Hunt The Hacker
Hunt The Hacker is a practical training that teaches attendees how to discover hackers who have bypassed existing security mechanisms and are now operating invisibly within the internal network. This course is Windows domain centric. Brought to you by professional hackers!
Training duration: 2 days of instruction, predominantly in the form of hands-on hunting labs.
Group size: 10 participants maximum
Target audience: Everybody who needs to know more about what threat hunting is, why it is necessary, what is required to start doing it, and how it should be done. Appropriate roles include: CISOs, Security Managers, SOC staffers, Incident Responders, Forensic Analysts and System Administrators.
Pre-requisites: To maximize value to the attendee, prior participation in our Hands-on Hacking Essentials (HOHE) course is highly recommended, but not mandatory.
Price: 2 days, 800 EUR + VAT
Contents of the training
Participants learn how to hunt hackers within our Windows 10 lab network, using a range of highly effective threat hunting technologies and techniques to look for real-life attacks.
Sysmon: Sysmon is the go-to solution for hunters working with Windows machines, and is the technology that Microsoft itself uses to hunt hackers within their own networks.
WEF: Windows Event Forwarding is the official Microsoft “agentless” mechanism by which Windows Events are streamed from endpoints into a “data lake”, for analysis by hunters.
Elastic Stack, formerly “ELK”: The Elastic Stack is a suite of mature open source technologies that is popularly used for hunting by big-name companies. The principles taught in this course using the Elastic Stack also apply more generally to other data lake products such as Splunk, Sumo and others.
WinRM: Windows Remote Management (WinRM) allows hunters to interrogate their fleet of Windows machines in real time from a central collection point. Students will learn how to issue various hunting questions to the fleet, and how to process the results in ways that will highlight the activities of attackers.
PowerShell: PowerShell in Windows is a double-edged sword, being immensely useful for both defense and offense. In this course students will be taught:
- How PowerShell can be safely leveraged in order to hunt attackers
- How Windows fleets can be set up to log PowerShell activities
- How PowerShell logs can be scanned for attacker activities
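The following PowerShell is an added example, not course material, showing the two halves of the PowerShell bullet points above: turning on Script Block, Module and Transcription logging on a host (these are the registry locations that the corresponding Group Policy settings write to; on a fleet the same values are normally deployed via GPO), and then scanning the resulting Script Block Logging events (event ID 4104) for substrings that are rare in administrative scripts but common in offensive tooling. The transcript output directory and the pattern list are assumptions to be tuned against your own environment.

```powershell
# Added example (not part of the course material): enable PowerShell logging on a
# single host and scan the resulting Script Block Logging events for patterns that
# commonly appear in attacker tradecraft. Requires administrative rights.

function Enable-PowerShellHuntLogging {
    # These registry paths are the ones the PowerShell Group Policy settings write
    # to; setting the values directly has the same effect as the GPO.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script Block Logging: event 4104 in Microsoft-Windows-PowerShell/Operational
    # records the de-obfuscated content of every script block as it executes.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module Logging: event 4103 records pipeline execution details; '*' = all modules.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Transcription: full input/output of every session is written to text files.
    # The output directory is an assumption; in production point it at a location
    # users can write to but not read back or modify (e.g. a write-only share).
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String
}

function Find-SuspiciousScriptBlocks {
    param(
        [int]$MaxEvents = 5000,
        # Assumed starting list; extend it from your own "known bad" research and
        # prune entries that turn out to be "known good" in your environment.
        [string[]]$Patterns = @(
            'FromBase64String', '-EncodedCommand', 'DownloadString', 'DownloadFile',
            'Invoke-Expression', 'IEX', 'Net.WebClient', 'System.Reflection.Assembly',
            'VirtualAlloc', 'AmsiUtils'
        )
    )
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # For event 4104 the script block text is the third property (index 2);
        # the first two are the fragment number and the fragment count.
        $text = [string]$_.Properties[2].Value
        $hits = [regex]::Matches($text, $regex, 'IgnoreCase') |
                Select-Object -ExpandProperty Value -Unique
        if ($hits) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Matches     = ($hits -join ', ')
                Preview     = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

# Usage (run from an elevated PowerShell session):
#   Enable-PowerShellHuntLogging
#   Find-SuspiciousScriptBlocks | Sort-Object TimeCreated | Format-Table -AutoSize
```

Keyword matching of this kind is a "known bad" hunt: it is cheap to run over a data lake such as the Elastic Stack once the 4104 events are forwarded, but it only catches what the pattern list names, which is why the course pairs it with the known-good and outlier techniques described below.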
YARA: YARA is a Google-owned technology which, from their own description, is “the Swiss-army knife for malware researchers (and everyone else)”. Students will learn how to leverage the power of YARA in order to pick up the “fingerprints” of malicious activities from log files.
Known bad: Students will learn how to research and develop hunts for known indicators of attack.
Known good: Students will learn how to “find evil by knowing normal”, using various processes of elimination to reduce a set of raw collected data down to “not known good”. Students will then determine through investigation whether the remaining data are indicators of attack or benign in nature. Benign items are labeled as “known good” so that they need not be investigated again.
Outliers: Outlier detection is the “power technique” of threat hunting. Students will learn how to leverage statistical analysis in order to force anomalies in large-scale sets of data to become apparent, which will commonly highlight indicators of attack.
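As an added example (not course material) tying together the WinRM, known-good and outlier items above, the PowerShell below collects the running processes from a fleet with Invoke-Command over WinRM, drops entries already cleared as known good, and stacks what remains by least frequency of occurrence so that image/hash combinations seen on only one or two hosts float to the top. The host names, the known-good list and the inline sample inventory are constructed so that the stacking part runs offline; the function names are this example's own.

```powershell
# Added example (not part of the course material): WinRM fleet collection followed
# by known-good elimination and least-frequency stacking of processes.

function Get-FleetProcessInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )
    # This script block runs on every remote host in parallel via WinRM and returns
    # one record per process, including the SHA256 of the image on disk.
    $collector = {
        Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object {
            $hash = try { (Get-FileHash -Path $_.ExecutablePath -Algorithm SHA256).Hash } catch { 'UNREADABLE' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.Name
                Path     = $_.ExecutablePath
                Hash     = $hash
                User     = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User
            }
        }
    }
    $params = @{ ComputerName = $ComputerName; ScriptBlock = $collector; ErrorAction = 'Continue' }
    if ($Credential) { $params.Credential = $Credential }
    Invoke-Command @params | Select-Object Computer, Name, Path, Hash, User
}

function Find-ProcessOutliers {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        # Known good: "path|hash" pairs that were investigated earlier and cleared.
        [string[]]$KnownGood = @(),
        # Anything seen on more than this many hosts is treated as fleet-normal.
        [int]$MaxHosts = 2
    )
    $Inventory |
    Where-Object { $KnownGood -notcontains ($_.Path + '|' + $_.Hash) } |
    Group-Object Path, Hash |
    ForEach-Object {
        $hosts = @($_.Group | Select-Object -ExpandProperty Computer -Unique)
        [pscustomobject]@{
            Path      = $_.Group[0].Path
            Hash      = $_.Group[0].Hash
            HostCount = $hosts.Count
            Hosts     = ($hosts -join ', ')
            Users     = (@($_.Group | Select-Object -ExpandProperty User -Unique) -join ', ')
        }
    } |
    Where-Object { $_.HostCount -le $MaxHosts } |
    Sort-Object HostCount, Path
}

# Constructed sample inventory standing in for what Get-FleetProcessInventory returns
# (hashes shortened to placeholders). Three workstations, one of which runs a second
# "svchost.exe" from a user's Temp directory.
$sample = @(
    'WS01|svchost.exe|C:\Windows\System32\svchost.exe|HASH_A|SYSTEM',
    'WS02|svchost.exe|C:\Windows\System32\svchost.exe|HASH_A|SYSTEM',
    'WS03|svchost.exe|C:\Windows\System32\svchost.exe|HASH_A|SYSTEM',
    'WS01|explorer.exe|C:\Windows\explorer.exe|HASH_B|alice',
    'WS02|explorer.exe|C:\Windows\explorer.exe|HASH_B|bob',
    'WS03|explorer.exe|C:\Windows\explorer.exe|HASH_B|carol',
    'WS02|svchost.exe|C:\Users\bob\AppData\Local\Temp\svchost.exe|HASH_C|bob',
    'WS03|backup.exe|C:\Program Files\Backup\backup.exe|HASH_D|SYSTEM'
) | ForEach-Object {
    $f = $_ -split '\|'
    [pscustomobject]@{ Computer = $f[0]; Name = $f[1]; Path = $f[2]; Hash = $f[3]; User = $f[4] }
}
# backup.exe was investigated in an earlier hunt and cleared.
$knownGood = @('C:\Program Files\Backup\backup.exe|HASH_D')

# Only the Temp-directory svchost.exe on WS02 remains after elimination.
Find-ProcessOutliers -Inventory $sample -KnownGood $knownGood | Format-Table -AutoSize

# Against a real fleet (requires WinRM enabled on the targets):
#   $inv = Get-FleetProcessInventory -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name)
#   Find-ProcessOutliers -Inventory $inv -KnownGood $knownGood
```

Each item the hunter clears gets appended to the known-good list as a "path|hash" pair, so the same process is not re-investigated on the next run; the same stack-and-eliminate loop works for services, scheduled tasks, autoruns or any other per-host inventory the fleet can be asked for over WinRM.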
It is important to note that although this course is Windows-centric, the building-block technological capabilities and hunting principles are equally applicable to Linux and macOS.
Karl joined the team in September 2015 as a Web application pentester. His previous work experience consists mainly of Web application development. He holds an M.Sc. degree in Cyber Security from Tallinn University of Technology. He wrote his master's thesis about improving Web Attack Campaign overview in Cyber Defense Exercises.
Karl is a trainer of our Hands-on Hacking Essentials (HOHE) course, Hands-on Hacking Advanced (HOHA) course and Hunt The Hacker (HtH) course.
Taavi joined the team in April 2015 as a Web application pentester. His previous work experience consists mainly of Web application development. He holds an M.Sc. degree in Cyber Security from Tallinn University of Technology. He wrote his master's thesis about improving User Simulation Team Workflow in the Context of Cyber Defense Exercise. Taavi is a trainer of our Hands-on Hacking training series (HOHE, HOHE FU, HtH, HOHA).
The trainers engage participants with lectures, live demonstrations and Q&A sessions. Each participant spends the majority of their time performing a wide variety of hands-on hunts.
Participants will understand what threat hunting is, be utterly convinced of the need for it, know what infrastructure is required to facilitate it, and be able to start doing it with confidence within their own organizations.
The training environment is a remotely accessed lab that can be used by participants anywhere in the world, as long as a VPN connection over decent Internet connectivity is available. The hunting lab is hosted on Clarified Security's own virtualized infrastructure. Each student has their own account on the shared environment, which is made up of a Windows domain plus threat hunting infrastructure.
Technical requirements for the training
Good Internet connection - at least 10 Mbps download speed via a network cable (RJ45 connector) for connecting the classroom to the training server in Tallinn, via our VPN device. The VPN device just needs to get an IP address via DHCP and have outgoing IPsec traffic allowed to our training environment IP addresses. The participants will be using a web browser and an RDP client to connect to computers and services within the training environment via this VPN connection.
Participants' computers - any computer or laptop with any operating system will do, as long as a Windows RDP compatible client is installed. The customer is expected to provide the LAN (switch + cables + power sockets) that can be connected to our VPN device, which supplies IP addresses via DHCP. In the case of laptops, we can provide our own WiFi access point for creating a LAN. A minimum monitor resolution of 1024x768 is recommended.
Video projector and large screen - so that command line activity is also easy to follow from the back row.