Black Hat Digital Self Defense Asia 2005
Training

Note: if the class is overfilled, then you will be wait-listed. You will be contacted should this occur.


Black Hat USA Training 2005
Caesars Palace Las Vegas • July 23-24 & July 25-26

Course Length: 2 days

Cost: US $1800 on or before July 1, 2005 or US $2000 after July 1, 2005
NOTE: this is a two day course. A Certificate of Completion will be offered. You must provide your own laptop.


Two Day Course
July 23-24 & July 25-26

Dynamic Defense:
The Theory and Practice of Automating Attack Detection and Response

Dominique Brezinski

What to bring:
Students with an understanding of operating system internals, programming, and vulnerability exploitation (x86 assembly in the context of attack entrance vectors and payloads) will benefit most from this course, though they are not required if the student wants a crash course in these subjects (and is willing to minimize the impact on their classmates). The demonstrations and labs will be done on x86 Linux systems, so a working knowledge of the Linux operating environment is a requirement to maximize the learning experience. Skimming through the book “Understanding the Linux Kernel” by Bovet and Cesati, particularly chapters 3, 9, and 20, will provide excellent background knowledge to absorb certain aspects of the class content.

Students must bring a laptop with Ethernet and 802.11x networking and an SSH client installed. Though not required, having Linux installed on the laptop directly or in a VM is preferable. The student must have the latest release of MetaSploit installed and operational on their system.

The student should have an understanding of most of the following concepts and technologies:

  • Operating system internals; particularly process creation, resource allocation, system calls, and file systems
  • Programming in C and Ruby (similar to Perl and Python, so if you are familiar with either don’t worry)
  • A little x86 assembly
  • Exploitation of vulnerabilities (buffer overflows, shellcode, etc.)

Overview
This course is designed to teach students how exploits affect the targeted system, how the effects can be monitored in real time, and how response to the attack can be largely automated. Both theory and a specific implementation (on Linux) will be presented to the students through lectures, demonstrations, and hands-on lab exercises. Students should have a background in operating systems and programming and some understanding of how most vulnerabilities are exploited (i.e. familiarity with buffer overflows and ‘shellcode’).

Detailed information on the footprints and fingerprints created by attacks will be presented, and based on that information the class will study and experiment with where and how the attacks can be detected in the operating system. Topics such as filesystem access, system call usage, and resource access will be presented and discussed. Understanding what information and system state parameters are under the attacker’s control is also a critical element of designing any intrusion detection system, so the class will spend some time focused on counter-detection and evasion.

Once the class has a good understanding of automated attack detection, the topic will move to response. An untraditional approach will be presented that is based on the needs of an incident investigator, rather than what is convenient for the developer of the intrusion detection system. In addition, a case will be made for automated response given today’s computing environments and threats.

Many people will find value in this class: developers and researchers interested in or building intrusion detection and prevention systems; security engineers interested in understanding the details of how IDS/IPS should work, where problems exist in many commercial products, and how they might extend or integrate various tools and products; pentesters interested in understanding how detectable their methods are and gaining insight on evasion and counter-detection techniques; and forensic technicians interested in making their jobs easier and pushing the state of the art.

Who should attend
Security Engineers, Security Software Developers, Researchers, Penetration Testers, Forensic Technicians

ISC2 CISSP/SSCP CPE Credits
Students are eligible to receive 16 Continuing Professional Education (CPE) credits upon completion of the class. Black Hat will automatically forward your information to ISC2.


Trainer:

Dominique Brezinski, resident technologist at Black Hat, has spent the last few years thinking about and implementing advanced intrusion detection and response at the operating system level. His background in security spans the last decade and includes extensive experience in protocol and software vulnerability analysis, penetration testing, software research and development, and operations/incident response in large-scale computing environments. Dominique's former employers include Amazon.com, Decru, In-Q-Tel, Secure Computing Corporation, Internet Security Systems, CyberSafe, and Microsoft.

(c) 1996-2007 Black Hat