$4,000

(SOSummit) Adversary Tactics - Detection Training Course

Event Information

Location

Embassy Suites by Hilton San Antonio Landmark

5615 Landmark Parkway

San Antonio, TX 78249

Refund Policy

Refunds up to 7 days before event

Event description

This course is being held as part of the first SpecterOps Summit and will include evening events and social activities.

---------------------------------------------------------------------------------

Tired of "detecting" a breach only after an incident is already underway? Hunt operations focus on proactively searching for malicious threat actors and closing the gap between infection and detection. Many security solutions attempt to prevent the initial compromise, or to detect known post-exploitation activity, but skilled attackers can bypass them. This course will teach you how to create threat hunting hypotheses and execute them in your environment to proactively search for attacker indicators that existing security solutions have not identified.

In this course, you will:

  • Build a comprehensive Hunt Hypothesis.
  • Assess the quality of your data sources.
  • Develop metrics to track the effectiveness of your hunt program.
  • Perform basic triage procedures for suspicious activity.
  • Practice in a simulated enterprise network against real advanced adversary techniques and malware samples.
  • Collect extensive Windows host telemetry and metadata using built-in and open source tools.
  • Efficiently analyze gathered data to detect threat actor post-exploitation techniques.

Course Summary

Enterprise networks are under constant attack from adversaries of all skill levels. Blue teamers are facing a losing battle, as the attacker only needs to be successful once to gain access. Since the scales are heavily tipped in the attacker's favor, a new defensive mindset is required. Rather than focusing only on preventing attacks from succeeding, assume a breach could occur and proactively search for evidence of compromise in the environment. The malicious techniques used to spread laterally, pivot, and escalate privileges are not normal in networks and can be detected. A proper Threat Hunting program is focused on maximizing the effectiveness of scarce network defense resources to protect against a potentially limitless threat.

Threat Hunting takes a different perspective on performing network defense, relying on skilled operators to investigate and find the presence of malicious activity. This course builds on standard network defense and incident response (which target flagging known malware) by focusing on abnormal behaviors and the use of attacker Tactics, Techniques, and Procedures (TTPs). We will teach you how to create threat hunting hypotheses based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will use free and open source data collection and analysis tools (Sysmon, ELK and Automated Collection and Enrichment Platform) to gather and analyze large amounts of host information to detect malicious activity. You will use these techniques and toolsets to create threat hunting hypotheses and perform threat hunting in a simulated enterprise network undergoing active compromise from various types of threat actors.

Course Syllabus

Day 1:

  • Threat Hunting Introduction
  • MITRE ATT&CK and Adversary TTPs
  • Data Source Identification
  • Data Quality Assessment
  • Host Baselining
  • Threat Hunting Campaign Types

Day 2:

  • Interpreting Threat Reports
  • Host-based Collection Methodology
  • Defensive Indicator Design
  • Hunt Hypothesis Generation Process
  • Post Hunt Activities

Day 3:

  • Digital Signature Validation
  • Dynamic Binary Analysis
  • Hunt Hypothesis Generation (based on Threat Intel Report)
  • Hypothesis Execution

Day 4:

  • Capstone
  • Threat Hunting Engagement
  • Live Environment/Adversary

Student Requirements

This class is intended for defenders wanting to learn how to effectively Hunt in enterprise networks. Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.

Hardware Requirements

The course lab is accessed through a browser with connectivity to the internet. Participants will need to bring a laptop with a browser that can connect to a publicly routed Apache Guacamole instance over ports 80/443.

What's Included

  • Four day training
  • All day beverages and snacks
  • Daily lunch
  • Evening activities as part of SpecterOps Summit

Accommodations

Training will take place at the Embassy Suites by Hilton San Antonio Landmark in San Antonio, Texas.

FAQs

How can I contact the organizer with any questions?

Please email info@specterops.io with any questions.

What's the refund policy?

Full refunds will be provided up to 7 days before the course start date.

The lab is accessed through student laptops via a browser with connectivity to the internet.
