Adversary Tactics: Detection

May 10, 11, 12 and 13th

Course Abstract

Enterprise networks are under constant attack from adversaries of all skill levels. Blue teamers are facing a losing battle; as the attacker only needs to be successful once to gain access. Since the scales are heavily tipped in the attacker’s favor, a new defensive mindset is required. Rather than focusing just on preventing attacks from being successful, assume a breach could occur and proactively search for evidence of compromise in the environment. Malicious techniques used to laterally spread, pivot, and privilege escalate are not normal in networks and can be detected. A proper Threat Hunting program is focused on maximizing the effectiveness of scarce network defense resources to protect against a potentially limitless threat.

Threat Hunting takes a different perspective on performing network defense, relying on skilled operators to investigate and find the presence of malicious activity. This course builds on standard network defense and incident response (which target flagging known malware) by focusing on abnormal behaviors and the use of attacker Tactics, Techniques, and Procedures (TTPs). We will teach you how to create threat hunting hypotheses based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will use free and open source data collection and analysis tools (Sysmon, ELK and Automated Collection and Enrichment Platform) to gather and analyze large amounts of host information to detect malicious activity. You will use these techniques and toolsets to create threat hunting hypotheses and perform threat hunting in a simulated enterprise network undergoing active compromise from various types of threat actors.

Outline

Day 1:

  • Threat Hunting Introduction
  • MITRE ATT&CK and Adversary TTPs
  • Data Source Identification
  • Data Quality Assessment
  • Host Baselining
  • Threat Hunting Campaign Types

Day 2:

  • Interpreting Threat Reports
  • Host-based Collection Methodology
  • Defensive Indicator Design
  • Hunt Hypothesis Generation Process
  • Post Hunt Activities

Day 3:

  • Digital Signature Validation
  • Dynamic Binary Analysis
  • Hunt Hypothesis Generation
  • Hypothesis Execution

Day 4:

  • Capstone
  • Threat Hunting Engagement
  • Live Environment/Adversary

Who Should Attend

This class is intended for defenders wanting to learn how to effectively Hunt in enterprise networks. Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.

What to Bring

Students will be supplied with a customized virtual machine that includes all tools needed to perform the training. Students need to bring a laptop with at least 8 gigabytes of RAM, the ability to run a virtual machine (VMWare Fusion, Player, or workstation), and a wireless network adapter.

Bio

SpecterOps ,

Specific instructors will be determined soon. The SpecterOps team consists of sought-after experts, who bring years of breach assessment (hunt) and red team experience from both commercial and government sectors.

Return to training sessions