Understand Hackers’ Tools, Tactics, Techniques & Strategies



Introduction:


The internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection, or one or two disgruntled employees, your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential that we understand these hacking tools and techniques. By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, this course helps you turn the tables on computer attackers.

 

This course addresses the latest cutting-edge insidious attack vectors, the attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. It will enable you to discover the holes in your system before the bad guys do! The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks. The course will help you know:

 

  • How best to prepare for an eventual breach
  • The step-by-step approach used by many computer attackers
  • Proactive and reactive defenses for each stage of a computer attack
  • How to identify active attacks and compromises
  • The latest computer attack vectors and how you can stop them
  • How to properly contain attacks
  • How to ensure that attackers do not return
  • How to recover from computer attacks and restore systems for business
  • How to understand and use hacking tools and techniques
  • Strategies and tools for detecting each type of attack
  • Attacks and defenses for Windows, Unix, switches, routers, and other systems
  • Application-level vulnerabilities, attacks, and defenses
  • How to develop an incident handling process and prepare a team for battle
  • Legal issues in incident handling

Course Objectives:


By the end of this course, delegates will be able to:

 

  • Apply incident handling processes, including preparation, identification, containment, eradication, and recovery, to protect enterprise environments
  • Analyze the structure of common attack techniques in order to evaluate an attacker's spread through a system and network, anticipating and thwarting further attacker activity
  • Utilize tools and evidence to determine the kind of malware used in an attack, including rootkits, backdoors, and Trojan horses, choosing appropriate defenses and response tactics for each
  • Use built-in command-line tools such as Windows TASKLIST, WMIC, and REG, as well as Linux NETSTAT, PS, and LSOF to detect an attacker's presence on a machine
  • Analyze router and system ARP tables along with switch CAM tables to track an attacker's activity through a network and identify a suspect
  • Use memory dumps and memory analysis tools to determine an attacker's activities on a machine, the malware installed, and other machines the attacker used as pivot points across the network
  • Gain access to a target machine using METASPLOIT, and then detect the artifacts and impact of exploitation through process, file, memory, and log analysis
  • Analyze a system to see how attackers use the malware to move files, create backdoors, and build relays through a target environment
  • Run the NMAP port scanner and Nessus vulnerability scanner to find openings on target systems, and apply tools such as TCPDUMP and NETSTAT to detect and analyze the impact of the scanning activity
  • Apply the TCPDUMP sniffer to analyze network traffic generated by a covert backdoor to determine an attacker's tactics
  • Employ the NETSTAT and LSOF tools to diagnose specific types of traffic-flooding denial-of-service techniques, and choose appropriate response actions based on each attacker's flood technique
  • Analyze shell history files to find compromised machines, attacker-controlled accounts, sniffers, and backdoors

Who Should Attend?


IT Engineers, IT Professionals, IT Directors, Engineers, IT Project Managers, IT Auditors, IT Compliance Managers, IT Coordinators, IT Support Managers, IT Officers, IT Support Specialists, IT System Administration, Technical Support Professionals, Chief Information Officers, Chief Risk Officers, Information Assurance Officers, Program Managers, Network Systems Analysts, Government Program Managers, R&D Project Managers, Software and System Developers, Chief Security Officers, Security Specialists, Chief Information Security Officers, Directors of Security, Security Architects, Security Operation Center Managers, Security Consultants, Security Managers, Security Auditors, Security Directors, Systems Administrators, Incident Response Analysts, Business Owners, Security Analysts, Security Systems Engineer, Network Architect, Operations Managers, Risk Management Professionals, Network Administration Professionals, Application Developers, Application Support Analysts, Application Engineers, Associate Developers, Technology Officers, Information Officers, Help Desk Specialist, Help Desk Technician, Database Administrators, Network Architects, Network Engineers, Network System Administrators, System Analysts, System Architects, System Designers

Course Outline:


Preparation

  • Building an incident response kit
  • Identifying your core incident response team
  • Instrumentation of the site and system

 

Identification

  • Signs of an incident
  • First steps
  • Chain of custody
  • Detecting and reacting to Insider Threats

 

Containment

  • Documentation strategies: video and audio
  • Containment and quarantine
  • Pull the network cable, switch and site
  • Identifying and isolating the trust model

 

Eradication

  • Evaluating whether a backup is compromised
  • Total rebuild of the Operating System
  • Moving to a new architecture

