See Beyond What Blinking Boxes Tell You
You bought all the latest detection tools, but somehow still can’t seem to detect mimikatz. IT is screaming about the resource consumption from the multitude of security tools on the endpoints, analysts are barely staying afloat in the oceans of data your toolsets have created, and the latest red team report detailed how response actions were ineffective again. If this sounds familiar, this is the course for you.
Adversary Tactics: Detection will give you the understanding and ability to build robust detections, starting with the “Why?” and going all the way to the technical implementation of detecting threat actor activity. You will learn how to apply the methodologies and technical approaches practiced in class regardless of the security toolsets deployed in your organization. We’ll walk you through defining a detection engineering strategy first, then through the methodologies for building robust alerting, so that detection and response capabilities improve throughout security operations.
- Threat Hunting Introduction
- MITRE ATT&CK and Adversary TTPs
- Interpreting Threat Intelligence
- Data Source Identification
- Configure Test Environment
- Implement Attacker Technique
- Data Modeling
- Data Quality Assessment
- Detection Engineering Methodology
- Threat Hunting Campaign Types
- Develop Detections
- Alerting & Detection Strategies
- Hypothesis Generation (based on Threat Intel Report)
- Threat Hunting Engagement
- Detection Development
- Detection Presentation & Peer Review
Adversary Tactics: Detection builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will learn to use free or open-source data collection and analysis tools, such as Sysmon, Windows Event Logs, and ELK, to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you learn to create threat hunting hypotheses and build robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.
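The behavioural approach described above, as an added example that is not part of the course material: a small rule that runs over constructed Sysmon-style ProcessAccess (Event ID 10) events and flags any process outside an illustrative allow-list that opens lsass.exe with the PROCESS_VM_READ right, which is what credential-dumping tools need. The allow-list paths and the sample events are assumptions built for this example, not telemetry from the course range. Because the rule keys on the TTP (reading LSASS memory) rather than on a file hash or tool name, it still fires when the dumping binary has been renamed.

```python
"""
Behavioural LSASS-access detection over constructed Sysmon-style events.

Added example, not course material. Assumptions: events are dicts shaped like
Sysmon Event ID 10 (ProcessAccess) records after JSON ingestion into a SIEM such
as ELK, and the allow-list below is illustrative, not a vetted baseline.
"""

# PROCESS_VM_READ bit of the Windows process access mask. Any handle to
# lsass.exe carrying this right can read credential material from memory.
PROCESS_VM_READ = 0x0010

# Illustrative allow-list of processes that legitimately read LSASS on a
# typical host (assumption; baseline it in your own test environment).
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event):
    """True if a Sysmon ID 10 event shows an unexpected process reading LSASS."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    # Sysmon logs GrantedAccess as a hex string such as "0x1010".
    granted = int(event.get("GrantedAccess") or "0x0", 16)
    if not granted & PROCESS_VM_READ:
        return False
    source = event.get("SourceImage", "").lower()
    return source not in LSASS_READER_ALLOWLIST


def detect_lsass_access(events):
    """Run the rule over an event stream and return alert records."""
    alerts = []
    for ev in events:
        if is_suspicious_lsass_access(ev):
            alerts.append({
                "technique": "T1003.001 OS Credential Dumping: LSASS Memory",
                "host": ev.get("Computer"),
                "source": ev.get("SourceImage"),
                "granted_access": ev.get("GrantedAccess"),
                "time": ev.get("UtcTime"),
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Benign: svchost querying LSASS without VM_READ.
        "EventID": 10, "Computer": "WS01", "UtcTime": "2024-01-01 10:00:00.000",
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
    },
    {   # Malicious: a renamed dumper in a user profile reading LSASS memory.
        "EventID": 10, "Computer": "WS01", "UtcTime": "2024-01-01 10:05:13.000",
        "SourceImage": r"C:\Users\alice\Downloads\notepad.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
    },
    {   # Unrelated: a process-create event the rule must ignore.
        "EventID": 1, "Computer": "WS01", "UtcTime": "2024-01-01 10:05:14.000",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Benign: the AV engine holds a full-access handle and is allow-listed.
        "EventID": 10, "Computer": "WS01", "UtcTime": "2024-01-01 10:06:00.000",
        "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
    },
]

if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

The allow-list is the weak point of this rule: an attacker who injects into an allow-listed process (svchost.exe, for instance) inherits its path and slips past the check, so a path-only allow-list should be paired with signer or parent-process context and validated by running the actual technique in a test environment before the rule goes live.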
This class is intended for security analysts and blue teamers who want to learn how to hunt effectively in enterprise networks. The course benefits participants at most levels of security operations experience, from SOC analysts to experienced security defenders. Those with a strong technical background will have the opportunity for a deep dive into key concepts and labs. Participants in less technically focused positions will be exposed to robust threat hunting concepts that provide the building blocks for highly effective detection strategies.
Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.
Participants will need a laptop with a modern web browser. All labs are completed through a training portal that contains a range with simulated enterprise networks under attack and defensive workstations from which participants will operate.
There are no local virtual machines or special software required to fully participate in the course or labs.
During the course, participants will be provided access to a comprehensive range to perform course labs and goals.
Upon completion of the course, participants are provided with a copy of course slides and a certificate of completion.
See What Else We Have to Offer
If a public offering of the training classes does not fit your busy schedule, our team of experts is available to provide a private training offering to your organization. This is by far the best way for your team to get one-on-one access to the instructors and solidify the material. We provide all training material, as well as laptops and classroom locations if needed.