Advanced Threat Hunting with Splunk

Advanced Threat Hunting

Advanced Threat Hunting with Splunk – When it comes to log analysis, Splunk is one of the most popular enterprise-grade solutions in the field today. It can pull logs from nearly any device on the network, and it integrates with most of the popular security products on the market. In the InfoSec field today, Splunk is a common tool for what is called Cyber Threat Hunting, Hunt Teaming, Malware Hunting, Defensive Cyber Operations (DCO), Cyber Threat Analysis and many other names.

As popular as Splunk is, surprisingly few people are comfortable performing security event analysis with it. We decided to develop a hands-on Splunk course designed specifically for InfoSec professionals who want to do HANDS-ON DEEP TECHNICAL SECURITY ANALYSIS with Splunk.

Class Syllabus

Module 1: Deploying Splunk, configuring logging and forwarding

  • Installing Splunk
  • Configuring logging in Windows and Linux
  • Setting up log forwarding
  • Understanding how Windows Event logging works

Module 2: Attacking Servers and Workstations

  • Learning attacker tools/tactics/procedures (TTPs)
  • Generating real-world security events to analyze
  • Attacking Workstations
  • Attacking Application Servers
  • Learning what types of security events generate log events
  • Writing basic queries for common attacks
  • Analyzing PCAP files with Splunk

Module 3: Hunting with Splunk

  • Data-Centric vs End-Point Hunting
  • Understanding IOCs/IOAs
  • Indicators of Compromise (IOCs)
  • Indicators of Attack (IOAs)
  • Integrating data from popular security products
  • Writing complex queries
  • Detecting Zero-Day attacks

Who is this class for?

IT System Administrators, IT Security Professionals, SOC Analysts, First Responders, Incident Handlers, Intrusion Analysts, Malware Analysts

Class prerequisites

Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.

Students should be familiar with VMware Workstation and be able to create and configure virtual machines.

Students should have a high-level understanding of key programming concepts, such as variables, loops, and functions; however, no programming experience is necessary.

Students will be provided with detailed courseware, detailed lab manuals, and copy/paste notes so that even if a student is not very strong technically they will be able to complete the lab exercises and take notes effectively.

Class Schedule

January 29th – 30th, 10:00 am EST – 4:00 pm EST

Class Delivery Method

Live-online instructor-led

NOTE:

Online students will be given access to VMware virtual machines to download for the class, as well as the previous version of the Splunk course. A new, updated version of the courseware will be delivered on the first day of class.

Students will receive

  • 24 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab manual

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Students can request help via an email-based trouble-ticketing system (allow 24 hours for a response). Send all questions/concerns to [email protected]

Class Cost: $200

The class cost is regularly $500, but you can get it for $200 if you sign up before January 19th.

Fill out this form to sign up for the class.

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/

 

NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

Malware Analysis

Coming Soon

Fill out this form to sign up for the class.

How to Build a free Malware Analysis Toolkit?

Build a free Malware Analysis Toolkit

It is very important to inspect the capabilities of malicious software, also called malware, in order to understand its effects and take the necessary steps to prevent them. However, an Information Technology (IT) team cannot simply test such effects on a real system, which could result in a disaster for the entire system.

Questions about the mechanism of the malware, what it really does, and its effects are the main concerns of the IT team. Hence, a controlled environment is necessary to perform any required examination of a particular malware sample. The following steps describe a free toolkit that any IT security team needs. It makes teams capable of facing any security incident on a Windows operating system, which is commonly prone to malware exploitation.

