Ultimate Defensive Cyber Bundle – log analysis, malware analysis, and packet analysis

There is just no getting around it. If you really want to be able to protect today’s networks you’ve gotta be a defensive cyber analysis guru. That means you’ve got to know log analysis, malware analysis, and packet analysis.

Don’t worry buddy – I’ve got EXACTLY what you need. It’s a 3-day course that is 100% hands-on. That means….

ABSOLUTELY NO DEATH BY POWERPOINT!!!!!

This class is all labs, real logs, and live malware.

All you need is a Linux virtual machine for this class. You can use Kali Linux, or any modern Linux distribution or you can download my Linux virtual machine from here:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts

If you are worried that you aren’t strong enough in Linux and want to prepare for this class, you can watch and work through the following videos before the class starts on Monday:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGCkg2uj3PxUWhMDuTw3VKjM

Students will receive

  • 40 hours of CPEs (certificate of completion upon sending in class homework)
  • Linux virtual machines
  • Lab manual

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time, or even a whole day.

Support

Students can request help via email based trouble ticketing system (allow 24 hours for a response). Just send an email to [email protected] with any issues or concerns that you may have.

Schedule

  • Monday 9th April (6:00 pm EST – 10:00 pm EST)
  • Wednesday 11th April (6:00 pm EST – 10:00 pm EST)

Course Cost

This course bundle costs $100 for access.

Advanced Threat Hunting with Splunk

Advanced Threat Hunting with Splunk – When it comes to log analysis, Splunk is one of the most popular enterprise-grade solutions in the field today. It can pull logs from nearly any device in the network, and it can integrate with most of the popular security products on the market. In the InfoSec field today Splunk is a common tool for what is called Cyber Threat Hunting/Hunt Teaming/Malware Hunting/Defensive Cyber Operations (DCO)/Cyber Threat Analysis, among many other names.

As popular as Splunk is – surprisingly few people are comfortable performing security event analysis with it. We decided to develop a Hands-on Splunk course designed specifically for InfoSec Professionals that want to do HANDS-ON DEEP TECHNICAL SECURITY ANALYSIS with Splunk.

Class Syllabus

Module 1: Deploying Splunk, configuring logging and forwarding

  • Installing Splunk
  • Configuring logging in Windows and Linux
  • Setting up log forwarding
  • Understanding how Windows Event logging works

Module 2: Attacking Servers and Workstations

  • Learning attacker tools/tactics/procedures (TTPs)
  • Generating real-world security events to analyze
  • Attacking Workstations
  • Attacking Application Servers
  • Learning what types of security events generate log events
  • Writing basic queries for common attacks
  • Analyzing PCAP files with Splunk

Module 3: Hunting with Splunk

  • Data-Centric vs End-Point Hunting
  • Understanding IOCs/IOAs
  • Indicators of Compromise (IOCs)
  • Indicators of Attack (IOAs)
  • Integrating data from popular security products
  • Writing complex queries
  • Detecting Zero-Day attacks

Who is this class for?

IT System Administrators, IT Security Professionals, SOC Analysts, First Responders, Incident Handlers, Intrusion Analysts, Malware Analysts

Class pre-requisites

Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.

Students should be familiar with VMware Workstation and be able to create and configure virtual machines.

Students are recommended to have a high-level understanding of key programming concepts, such as variables, loops, and functions; however, no programming experience is necessary.

Students will be provided with detailed courseware, detailed lab manuals, and copy/paste notes so that even if a student is not very strong technically they will be able to complete the lab exercises and take notes effectively.

Class Schedule

May 7th & 9th, 7:00 pm EST – 9:00 pm EST

Class Delivery Method

Live-online instructor-led

NOTE:

Online students will be given access to VMware virtual machines to download for the class, as well as the previous version of the Splunk course. A new, updated version of the courseware will be delivered on the first day of class.

Students will receive

  • 24 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab manual

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Students can request help via email based trouble ticketing system (allow 24 hours for a response). Send all questions/concerns to [email protected]

Class Cost: $200

The class cost is regularly $500, but you can get it for $200 if you sign up before April 20th.

Fill out this form to sign up for the class.

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

TCP Dump

What is tcpdump?

Tcpdump is widely regarded as an essential security tool for any computer or device connected to a network that carries Transmission Control Protocol/Internet Protocol (TCP/IP) traffic. It is free software released under a Berkeley Software Distribution (BSD) license, and it captures and analyzes network packets through its command-line interface.

tcpdump runs on a great many Unix-like operating systems, including those listed below. On each of them it depends on the packet capture library (libpcap) to access the network interface.

  • Android
  • Linux
  • Mac OS
  • Sun Solaris
  • IBM Advanced Interactive eXecutive (AIX)
  • BSD
  • Hewlett Packard Unix (HP-UX)

On Microsoft Windows, the port of tcpdump is called WinDump; it relies on the WinPcap library instead.

History

It is worth getting some historical background on tcpdump and how it has evolved over time. It is an old tool: it dates back to 1987, when it was written by Van Jacobson, Craig Leres, and Steven McCanne, who all worked in the Network Research Group at Lawrence Berkeley Laboratory at the time.

In 1990, several versions of tcpdump were released and became supported on plenty of operating systems. Many patches were distributed at that time, although they were not well coordinated.

In 1999, the official website www.tcpdump.org went live. Michael Richardson and Bill Fenner were responsible for this milestone in the product’s history.

What can tcpdump be used for?

The natural question now is why such a security tool matters. Let’s go over the main situations in which tcpdump is used.

  • tcpdump can display the composition of network packets.
  • It can read packets either live from a Network Interface Card (NIC) or from a capture file saved earlier.
  • It can write network packets to a file or to standard output.
  • It can display, and so intercept, the connections of another user or device on the network 🙂
  • Once a user has the privileges needed to operate as the network’s router or gateway, tcpdump becomes very effective: any unencrypted traffic passing through that router or gateway can be read and captured. Cleartext protocols such as HTTP or Telnet expose users’ credentials (IDs and passwords), their browsing information (the URLs they visit and even the content of those pages), and anything else sent without encryption.
  • The number of packets tcpdump captures or reads can be limited to a maximum count. This keeps the output useful and readable, especially when there is a lot of traffic on the network.
Does tcpdump have to be granted specific privileges?

This is a good point to discuss the security policy that applies to tcpdump. By default, a user needs specific privileges to be able to run it.

On some Unix-like operating systems only the superuser is allowed to use it, and so only the superuser can perform the critical task of capturing data. tcpdump’s -Z option helps here: once capturing has been set up, it drops tcpdump’s privileges to those of an ordinary user.

The reason these privileges are required is that the packet capturing mechanism itself is restricted to superusers on some Unix-like operating systems. This is not universal, though: on other Unix-like operating systems the mechanism can be configured to allow specific users.

Examples on how to use tcpdump in real life

Throughout the rest of this article, I will go through several basic tcpdump commands that accomplish common tasks. (The original post showed each command as a screenshot; the text below names the option or filter keyword each one uses.)

  • Capturing on all interfaces: running tcpdump with no arguments does this.
  • Capturing on a particular interface: tcpdump can be pointed at a single interface instead.
  • Viewing raw, verbose output: this command turns on verbose output, disables port-number and hostname resolution, and prints absolute sequence numbers and human-readable timestamps.
  • Traffic to or from a specific IP, whether that device is the source or the destination: the example uses the IP 1.2.3.4.
  • Displaying the transmitted and received data inside packets in hexadecimal: this lets you isolate a few candidate packets for closer scrutiny.
  • Filtering by source or destination: “src” selects traffic from a given source IP and “dst” traffic to a given destination IP.
  • Filtering by network: the “net” option selects traffic for a whole network, and it can be combined with “src” and “dst” as well.
  • Filtering by port: “port” selects traffic for a given port number and can also be combined with “src”.
  • Filtering by port range: “port range” selects traffic on any port within the given range.
  • Filtering by protocol: “tcp”, “udp” and “icmp” are all supported; the example uses “icmp”.
  • Filtering by IP version: IPv4 or IPv6 traffic can be selected on its own; the example selects IPv6 regardless of the rest.
  • Filtering by packet size: “less”, “greater”, “<=”, “>=” and similar comparisons select packets by length.
  • Saving captured data to a pcap file: the -w switch writes the capture to a file (capture_file in the example).
  • Reading a saved pcap file for processing: the -r switch reads capture_file back in. Note that capturing new data and processing an already captured file cannot be done at the same time.
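
As an added example (my own code, not from the original post or from the tcpdump project), the following Python script writes a small constructed capture in the libpcap format that `tcpdump -w capture_file` produces, reads it back the way `tcpdump -r capture_file` would, decodes the Ethernet/IPv4 headers, and re-implements the filter primitives named above (host, src, dst, net, port, port range, protocol, less/greater) so you can see exactly which header fields each one tests. The packets, addresses and file name are constructed sample data; the tcpdump command lines in the comments are the standard spellings of those filters, given here because the post’s screenshots are not reproduced.

```python
"""Added example: write a capture as `tcpdump -w` does, read it as `tcpdump -r` does, filter it."""
import ipaddress
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4                 # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP, "udp": PROTO_UDP}


def build_frame(src, dst, proto, sport=0, dport=0, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying TCP, UDP or ICMP (sample data, not real traffic)."""
    if proto == PROTO_TCP:        # 20-byte TCP header with only the SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == PROTO_UDP:      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                         # 8-byte ICMP echo request header
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4


def write_pcap(path, frames):
    """Same on-disk layout as `tcpdump -w capture_file`: a 24-byte global header, then
    a 16-byte record header (ts_sec, ts_usec, caplen, origlen) in front of each frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Read a saved capture the way `tcpdump -r capture_file` does, yielding decoded packets."""
    with open(path, "rb") as f:
        (magic,) = struct.unpack("<I", f.read(4))
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian libpcap file")
        f.read(20)                              # skip the rest of the global header
        while record := f.read(16):
            caplen = struct.unpack("<IIII", record)[2]
            yield decode(f.read(caplen))


def decode(frame):
    """Extract just the header fields that tcpdump's filter primitives test."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pkt = {"len": len(frame), "ip6": ethertype == ETH_IPV6, "proto": None,
           "src": None, "dst": None, "sport": None, "dport": None}
    if ethertype != ETH_IPV4:
        return pkt
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    pkt["proto"] = frame[23]
    pkt["src"] = str(ipaddress.IPv4Address(frame[26:30]))
    pkt["dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):  # ports sit at the start of the TCP/UDP header
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return pkt


def matches(pkt, host=None, src=None, dst=None, net=None, port=None,
            portrange=None, proto=None, less=None, greater=None):
    """One keyword per tcpdump primitive: host/port test either end, src/dst one end, net tests
    CIDR membership; per the tcpdump man page, less N means len <= N and greater N means len >= N."""
    addrs, ports = (pkt["src"], pkt["dst"]), (pkt["sport"], pkt["dport"])
    return all([
        proto is None or pkt["proto"] == PROTO_NAMES[proto],
        host is None or host in addrs,
        src is None or pkt["src"] == src,
        dst is None or pkt["dst"] == dst,
        net is None or any(a and ipaddress.IPv4Address(a) in ipaddress.IPv4Network(net) for a in addrs),
        port is None or port in ports,
        portrange is None or any(p is not None and portrange[0] <= p <= portrange[1] for p in ports),
        less is None or pkt["len"] <= less,
        greater is None or pkt["len"] >= greater,
    ])


def demo(path=None):
    """Write four constructed packets, read them back and count matches per filter;
    the comment on each line is the equivalent tcpdump invocation on the saved file."""
    path = path or os.path.join(tempfile.gettempdir(), "constructed_capture.pcap")
    write_pcap(path, [
        build_frame("10.0.0.5", "1.2.3.4", PROTO_TCP, 51000, 80, b"GET / HTTP/1.1\r\n"),
        build_frame("1.2.3.4", "10.0.0.5", PROTO_TCP, 80, 51000, b"HTTP/1.1 200 OK\r\n"),
        build_frame("10.0.0.9", "10.0.0.1", PROTO_UDP, 5353, 53, b"\x00" * 30),
        build_frame("192.168.1.2", "10.0.0.5", PROTO_ICMP, payload=b"ping"),
    ])
    pkts = list(read_pcap(path))
    return {
        "host 1.2.3.4": sum(matches(p, host="1.2.3.4") for p in pkts),              # tcpdump -nn -r capture_file host 1.2.3.4
        "src 10.0.0.5": sum(matches(p, src="10.0.0.5") for p in pkts),              # tcpdump -nn -r capture_file src 10.0.0.5
        "net 192.168.1.0/24": sum(matches(p, net="192.168.1.0/24") for p in pkts),  # tcpdump -nn -r capture_file net 192.168.1.0/24
        "port 80": sum(matches(p, port=80) for p in pkts),                          # tcpdump -nn -r capture_file port 80
        "portrange 1-1023": sum(matches(p, portrange=(1, 1023)) for p in pkts),     # tcpdump -nn -r capture_file portrange 1-1023
        "icmp": sum(matches(p, proto="icmp") for p in pkts),                        # tcpdump -nn -r capture_file icmp
        "less 64": sum(matches(p, less=64) for p in pkts),                          # tcpdump -nn -r capture_file less 64
        "greater 71": sum(matches(p, greater=71) for p in pkts),                    # tcpdump -nn -r capture_file greater 71
    }
```

Reading a saved file needs no special privileges, so the script runs as a normal user. The live-capture forms of the same commands replace `-r capture_file` with an interface, for example `tcpdump -i eth0 -nn host 1.2.3.4` (`-nn` turns off hostname and port resolution, `-v` adds verbosity, `-S` prints absolute sequence numbers and `-X` dumps packet contents in hex and ASCII); those need the privileges discussed above, and `-Z user` drops to an unprivileged user once the capture is set up.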

Snort

What is Snort?

Snort is one of the most important open source projects in network security, and it has proved itself as one of the best network security tools for years. It is a Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS), and it has been the de facto standard for intrusion detection and prevention for years. Snort is also free software, which makes it perfect for many.

In case you didn’t know, and to give a little more insight into the subject, here is what a NIDS is in a nutshell. Fundamentally, such software monitors all traffic on a network to make sure that everything is on track and under control.

Whenever there is abnormal or malicious activity, or a violation of security policy for some reason, the NIDS records it and reports to the security administrator.

In practice there is also what we call a Security Information and Event Management (SIEM) system. It acquires data (often known as logs) from diverse sources, Snort for instance. Based on predefined filters, the SIEM can trigger an alarm or alert message when a violation occurs, and the malicious activities that Snort records and sends to the SIEM are certainly among those violations.

Let’s know Snort’s History


It is often a good idea to know the history of the successful figures in any field of interest, and I consider the history of a proven security tool a must, because it enriches our knowledge of how such projects began.

Snort has seen several turning points since its creation. It was initially developed in 1998 by Martin Roesch, who founded a technology company named Sourcefire in 2001 and became its Chief Technology Officer.

In 2005, Check Point Software Technologies acquired Sourcefire in a deal worth $225 million. Notably, the information technology publication InfoWorld named Snort one of the “greatest [pieces of] open source software of all time,” the peak of its fame, and it has been remembered that way ever since.

NSS Group, a European organization specializing in network security testing, compared Snort in practice with IDS products from other vendors such as Computer Associates and Symantec. Snort outperformed all of the other products in 2005.

2013 marked the start of a new era for Snort and Sourcefire in general, when Cisco Systems acquired the company. Several versions of Snort have been released, and starting in 2005 a self-tuning engine was built into them, aimed at achieving maximum efficiency while keeping errors to a minimum.

What is the benefit of Snort?
Roesch divides the stages that threat-centric security should go through into three chronological events:

  • Before the attack: a defender ought to harden the assets and build the biggest, thickest castle, so that an attacker never even attempts to get in.
  • During the attack: the previous stage never works completely, so this stage is of great importance. Once an attack is launched, detecting it and then blocking it should be the main aim; technologies and techniques are applied to stop the attack as far as possible.
  • After the attack: sometimes those technologies fail to detect and block the attack, and it gets through. This stage represents a great threat from the perspective of a defender, who may lose control over their own network.

Therefore, the attack has to be scoped and contained first, so that it cannot spread any further through the network. Once that is achieved, the defender has to get rid of the attack and remediate it. That is the core of what Snort is for.

The idea behind Snort is to monitor network traffic in real time and scrutinize each packet closely. Analyzing packets in this manner detects malicious payloads or anomalies.

Accordingly, there are three main roles in which it shines:

  • An ordinary packet sniffer, such as tcpdump
  • A packet logger, which is useful for debugging network traffic
  • A full methodology and platform for a network intrusion prevention system

Get into more details

Snort fundamentally relies on a packet capture library called libpcap to sniff network traffic and then analyze it. Most similar sniffers that work with Transmission Control Protocol/Internet Protocol (TCP/IP) use the same library for their packet monitoring and detection purposes.

Snort’s role does not stop at capturing packets. It analyzes them and searches for patterns that identify a suspicious or malicious packet. Whenever it finds one, an alert is sent automatically: it can be delivered as a pop-up window to Windows clients using Samba’s smbclient, written to a UNIX socket, or sent to syslog, where alerts from several other sources are collected as well.

If we want to define some types of attacks that Snort can identify, the following list has to be mentioned:

  • Denial of service attacks, in which legitimate users are prevented from accessing their computers, devices, or other network resources.
  • Attacks targeting the Common Gateway Interface (CGI), in which data a user requests from a web application could be captured and collected before it is sent back to the user.
  • Stealth port scans, which search for open ports that could then be exploited or used to deliver malware and run its payload.
  • Buffer overflow attacks, in which an attacker sends an oversized network packet that the receiving system cannot withstand.
  • Server Message Block (SMB) probes.
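
To make the detection step concrete, here is an added example (my own simplified code, not Snort’s) of what a rule-driven NIDS does with a packet: it parses rules written in Snort’s header-plus-options syntax (action, protocol, source and port, direction, destination and port, then msg/content/sid options), checks each packet’s header fields and payload against every rule, and formats a hit as a line modelled on Snort’s “fast” alert output, the form usually forwarded to syslog or a SIEM. The rules, addresses and packets are constructed sample data, and the parser only handles plain quoted content strings while ignoring Snort’s many other options.

```python
"""Added example: a toy rule-driven inspection loop in the style of Snort (simplified, not Snort's code)."""
import ipaddress
import re

# Snort rule header: action proto src sport direction dst dport ( options )
RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)


def parse_rule(text):
    """Parse one rule. Simplified: plain quoted content strings only, no ';' inside values."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    rule["contents"] = []
    for opt in rule.pop("options").split(";"):
        if not opt.strip():
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip().strip('"')
        if name == "content":
            rule["contents"].append(value.encode())
        else:
            rule[name] = value                      # msg, sid, rev, ...
    return rule


def addr_ok(spec, addr):
    """'any', a host, a CIDR block, or any of those negated with a leading '!'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negated


def port_ok(spec, port):
    """'any', a single port, or a range written lo:hi (either end may be omitted)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Header check (protocol, addresses, ports, direction), then payload content check."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (addr_ok(src, pkt["src"]) and port_ok(sport, pkt["sport"])
                and addr_ok(dst, pkt["dst"]) and port_ok(dport, pkt["dport"]))

    header_hit = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if not header_hit and rule["dir"] == "<>":      # bidirectional rule: try the reverse
        header_hit = one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return header_hit and all(c in pkt["payload"] for c in rule["contents"])


def format_alert(rule, pkt):
    """Line modelled on Snort's 'fast' alert format, the shape typically shipped to syslog/SIEM."""
    ends = f"{pkt['src']} -> {pkt['dst']}"
    if pkt["proto"] in ("tcp", "udp"):
        ends = f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"
    return f"[**] [1:{rule['sid']}:{rule.get('rev', '0')}] {rule['msg']} [**] {{{pkt['proto'].upper()}}} {ends}"


def run_engine(rule_texts, packets):
    """Inspect every packet against every rule, as the NIDS role described in the post does."""
    rules = [parse_rule(t) for t in rule_texts]
    return [format_alert(r, p) for p in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, p)]


# Constructed rules and packets: sample data, not real traffic and not official Snort rules.
SAMPLE_RULES = [
    'alert tcp any any -> any 445 (msg:"SMB probe to file server"; content:"SMB"; sid:1000001; rev:1;)',
    'alert icmp !10.0.0.0/24 any -> 10.0.0.0/24 any (msg:"ICMP echo from outside into internal net"; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Plain HTTP request observed"; content:"GET "; sid:1000003; rev:1;)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "1.2.3.4", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "10.0.0.20", "dport": 445,
     "payload": b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"},
    {"proto": "icmp", "src": "192.168.1.2", "sport": 0, "dst": "10.0.0.5", "dport": 0, "payload": b"ping"},
    {"proto": "udp", "src": "10.0.0.9", "sport": 5353, "dst": "10.0.0.1", "dport": 53, "payload": b"\x00" * 12},
]


def demo():
    return run_engine(SAMPLE_RULES, SAMPLE_PACKETS)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints three alert lines, one per matching packet; the UDP DNS packet matches nothing, which is the usual outcome for most traffic. Real Snort layers preprocessors, stream reassembly and hex content matching (for example `content:"|FF|SMB"`) on top of this loop, but the order of work, header match first and then payload content, is the same.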
Should I use Snort for my business?

One question a business owner should be asking right now is what makes Snort unique: what would drive him or her to use Snort over all other NIDS or NIPS products? In the few lines remaining in this article, I will propose three main reasons from my own point of view:

  1. Rapid response: Snort can protect the system from new threats and malware through its real-time protection techniques. One of its best points is the Cisco Talos Security Intelligence and Research Group (Talos), which spots brand-new threats and updates Snort with them every hour.
  2. Greater accuracy: since Snort is an open source project, there is continual work on improving it and changing its features for the better. Several security teams improve the program through the Snort Community, which is spread worldwide.
  3. High adaptability: being able to add functions to Snort by accessing its source code gives it a great advantage over its counterparts, and allows Snort to work alongside any network security solution.


Finally, take a look at my next post on Netcat and let me know your thoughts.

PowerShell For InfoSec Professionals

PowerShell For InfoSec Professionals, June 2018

The simple fact is if you are going to be attacking or defending modern environments with newer operating systems (Windows 10, Server 2016) – you need PowerShell!

There is no getting around it, and the sooner you drink the PowerShell Kool-Aid the better InfoSec Professional you will be.

What will we be doing you ask – check this out:

Fundamentals:

  • Simple programming fundamentals
  • Cmdlets
  • Variables
  • WMI Objects

Security tasks with Powershell:

  • PowerShell Tool Development
  • PCAP Parsing and Sniffing
  • Malware Analysis

Pentesting tasks:

  • Ping Sweeping
  • Port Scanning
  • Enumerating Hosts/Networks
  • Download & Execute
  • Parsing Nmap scans
  • Parsing Nessus scan

Tool development:

  • Programming logic for security tasks
  • Tool structure
  • … and of course, integrating with Metasploit and other security tools

Students will receive

  • 20 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Each student will receive access to an InfoSec Addicts Group for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedule

18th and 20th of June 2018 from 7pm to 9pm EST

Fill out this form below to sign up for the class.

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/

NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

InfoSec Addicts Defensive Saturday Bundle: Splunk/ELK/Suricata/Bro-IDS

When it comes to log analysis, Splunk and the ELK / Elastic Stack are the biggest enterprise-grade solution approaches in the field. Splunk is a publicly traded company that offers a full commercial solution with a 15-day trial across its different products. ELK is an acronym for Elasticsearch, Logstash and Kibana, a free open source stack for log analytics with commercial support, managed solutions, and additional tools.

When it comes to hunting malware Bro and the Suricata IDS are preferred by malware hunters. This month of defensive classes is the absolute real deal if you are interested in hunting malware on the network.

Saturday Classes in the month of June

You can click here to purchase the $100 June 2017 Saturday Defensive Bundle.

3rd of June Splunk (9 am EST – 4 pm EST)

Splunk: We’ll be covering building, deploying, and configuring Splunk. You can purchase this class individually by clicking on this link.

10th of June ELK (9 am EST – 4 pm EST)

ELK: We’ll be covering building, deploying, and configuring ELK. You can purchase this class individually by clicking on this link.

17th of June Suricata (9 am EST – 4 pm EST)

Suricata: We’ll be covering building, deploying, and configuring Suricata. You can purchase this class individually by clicking on this link.

24th of June Bro IDS (9 am EST – 4 pm EST)

Bro-IDS: We’ll be covering building, deploying, and configuring Bro-IDS. You can purchase this class individually by clicking on this link.

Students will receive

  • 32 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab manual

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Students can request help via email based trouble ticketing system (allow 24 hours for a response).

Schedule

Saturday Classes in the month of June

  • 3rd of June Splunk for InfoSec (9 am EST – 4 pm EST)
  • 10th of June ELK for InfoSec (9 am EST – 4 pm EST)
  • 17th of June Suricata IDS (9 am EST – 4 pm EST)
  • 24th of June Bro IDS (9 am EST – 4 pm EST)

Bundle Cost

This course bundle costs $100 for access to all 4 of these defensive courses.