 

Recovery

  • Who makes the determination to return to production?
  • Monitoring the system
  • Expect an increase in attacks

 

Special Actions for Responding to Different Types of Incidents

  • Espionage
  • Inappropriate use

 

Incident Record-keeping

  • Pre-built forms
  • Legal acceptability

 

Reconnaissance

  • What does your network reveal?
  • Are you leaking too much information?
  • Using Whois lookups, ARIN, RIPE and APNIC
  • Domain Name System harvesting
  • Data gathering from job postings, websites, and government databases
  • Recon-ng
  • Pushpin
  • Identifying publicly compromised accounts
  • Maltego
  • FOCA for metadata analysis

 

Scanning

  • Locating and attacking unsecure wireless LANs
  • War dialing with WarVOX for renegade modems and unsecure phones
  • Port scanning: Traditional, stealth, and blind scanning
  • Active and passive Operating System fingerprinting
  • Determining firewall filtering rules
  • Vulnerability scanning using Nessus and other tools
  • CGI scanning with Nikto
  • PowerShell Empire
  • Bloodhound
  • Rubber Ducky attacks to steal wireless profiles
  • User Behavioral Analytics

 

Intrusion Detection System (IDS) Evasion

  • Foiling IDS at the network level
  • Foiling IDS at the application level: Exploiting the rich syntax of computer languages
  • Web Attack IDS evasion tactics
  • Bypassing IDS/IPS with TCP obfuscation techniques


Network-Level Attacks

  • Session hijacking: from Telnet to SSL and SSH
  • Monkey-in-the-middle attacks
  • Passive sniffing

 

Gathering and Parsing Packets

  • Active sniffing: ARP cache poisoning and DNS injection
  • Bettercap
  • Responder
  • LLMNR poisoning
  • WPAD Attacks
  • MITMf
  • DNS cache poisoning: Redirecting traffic on the Internet
  • Using and abusing Netcat, including backdoors and nasty relays
  • IP address spoofing variations

 

Operating System and Application-level Attacks

  • Buffer overflows in-depth
  • The Metasploit exploitation framework
  • Format string attacks
  • AV and application whitelisting bypass techniques

 

Netcat: The Attacker's Best Friend

  • Transferring files, creating backdoors, and shoveling shell
  • Netcat relays to obscure the source of an attack
  • Replay attacks

 

Password Cracking

  • Analysis of worm trends
  • Password cracking with John the Ripper
  • Hashcat
  • Rainbow Tables
  • Password spraying

 

Web Application Attacks

  • Account harvesting
  • SQL Injection: Manipulating back-end databases
  • Session Cloning: Grabbing other users' web sessions
  • Cross-Site Scripting

 

Denial-of-Service Attacks

  • Distributed Denial of Service: Pulsing zombies and reflected attacks
  • Local Denial of Service

 

Maintaining Access

  • Backdoors: Using Poison Ivy, VNC, Gh0st RAT, and other popular beasts
  • Trojan horse backdoors: A nasty combo
  • Rootkits: Substituting binary executables with nasty variations
  • Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)

 

Covering the Tracks

  • File and directory camouflage and hiding
  • Log file editing on Windows and Unix
  • Accounting entry editing: UTMP, WTMP, shell histories, etc.
  • Covert channels over HTTP, ICMP, TCP, and other protocols
  • Sniffing backdoors and how they can really mess up your investigations unless you are aware of them
  • Steganography: Hiding data in images, music, binaries, or any other file type
  • Memory analysis of an attack

 

Putting It All Together

  • Specific scenarios showing how attackers use a variety of tools together
  • Analyzing scenarios based on real-world attacks
  • Learning from the mistakes of other organizations
  • Where to go for the latest attack info and trends

 

Hands-on Analysis

  • Nmap port scanner
  • Nessus vulnerability scanner
  • Network mapping
  • Netcat: File transfer, backdoors, and relays
  • More Metasploit
  • Exploitation using built-in OS commands
  • Privilege escalation
  • Advanced pivoting techniques

 

Particularly Well-Suited To

  • Incident handlers
  • Leaders of incident handling teams
  • System administrators who are on the front lines defending their systems and responding to attacks
  • Other security personnel who are first responders when systems come under attack

