURSE 101 Introduction to incident response

Learning objectives

At the end of this course, the attendee will be able to apply a deliberate incident response process for incidents involving malware.

Key capabilities acquired

- Understanding the attack process
- Applying the intelligence lifecycle
- Use elementary defensive tools (Sysinternals suite, native tools, Wireshark)
- Use elementary offensive tools (Metasploit, Armitage)


Day 1

Introduction and threat briefing: Presentation aimed at increasing awareness of current threats and distinguishing different types of cyber threats, in particular targeted and non-targeted threats.

The attack process - Infection and persistence [red]: Demo and exercises providing a better understanding of techniques used by attackers to infect machines as well as the artifacts used for detecting these techniques.

Day 2

Incident response - The intelligence cycle [blue]: Presentation and exercises teaching the cycle of artifact discovery followed by cyber investigation as well as the basic technical tools for analyzing cyber incidents.

The attack process - Command and control [red]: Exercises aimed at familiarizing attendees with methods used by attackers to establish communications for command and control.


Day 3

Network surveillance [blue]: Exercises introducing the network security monitoring process to detect network artifacts.

Introduction to cyber forensics [blue]: Exercises introducing cyber forensics tools enabling the collection of additional artifacts necessary for the detection of certain cyber attacks.

Day 4

Capstone exercises [red vs blue]: Whole class exercises enabling attendees to integrate what they have learned through realistic cyber attack scenarios.


COURSE 201 Automation in incident response

Learning objectives

At the end of this course, the attendee will be able to personalize tools using scripting languages in order to scale up incident response and cyber attack artifact collection processes.

Key capabilities acquired

- Use Indicators of Compromise (IoC)
- Programmatic collection of artifacts
- Offensive uses for native Windows tools (PowerShell, WMI)


Day 1

Threat briefing: Presentation covering current threats and pointing at the need to scale up enterprise defenses.

Review - Artifact detection [blue]: Exercises aimed at refreshing the memory of students with regards to the main artifacts linked with cyber attacks and their collection techniques.

Day 2

The attack process - Automating infection and persistence [red]: Demo and exercises teaching advanced techniques leveraging native Windows tools used by attackers to infect machines.

The attack process - Command and control and lateral movement [red]: Demo and exercises teaching advanced techniques leveraging native Windows tools used by attackers to expand their access and establish command and control.


Day 3

Incident response - Indicators of compromise (IoC) [blue]: Demo and exercises teaching how native Windows tools may be used to automate collection and analysis of indicators of compromise.

Incident response - Logging and artifact collection [blue]: Demo and exercises teaching how native Windows tools can be used in conjunction with logging to automate elements of the intelligence lifecycle.

Day 4

Capstone exercises [red vs blue]: Whole class exercises enabling attendees to integrate what they have learned through realistic cyber attack scenarios.


COURSE 301 Advanced attacks and enterprise defence

Learning objectives

At the end of this course, the attendee will be able to understand interactions between enterprise level defenses and attack techniques as well as understand which artifacts or logs are best positioned to detect control bypasses.

Key capabilities acquired

- Understanding of authentication and authorization mechanisms used in AD environments
- Effects of security configurations on standard attack methods
- Limits of application whitelisting
- Understanding the man-in-the-middle class of attacks


Day 1

Advanced attacks and enterprise defence: Presentation providing in-depth understanding of enterprise defenses, in particular defenses related to an Active Directory environment, and the effect of those defenses on advanced attacks.

Privilege escalation [red and blue]: Exercises teaching different techniques used to bypass access privilege limitation controls as well as artifacts left by those techniques.

Day 2

Lateral movement [red and blue]: Exercises illustrating the different attack techniques to bypass access controls and privilege controls in a Windows environment (e.g. pass-the-hash, token stealing, Golden ticket attack). The effect of different Group Policy Objects (GPO) on the ability to implement these attacks will also be highlighted in the exercises.


Day 3

Network interception [red and blue]: Exercises teaching man-in-the-middle attacks enabling the extension of the scope of authentication attacks on Windows enterprise networks.

Application whitelisting [red and blue]: Exercise illustrating the usefulness of application whitelisting to prevent a number of infection vectors as well as techniques to bypass whitelisting.

Day 4

Capstone exercises [red and blue]: Whole class exercises enabling attendees to integrate what they have learned through realistic cyber attack scenarios.


CONTACT:

[email protected]