  1. Allocate an extra physical or virtual system as a test environment

  • A test environment is essential, because it is always preferable to run malware on a dedicated system and observe how it behaves through security monitoring tools.
  • Create one or several virtual machines, all hosted on one physical computing device. Several free virtual machine hypervisors are available, such as:
    • VirtualBox
    • VMware vSphere Hypervisor
    • Microsoft Virtual Server
  • The idea behind virtualization is to do without the several physical machines that would otherwise be needed; the physical boxes that already exist are used to maximum benefit.
  • It is highly recommended to invest in as much Random-Access Memory (RAM) as possible and a large hard disk drive as well. Both are needed to host several virtual machines and run them simultaneously.
  • On one of the virtual systems, take a snapshot of the system before infecting it with the malware. Then, after infection, compare the behavior and understand the influence the malware had on the virtual system. Taking such snapshots, which record the whole state of a machine, is very simple with virtual systems.
  • Malware may be able to detect that it is running on a virtual system and will then not behave the same way as on a physical system. In this case, the solution is to host the test environments on physical devices. Make use of old computers that are no longer in use; there is no real need for a high-performance CPU, a large amount of RAM, or a big hard disk drive.
  • Connect the test environments to each other, whether they are virtual or physical systems. The point is to understand the malware's network interaction, which is an essential part of malware analysis from IT's perspective.
  2. Isolate the test and production environments

  • The production environment has to be protected from the testing of malware and its effects.
  • Although the network between the production environment and the test environments could be secured with firewalls, it is a better idea not to connect them at all, to avoid any malware bypassing the filtering restrictions.
  • Bring the malware into the test systems on write-once removable media, such as a DVD or a USB stick with a mechanical write-lock switch, so that the media cannot end up carrying the malware after it has been installed on the test environment.
  • When using physical test systems, dedicate a separate DSL or cable modem to provide internet connectivity for the test environment. Otherwise, if the test systems share the production network, keep their connectivity to a minimum, to avoid the risk of other systems on the network being harmed by the malware.
  • When using virtual test systems, always stay up to date with the security patches that the virtualization software vendors release to fix vulnerabilities in their software. The host machine should be used solely for hosting the virtual test machines, not for any other functions.
  3. Install behavior-analysis tools

There are several free utilities that can be used to monitor the behavior of the infected system, depending on the type of monitoring desired. Installing one of the following tools on the test machine is necessary before infecting it with the malware.

  • Wireshark: a network traffic analyzer that shows what happens on the network, such as downloads, DNS resolution requests, etc.
  • Process Monitor with ProcDOT: these two tools show how the malware affects files and registry entries; any read, write, or delete action on them is monitored and recorded.
  • Process Explorer and Process Hacker: alternatives to Windows Task Manager that display the running malicious processes and the network ports the malware attempts to open.
  • Regshot: this tool highlights the main changes to the system (the registry and file system) that occurred after infection.
  4. Install code-analysis tools

The previous tools analyze behavior, but they do not get to the root of the problem. Analyzing the malicious code itself can lead to more interesting results. Although the source code of a malicious executable is usually not available, there are some tools that can assist in this process.

  • Scylla and OllyDumpEx: these tools are helpful when dealing with packed executables that cannot be disassembled directly. The instructions of such executables are often encoded or encrypted and are only unpacked into RAM when running; these tools create a dump file containing the code that was protected, as it appears in memory.
  • OllyDbg and IDA Pro Freeware: these tools disassemble malicious executables into assembly code and allow stepping through each piece of it slowly to fully understand the malware.
  5. Use online utilities

Free online utilities are a great addition to the proposed toolkit. There are plenty of online services that analyze the behavior of malware, including executable files. Some of them are:

  • Anubis
  • EUREKA
  • Malwr
  • ThreatExpert

If a given URL is suspected of serving malware, the following websites can be helpful.

  • WebInspector and Wepawet: they test the URL and report whether or not it is malicious.
  • URLVoid and MxToolbox: they provide historical data about malicious and reputable websites.

References:

https://zeltser.com/build-malware-analysis-toolkit/#install-behavioral-analysis-tools

PowerShell For InfoSec Professionals

PowerShell For InfoSec Professionals 2018

The simple fact is if you are going to be attacking or defending modern environments with newer operating systems (Windows 10, Server 2016) – you need Powershell!

There is no getting around it, and the sooner you drink the Powershell Koolaid the better InfoSec Professional you will be.

