From BruCON 2016
Revision as of 20:51, 21 January 2015
Tactical Exploitation and Response
Course Description
This class covers both the attacker and the defender model in a single session. Tactical Exploitation and Response dives into the mechanics of real attacker scenarios: students learn to attack systems with real-world techniques rather than penetration-testing techniques. Using a combination of new tools and lesser-known techniques, attendees learn how hackers compromise systems without depending on standard exploits.
After learning techniques that succeed against any target, students turn to unique ways of defending against and detecting these attacks. This part of the course introduces a tactical approach to instrumenting, alerting, and responding in an enterprise. Real-world attacks rely heavily on a set of methodologies, including: compromising systems without standard exploits, Personal Security Product (PSP) evasion, unusual stealth approaches, persistence mechanisms, and varying degrees of collection strategy. Attendees learn how real attackers use these strategies and how to detect, alert on, respond to, and defend against them.
Topics Covered:
- Real offensive mindsets, not penetration testing mindsets
- How attacker recon isn't about processes and software
- Using Windows against itself
- Privilege Escalation without exploits
- Evasion Techniques
- Lateral movement options
- Host logging and auditing
- Leveraging active directory
- Host and network indicator extraction for enterprise results
- Proper response mechanisms and communication
- PCAP and network intelligence extraction
- Advanced host and file triage capabilities
- Host command and process monitoring across a host
Course Contents
Introduction
- Class fundamentals
- Incident Response/Exploitation Fundamentals and Methodologies
- Attacker Methodologies and Mindsets
Host-based Exploitation
- Web hacking techniques for Black Hats
- Customizing exploits for weaponization
- Shells through the web
Lateral Movement
- Network Recon and how it is different from host
- Working through networks
- Uncommon lateral movement techniques
- Abusing Single Sign On for lateral movement
Host Monitoring
- Host monitoring and logging
- Detecting ALL methods of logging on and off
- Process Tracing/Tracking
- Finding Maliciousness in processes
- Windows Event Logs Concepts
- Lateral Movement and Event Logs
Memory Analysis
- Acquisitions and limitations
- Intro to Volatility
- Memory Analysis Basics
- Memory Analysis Advanced
- Poor Man's Memory Analysis
Network Logging Modules
- DNS/Web logs and the basics
- Detecting DNS Tunnels
- Automating DNS logs
- Normal Web Detection Techniques
- Advanced Web Detection Techniques
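As an added illustration of the "Detecting DNS Tunnels" and "Automating DNS logs" items above (this is example code written for this page, not material from the course or its trainer), the following script scores DNS query logs per registered domain and flags domains whose subdomains look like encoded payload. The log format (one query per line: timestamp, client, query type, query name), the sample lines, the thresholds, and the "registered domain is the last two labels" rule are all assumptions made for the example; a real deployment would read the resolver's own log format and use the public suffix list.

```python
"""Heuristic DNS-tunnel detection over query logs (added example, not course material).

Assumed log format (not from the page): "<timestamp> <client_ip> <qtype> <qname>".
Tunnels such as iodine/dnscat encode data in the leftmost label(s), so a tunnelled
domain shows many distinct, long, high-entropy subdomains under one registered domain.
"""
import math
from collections import defaultdict

# Constructed sample log lines; the "tunnel.example.net" queries stand in for a tunnel.
SAMPLE_LOG = """\
2015-04-22T09:00:01 10.0.0.5 A www.example.com
2015-04-22T09:00:02 10.0.0.5 A mail.example.com
2015-04-22T09:00:03 10.0.0.7 TXT k3j9x2m7q1z8p4v6n0r5.tunnel.example.net
2015-04-22T09:00:04 10.0.0.7 TXT b7t2y5w9e1u4i8o0a3s6.tunnel.example.net
2015-04-22T09:00:05 10.0.0.5 A www.example.com
2015-04-22T09:00:06 10.0.0.9 A cdn.example.org
2015-04-22T09:00:07 10.0.0.7 TXT h6d1f5g9c3l7v2z0x4n8.tunnel.example.net
2015-04-22T09:00:08 10.0.0.5 A api.example.com
2015-04-22T09:00:09 10.0.0.7 TXT p9m3r7q1w5k0j4t8y2u6.tunnel.example.net
2015-04-22T09:00:10 10.0.0.5 A mail.example.com
2015-04-22T09:00:11 10.0.0.7 TXT z4a8s2d6f0g1h5j9k3l7.tunnel.example.net
2015-04-22T09:00:12 10.0.0.9 A cdn.example.org
2015-04-22T09:00:13 10.0.0.7 TXT c1v5b9n3m7x0q2w4e6r8.tunnel.example.net
2015-04-22T09:00:14 10.0.0.5 A www.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain).
    Assumption: the registered domain is the last two labels. A production
    detector must use the public suffix list (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname))
    return records


def score_domains(records):
    """Aggregate per registered domain the features a tunnel changes."""
    per = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0,
                               "length": 0, "odd_type": 0, "clients": set()})
    for _ts, client, qtype, qname in records:
        sub, dom = split_name(qname)
        d = per[dom]
        d["queries"] += 1
        d["subs"].add(sub)
        d["entropy"] += shannon_entropy(sub.replace(".", ""))
        d["length"] += len(sub)
        d["odd_type"] += qtype in ("TXT", "NULL")  # record types tunnels favour for bulk data
        d["clients"].add(client)
    return {
        dom: {
            "queries": d["queries"],
            "unique_ratio": len(d["subs"]) / d["queries"],   # tunnels: near 1.0 (every query differs)
            "avg_entropy": d["entropy"] / d["queries"],       # tunnels: > ~3.5 bits/char
            "avg_sub_len": d["length"] / d["queries"],        # tunnels: long labels
            "odd_type_ratio": d["odd_type"] / d["queries"],   # informational, not used to flag
            "clients": sorted(d["clients"]),
        }
        for dom, d in per.items()
    }


def flag_tunnels(records, min_queries=5, min_unique_ratio=0.8,
                 min_entropy=3.5, min_sub_len=16):
    """Return registered domains that exceed every threshold (thresholds are assumptions;
    tune them against a baseline of your own resolver logs before alerting)."""
    flagged = []
    for dom, s in score_domains(records).items():
        if s["queries"] < min_queries:
            continue  # too few queries to judge; avoids one-off noise
        if (s["unique_ratio"] >= min_unique_ratio
                and s["avg_entropy"] >= min_entropy
                and s["avg_sub_len"] >= min_sub_len):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    scores = score_domains(recs)
    for dom in flag_tunnels(recs):
        s = scores[dom]
        print(f"suspect tunnel: {dom} queries={s['queries']} unique={s['unique_ratio']:.2f} "
              f"entropy={s['avg_entropy']:.2f} clients={s['clients']}")
```

The three features together are what matters: CDN and mail domains also produce many unique subdomains (hashed hostnames), but those are short or low-entropy, and legitimately random labels (some certificate-transparency or telemetry lookups) rarely sustain the volume a tunnel needs. Run the scorer over a day of logs first and look at what tops the list before turning the thresholds into alerts.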
Network Monitoring
- Netflow and PCAP concepts
- Finding suspicious traffic in network monitoring
- Lateral Movement detection through network monitoring
Malware Analysis 101
- Lab Setup
- Goals
- File Artifacts and Analysis
Requirements
Students must have:
- Familiarity with a scripting language such as Python, Perl, or Ruby
- Familiarity with Windows and Linux administration
- Familiarity with malware analysis and reverse-engineering processes
Software and hardware requirements
Student machines must be able to run at least two virtual machines under VMware Workstation 8.0 or later (a demo license is sufficient). Running multiple machines usually requires at least 4 GB of RAM. Student laptops must run OS X, Linux, or Windows, and students must be able to disable all antivirus, sniff traffic, adjust firewalls, and so on. Students are responsible for bringing a Windows XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.
Trainer Biography
Russ Gideon has many years of experience in information security in diverse roles, from being a core member of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which gives him a deep understanding of how attackers do what they do, and at high-end Red Teaming, where he has to penetrate sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research at Attack Research, LLC.
More information is available on carnal0wnage
Links:
Wed. 22 - 24 April 2015 (09:00 - 17:00)