HBFITES Data Center, Collaboration, Security, Storage, Wireless, Telepresence Training +91-9886770046 info@hbfites.com

CTDM - Cyber Threats Detection and Mitigation

Description

Cyber threats are increasing at an alarming rate every year, and it is becoming more and more difficult for organizations to defend quickly and effectively against full-scale distributed attacks. To be safe and secure on today's Internet, organizations must become more automated: they must be capable of characterizing attacks across hundreds or even thousands of IP sessions and of recognizing the commonalities between attacks. With intrusion detection systems and trained network security auditors, organizations have a reliable means to prioritize and isolate only the most critical threats in real time.

Taught by leaders in network defense who work in the computer security industry, this course demonstrates how to defend large-scale network infrastructure by building and maintaining intrusion detection systems, auditing network security, and applying incident response techniques.

Course Details:

  • 70% Labs, 30% Lecture using real-world networking attacks
  • Laptops are provided during the class
  • Students receive USB Flash drives of all student labs

Objectives

Attending students will learn:

  • How to identify the best defensive measures to effectively protect a network
  • How to setup and maintain an intrusion detection system
  • How to conceptualize and develop intrusion detection rules and rulesets
  • How to analyze and respond to intrusion attempts
  • How to recover from a successful intrusion

Prerequisites

Attending students should possess the following:

  • A thorough understanding of Microsoft Windows
  • Knowledge of networking protocols and Wireshark filtering (highly recommended)

Who Should Attend

  • Network defenders who want to respond to networking threats
  • Incident responders who need to quickly address a system security breach
  • Individuals who need a firm understanding of signature development and SNORT

Outline

  • Intrusions Defined
  • Historical Intruders
    • Jonathan James
    • Adrian Lamo
    • Kevin Mitnick
    • Kevin Poulsen
    • Robert Tappan Morris
    • Vladimir Levin
    • Lloyd
    • David Smith
    • Mafia Boy
    • Mark Abene
  • Historical Intrusions
    • Morris Worm
    • Melissa
    • VBS Loveletter (I Love You Virus)
    • Code Red
    • Nimda
    • SQL Slammer
    • MS Blaster
    • MyDoom
    • Sasser
    • Witty
  • Wireshark Overview
    • Interface
    • Capturing
    • Packet Decoding
    • Filter Generator
    • Right Click Contexts
    • Marking Packets
    • Statistical Information
    • Find Features
    • Stream Reconstruction
  • TCP Session Initialization Review
  • Incident Response
    • Incident Response Plan
    • Incident Response Team
    • Incident Response Policy
    • Types of Incidents
      • Denial of Service
      • Malicious Code
      • Unauthorized Access
      • Inappropriate Usage
      • Multiple Component
    • Incident Response Phases
      • Preparation
      • Detection and Analysis
      • Containment, Eradication, and Recovery
      • Post-Incident Activity
  • NetFlow Analysis
    • Cisco NetFlow v1 and v9 (IPFIX)
    • sFlow
    • J-Flow
    • SiLK and Argus Collectors
  • Intrusion Detection Systems
    • Definition
    • IDS Types
      • NIDS
      • HIDS
      • DIDS
    • Scanning versus Compromise
    • IDS Known Good versus Known Bad Approaches
    • Rule Based IDS
    • Protocol Analysis IDS
    • Heuristics Based IDS
    • Response Actions
      • Passive Response
      • Active Response
    • Inline IDSs
    • Problems with Active Response
    • Defense in Depth
      • Physical Security
      • Social Engineering
      • OS Security
      • Application Security
      • Internal Threats
      • Network Security
    • False Positives and False Negatives
  • Intrusion Prevention Systems
    • Active Response Techniques
  • Introduction to Snort
    • Packet Sniffer
    • Packet Logger
    • NIDS
    • Protocol Support
      • ICMP, UDP, IP
    • Sourcefire
    • Packet Decoder
    • Preprocessors
    • Detection Engine
    • Alert and Logging
  • Detection Rules
    • Actions after a match
    • What rules can't do
    • Fundamentals of a Rule
      • Rule Header
      • Rule Body
    • Rule Actions
      • Alert, Log, Pass, Activate, Dynamic, Drop, Reject, Sdrop
    • Rule Body Options
      • MSG, References, ID, Rev, Classtype, Severity, Content
    • Content Modifiers
      • nocase, rawbytes, depth, offset, distance, within, http_uri, etc.
    • Pre-Processors
      • frag3, stream4, flow, stream5, http_inspect
    • Output Plug-ins
      • alert_syslog, alert_fast, alert_full, csv, database, etc.
  • Attack Scenarios
    • Writing Signatures around many attack scenarios applicable to real world situations
  • Syslog Tools
    • Kiwi SyslogD Server Setup
  • Non Payload Detection Rules
    • dsize
    • fragoffset
    • ttl
    • tos
    • id
    • ipopts
    • fragbits
    • flags
    • flow
    • flowbits
    • seq
    • window
    • etc.
  • Post-Detection Rule Options
    • logto
    • session
    • resp
    • react
    • tag
  • Writing Effective SNORT Rules
    • Content Matching
    • Catch Vulnerabilities
    • Oddities of the protocol being inspected
  • Optimizing IDS Rules
  • Attack Scenarios
    • Writing Signatures around many attack scenarios applicable to real world situations
  • Student Practical Demonstration:
    • Students are given five attack scenarios against which they must write SNORT rules. Once the students have implemented the rules on their SNORT system, the instructor launches attacks against them to determine whether the rules were effective.

Lab Outline

  • Day 1
    • Incident Response Team Exercise
    • Wireshark Display Filtering Exercise Part 1
    • Wireshark Display Filtering Exercise Part 2
    • Researching an Intrusion in Wireshark Lab 1
    • Researching an Intrusion in Wireshark Lab 2
    • Researching an Intrusion in Wireshark Lab 3
    • Researching an Intrusion in Wireshark Lab 4
    • Researching an Intrusion in Wireshark Lab 5
    • Determining Whether an Intrusion Has Occurred Using Wireshark Part 1
    • Determining Whether an Intrusion Has Occurred Using Wireshark Part 2
  • Day 2
    • NetFlow Analysis using Wireshark
    • NetFlow Placement Strategies Lab
    • Intrusion Detection Worksheet
  • Day 3
    • Configuration of the SNORT IDS
    • Writing SNORT Detection Rules
    • Payload Detection Rules
      • Content Matching and Modifiers
    • Attack Scenarios (1-5)
  • Day 4
    • Non Payload Detection Rules
      • Writing dsize Alerts
      • Writing flags Alerts
      • Writing flow:established Alerts
      • Post-Detection Actions
    • Using Pre-Processors in SNORT
    • Using Output Plugins in SNORT
    • Attack Scenarios (1-5)
      • Practice Writing Detection Rules around Real World Threat Scenarios
  • Day 5 Student Practical Demonstration:
    • Students are given five attack scenarios against which they must write SNORT rules. Once the students have implemented the rules on their SNORT system, the instructor launches attacks against them to determine whether the rules were effective.