Class Details

Within the course you will learn the characteristics of a number of attacks, and a process to evaluate these attacks for the possibility of an intrusion. The section on intrusion analysis will show the data that can be scavenged after a variety of different types of attacks, from the most basic all the way through advanced emerging threats. The systematic process you will not only learn, but also practice in the workshop, will allow you to analyze virtually all types of intrusions.

Once you have examined the different intrusion methods you will be introduced to an incident response life cycle, and practice implementing it with “live” events and scenarios from actual computer incidents. Each “live” exercise will present a series of events, from firewall logs to users calling the help desk. Your task will be to review the information and then, using a defined incident response plan, determine what must be recorded, what must be reported, and the steps required to move forward. The incidents will increase in scope and become more challenging as the workshop progresses.

By the time you leave the course you will have seen a multitude of different attack scenarios, and in the end created your own process for responding to potential incidents within an enterprise network architecture.

Course Outline

Module One: Introduction to Forensics

  • Computer forensics defined
  • Traditional forensics
  • “Live” system forensics
  • Establishing a Forensic Methodology
    • Repeatable process 

LAB: Forensic Analysis: What we're up against

  • In this lab, the student will examine files that have been obfuscated to hide information in them. Files whose headers have been modified will be explored to see how the data can be extracted. Where encryption is used, it will be identified to the point of classifying the algorithm and determining potential methods to try to decrypt the data.

Module Two: Intrusion Analysis of Network Traffic on Windows and Linux

  • Identifying normal vs abnormal traffic
  • Determining cause of abnormal traffic
    • Error
    • Malicious
  • Recognizing common patterns of network attacks
  • Identifying the OS from the network traffic
    • Passive fingerprinting characteristics
    • Nuances of the TCP/IP stack 

LAB: Analyzing basic attacks

  • In this lab, the student will review packet capture files of normal traffic and then be introduced to capture files of abnormal traffic. They will learn how to follow a systematic process and use tools to assist in identifying the abnormal components of the traffic located within the capture files. The student will create and customize their own attack tools, then capture and review the results from these attacks.
  • Components of a sophisticated attack
    • Deception techniques
    • Protocol camouflage 
    • Encryption and tunnels 

LAB: Analyzing a sophisticated attack

  • In this lab, the student will review capture files in which sophisticated methods have been deployed, such as obfuscation and other camouflage and deception techniques. The student will learn the methods of protocol encoding used by an attacker to try to confuse the analyst. The method of identifying protocols that have been tunneled or are using encryption will be practiced, including decryption of the traffic once its presence has been identified and the key has been obtained.
  • Components of advanced attacks
    • Protocol encapsulation
    • More than one Layer 7 protocol
    • Web attacks
    • Services
    • SQL
    • XSS
    • Access controls

LAB: Analysis of Web Attacks

  • In this lab, the student will explore the encapsulation of protocols that are designed to wrap inside another Layer 7 application protocol, such as a SOAP object inside an HTTP packet. The top web application attacks will be reviewed using static packet capture files. The student will then perform the different web application attacks and learn the process to analyze them by seeing what their characteristics are at the packet level.

Chapter Three: Intrusion Analysis Tools

  • Snort 
  • Suricata

Security Onion Lab: Installing Suricata

  • In this lab, the students will install Suricata. The requirement will be to install the tool on a minimum of two different operating systems, so they gain experience with installing on different platforms.

Security Onion Configuration and Tuning

  • Sguil
    • Examining the packet data - Squert 
    • Viewing the details

Lab: Using Sguil and Squert

  • In this lab, the students will first learn the fundamental methods of the tools; following this, the students will explore different tool options. The lab will include a discussion on which tool and which option is preferred by the student.
  • Extracting a transcript using Sguil
  • Interpreting sessions

Lab: Sessions in Sguil

  • In this lab, the students will examine the different sessions in Sguil and practice methods and techniques to analyze them.
  • Graphing with Squert
    • Alert visualization

Chapter Four: Introduction to Incident Response

  • Security Policy and its role in incident response 
  • Introduction and overview of computer forensics and incident response 
  • Planning for incident response: Developing a plan of action
  • Incident response life cycle explained

Incident Response Workshop One

  • In this workshop, the students will be given the process of how to respond to an incident. The student will then receive a sequence of events that present the challenge of handling the incident from initial inception up through response, following the process of Validation, Reporting, Mitigation, Response, Recovery and Feedback.

Chapter Five: Planning a Response to a potential incident

  • Search and seizure laws 
  • What you can and cannot do
  • Laws of digital evidence
    • Hearsay
    • Exceptions to the hearsay rule
    • Digital evidence references

Chapter Six: Processing Windows “LIVE” Forensics information to discover malware

  • Analyzing volatile data
    • Network connections
    • Ports
    • Processes
    • Memory of processes
    • Open files and handles 
    • Routing tables
    • System memory
  • Analyzing non-volatile data
    • System version 
    • Time and date stamp 
    • Registry data
    • Login history
    • Auditing policy
    • Examining the event viewer
    • Logs
    • Using logparser
    • Developing powerful queries
      • Basic 
      • Advanced 

LAB: Windows “LIVE”

  • In this lab, the student will practice the process required to analyze volatile and non-volatile data. The “live” memory on a Windows machine will be reviewed, including process memory and the characteristics of each process in memory, such as its handles and other artifacts of interest. The non-volatile data, including the registry data, will be examined for modifications and changes.

Incident Response Workshop Two

  • In this workshop, the student will build on the knowledge and skill gained from the lab to identify infections within memory and to perform a triage of the received events up to the point where escalation to a higher authority is required.

Chapter Seven: Malware Incident Response

  • Advanced Windows Forensics: Performing low-level internal analysis to identify advanced memory corruptions 
  • Windows internals
    • System architecture
    • Memory management 
    • Cache management 
    • Dumps analysis 
    • Tools 
      • Filemon 
      • Regmon
      • Process explorer 
      • Process explode 
  • Windows rootkits 
    • Traditional
    • Trojaned files and processes 
  • Hooking 
    • Man in the middle attack against the descriptor table
    • DKOM: unlinking processes directly in memory

LAB: Malware Analysis

  • In this lab, the students will learn how malware infects memory. Once the process of memory infection has been reviewed, the methods of extracting data and dumping the memory, including the processes, registry and handles from the infected process, will be covered. The student will learn how powerful a rootkit can be, the methods of infection each rootkit uses, and how to extract the data required to identify the type of rootkit infection.
  • Client side exploitation
    • Binary payloads
    • Malicious files
    • Bypassing anti-virus and other protections
    • Obfuscation and encoding
      • Encoders
    • Frameworks
      • msfvenom
      • Veil
    • PowerShell
      • Empire
      • PowerSploit

LAB: Client Side Attack Vectors

  • In this lab, the student will explore the methods an attacker uses to exploit the client, that is, “click here.” Once the client does click, the student will observe the methods used to obfuscate and encode the communication between the infected client and the Command and Control server. The network traffic of this, as well as the lateral movement, will be explored, including the use of SMB, SSH and other commonly used protocols.

Incident Response Workshop Three

  • In this workshop, the student will practice identifying a variety of events that could be part of a malware campaign against them. The different events will be interpreted, discussed and responded to as a team. The incident response plan built from the experience gained to this point will be flexed and tested, with a team of students emulating an incident response team.