Level: Foundation

Business Email Compromise (BEC) XML Entity Injection (XXE) Exercise

1 Day | Instructor Led

The BEC XXE exercise is a customized, six-hour Cyber Range exercise hosted on ManTech's Advanced Cyber Range Environment (ACRE). Led by expert cyber security engineers, the exercise can be delivered in a classroom or remotely. In this exercise, BEC-based attacks are simulated. Participants will be introduced to variations of the BEC attack (both external and internal) and will capture, preserve and recover network and host-based artifacts from the attacks. They will also determine the origin of the attacks, the extent of the compromise, and any ongoing activity related to it. Discussion focuses on blue team threat hunter tasks. This exercise uses a hands-on keyboard approach to create realistic technical training and management interaction opportunities in which participants respond to and report events as they are identified. Participants are engaged via an Incident Response "Observe/Engage" model and are encouraged to view the attack as if it were happening to their own institutions in real time. Participants are asked to share what they have done or would do based on the facts provided.

Ideal Candidates for Business Email Compromise (BEC) XML Entity Injection (XXE) Exercise Class

Beginner, intermediate, and expert cyber security analysts wishing to update their hands-on skills.

Business Email Compromise (BEC) XML Entity Injection (XXE) Exercise Prerequisites

Technical experience in incident response, security operations, cyber forensics, or threat hunting. Experience in Windows or network administration is also helpful.

What You'll Learn in Business Email Compromise (BEC) XML Entity Injection (XXE) Exercise

Phase 1 – Introduction and Analysis of the Compromise; Phase 2 – Discussion; Phase 3 – Analysis of the Second Compromise; Phase 4 – Hot Wash.

Business Email Compromise (BEC) XML Entity Injection (XXE) Exercise Certification

No certification test available for this course

Business Email Compromise (BEC) XML Entity Injection (XXE) Exercise Outline

Phase 1 – Introduction and Analysis of the Compromise

Participants will be introduced to the environment and to the potential threat from the threat actors, and will work to capture, preserve and recover network and host-based artifacts from the attacks, determine the origin of the attacks, the extent of the compromise, and whether there is any ongoing activity related to it. The methodology used in this attack scenario is more detectable and provides more artifacts to recover and analyze. The attack script begins with a VPN compromise and uses XML injection. Components of the attack covered in this exercise include session hijacking, SQL injection, admin credential capture, and database exfiltration. Once the network is compromised by the external attack, further attacks are staged by personnel inside the network, simulating data exfiltration and attackers staging for a BEC-based attack, itself simulated via compromises originating from malicious spear phishing.

Phase 2 – Discussion

Discussion focuses on blue team threat hunter tasks. Participants are asked to share what they have done or would do based on the facts provided. Objectives are reviewed so that participants may:

- Identify the vulnerabilities and tools used to compromise the environment and any devices and accounts affected by the compromise.
- Discuss and identify means to better protect and defend the environment, and to capture and identify vulnerabilities.

Phase 3 – Analysis of the Second Compromise

This phase repeats the attack techniques used in the initial phase, but the methodology used in this attack scenario is less detectable and provides fewer artifacts to recover and analyze. As before, the attack script begins with a VPN compromise and uses XML injection. Components of the attack covered in this exercise include session hijacking, SQL injection, admin credential capture, and database exfiltration. Once the network is compromised by the external attack, further attacks are staged by personnel inside the network, simulating data exfiltration and attackers staging for a BEC-based attack, itself simulated via compromises originating from malicious spear phishing. As before, participants will work to capture, preserve and recover network and host-based artifacts from the attacks, determine the origin of the attacks, the extent of the compromise, and whether there is any ongoing activity related to it.

Phase 4 – Hot Wash

Discussion is similar to that of Phase 2, but with the aim of identifying the differences between the first and second attack. Objectives include:

- Identify the vulnerabilities and tools used to compromise the environment and any devices and accounts affected by the compromise.
- Identify differences in the vulnerabilities used between Phase 1 and Phase 3.
- Discuss and identify means to better protect and defend the environment, and to capture and identify vulnerabilities.
- Relate the lessons learned to what can be implemented within the participants' own institutional environments.

Attacker Point of View: A Red Team member then briefs the participants on the details and the different methods used in each attack, for further discussion on what might have been missed and what can be learned and improved upon.

Testimonials

A. Erlich

RITSC, N6C

I just wanted to say your presentation on Social Media Technology and Security was the finest I have ever attended.

Wilder Guerra

US Navy Reserve

This course is definitely an eye opener. With how much social media has taken over, it is important to be fully aware of the capabilities along with all the risks it brings. It is important to get this course because social media is the new norm.

Rebekah Coughlin

MicroTech

The Social Media and Security Training course offered by UKI is a great and beneficial course combining technical training to fully understand TCP/IP networking, DNS, and the harms of malware and cross-site scripting, as well as practical training that allowed attendees to play with open source social intelligence gathering solutions. This is the perfect class for those involved in IT security and interested in social media and identity theft.

© 2018 Ultimate Knowledge Institute | All Rights Reserved | GSA# GS-35F-0469W