Tactical Response is a multidisciplinary approach to understanding the methodologies, techniques, and tools for both offensive and defensive security. This four-day course introduces a tactical approach for instrumenting and weaponizing your infrastructure. Using a combination of new tools, and uncommon techniques students will learn how to defend a network against today’s evolving threats. Real world attacks concentrate heavily on a number of methodologies including; compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.
Students will learn:
• How to manipulate enterprise tools and infrastructures in unusual ways for better security
• Build and employ custom logging tools for detecting lateral movement, persistence mechanisms, data targeting, and exfiltration
• New techniques to help drive rapid intelligence from files and systems.
• Properly defend against and respond to incidents on a network
• Offensive mindset for defensive purposes
Students will get the chance to work with real “APT" tools and see the unique differences between how they are used in real attacks vs the penetration testing tools used today. These differences will help students learn how to truly detect real adversaries.
Topics Covered: The following items are the topic areas that will be covered in the class:
• Real offensive mindsets, not penetration testing mindsets
• Leveraging active directory, AV, and other tools in unique ways for alerting
• Host logging and auditing
• Leveraging windows syscalls for alerting across an enterprise
• Playing with “APT"
• Advanced host and file triage capabilities
• Host and network indicator extraction from file format exploits
• Developing your own custom process trace capabilities
• Binary de-obfuscation techniques
• PCAP destruction
• Binary unpacking techniques
Students will test all of the skills they have gained in the course against a virtual network specially designed for the class. The labs will be interwoven into the lecture so that students will receive a significant amount of time practically exercising these new skills as they learn. By the end of the class students will have spent 50% of the time in a lab environment. A significant portion of the class will be dedicated to building new tools, on the fly, to solve the challenges posed by a difficult adversary. Questions can be sent to firstname.lastname@example.org.
This course is well-suited to incident responders, reverse engineers, and in general any defenders. This course is also well suited for the offensively focused minds. This class can help penetration testers learn what NOT to do.
Student machines must be able to run at least 2 virtual machines utilizing VMware Workstation 8.0 and above (which can be obtained through a demo license). To run multiple machines usually means at least 4 gig’s of memory is needed.
Student laptops must be running either OSX, Linux, or Windows and must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc.
We encourage students to have a copy of IDA Pro version 6.0 or greater. Students are responsible for bringing a XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware. Students must have:
• Familiarity with scripting languages such as Python/Perl/Ruby
• A familiarity with Windows and Linux administration.
• Familiarity with the malware analysis and reverse engineering malware processes
• Programming in C and previous knowledge of assembly will help students, but is not a must.
Students must bring a laptop that is capable of fulfilling the information in the student requirements section.
Students will walk away from the class with full documentation and the entire custom and non-custom tools that we have given them or they have designed in class. Students walk away from AR training sessions with more than just the “usual" training materials but a wealth of knowledge for both attacking and defending networks.
Russ Gideon (email@example.com)
Russ has many years of experience in information security fulfilling many diverse roles from being a core component of an Incident Response operation to running effective Red Teams from across the United States government. Russ excels both at malware reverse engineering, which enables him to deeply understand how the attackers do what they do, as well as at high end Red Teaming where he has to penetrate sophisticated and well protected high value systems. Russ currently serves as the Director of Malware Research and Training at Attack Research.
Val Smith (firstname.lastname@example.org)
Val Smith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Val Smith founded Attack Research which is devoted to deep understanding of the mechanics of computer attack. Previously Val Smith founded Offensive Computing, a public, open source malware research project.
Colin Ames (email@example.com)
Colin Ames is a security researcher with Attack Research LLC where he consults for both the private and public sectors. He's currently focused on Pen testing, Exploit Development, Reverse Engineering, and Malware Analysis.
Dave Kerb (firstname.lastname@example.org)
David Kerb has worked in the computer security arena for the past ten years. He has specialized in reverse engineering, malware research, and penetration testing. During the past ten years he has worked with various places including Offensive Computing, a Malware Research Company. He is currently conducting research at Attack Research which is set up to help understand the internals of attacks. Dave Kerb has focused on *nix systems and enjoys figuring out how to abuse various trust relations between *nix systems.