Description

During this module, participants will further explore the study of data packets on a deeper level, learn to identify network anomalies, and understand system alerts. Participants will master the use of well-known command-line-interface (CLI) and graphic-user-interface (GUI) tools to further specialize in the field. Participants will learn methodologies to approach investigations of incidents.

Technical content

• Basic Intrusion Detection Tools and Methods
  o Sysmon
  o Advanced Wireshark
  o Uncovering User-Accounts
  o OS Fingerprinting
  o GeoIP Integration
  o Streams Analysis
  o Incident Investigation
  o Hashing Tables
  o Analyzing Cyber-Events
  o Web-Filtering
  o Network Events
  o TShark: Wireshark CLI Tool
• Using Scapy Module
  o Crafting and Analysing Packets
  o Working with PCAP Files
  o Replaying Packets for Investigating

Description

This module will drill down to SIEM (Security Information and Event Management), the primary system used by SOC analysts for monitoring the network. Participants will install a freely available open-source SIEM platform and simulate different scenarios through a pre-prepared virtual environment mimicking an organization. The virtual environment will include: Firewall, WAF, a Domain Controller, and an Antivirus. During this part, participants will have to demonstrate the various practical capabilities they acquired during the course and operate in a real-time environment.

Technical content

Building SIEM Environment

• Installing AlienVault
  Running and Configuring your SIEM
  SIEM Monitoring and Correlation
  Notifications
• Setting-up an Open Source SIEM
  Connecting Devices to the SIEM
  Vulnerability Assessment and Monitoring
  File Integrity Monitoring
• Deploying Security-Onion
  Installing and Configuring Security-Onion
  Upgrading your Log Filtering with Bro
• Setting your Methodology to Cyber Threats
• Network and Host DLP Monitoring and Logging

Monitoring using the Virtual Environment

• Firewall Monitoring and Management using Glasswire
• Centralized Logging Platforms
• Email and Spam Gateway and Web Gateway Filtering
• Threat Monitoring and Intelligence
• Application Whitelisting or File Integrity Monitoring
• Vulnerability Assessment and Monitoring
• Setting your Methodology to Cyber Threats

Description

This module will explain and expand on the use of Windows Management Instrumentation. Participants will learn how to accomplish the core management process and to use WMI to manage both local and remote computers on the LAN network to consolidate the acquired knowledge into building tools skills in PowerShell scripts and regular WMI usage.

Technical content

WMI Architecture

• WMI Classes and Namespaces
• Using WMI Methods
• Associations
• Working with Remote Computers
• Access to the Registry
• Information Gathering
• Storage Information
• Command Execution
• WMI Common Events
• Detection with WMI

Description

This module will teach the participant to manage an enterprise security incident, while avoiding common errors, increasing both the effectiveness and efficiency of your incident response efforts.

Technical content

Tools and Techniques for digital investigations

• Data Analysis of data formats analysis for investigative purposes
• Behavior Analysis
• Review of Data Collection Techniques
• IR Essentials
• Base Policy and Common Detection
• Fingerprinting New Systems
• Intro to Threat Hunting