COURSE LOCATIONS

Code   From         To           City          Fee
IT38   24 Feb 2020  28 Feb 2020  Jakarta       US$ 5500
IT38   20 Apr 2020  24 Apr 2020  Madrid        US$ 5500
IT38   22 Jun 2020  26 Jun 2020  Kuala Lumpur  US$ 4500
IT38   24 Aug 2020  28 Aug 2020  Manila        US$ 5500
IT38   25 Oct 2020  29 Oct 2020  Cairo         US$ 3900
IT38   21 Dec 2020  25 Dec 2020  Munich        US$ 6000


DUBAI OFFICE

Ittihad Deira Building,
Al Ittihad Rd, Deira
Dubai,
UAE

info@petrogas-training.com

USA OFFICE

642 E14 Street,
10009-13 Manhattan,
New York (NY)
USA

info@petrogas-training.com

EGYPT OFFICE

52 General Kamal Hejab Street,
Suez Bridge,
Cairo,
Egypt

info@petrogas-training.com
 

COURSE CERTIFICATE

A Certificate of Completion will be provided to the candidate(s) who successfully attend and complete the course. Attendance of at least 75% of the training hours is required.


TRAINING HOURS

Standard course hours: 8:30 A.M. to 3:30 P.M. Informal discussions: 4:30 P.M. to 5:30 P.M.


TRAINING METHODOLOGY

We use a blend of interactive and hands-on methods, active participation, a variety of instructional techniques, dynamic presentations, individual and group exercises, in-depth discussion, DVDs, role-plays, case studies, and examples. All of the information, competencies, knowledge and skills acquired within our training programs are 100% transferable to the participants’ workplace.


ASSESSMENT & EVALUATION

Pre-test and post-test assessments are applied on 5-day and 10-day programs. Post-course evaluation and candidate evaluation are also applied to add another level of quality measurement. Candidates’ feedback is highly appreciated and helps us elevate the quality of the training service.


ORGANIZATIONAL IMPACT

A- Have staff trained in the latest training and development approaches

B- Support nationalization and talent management initiatives

C- Have properly trained and informed people who will be able to add value

D- Gain relevant technical knowledge, skills and competencies


PERSONAL IMPACT

A- Develop job-related skills

B- Develop personal skills in the subject matter

C- Have a record of your growth and learning results

D- Bring proof of your progress back to your organization

E- Become competent, effective and productive

F- Be more able to make sound decisions

G- Be more effective in day-to-day work by mastering job-related processes

H- Create and develop the competency to perform your job well


FREQUENT NOMINATIONS SCHEME

A- 10% discount after 5 candidates’ registration.

B- 15% discount after 10 candidates’ registration.

C- 20% discount after 20 candidates’ registration.

D- 25% discount after 25 candidates’ registration.

E- 30% discount after 30 candidates’ registration.

F- Higher discount rates will be offered based on work volume with different clients.


SEVERAL NOMINATIONS ON THE SAME COURSE SCHEME

A- One extra free seat is offered on 4 candidates on the same course and dates.

B- Two extra free seats are offered on 6 candidates on the same course and dates.

C- Three extra free seats are offered on 8 candidates on the same course and dates.

D- Four extra free seats are offered on 10 candidates on the same course and dates.

E- Five extra free seats are offered on 12 candidates on the same course and dates.


REGISTRATION POLICY

Nominations to our public courses are to be processed by the client’s Training and/or HR departments. A refund will be issued to the client in the event of course cancellation or seat unavailability. A confirmation will be issued to the relevant department official(s).


CANCELLATION POLICY

If a confirmed registration is cancelled less than 5 working days prior to the course start date, a substitute participant may be nominated to attend the same course or a 20% cancellation charge is applied. In case of a no-show, a 100% fee will be charged.


PAYMENT POLICY

Payment is due upon receiving the course confirmation, invoice and/or proforma invoice. However, the fee due can be wire transferred to our bank account directly after course completion. Our bank details are also shown on the confirmation, invoice and proforma invoice. The above documents can be communicated electronically (soft copy) and/or in hard copy, based on the customer’s request.


COPYRIGHT

© 2017. Material published by PETROGAS shown here is copyrighted. All rights reserved. Any unauthorized copying, distribution, use, dissemination, downloading, storing in any medium, transmission, reproduction or reliance in whole or any part of this course outline is prohibited and will constitute an infringement of copyright.