Tactical Response is a multidisciplinary approach to understanding the methodologies, techniques, and tools of both offensive and defensive security. This two-day course introduces a tactical approach to instrumenting, alerting, and responding for enterprises. Using a combination of new tools and uncommon techniques, students will learn how to defend a network against today's evolving threats. Real-world attacks rely heavily on a number of methodologies, including compromising systems without depending on standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert on, respond to, and defend against these techniques.
Students will learn:
- How to manipulate enterprise tools and infrastructure in unusual ways for better security
- How to build and employ custom logging tools for detecting lateral movement, persistence mechanisms, data targeting, and exfiltration
- How to provide actionable data to help decision makers
- New techniques to help drive rapid intelligence from files and systems
- How to properly defend against and respond to incidents on a network
- An offensive mindset applied for defensive purposes
Students will get the chance to work with real "APT" tools and see the unique differences between how they are used in real attacks versus the penetration testing tools in use today. These differences will help students learn how to truly detect real adversaries.
Topics Covered:
- Real offensive mindsets, not penetration testing mindsets, for enterprise response
- Proper response mechanisms and communication
- Host and network indicator extraction for enterprise results
- Quickly gather and identify data for incident use
- Host logging and auditing
- Leveraging Active Directory, AV, and other tools in unique ways for alerting
- PCAP and network intelligence extraction
- Leveraging Windows syscalls for alerting across an enterprise
- Advanced host and file triage capabilities
- Host command and process monitoring across a host
This course is well suited to incident responders and, in general, any defenders. It is also well suited to offensively focused practitioners: the class can help penetration testers learn what NOT to do.
8.0 and above (which can be obtained through a demo license). Running multiple virtual machines usually requires at least 4 GB of memory.
Student laptops must be running OS X, Linux, or Windows, and students must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc.
We encourage students to have a copy of IDA Pro version 6.0 or greater. Students are responsible for bringing a Windows XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.
Students must have:
- Familiarity with scripting languages such as Python, Perl, or Ruby
- Familiarity with Windows and Linux administration
- Familiarity with malware analysis and reverse engineering processes
Students will walk away from the class with full documentation and all of the custom and non-custom tools that we have given them or that they have designed in class. Students leave AR training sessions with more than just the "usual" training materials: they leave with a wealth of knowledge for defending networks.