A Uniquely Trained Security Force

HUNT Certification - Windows

Course Description

HUNT OPERATIONS AND WINDOWS END-POINT DATA COLLECTION & ANALYSIS

The first of three courses in root9B’s HUNT Certification program is designed to train cybersecurity professionals to actively defend critical Windows systems. The course exposes students to a “Think like the Adversary” mindset in order to actively detect sophisticated and tailored adversary attacks. This course establishes the foundation upon which the root9B HUNT Certification is based, preparing cybersecurity professionals to HUNT for evidence of adversary presence within their network that automated enterprise security devices and software have not previously detected.

Rather than just reacting to network attacks, students will learn methods to remotely interrogate systems and analyze data to proactively identify systems targeted by an adversary. Students will practice identifying malicious code, evidence of adversary presence, and lateral movement within a network. Throughout the program, instructors will share their experience in cybersecurity, operations, and tool development, giving students an appreciation of the challenges they face in countering the cyber adversary.

The HUNT [WINDOWS] course starts with a discussion of the concepts of real-time detection and identification of adversary attacks. Students will be exposed to advanced Windows operating system concepts, with an emphasis on the adversary file manipulation and persistence techniques used to bypass cybersecurity systems and infrastructure. Follow-on training courses in root9B’s HUNT (Active Adversary Pursuit) series will focus on Linux- and network-based methodologies and operations.

INTENDED AUDIENCE

This class is intended for individuals with intermediate to advanced knowledge of information systems and systems security. Some experience with command line tools is desired but not mandatory.

STUDENT PREREQUISITES

  • Basic understanding of computers

COURSE MATERIALS PROVIDED

  • Lecture slides in PDF format
  • Exercise materials (e.g. files, VMs, etc.)
  • Course reference material (e.g. Books)

WINDOWS CERTIFICATION COURSE OUTLINE

MODULE 1 - INTRODUCTION TO HUNT [WINDOWS]

  • Definition of HUNT
  • HUNT vs IR vs Forensics
  • HUNT Platform
  • HUNT Methodologies
    • System Baseline
    • Collect
    • Normalize
    • Visualize
    • Analyze
    • Report
    • Reassess
  • HUNT Team Composition

MODULE 2 - UNDERSTANDING THE ADVERSARY

  • Motivators
  • Case Studies
  • Attribution and Analysis Models
  • Indicators of Compromise (IOC)

MODULE 3 - HUNT METHODOLOGIES

  • HUNT TTPs
  • System Baselining
    • Holistic Approach (Users, Systems, Usage, etc.)
    • Network Enumeration
      • Passive Network Enumeration
      • Active Network Enumeration

MODULE 4 - DATA COLLECTION

  • Passive vs Active
  • Data Sets
    • Alerts
    • Raw Data
    • Metadata
  • Data Sources
    • Documentation & Diagrams
    • Host Data
      • Windows Architecture – Kernel Subsystems
      • Requirements
        • Windows Authentication Mechanisms
        • Windows Remote Access and Remote Process Execution
      • Windows Remote System Collection Techniques
      • Remote System Interrogation
        • Boot Process and BootKits
        • File Obfuscation
        • Windows Features and Dual Use Technology
        • Registry/DLL/Driver Persistence Techniques
        • Windows Process Management
        • Windows Memory Management
        • System Service Dispatch Tables
    • Network Data
      • Network Connections
      • DNS
      • ARP

MODULE 5 - DATA NORMALIZATION

  • Preparing for SIEM database ingestion

MODULE 6 - DATA VISUALIZATION

  • Data Visualization
    • Multi-node data
    • SIEM data representations

MODULE 7 - DATA ANALYSIS

  • Tactical Differential Analysis
    • Host Data
      • Boot Process and BootKits
      • File Obfuscation
      • Windows Features and Dual Use Technology
      • Registry/DLL/Driver Persistence Techniques
      • Windows Process Management
      • Windows Memory Management
      • System Service Dispatch Tables
    • Network Data
      • Network Connections
      • DNS
      • ARP

MODULE 8 - REPORTING

  • Alerting
  • After Action Report

MODULE 9 - INTEGRATING THREAT INTELLIGENCE

  • Driving HUNT Operations
    • Tipping & cueing
  • Intelligence Sharing
    • Indicators of Compromise (IOC)
      • STIX/TAXII/CybOX
      • MAEC
      • YARA

MODULE 10 - HUNT CULMINATION EXERCISE

PRICE: $4,600

Contact for Government rate

root9B reserves the right to cancel or change a class at any time for reasons including, but not limited to, lack of participation or lack of classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, indirect, consequential or special damages that may be incurred due to the cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer's or student's sole remedy shall be a voucher for future training.

Dates & Locations

  • January 8, 2018 (Columbia, MD)
  • February 5, 2018 (Annapolis Junction, MD)
  • March 12, 2018 (San Antonio, TX)
  • May 7, 2018 (Annapolis Junction, MD)
  • June 4, 2018 (Colorado Springs, CO)
  • June 11, 2018 (Annapolis Junction, MD)
  • July 9, 2018 (Colorado Springs, CO)
  • July 16, 2018 (Augusta, GA)
  • July 16, 2018 (Honolulu, HI)
  • September 10, 2018 (San Antonio, TX)
  • September 24, 2018 (Columbia, MD)
  • November 26, 2018 (Colorado Springs, CO)
  • December 3, 2018 (Honolulu, HI)

Recommend it to all of the Cyber Protection Teams to attend.