Blue Knight

Let’s dive into the details of what you’ll learn in SEC503:

  1. Understanding Network Protocols:
    • Gain a deep understanding of TCP/IP protocols and how they work.
    • Learn about common application protocols like DNS and HTTP.
    • Develop the ability to intelligently examine network traffic for signs of compromise or zero-day threats.
  2. Effective Threat Detection and Mitigation Tools:
    • Learn how to use industry-leading automated threat detection and mitigation tools.
    • Develop efficient detection capabilities and understand the purpose of existing rules.
    • Instrument your network to perform detailed threat hunting, incident analysis, network forensics, and reconstruction.
  3. Critical Thinking and Deep Fundamentals:
    • Develop critical thinking skills and apply them to the deep fundamentals of network monitoring and forensics.
    • Gain a deeper understanding of various security technologies used today.
  4. Hands-on Training and Tools:
    • Get hands-on experience with tools like tcpdump, Wireshark, Snort, Suricata, Zeek, tshark, SiLK, and NetFlow/IPFIX.
    • Master these tools through daily exercises suitable for all experience levels.
    • Apply theory to real-world problems during evening Bootcamp sessions.

SEC503 is perfect for individuals who monitor, defend, and conduct threat hunting on their network. This includes security analysts, those working in Security Operations Centers (SOCs), and even red team members looking to enhance their skills. By taking this course, you’ll learn how to analyze network traffic, identify zero-day threats, customize and tune network monitoring, triage network alerts, reconstruct events, and perform network forensic investigations.

  • Avoid becoming a front-page headline for security breaches.
  • Augment detection in traditional, hybrid, and cloud network environments.
  • Increase efficiency in threat modeling for network activities.
  • Decrease attacker dwell time.

By the end of SEC503, you’ll be able to configure and run tools like Snort, Suricata, and Zeek. You’ll be proficient in writing effective rules, performing network forensics, identifying abnormal traffic, and using flow analysis tools. Additionally, you’ll have the knowledge to customize the placement of network monitoring sensors and sniff traffic off the wire.

Let's look at the syllabus:

Stage 1 (Network Monitoring and Analysis: Part I):

Concepts of TCP/IP

  • Why is it necessary to understand packet headers and data?
  • The TCP/IP communications model
  • Data encapsulation/de-encapsulation
  • Bits, bytes, binary, and hex

Introduction to Wireshark

  • Navigating around Wireshark
  • Wireshark profiles
  • Examination of Wireshark statistics options
  • Stream reassembly
  • Finding content in packets

Network Access/Link Layer: Layer 2

  • Introduction to the link layer
  • Address Resolution Protocol (ARP)
  • Layer 2 attacks and defenses

IP Layer: Layer 3

  • IPv4
    • Examination of fields in theory and practice
    • Checksums and their importance, especially for network monitoring and evasion
    • Fragmentation: IP header fields involved in fragmentation, composition of the fragments, modern fragmentation attacks

UNIX Command Line Processing

  • Processing packets efficiently
  • Parsing and aggregating data to answer questions and research a network
  • Using regular expressions for faster analysis

Stage 2 (Network Monitoring and Analysis: Part II):

Wireshark Display Filters

  • Examination of some of the many ways that Wireshark facilitates creating display filters
  • Composition of display filters

Writing BPF Filters

  • The ubiquity of BPF and utility of filters
  • Format of BPF filters
  • Use of bit masking

TCP

  • Examination of fields in theory and practice
  • Packet dissection
  • Checksums
  • Normal and abnormal TCP stimulus and response
  • Importance of TCP reassembly for IDS/IPS

UDP

  • Examination of fields in theory and practice
  • UDP stimulus and response

ICMP

  • Examination of fields in theory and practice
  • When ICMP messages should not be sent
  • Use in mapping and reconnaissance
  • Normal ICMP
  • Malicious ICMP

IPv6

  • Fundamentals
  • Improvements over IPv4
  • Multicast protocols and how they are leveraged by IPv6
  • IPv6 threats

Real-world application: Researching a network

  • Who are the top talkers?
  • What are people connecting to?
  • What services are running on our network?
  • What kind of east-west traffic is present?

Stage 3 (Signature-Based Threat Detection and Response):

Scapy

  • Packet crafting and analysis using Scapy
  • Writing packets to the network or a pcap file
  • Reading packets from the network or from a pcap file
  • Practical Scapy uses for network analysis and network defenders

Advanced Wireshark

  • Exporting web and other supported objects
  • Extracting arbitrary application content
  • Wireshark investigation of an incident
  • Practical Wireshark uses for analyzing SMB protocol activity
  • Tshark

Introduction to Snort/Suricata

  • Configuration of the tools and basic logging
  • Writing simple rules
  • Using common options

Effective Snort/Suricata

  • More advanced content on writing truly efficient rules for very large networks
  • Understanding how to write flexible rules that are not easily bypassed or evaded
  • Snort/Suricata “Choose Your Own Adventure” approach to all hands-on activities
  • Progressive examination of an evolving exploit, incrementally improving a rule to detect all forms of the attack
  • Application of Snort/Suricata to application layer protocols

DNS

  • DNS architecture and function
  • DNSSEC
  • Modern advances in DNS, such as EDNS (Extended DNS)
  • Malicious DNS, including cache poisoning
  • Creating rules to identify DNS threat activities

Microsoft Protocols

  • SMB/CIFS
  • Detection challenges
  • Practical Wireshark application

Modern HTTP

  • Protocol format
  • Why and how this protocol is evolving
  • Detection challenges
  • Changes with HTTP/2 and HTTP/3

How to Research a Protocol

  • Using QUIC as a case study
  • Comparison of GQUIC vs. IETF QUIC

Real-world Application: Identifying Traffic of Interest

  • Finding anomalous application data within large packet repositories
  • Extraction of relevant records
  • Application research and analysis

Stage 4 (Building Zero-Day Threat Detection Systems):

Network Architecture

  • Instrumenting the network for traffic collection
  • Network monitoring and threat detection deployment strategies
  • Hardware to capture traffic

Introduction to Network Monitoring at Scale

  • Function of network monitoring tools
  • The analyst’s role in detection
  • Analysis flow process

Zeek

  • Introduction to Zeek
  • Zeek operational modes
  • Zeek output logs and how to use them
  • Practical threat analysis and threat modeling
  • Zeek scripting
  • Using Zeek to monitor and correlate related behaviors

IDS/IPS Evasion Theory

  • Theory and implications of evasions at different protocol layers
  • Sampling of evasions
  • Necessity for target-based detection
  • Zero-day monitoring evasions

Stage 5 (Large-Scale Threat Detection, Forensics, and Analytics):

Using Network Flow Records

  • NetFlow and IPFIX metadata analysis
  • Using SiLK to find events of interest
  • Identification of lateral movement via NetFlow data
  • Building custom NetFlow queries

Threat Hunting and Visualization

  • Various approaches to performing network threat hunting at enterprise scale
  • Exercises involving approaches to visualizing network behaviors to identify anomalies
  • Applications of data science to streamline security operations and perform threat hunting
  • Experimenting with an AI-based system to identify network protocol anomalies on a defended network

Introduction to Network Forensic Analysis

  • Theory of network forensics analysis
  • Phases of exploitation
  • Data-driven analysis versus alert-driven analysis
  • Hypothesis-driven visualization

Released On

05/2024