What will we be doing you ask – check this out:

Fundamentals:

  • Simple programming fundamentals
  • Cmdlets
  • Variables
  • WMI Objects

Security tasks with Powershell:

  • PowerShell Tool Development
  • PCAP Parsing and Sniffing
  • Malware Analysis

Pentesting tasks:

  • Ping Sweeping
  • Port Scanning
  • Enumerating Hosts/Networks
  • Download & Execute
  • Parsing Nmap scans
  • Parsing Nessus scans

Tool development:

  • Programming logic for security tasks
  • Tool structure
  • ...and of course, integrating with Metasploit and other security tools

Students will receive

  • 20 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Each student will receive access to an InfoSec Addicts Group for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedule

19th and 21st of February 2018 from 7pm to 9pm EST

Fill out this form below to sign up for the class.

Python For InfoSec Professionals

Python For InfoSec Professionals Night Class

This class aims at making students comfortable with using Python to perform simple IT Security tasks. Going beyond using other people's tools in this field is the hardest step on the ladder to proficiency. This class will take you over that difficult step, enabling you to modify popular security tools or write your own. Most importantly, it is all taught in a simple manner that won't put you to sleep like most programming courses.

Class Outline

Programming Concepts, Parsing Files, Logs, and PCAPs

  • Python Basics
  • Text File Parsing
  • CSV File Parsing
  • Log Parsing

  • PCAP Parsing
  • Port-Scanning
  • Bind/Reverse Shells
  • Scapy

  • SQL Injection
  • XSS
  • RFI/LFI

  • Memory Analysis
  • Identifying/Classifying/Analyzing Malware
  • Exploit Development with Python
  • Debugger automation

Please register to attend the class:

Students will receive

  • 30 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Each student will receive access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedule

28th and 30th of May 2018 from 7pm to 9pm EST

Class Cost: $200

Fill out this form to sign up for the class.

InfoSec Addicts Defensive Saturday Bundle: Splunk/ELK/Suricata/Bro-IDS

Defensive Security

When it comes to log analysis, Splunk and the ELK / Elastic Stack are the biggest enterprise-grade solution approaches in the field. Splunk is a publicly traded company that offers a full commercial solution with a 15-day trial across its different products. ELK is an acronym for ElasticSearch, Logstash and Kibana, a free open-source stack for log analytics with commercial support, managed solutions, and additional tools.

When it comes to hunting malware, Bro and the Suricata IDS are preferred by malware hunters. This month of defensive classes is the absolute real deal if you are interested in hunting malware on the network.

Saturday Classes in the month of June

You can click here to purchase the $100 June 2017 Saturday Defensive Bundle.

3rd of June Splunk (9 am EST – 4 pm EST)

Splunk: We'll be covering building, deploying, and configuring Splunk. You can purchase this class individually by clicking on this link.

10th of June ELK (9 am EST – 4 pm EST)

ELK: We'll be covering building, deploying, and configuring ELK. You can purchase this class individually by clicking on this link.

17th of June Suricata (9 am EST – 4 pm EST)

Suricata: We'll be covering building, deploying, and configuring Suricata. You can purchase this class individually by clicking on this link.

24th of June Bro IDS (9 am EST – 4 pm EST)

Bro-IDS: We'll be covering building, deploying, and configuring Bro-IDS. You can purchase this class individually by clicking on this link.

Students will receive

  • 32 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab manual

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Students can request help via email based trouble ticketing system (allow 24 hours for a response).

Schedule

Saturday Classes in the month of June

  • 3rd of June Splunk for InfoSec (9 am EST – 4 pm EST)
  • 10th of June ELK for InfoSec (9 am EST – 4 pm EST)
  • 17th of June Suricata IDS (9 am EST – 4 pm EST)
  • 24th of June Bro IDS (9 am EST – 4 pm EST)

Bundle Cost

This course bundle costs $100 for access to all 4 of these defensive courses.