
TRAINER: Lukas Hlavicka
Director of Digital Forensic & Incident Response Department, LIFARS
TARGET AUDIENCE:
- Incident handlers
- Forensics analysts
- Malware analysts
- Security specialists with technical skills
PREREQUISITES:
The participants should:
- Be familiar with Windows PowerShell (beginner level)
- Have some experience with Windows forensics
- Bring a Windows laptop with at least 16 GB of RAM, 100 GB of free space on HDD/SSD and the 64-bit edition of VirtualBox installed. VMware should also work; however, it has not been fully tested with our environment.
Threat Hunting
Windows hosts
22 September 2020 | BRATISLAVA
Selected chapters from threat hunting were built to accelerate the transition from reactive to proactive security operations. In this course you will learn how to proactively detect attackers in a Windows environment on a network and find the basic sets of evidence of their presence.
Description:
Incidents happen. The question is not whether, but when. Maybe next month. Maybe next week. Maybe today. Or… has it already happened? It is better to be prepared for these situations in advance: use a proactive approach and detect a security breach early, then take containment action and remediate the incident.
During this training the participants will see the most common techniques used by attackers once they have gained access to the victim network; we will introduce adversary tactics and techniques based on real-world observations. The participants will see various post-exploitation scenarios, including information gathering and data collection, communication with command and control servers, credential dumping and privilege escalation, internal network reconnaissance and lateral movement, achieving persistence and defense evasion.
Moreover, we will focus on the detection of the introduced techniques and of attacker presence in the network. The participants will have the opportunity to gain hands-on experience with tools and procedures for searching and investigating the network and endpoints in order to detect and isolate these advanced threats.
Learning objectives:
- Identify the sources of data needed for threat hunting
- Learn how to use a comprehensive set of tools, tactics and procedures for systematic threat hunting
What should you take from this training:
An extension of your professional skills as a security specialist into threat hunting: you will know the difference between forensics and threat hunting and acquire the mindset of a threat hunter, as opposed to that of standard security operations.
Course structure
- Threat hunting vs. Digital Forensics Analysis
- Threat hunting process in Windows host
- Attack vectors / TTPs of attackers – case studies
- Persistence mechanisms of attackers / malware and their detection
- Security model of Windows systems / authentication / GPO and common vulnerabilities
- Types of lateral movements and detection possibilities
- Windows Logging and auditing capabilities, use cases and setup guides
- IOCs in standard attacks, where to find them and how to interpret them
- Automating detection of IOCs across multiple hosts with / without a domain
- Sniper threat hunting forensics in Windows environment
This will be a technical training.
Course level: Intermediate to professional
Duration: 8 hours including a lunch break and two 15-minute coffee breaks
Number of attendees: Up to 20 attendees