Level: Advanced

Cyber Threats Detection & Mitigation

5 Day | Instructor Led

INVESTIGATING NETWORK INTRUSIONS AND PROTECTING AGAINST THEM.
Cyber threats increase every year, and defending an organization against large-scale, distributed attacks quickly and effectively has become much harder. An Intrusion Detection/Prevention System (IDS/IPS) lets security administrators automate the identification of attacks among the thousands of connections on their network, provided the system is properly configured and its signatures are well written. Taught by network-defense practitioners who work in the cyber security industry, this course demonstrates how to defend large-scale network infrastructures by building and maintaining an IDS/IPS and mastering advanced signature-writing techniques. With intrusion detection systems and trained network security auditors, organizations gain a reliable means to prioritize and isolate the most critical threats in real time.

Ideal Candidates for Cyber Threats Detection & Mitigation Class


  • Incident Responders who need to understand and react to IDS alerts

  • Network Defenders seeking to automate threat detection

  • IDS administrators who wish to improve their signature writing skills

  • Security Operations Center Staff seeking to automate traffic analysis

  • Penetration Testers looking to reduce their network visibility

Cyber Threats Detection & Mitigation Prerequisites


  • A strong understanding of TCP/IP networking

  • Successful completion of the Network Traffic Analysis and Malicious Network Traffic Analysis courses

What You'll Learn in Cyber Threats Detection & Mitigation


  • Recognize the benefits and limitations of different intrusion detection system types (network-based, host-based, and distributed systems)

  • Identify optimal sensor placement and gaps in coverage

  • Write basic IDS signatures to identify traffic of interest and tune them to reduce false positives

  • Use reassembly and pre-processing engines to automatically reconstruct streams of network data prior to analysis

  • Apply decoding and other techniques to overcome IDS evasion efforts

  • Develop complex signatures employing rule chaining, event filtering and post-detection analysis to identify distributed attacks, multi-stage events, and other more complex threats

  • Use regular expressions to effectively detect variable or morphing attacks

  • Manage rule sets to reduce redundancy and maintain system efficiency

No Certification Test Available For This Course

Cyber Threats Detection & Mitigation Outline

DAY 1 AGENDA

INTRUSIONS
  • Types and Methodology
  • Incident Response
  • Incident Response Team Exercise
COMMON THREATS
  • Cyber Crime
  • Social Engineering Malware Installation
  • Exploit Servers & Drive-by Downloads
  • Ransomware Types
  • DNS Hijacking
  • Data Exfiltration Walk-Through
INTRUSION DETECTION SYSTEMS
  • HIDS vs NIDS
  • True and False Positives
  • Active and Passive Response Types
  • Sensor Placement
  • Distributed IDS
  • Detection Types and Methodology
  • Rule Writing Best Practices
  • IDS Shortcomings and Vulnerabilities
INTRODUCTION TO SNORT
  • Snort Components
  • Key Files and Paths
  • Protocol Support
  • Output Formats
  • Output Plugins
INTRODUCTION TO BRO
  • Overview
  • Bro Architecture
  • BroControl
  • Bro Logs

DAY 2 AGENDA

SNORT CONFIGURATION AND VARIABLES
  • Rule Types
  • Signature ID Allocation and Reservations
  • Rule Header Fields
  • Rule Actions
  • Defining and Using Variables
SNORT OUTPUT
  • Formats
  • Adding Output types
OUTPUT PLUGINS
  • Barnyard and Barnyard2
  • Sguil
  • Snorby
  • Squert
  • MySQL
SIGNATURE WRITING
  • Basic Syntax and Guidelines
SNORT RULE OPTIONS
  • Msg
  • Reference and the reference.config File
  • Rev Usage and Change Control
  • Classtype and the classification.config File
  • Priority Usage and Incident Response
  • Content
  • Content Modifier: nocase

DAY 3 AGENDA

THE DETECT OFFSET END POINTER (DOE)
  • Payload Decoding and Processing
  • Start Position and Movement of the DOE
DOE CONTENT MODIFIERS
  • Depth
  • Offset
  • Distance
  • Within
DOE RULE OPTIONS
  • Byte_jump
  • Isdataat
  • Byte_test
SNORT PACKET HEADER RULE OPTIONS
  • IP Header Options
  • TCP Header Options
  • ICMP Header Options
  • Dsize
PRE-PROCESSORS
  • Snort Pre-Processors
  • Stream5 Rule Options – flow, stream_size
  • HTTP_Inspect Rule Options
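The Day 3 options above are easiest to understand as movements of, or tests against, Snort's detect offset end (DOE) pointer. The rules below are an added example written for this page, not course material from UKI. They use Snort 2.9 syntax and assume $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are defined in snort.conf and that SIDs from 1000001 upward are free for local rules; the length-prefixed protocol on port 5555 is constructed for illustration and does not correspond to any real service.

```snort
# Added example rules (not from the course): how each DOE rule option moves or
# tests the detect offset end pointer. Assumes $HOME_NET, $EXTERNAL_NET and
# $HTTP_PORTS are set in snort.conf and SIDs 1000001+ are free for local rules.

# 1. offset/depth are absolute. "USER " must start at byte 0 and the search is
#    confined to the first 10 payload bytes. After the match the DOE sits just past
#    the trailing space, so isdataat:100,relative asks whether at least 100 more
#    bytes follow it, i.e. a suspiciously long username argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP USER command with oversized argument"; \
    flow:to_server,established; \
    content:"USER "; nocase; offset:0; depth:10; \
    isdataat:100,relative; \
    classtype:attempted-admin; sid:1000001; rev:1;)

# 2. distance/within are relative to the DOE. distance:0 starts the next search
#    at the DOE; within:64 requires the match to end within 64 bytes of it. The
#    traversal is searched in http_raw_uri because http_inspect's normalized URI
#    buffer (http_uri) already has "../" segments folded away and would not match.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE WEB directory traversal under /cgi-bin/"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/cgi-bin/"; http_raw_uri; \
    content:"../"; http_raw_uri; distance:0; within:64; \
    classtype:web-application-attack; sid:1000002; rev:1;)

# 3. byte_test reads bytes at the DOE and compares them without moving it;
#    byte_jump reads a length and moves the DOE past that many bytes so later
#    options land on a field whose position varies. Constructed layout on 5555:
#    "EXPT" | 2-byte big-endian length L | L bytes of name | 1-byte opcode
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"EXAMPLE EXPT name length above 255"; \
    flow:to_server,established; \
    content:"EXPT"; depth:4; \
    byte_test:2,>,255,0,relative; \
    classtype:attempted-dos; sid:1000003; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"EXAMPLE EXPT privileged opcode 0xFF"; \
    flow:to_server,established; \
    content:"EXPT"; depth:4; \
    byte_jump:2,0,relative; \
    content:"|FF|"; distance:0; within:1; \
    classtype:attempted-admin; sid:1000004; rev:1;)

# 4. Header options and dsize act on the packet, not on the DOE. The ",12" mask
#    on flags ignores the two ECN bits, so a SYN from an ECN-capable host still
#    matches; without it the rule silently misses those hosts.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE TCP SYN carrying payload"; \
    flags:S,12; dsize:>0; \
    classtype:bad-unknown; sid:1000005; rev:1;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP oversized echo request"; \
    itype:8; dsize:>1000; \
    classtype:bad-unknown; sid:1000006; rev:1;)

# 5. Stream5 options act on the reassembled session: flow fixes the direction and
#    requires a completed handshake; stream_size compares bytes sent by one side.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE SMTP client sent over 50 MB in one session"; \
    flow:to_server,established; \
    stream_size:client,>,52428800; \
    classtype:policy-violation; sid:1000007; rev:1;)
```

Rule 2 is the caveat most worth remembering from this group: which buffer a content modifier selects decides whether the DOE-relative options that follow can ever match, so check what the preprocessor has already normalized before writing a relative chain against it.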

DAY 4 AGENDA

POST DETECTION
  • Post Detection Rule Options
  • Using Tag to follow a Malicious Actor
  • Using detection_filter and event_filter to tune signatures
EFFECTIVE RULE WRITING
  • Content and Fast Pattern Matching
  • Vulnerability versus Exploitation Rules
  • Reversing Imported Rules
PERL COMPATIBLE REGULAR EXPRESSIONS
  • PCRE Meta-characters
  • Snort Specific PCRE
  • PCRE Rule Option Parameters and Usage
TRACKING STATE ACROSS SESSIONS USING FLOWBITS
  • Flowbits Rule Option Parameters and Usage
GROUP EXERCISE
Using all tools and techniques learned in class, students will record and analyze an OS discovery scan. Using the captured packets, they will work in teams to write and tune signatures to detect the scanning tool. This exercise was designed to prepare students for the final practical on Friday.
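The Day 4 topics (flowbits, fast pattern selection, PCRE, post-detection options and event filtering) fit together in a short chain of rules. This is an added example for this page, not UKI course material. It uses Snort 2.9 syntax and assumes $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are defined in snort.conf and that SIDs from 1000010 upward are free for local rules; the /gate.php URI, the 32-hex-character directory, the User-Agent string and the 10.0.0.5 scanner address are constructed for illustration and are not indicators of any real malware family.

```snort
# Added example (not from the course): rule chaining with flowbits, choosing the
# fast-pattern content, PCRE with Snort buffer flags, tag, detection_filter and
# event_filter. Assumes $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are set in
# snort.conf and SIDs 1000010+ are free for local rules. URIs, user agent and
# addresses below are constructed, not real indicators.

# 1. State across a session. The first rule records the anonymous FTP login on
#    the flow and stays silent; the second fires only when that bit is set, so a
#    SITE EXEC from a normally authenticated user does not trigger it. tag then
#    logs the rest of the session for the analyst.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP anonymous login (state only)"; \
    flow:to_server,established; \
    content:"USER anonymous"; nocase; \
    flowbits:set,ftp.anon; flowbits:noalert; \
    classtype:misc-activity; sid:1000010; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP anonymous user issuing SITE EXEC"; \
    flow:to_server,established; \
    flowbits:isset,ftp.anon; \
    content:"SITE EXEC"; nocase; \
    tag:session,60,seconds; \
    classtype:attempted-admin; sid:1000011; rev:1;)

# 2. Fast pattern and PCRE. Snort hands the longest content to the multi-pattern
#    matcher unless told otherwise; the User-Agent string is long but common, so
#    fast_pattern moves pre-filtering onto the rarer "/gate.php". The pcre runs
#    only on packets that pass every content check. /U evaluates it against the
#    normalized URI buffer. |3A| and |3B| are hex escapes for ':' and ';'
#    (a bare ';' inside content would end the option).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE HTTP POST check-in to 32-hex directory"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0"; http_header; \
    content:"/gate.php"; http_uri; fast_pattern; \
    pcre:"/^\/[0-9a-f]{32}\/gate\.php(\?|$)/U"; \
    classtype:trojan-activity; sid:1000012; rev:1;)

# 3. Rate-based tuning. detection_filter is applied before an event exists: the
#    rule produces nothing until one source opens 5 SSH sessions in 60 seconds.
#    event_filter and suppress live in snort.conf or threshold.conf, not in the
#    rule, and act after detection: SID 1000012 is logged at most once per source
#    per minute, and SID 1000013 is never logged for the authorized scanner.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force, 5 sessions from one source in 60s"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:attempted-admin; sid:1000013; rev:1;)

# snort.conf / threshold.conf lines (configuration, not rule options):
event_filter gen_id 1, sig_id 1000012, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 1000013, track by_src, ip 10.0.0.5
```

The distinction in part 3 is the one the "Using detection_filter and event_filter to tune signatures" item turns on: detection_filter changes what counts as a detection, while event_filter and suppress only change how many of the detections that did occur reach the output plugins.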

DAY 5 AGENDA

STUDENT PRACTICAL DEMONSTRATION
Students are given several packet captures containing a variety of scanning and exploitation techniques. They are tasked with identifying the significant elements of the attack and translating them into IDS signatures. Finally, they are tasked with tuning those signatures to reduce false positives and limit excessive events.

Testimonials

A. Erlich

RITSC, N6C

I just wanted to say your presentation on Social Media Technology and Security was the finest I have ever attended.

Wilder Guerra

US Navy Reserve

This course is definitely an eye opener. With how much social media has taken over, it is important to be fully aware of the capabilities along with all the risks it brings. It is important to get this course because social media is the new norm.

Rebekah Coughlin

MicroTech

The Social Media and Security Training course offered by UKI is a great and beneficial course combining technical training to fully understand TCP/IP networking, DNS, and the harms of malware and cross-site scripting; as well as practical training that allowed attendees to play with open source social intelligence gathering solutions. This is the perfect class for those involved in IT security and interested in social media and identity theft.


Top Related Courses

The Ransomware exercise is a customized, six-hour, live-fire Cyber Range training exercise hosted on ACRE. This exercise is led by expert cyber security engineers and can be executed in a classroom as well as remotely. In this exercise, a ransomware attack (for example, “WannaCry”) is launched from a compromise that originates with a malicious spear-phishing email. This exercise includes a hands-on keyboard interface, which creates realistic technical training and management interaction opportunities. This exercise is not simulated: it is real malware, detonated in a representative network environment. Participants are encouraged to view the attack as if it were happening to their institutions in real time, and are asked to share what they have done or would do based on the facts provided. Such “range-based” exercises help institutions better understand the impact of an attack and prompt them to improve the ways in which their network defenders respond, communicate, request assistance, and recover from real-world cyber attacks. Institutions that have participated in this exercise have benefited directly by building greater interaction with their security community, as well as by increasing capability maturity levels and resiliency across their specific customer sector.



All actions in war, regardless of the level, are based upon either taking the initiative or reacting in response to the opponent. By taking the initiative, we dictate the terms of the conflict and force the enemy to meet us on our terms. The initiative allows us to pursue some positive aim even if only to preempt an enemy initiative. It is through the initiative that we seek to impose our will on the enemy.



One major catalyst of change is the advancement of technology. As the hardware of war improves through technological development, so must the tactical, operational, and strategic usage adapt to its improved capabilities both to maximize our own capabilities and to counteract our enemy's.

MCDP-1 Warfighting

For the first time in history, the cyber and warfare climates have intertwined. The blending of these two worlds has shown the importance of functional, practical and aggressive cybersecurity. UKI’s CyberVanguard Series Tier I: Enterprise Guardian focuses on enhancing foundational policies and best practices with advanced fundamentals, empowering cybersecurity teams to protect their enterprise network.

© 2018 Ultimate Knowledge Institute | All Rights Reserved | GSA# GS-35F-0469W