A Uniquely Trained Security Force

Training


root9B understands the cognitive aspects of cyber operations. Our curriculum provides the hands-on technical skills students require to attain a variety of advanced cybersecurity qualifications. We instill the knowledge, skills, and abilities necessary for our students to defeat the adversary.

  • Dynamic development of skills
  • Building a foundation of security principles
  • Customizable curriculum and real-world environment simulation

Available Courses

Below are our available courses. Please check back often, as our course offerings are updated regularly. Government organizations, please contact root9B directly via training@root9b.com for pricing and purchasing information.

  • May 1, 2017 (Honolulu, HI)
  • May 8, 2017 (San Antonio, TX)
  • July 10, 2017 (Annapolis Junction, MD)
  • August 14, 2017 (Colorado Springs, CO)
  • September 25, 2017 (San Antonio, TX)

root9B has developed a new cyber defense approach focused on Active Adversary Pursuit, or ‘HUNT’. This three-phased course is designed to give cybersecurity practitioners a fundamental understanding of how to perform cyber hunting on the systems in their network. We teach students how to collect relevant data, apply proven analytical processes, and use the conclusions to identify the systems an adversary would target. We then demonstrate how to query these systems and find malicious code and evidence of adversary actions, allowing students to see how an organized cyber threat is moving through their network.

Divided into three one-week courses, the Hunt Certification Course begins by establishing a basic understanding of Active Adversary Pursuit and then overlays successive levels of technical and operational tradecraft.

Level 1 – Focus on HUNT operations and Windows end-point data collection and analysis.

Level 2 – Focus on HUNT operations and Linux end-point data collection and analysis.

Level 3 – Completes HUNT operations to include network data collection and analysis.

Each course is taught by personnel who have spent much of their professional lives working with and leading organizations tasked with conducting cyber operations for U.S. Intelligence Agencies and Military units.

ROOT9B HUNT CERTIFICATION COURSE – WINDOWS

LEVEL 1 - HUNT OPERATIONS AND WINDOWS END POINT DATA COLLECTION & ANALYSIS

The first of three courses in root9B’s HUNT Certification program is designed to train cybersecurity professionals to actively defend critical Windows systems. The course exposes students to a “Think like the Adversary” mindset in order to actively detect sophisticated and tailored adversary attacks. This course establishes the foundation upon which the certification is based, preparing cybersecurity professionals to ‘HUNT’ for evidence of adversary presence within their network that automated enterprise security devices and software had not previously detected.

Rather than just reacting to network attacks, students will learn methods to remotely interrogate systems and analyze data to proactively identify systems targeted by an adversary. Students will practice identifying malicious code, evidence of adversary presence, and lateral movement within a network. Throughout the program, instructors will share their experience in cybersecurity, operations, and tool development, giving students an appreciation of the challenges they face in countering the cyber adversary.

The Level 1 HUNT course starts with a discussion on the concepts of real-time detection and identification of adversary attacks. Students will be exposed to advanced Windows operating system concepts, with an emphasis on adversary file manipulation and persistence techniques used to bypass cybersecurity systems and infrastructure. 

Follow-on certification courses in root9B’s HUNT series will focus on Linux- and Network Device-based Active Adversary Pursuit methodologies and operations.

INTENDED AUDIENCE

This class is intended for individuals with intermediate to advanced knowledge of information systems and systems security. Some experience with command line tools is desired but not mandatory.

COURSE MATERIALS

  • Lecture slides in PDF
  • Exercise materials (files, VMs, etc.)

STUDENT REQUIREMENTS

  • Students are required to bring their own properly configured laptops and to test their systems prior to class.
  • Students will need a laptop with Windows 7 or newer installed as the host operating system. The recommended configuration is Windows 7+ (preferably 64-bit) as the host operating system with at least 6 GB of RAM, 100 GB of free hard-drive space, an Ethernet port, and the ability to install or configure software.
  • Students are required to preconfigure their machines with VirtualBox (or VMware) and install Kali Linux as a virtual environment. Students may instead use a Mac or Linux system with a different virtual machine product running both Windows and Kali Linux as virtual machines. Detailed laptop configuration requirements:
    • Confirm that Windows 7+ is installed and working.
    • Download and install VirtualBox from https://www.virtualbox.org/wiki/Downloads
    • Download Kali Linux from https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-do...
    • Confirm that your system can start up Kali Linux and run a program.
    • Obtain administrator access to the operating system and to all security software installed. Configuration changes to personal firewalls and other host-based software are required for the exercises to perform properly.
    • Anti-virus software will need to be disabled to install some of the tools.

WINDOWS CERTIFICATION COURSE OUTLINE

MODULE 1 - INTRODUCTION TO HUNT [WINDOWS]

  • Definition of Hunt
  • Hunt vs IR vs Forensics
  • Hunt Platform
  • Hunt Methodologies
    • System Baseline
    • Collect
    • Normalize
    • Visualize
    • Analyze
    • Report
    • Reassess
  • Hunt Team Composition

MODULE 2 - UNDERSTANDING THE ADVERSARY

  • Motivators
  • Case Studies
  • Attribution and Analysis Models
  • Indicators of Compromise (IOC)

MODULE 3 - HUNT METHODOLOGIES

  • HUNT TTPs
  • System Baselining
    • Holistic Approach (Users, Systems, usage, etc.)
    • Network Enumeration
    • Passive Network Enumeration
    • Active Network Enumeration

MODULE 4 - DATA COLLECTION

  • Passive vs Active
  • Data Sets
    • Alerts
    • Raw Data
    • Metadata
  • Data Sources
    • Documentation & Diagrams
    • Host Data
      • Windows Architecture – Kernel Subsystems
      • Requirements
        • Windows Authentication Mechanisms
        • Windows Remote Access and Remote Process Execution
      • Windows Remote System Collection Techniques
      • Remote System Interrogation
        • Boot Process and BootKits
        • File Obfuscation
        • Windows Features and Dual Use Technology
        • Registry/DLL/Driver Persistence Techniques
        • Windows Process Management
        • Windows Memory Management
        • System Service Dispatch Tables
    • Network Data
      • Network Connections
      • DNS
      • ARP

MODULE 5 - DATA NORMALIZATION

  • Preparing for SIEM database ingestion

MODULE 6 - DATA VISUALIZATION

  • Data Visualization
    • Multi-node data
    • SIEM data representations

MODULE 7 - DATA ANALYSIS

  • Tactical Differential Analysis
    • Host Data
      • Boot Process and BootKits
      • File Obfuscation
      • Windows Features and Dual Use Technology
      • Registry/DLL/Driver Persistence Techniques
      • Windows Process Management
      • Windows Memory Management
      • System Service Dispatch Tables
    • Network Data
      • Network Connections
      • DNS
      • ARP

MODULE 8 - REPORTING

  • Alerting
  • After Action Report

MODULE 9 - INTEGRATING THREAT INTELLIGENCE

  • Driving Hunt Operations
    • Tipping & cueing
  • Intelligence Sharing
    • Indicators of Compromise (IOC)
      • STIX/TAXII/CybOX
      • MAEC
      • YARA

MODULE 10 - HUNT CULMINATION EXERCISE

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

  • April 18, 2017 (Honolulu, HI)
  • May 16, 2017 (Annapolis Junction, MD)
  • June 13, 2017 (Colorado Springs, CO)
  • August 29, 2017 (San Antonio, TX)
  • November 7, 2017 (Honolulu, HI)

Threat Intelligence (TI) provides crucial defense posturing for proactive defense against malicious actors. Applied to reactive incident response protocols, the intelligence process also offers valuable insight and context into the likely threat vector, the stage of the attack plan, and the motive of a cyber adversary. This threat insight and attack context greatly reduces the time it takes to respond to an event.

COURSE OVERVIEW

Through scenario-based instruction, this course uses the intelligence cycle (Planning, Collection, Analysis, and Dissemination) to guide students through the process of discovering an event and the subsequent investigation of an incident. Students will use intelligence to reorient their strategic response plan, leveraging tailored response and recovery to greatly reduce reaction times. Students will learn to apply intelligence collection and analytic methodologies to both internal forensic investigation and external threat intelligence by coupling the hands-on application of threat intelligence collection and analysis with digital forensic doctrines and techniques.

MODULES IN THIS COURSE

Foreword: Scenario introduction

Lesson 1: Introduction to Intelligence & Incident Response

Lesson 2: Planning and Directing DFIR

Lesson 3: Generating DFIR Requirements

Lesson 4: Intelligence Collection & DFIR Operations

Lesson 5: Evidence and Information Processing and Exploitation

Lesson 6: DFIR Analysis and Reporting

Lesson 7: Case Wrap-up & Exercise

TARGET AUDIENCE

Students who are likely to conduct incident response through the use of digital forensics and the application of intelligence to guide ongoing operations.

PREREQUISITES

Students should bring a laptop and possess a basic comprehension of digital forensics.

COURSE LENGTH

24 hours of course work ideally delivered over 3 days. 

TESTING/CERTIFICATION

Course includes a certificate of attendance.

COURSE STRUCTURE/CONTENT OUTLINE

FOREWORD: SCENARIO INTRODUCTION

Students are introduced to a scenario that plays out throughout the course content.

LESSON 1 INTRODUCTION TO INTELLIGENCE & INCIDENT RESPONSE

1.1 What is Incident Response?

1.1.1 Incident Response Life Cycle and Protocols

1.1.2 Preparation, Detection & Analysis, Containment Eradication & Recovery, Post-Incident Actions

1.1.3 Integrating Forensics into Incident Response

1.2 What is Cyber Threat Intelligence?

1.2.1 Intelligence vs. Information vs. Evidence

1.2.2 Reducing Uncertainty 

1.2.3 Proactive vs. Reactive

1.2.4 Introduction to the Intelligence Cycle

1.2.5 All-Source Intelligence-Led Operations

LESSON 2 PLANNING AND DIRECTING DFIR

2.1 Strategic Planning

2.2 Operational Planning

2.3 Tactical/Technical Planning

LESSON 3 GENERATING DFIR REQUIREMENTS

3.1 Generating Requirements

3.1.1 Where requirements come from

3.1.2 Requirements Examples

3.2 Requirements for Digital Forensics Incident Response Operations 

LESSON 4 INTELLIGENCE COLLECTION & DFIR OPERATIONS

4.1 Collections Management (Tasking) & Planning

4.1.1 Developing a Collections Plan & Collection Platform

4.1.2 Single-Source Intelligence Assets

4.1.3 Intelligence-Led Operations

4.1.3.1 Threat Intelligence

4.1.3.2 Digital Forensics

4.1.4 Scenario Application

LESSON 5 EVIDENCE AND INFORMATION PROCESSING AND EXPLOITATION

5.1 Source-Specific Exploitation and Processing

5.1.1 Malware Analysis

5.1.2 Log/Data Analysis

5.1.3 Hunting (F3EAD)

5.1.4 Forensic Discovery and Exploitation

5.1.5 Scenario Application

LESSON 6 DFIR ANALYSIS AND REPORTING

6.1 Structured Analytic Techniques

6.1.1 Threat Modeling

6.1.2 Scenario Application: Attribution

6.2 Reporting Overview

6.2.1 Report Types: Strategic, Operational, Tactical

6.2.1.1 Tactical reporting to provide technical guidance 

LESSON 7 CASE WRAP-UP & EXERCISE

7.1 Case Re-examination Exercise

7.2 Satisfied Requirements

7.3 Post-Incident Report

  • May 15, 2017 (Annapolis Junction, MD)
  • June 5, 2017 (Honolulu, HI)
  • June 19, 2017 (San Antonio, TX)
  • July 24, 2017 (San Antonio, TX)
  • July 31, 2017 (Augusta, GA)
  • October 2, 2017 (Honolulu, HI)
  • October 16, 2017 (San Antonio, TX)

root9B’s Adversary Tactics and Techniques course is an intense 5-week hands-on course that teaches students the methodology and technical details of how attackers recon, gain access to, pivot within, and remain hidden inside a target network, and what artifacts their actions may leave behind. Whether they are on a path to become pen-testers, red team members, or cyber hunters, the Adversary Tactics and Techniques course prepares students to excel by establishing a firm foundation in operational cyber exploitation methodologies. Future pen-testers will know how to infiltrate networks, and cyber defense analysts and operators will be better equipped to identify the tell-tale signs of an intrusion in progress. The course takes students with a basic understanding of computers and computer networks to a level where they are capable of executing fundamental exploitation operations in Windows and Linux environments.

The course begins by establishing a firm foundation on the Windows and Linux operating systems and how those systems communicate on networks, and finishes with using offensive tools, tactics, and procedures on those operating systems, with an emphasis on protecting assets and acquired accesses. Students will learn the technical details of how fundamental exploit techniques are executed and why they work. Modules covering topics from packet analysis to pivoting and tunneling are done in a way that emphasizes a capability independent mindset.

The course is taught by leading professionals in the cyber security field. All instructors have either had previous experience conducting cyber operations within the Intelligence Community, or have been pen-testers or red team members within the military or government. This experience is leveraged to enhance training and best prepare students to execute their organization’s mission no matter what cyber terrain they operate in.

The course focuses on five major topics: Windows, Linux, Networking, Tactical Forensics, and Adversary Methodologies & Exploitation Techniques. Every course module is taught through the use of numerous hands-on exercises designed to reinforce the practical application and employment of the most fundamental techniques used by sophisticated cyber organizations. Students learn by following along with the instructor and completing complex exercises designed to force students to think outside of the box and act within a dynamic environment. As students learn the concepts, they are simultaneously challenged to develop and apply their critical thinking skills to produce innovative solutions to complex problems. Additionally, students are taught advanced techniques and procedures to hide their tracks and remain hidden. Students will develop and demonstrate their skills throughout the course by achieving cyber objectives in live virtual environments. 

The final week of the course includes several days of extensive exercises that require students to gradually combine everything learned in the previous modules, culminating in a final scenario that simulates a full-scale cyber operation. Students leave the ATT course with a thorough understanding of the exploitation process and the technical knowledge to perform a full range of fundamental cyber operations on target networks.

INTENDED AUDIENCE

Cyber professionals with existing system administration, networking and/or cyber security backgrounds who are preparing to enter positions or advanced training in the fields of penetration testing, red teaming, or cyber hunting operations. 

COURSE MATERIALS

  • Lecture slides in PDF
  • Exercise materials (files, VMs, etc.)

PREREQUISITES

  • Basic operating system fundamentals and an understanding of related components such as memory, CPU, storage devices, and I/O devices.
  • Basic Linux command line knowledge such as filesystem navigation and creating and modifying files.
  • Basic Windows command line knowledge such as filesystem navigation and creating and modifying files.
  • Basic understanding of networking devices such as switches and routers, and of protocols within the OSI model.
  • Cyber security fundamentals, including exploitation concepts and terminology.

COURSE SCHEDULE

Module 1 – Adversary Tactics & Techniques – Linux Fundamentals

Module 2 – Adversary Tactics & Techniques – Network & Network Devices

Module 3 – Adversary Tactics & Techniques – Windows Fundamentals

Module 4 – Adversary Tactics & Techniques – Tactical Forensics / Live Memory Analysis / Reverse Engineering

Module 5 – Adversary Tactics & Techniques – Tradecraft & Exploitation Techniques / Culmination Exercise

ADVERSARY TACTICS & TECHNIQUES COURSE OUTLINE

1. MODULE 1 - ADVERSARY TACTICS & TECHNIQUES - LINUX FUNDAMENTALS (DAYS 1-6)

1.1. Introduction to the Linux Operating System – This topic covers the history of the Linux operating system, its uses, and the different distributions available, with a focus on Red Hat Enterprise Linux (CentOS).

1.2. Command Line Interface and Bash Scripting – Fundamental command line usage to properly navigate and survey a Linux OS environment, and an introduction to Bash scripting.

1.3. Linux Daemons and File Systems – Students learn of the different daemons typically found on a Linux system, how they gain execution, and their functions. We will also cover a detailed overview of the Linux file system structure concentrating on system files, directories, and permissions.

1.4. Linux Boot Process – Detailed overview of the Linux operating system’s boot process, taking students from the power-on self-test to a command prompt.

1.5. Linux Run Levels – Detailed explanation of Linux run levels, their configurations, default settings, and uses.

1.6. Linux Forensics – This module covers the many different files, directories, logs, and other artifacts that may contain evidence of an attacker’s activity.

1.7. Linux Log Files and Log Cleaning – An overview of the common logs and logging locations on a Linux operating system with an introduction into methods, tools, and tradecraft behind cleaning log files on a Linux operating system.

1.8. Remote Logging – Overview of the different types of remote logging, the protocols most commonly used, and the methods to capture those logs.

1.9. Linux Authentication Methods – A look into how Linux systems validate a user’s credentials and the different methods used to harvest those credentials.

1.10. Linux Exploitation Techniques and System Surveying – Students will fuse everything they have learned to properly triage and survey a host system to determine safety of tools, techniques, and operations. Students learn the art of exploitation in this module focusing on blending in with the environment and cleaning up their tracks. This topic is focused on getting students to think like an operator, protecting their toolset, treading lightly, unnoticed, and only executing commands that are necessary and utilizing the least intrusive means.

1.11. Python Introduction – Familiarizes students with basic Python usage. Students will understand how to interpret, write, and debug Python scripts. Students will build upon this section later by using Python as a powerful tool to streamline and automate various activities.

1.12. Module 1 Assessment – Students will be assessed on their understanding of the Module 1 training objectives.

2. MODULE 2 - ADVERSARY TACTICS & TECHNIQUES - NETWORKING & NETWORK DEVICES (DAYS 7-10) 

2.1. Network Fundamentals – Overview of the networking fundamentals, TCP/IP stack, and relevant protocols utilized in an Ethernet network.

2.2. Network Devices – Overview of common network devices, their functions, and how those devices affect an attacker’s view of the network.

2.3. Protocol Encapsulation – This lesson covers an in-depth overview of protocol encapsulation and how to manipulate encapsulation to avoid detection and bypass security measures.

2.4. Packet Capture and Analysis – Detailed overview of the tools and filters available to capture network traffic and methods used to analyze the captured data.

2.5. Packet Crafting and Protocol Manipulation – Using Python with Scapy to generate tailored network traffic to meet a specific need such as fuzzing, covert command & control, and network enumeration.

2.6. Python Scripting to Conduct Network Fingerprinting – Students will create a Python scanning utility to conduct a network scan of the environment, including OS fingerprinting and port identification.

2.7. Tunneling with SSH – Application of forward and reverse tunneling utilizing the SSH protocol.

2.8. Multi-Hop Tunneling – Tunneling through multiple hosts of different operating systems utilizing different utilities to enable tunneling through multiple networks. 

2.9. Module 2 Assessment – Students will be assessed on their understanding of the Module 2 training objectives.

3. MODULE 3 - ADVERSARY TACTICS & TECHNIQUES - WINDOWS FUNDAMENTALS (DAYS 11-15)

3.1. Introduction to the Windows Operating System – This module covers a detailed overview of the many different versions of Windows, their features, and system-specific processes.

3.2. Command Line Interface and Windows Batch Scripting – Fundamental knowledge of command line usage to properly navigate and survey a Windows OS environment. Introduction to batch scripting.

3.3. Windows Drivers and Services – Students learn the different uses of drivers and services on a Windows operating system and how they gain execution. Students also learn about the different security mechanisms put in place to restrict driver execution.

3.4. Windows File Systems and Registry – An overview of the Windows OS file structure, focusing on file system types, directories of interest, and permissions. Detailed explanation of Windows registry organization, purpose, and implementation in the Windows operating system.

3.5. Windows Boot Process – This topic covers the Windows boot process detailing the process taken in order to get the operating system up and running.

3.6. Windows Forensics – This lesson covers the many different files, directories, registry keys, logs, and other artifacts that may contain evidence of an attacker’s activity.

3.7. Windows Logging and Log Cleaning – Students will learn about the different types of event logs, the information contained within those log entries, and the methods available to clean those logs. Students will also learn how to extract information from logs to further their exploitation goals. This topic also covers the different types of logging that may occur on a Windows operating system outside the scope of Windows event logs. Students learn how to identify the logs of interest and clean them as well.

3.8. Windows Users and Groups – An overview of the different types of users and groups found on a Windows operating system, including their default roles and privileges.

3.9. Active Directory and Kerberos – In depth look into Active Directory use, structure, and different means of interacting with Active Directory. This module will also cover Kerberos authentication.

3.10. Server Message Block (SMB) and NetBIOS – Detailed instruction introducing students to the different versions of SMB, protocol-specific session setup, the authentication process, and the information contained within.

3.11. Windows Management Instrumentation Command-Line (WMIC) – This topic highlights the many different uses of the Windows Management Instrumentation and teaches students how to utilize WMIC to extract information from a target machine.

3.12. PowerShell Scripting – This module consists of writing PowerShell scripts and utilizing PowerShell to do almost anything on a Windows operating system. Students will learn how to gain information about processes, inject code directly into memory, extract memory from a running process, and much more – all without ever laying a binary onto disk.

3.13. Windows Exploitation Techniques and System Surveying – Students will fuse everything they have learned to properly triage and survey a host system to determine safety of tools, techniques, and operations. Students learn the art of exploitation in this module focusing on blending in with the environment and cleaning up their tracks. This topic is focused on getting students to think like an operator, protecting their toolset, treading lightly, unnoticed, and only executing commands that are necessary and utilizing the least intrusive means.

3.14. Module 3 Assessment – Students will be assessed on their understanding of the Module 3 training objectives.

4. MODULE 4 - ADVERSARY TACTICS & TECHNIQUES - TACTICAL FORENSICS/LIVE MEMORY ANALYSIS/REVERSE ENGINEERING (DAYS 16-19)

4.1. Open Source Forensic Software – An overview of several open source forensics software tools: The Sleuth Kit, Volatility, Mandiant Redline, F-Response, EnCase, KnTDD, and others.

4.2. Data Acquisition – Detailed introduction to acquisition techniques, including physical and remote-access data acquisition methods and data size considerations.

4.3. File System Forensics Analysis – This lesson covers forensic analysis techniques on file systems in a tactical environment. Students will learn basic concepts and theory on volume and file system data storage. This topic is focused on getting students to understand how a computer system stores data and teaches the principles an adversary will use to hide malicious software from forensic analysis.

4.4. Timeline Analysis – Students will learn how to create data sets to perform timeline analysis of systems. Timeline analysis increases situational awareness by showing when processes were started and when data was created, deleted, or modified. Understanding systems at this level is critical for an adversary in order to stay undetected in their target environment.

4.5. Reverse Engineering – This module takes students through concepts and techniques to deeply inspect software and determine whether it is malicious. Students will be introduced to software that allows for program deconstruction, the fundamentals of program execution, and the techniques used by malware to prevent its detection by anti-virus and security software.

4.6. Live Memory Forensics – Rootkits and back doors are successful in hiding from security software because they take advantage of the fact that most security software does not look for malware in system memory. This module teaches students how to successfully collect, analyze, and discover malicious software that has bypassed security software and is giving adversary cyber organizations a vector into the network. Students will learn the advanced concepts of rootkit memory-hijacking techniques and how they can be discovered with the proper technique and tradecraft.

4.7. Module 4 Assessment – Students will be assessed on their understanding of the Module 4 training objectives.

5. MODULE 5 - ADVERSARY TACTICS & TECHNIQUES - TRADECRAFT AND EXPLOITATION (DAYS 20-25)

5.1. Exploitation Methodology – This lesson takes students through the exploitation methodology, providing them with the framework to understand adversary targets.

5.2. Metasploit Framework Introduction – Metasploit is the most widely used exploitation framework in use today, and is used in this class as a mechanism to quickly build familiarity with functional exploit methodologies. This lesson is focused on getting students accustomed to the different tools, syntax, and modules available for use within Metasploit.

5.3. Understanding and Extending the Metasploit Framework – Students will learn the architecture of the Metasploit Framework and understand how to incorporate custom modules to enhance its functionality.

5.4. Scanning and Enumeration Techniques – There are many different tools available for scanning and enumerating targets. Students will learn a wide range of tools and techniques for scanning and enumerating a target system while being the least intrusive and causing minimal network traffic decreasing their chance of detection.

5.5. Exploitation Fundamentals – This topic is designed to teach students the fundamentals behind exploit code by having students write their own buffer overflow. Students will debug a process, create an exploit, create shellcode, and gain access to a target utilizing the exploit they created. They will use Python to fuzz an application, create an overflow, and then generate an exploit that can be imported into Kali Linux.

5.6. Exploitation Payloads and Shells – Covers the initial stages during a remote exploit to include types of payloads, payload generation or acquisition, and delivery. Students learn the difference and benefit to multi-stage and single-stage payloads, bind shells and reverse shells as well as understanding when to use which type of payload.

5.7. Exploitation and Tunneling Theory – Students will learn of the theory behind exploiting through tunnels. This module will teach students how to properly create a payload that will behave as intended while traversing through their managed tunnels.

5.8. Exploitation through Tunneling – During this part of the course students will actively create tunnels and deploy exploits through them, gaining access deep within target networks.

5.9. Unknown Process/Binary Triaging and Analysis – This module will teach students how to methodically prosecute an unknown process and determine with a high level of confidence the capabilities, related files, and network connections of that running process.

5.10. Culmination Exercise – The culmination exercise helps reinforce all the training objectives and techniques the students have been exposed to through a mission-driven real-world scenario within a controlled cyber range. The students will be expected to conduct open-source research, target analysis, covert infrastructure acquisition through exploitation, and target infiltration and exploitation through various modern techniques. From that point, students will need to survey and enumerate the target network, identify critical infrastructure and laterally move toward the valuable information. Students will need to overcome malware, logging, firewall restrictions, administrator’s actions due to IDS/IPS alerts, and much more. This exercise is used to solidify a student’s tradecraft and enhance their thought process as they move through hosts and networks.

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

March 27, 2017 (San Antonio, TX)
April 24, 2017 (Colorado Springs, CO)
April 24, 2017 (Honolulu, HI)
June 5, 2017 (Colorado Springs, CO)
June 5, 2017 (Boise, ID)
June 19, 2017 (Annapolis Junction, MD)
September 11, 2017 (Boise, ID)
August 7, 2017 (San Antonio, TX)
September 25, 2017 (Honolulu, HI)
October 9, 2017 (Annapolis Junction, MD)
October 23, 2017 (Colorado Springs, CO)

This 5-day Instructor-Led Training (ILT) course teaches network defenders to collect, analyze and apply targeted cyber intelligence to defensive operations so that they can proactively act on, and adapt to, sophisticated and dedicated attacks by cyber adversaries. As malicious software adopts more advanced counter-detection techniques, the limited signature and heuristic analysis capabilities of anti-virus software and Intrusion Detection and Prevention Systems (IDS/IPS) become less and less effective. Whitelisting and sandboxing technologies have proven to mitigate many host-based attacks, but additional methods of analysis and attribution of known and unknown APT actors are needed to positively identify and prioritize the most formidable threats to the network. This course applies the Intelligence Cycle to the full spectrum of proactive network defense. It is intended as the core competency of Threat Intelligence operations and as the precursor to additional technical intelligence collection courses, and it gives students an all-source methodology for employing cyber collection sources and disciplines in a cumulative effort to inform network defensive postures. Properly employed, this process fosters a cyber environment of preemptive action and gives network defenders and operators an understanding of the tactics, techniques and procedures (TTPs) needed to generate the timely and relevant intelligence required to apply network fortifications before compromise and to respond to cyber events expeditiously.

COURSE OVERVIEW

Students will learn how to apply all-source, cyber intelligence-informed operational methodologies, including proactive cyber analysis, to accurately identify risks from specific threats. This is delivered through method-driven instruction in Intelligence Analysis techniques taught by experienced Intelligence Community (IC) professionals. The instructors will teach the intelligence-driven operations cycle – data collection, exploitation, analysis, reporting and dissemination – to develop the student's methods of identifying threats and assessing and prioritizing risk. Students will be introduced to cyber intelligence sourcing, risk management and assessment, indicators of compromise, and the application and assessment of adversary profiles and TTPs to proactively defend networks.

The principal objective of this course is to equip network defenders, intelligence analysts, and other security operations personnel with a modern methodology for characterizing, investigating, attributing, and responding to advanced cyber threats in a collaborative, real-time environment. Students should expect to leave this course with proficiency in intelligence-driven network defense operations.

MODULES IN THIS COURSE:

Module 1 – The Art of Intelligence

Module 2 – Understanding Cyber Threat Intelligence

Module 3 – Cyber Threat Intelligence Collection & Operations

Module 4 – Cyber Threat Intelligence Exploitation & Analysis

Module 5 – Cyber Threat Intelligence Reporting & Dissemination

Module 6 – Cyber Threat Intelligence Culmination Exercise

TARGET AUDIENCE

Individuals tasked with network defense, internal risk assessment, or the analysis of cyber threats to their organization's network.

PREREQUISITES

There are no required prerequisites for course attendance, but students will benefit from a working knowledge of networking and network defenses.

COURSE LENGTH

40 hours of course work, ideally delivered over 5 consecutive business days.

TESTING/CERTIFICATION

Course includes a certificate of attendance.

COURSE STRUCTURE/CONTENT OUTLINE

Module 1: The Art of Intelligence

  • LESSON 1-1: What is Intelligence?
    • Intelligence vs. Information
    • The Intelligence Cycle: Refining Intelligence from Information
    • Reducing Uncertainty
  • LESSON 1-2: Bias and Cognition
    • Types of Cognitive Bias
    • Logical Fallacies
    • Cognition: Thinking About Thinking
    • Analysis of Competing Hypotheses

Module 2: Understanding Cyber Threat Intelligence

  • LESSON 2-1: Cyber Threat Intelligence, the Adversaries and their TTPs
    • Why Cyber Threat Intelligence?
    • Contextual Cyber Threat Intelligence
    • Know Thy Enemy: The Importance of Attribution
    • Hacking Methodology, Attack Vectors & Attack Cycle
  • LESSON 2-2: Implementing Threat Intelligence For Proactive Network Defense
    • The Reticle
    • Threat Intelligence Informed Risk Management
    • Reducing Risk and Outsmarting the Adversary with OODA
    • Infinite Proactive Defense Loop
    • Acting Upon Intelligence

Module 3: Cyber Threat Intelligence Collection & Operations

  • LESSON 3-1: Cyber Intelligence Collection Disciplines
    • Open Source Intelligence: “OSINT”
    • Data Analysis: “Data-Int”
    • Malware Analysis: “Mal-Int”
    • Cyber Intelligence: “CybInt”
    • Additional Intelligence Sources 

Module 4: Cyber Threat Intelligence Exploitation & Analysis

  • LESSON 4-1: Exploitation and Processing Exploitative TTPs
    • Indicators of Compromise 
    • Knowledgebases and Data Feeds
  • LESSON 4-2: The Fusing of Disciplines: Analyzing the Threat
    • All-Source Aggregation
    • Validation and Triage
    • Threat Profiles: Preparing to Report

Module 5: Cyber Threat Intelligence Reporting & Dissemination

  • LESSON 5-1: Anatomy of a Report: The Nature of Intelligence Reporting
    • Reporting for Appropriate Dissemination
    • Types of Cyber Threat Intelligence Reports
    • Reporting Exercise

Module 6: Cyber Threat Intelligence Culmination Exercise

  • LESSON 6-1: Completing the Cycle
    • Post-Compromise Incident Response Guidance Report Exercise

May 15, 2017 (Honolulu, HI)
May 22, 2017 (San Antonio, TX)
July 24, 2017 (Annapolis Junction, MD)
August 28, 2017 (Colorado Springs, CO)
October 9, 2017 (San Antonio, TX)

The third course in the HUNT Certification series is designed to train cybersecurity professionals to actively defend critical network infrastructure. This 5-day advanced course exposes students to a “Think Like the Adversary” mindset in order to actively pursue and detect adversary activity targeting network-based systems and infrastructure. Combined with the other two phases, this course completes root9B's Certification series and prepares cybersecurity professionals to ‘HUNT’ for evidence of adversary presence within their network systems and infrastructure that goes undetected by automated security devices and software. 

Level 3 of the HUNT certification series starts with a discussion of remote identification of routers and firewalls in the network and develops a plan for systematic remote interrogation, analytics, and adversary pursuit. The goal of the course is to teach the methodologies for conducting remote interactive HUNT operations to determine whether a breach has occurred and to define appropriate mechanisms for analysis and mitigation.

Students will learn to manually carve firmware using reverse engineering techniques to extract and analyze images. The course focuses on replicating the adversary's ability to cross-compile, emulate firmware, and build custom firmware images. Students will be trained to spot backdoors, vulnerable code, and design mistakes that reveal adversary attempts to circumvent network security products. Various open source and custom-developed remote interrogation techniques will be used to analyze different networking devices. Students will be presented with real-world situations and leave with the ability to perform HUNT (Active Adversary Pursuit) operations on networking devices in a corporate network.

Levels 1 and 2 of the HUNT certification series focus on Windows- and Linux-based Active Adversary Pursuit methodologies and operations. 

INTENDED AUDIENCE

This class is intended for individuals with intermediate knowledge of information systems and systems security. Some experience with command line tools is desired but not mandatory.

COURSE MATERIALS

  • Lecture slides in PDF 
  • Exercise materials (files, VMs, etc)

STUDENT REQUIREMENTS

Students are required to bring their own properly configured laptops. The class does not have time allotted for proper configuration. Students are also required to test their systems prior to coming to class. 

Students will require a laptop with any host operating system that will run VirtualBox. The recommended configuration is Windows 7+ (preferably 64-bit) as the host operating system with at least 8GB of RAM (16GB preferred), 100 GB free hard-drive space available, Ethernet port, and ability to install or configure software. 

Students are required to preconfigure their machines with VirtualBox (or VMware) and install Kali Linux as a virtual environment. Students can use a Mac or Linux system with a different virtual machine product running both Debian or Ubuntu and Kali Linux on virtual machines, but the specific details for setting it up are left to the student. In addition, the host machine and Kali Linux virtual environment will require:

COURSE OUTLINE

DAY 1: HUNT OPERATIONS

  • HUNT “Big Picture” & Attack Surface Baseline Approach
  • Data collection
    • IDS
    • Proxy
    • Auditing & Logging
    • Remote System Interrogation
  • Incident Response vs. HUNT
  • Forensics vs. HUNT
  • One vs. Many
  • Team Composition 

DAY 2: HUNT METHODOLOGIES

  • Platform / Tools
  • Collect
  • Normalize
  • Visualize
  • Analyze
  • Alert

DAY 3: NETWORK CHARACTERIZATION

  • Understanding normal data and indicators within network traffic
  • Ability to identify anomalies within network traffic
  • Analyzing user behavior and statistics

DAY 4: IDENTIFYING INDICATORS OF COMPROMISE (IOCS)

  • Kill Chain
  • Anomalies
  • Logging (alerts)
  • ARP / Layer 2 relationships
  • Layer 3 relationships
  • Device configurations
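
One way to turn the ARP / Layer 2 bullet above into a check, as an added example that is not root9B course code: collect `ip neigh` output from several hosts, build the IP-to-MAC and MAC-to-IP relationships, and compare the gateway's observed MAC against the value taken from its device configuration. The snapshots, host names and known-gateway table below are constructed so the check runs offline; the ceiling of three addresses per MAC is an assumed tuning knob, not a fixed rule.

```python
"""Added example: Layer 2 relationship checks over collected ARP caches.

Not root9B course code. Input is `ip neigh` output gathered from several
hosts (the snapshots below are constructed). Three findings are raised:
an IP that resolves to more than one MAC, a gateway whose MAC differs
from the known-good value out of device configuration, and one MAC that
claims an implausible number of addresses.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# `ip neigh` line: "10.0.5.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<state>\S+)\s*$")

Anomaly = Tuple[str, str, str]  # (kind, subject, detail)


def parse_ip_neigh(text: str) -> List[Tuple[str, str, str, str]]:
    """(ip, mac, dev, state) for every resolved entry.

    FAILED/INCOMPLETE lines carry no lladdr and are dropped. MACs are
    lower-cased so one adapter is never counted twice because of case.
    """
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append((m["ip"], m["mac"].lower(), m["dev"], m["state"]))
    return out


def find_l2_anomalies(snapshots: Dict[str, str], known_gateways: Dict[str, str],
                      max_ips_per_mac: int = 3) -> List[Anomaly]:
    """Fuse the caches of every observer host and flag the relationships
    that should not exist on a healthy segment."""
    ip_to_macs = defaultdict(lambda: defaultdict(set))  # ip -> mac -> observers
    mac_to_ips = defaultdict(set)                       # mac -> ips it answers for
    anomalies: List[Anomaly] = []
    for observer, text in snapshots.items():
        for ip, mac, _dev, _state in parse_ip_neigh(text):
            ip_to_macs[ip][mac].add(observer)
            mac_to_ips[mac].add(ip)
            expected = known_gateways.get(ip)
            if expected and expected.lower() != mac:
                anomalies.append(("gateway_mismatch", ip,
                                  f"{observer} sees {mac}, configuration says {expected.lower()}"))
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:  # two adapters answering for one IP: spoofing or a flapping host
            seen = "; ".join(f"{mac} via {','.join(sorted(obs))}" for mac, obs in sorted(macs.items()))
            anomalies.append(("ip_multi_mac", ip, seen))
    for mac, ips in mac_to_ips.items():
        if len(ips) > max_ips_per_mac:  # one adapter claiming many IPs: MitM or rogue proxy ARP
            anomalies.append(("mac_multi_ip", mac,
                              f"claims {len(ips)} addresses: {', '.join(sorted(ips))}"))
    return anomalies


# Constructed sample: web01's cache has been poisoned; db01 and app01 are clean.
SAMPLE_SNAPSHOTS = {
    "web01": """\
10.0.5.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.5.20 dev eth0 lladdr de:ad:be:ef:00:01 STALE
10.0.5.21 dev eth0 lladdr de:ad:be:ef:00:01 STALE
10.0.5.22 dev eth0 lladdr de:ad:be:ef:00:01 STALE
10.0.5.10 dev eth0 lladdr 52:54:00:aa:bb:10 REACHABLE
10.0.5.99 dev eth0 FAILED
""",
    "db01": """\
10.0.5.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.0.5.10 dev eth0 lladdr 52:54:00:aa:bb:10 STALE
10.0.5.11 dev eth0 lladdr 52:54:00:aa:bb:11 REACHABLE
""",
    "app01": """\
10.0.5.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.0.5.11 dev eth0 lladdr 52:54:00:AA:BB:11 DELAY
""",
}
# Constructed: the gateway MAC as recorded in the router's configuration.
KNOWN_GATEWAYS = {"10.0.5.1": "00:1a:2b:3c:4d:5e"}

if __name__ == "__main__":
    for kind, subject, detail in find_l2_anomalies(SAMPLE_SNAPSHOTS, KNOWN_GATEWAYS):
        print(f"{kind:17} {subject:20} {detail}")
```

Each observer's cache is only its own view of the segment, which is why the fusion across hosts matters: db01 and app01 alone look clean, and only the comparison against what web01 sees, and against the configured gateway MAC, exposes the poisoned entry and the adapter behind it.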

DAY 5: IOCS CONTINUED AND CAPSTONE

  • Network Packet Analysis
  • Passive hunt vs active hunt
  • Reporting
  • Capstone

May 8, 2017 (Honolulu, HI)
May 15, 2017 (San Antonio, TX)
July 17, 2017 (Annapolis Junction, MD)
August 21, 2017 (Colorado Springs, CO)
October 2, 2017 (San Antonio, TX)

The second course in the HUNT Certification program is designed to train cybersecurity professionals to actively defend critical Linux systems and infrastructure. This 5-day advanced course exposes students to a “Think Like the Adversary” mindset in order to actively pursue and detect adversary activity targeting Linux-based systems. Combined with the other two phases, this course prepares cybersecurity professionals to ‘HUNT’ for evidence of adversary presence within their Linux systems that automated enterprise security devices and software did not detect. 

Level 2 of the HUNT certification series starts with a discussion of real-time detection and identification of adversary attacks. The goal of the course is to teach the skills, knowledge, and methodologies the student needs to determine whether an adversary is evading automated security products and maintaining persistence in a Linux network environment. Other topics include remote host-based forensics, malware analysis, adversary deterrence, and system protection. 

Students will learn to detect and identify attacks, create mitigation techniques, and develop effective time-sensitive response plans. Students will be presented with real-world situations and leave with the ability to perform HUNT (Active Adversary Pursuit) operations on Linux machines in a corporate network.

Levels 1 and 3 of the HUNT certification series focus on Windows- and network-device-based Active Adversary Pursuit methodologies and operations. 

INTENDED AUDIENCE

This class is intended for individuals with intermediate knowledge of information systems and systems security. Some experience with command line tools is desired but not mandatory.

COURSE MATERIALS

  • Lecture slides in PDF 
  • Exercise materials (files, VMs, etc)

STUDENT REQUIREMENTS

Students are required to bring their own properly configured laptops. The class does not have time allotted for proper configuration. Students are also required to test their systems prior to coming to class. 

Students will require a laptop with any host operating system that will run VirtualBox. The recommended configuration is Windows 7+ (preferably 64-bit) as the host operating system with at least 8GB of RAM (16GB preferred), 100 GB free hard-drive space available, Ethernet port, and ability to install or configure software. 

Students are required to preconfigure their machines with VirtualBox (or VMware) and install Kali Linux as a virtual environment. Students can use a Mac or Linux system with a different virtual machine product running both Debian or Ubuntu and Kali Linux on virtual machines, but the specific details for setting it up are left to the student. In addition, the host machine and Kali Linux virtual environment will require:

COURSE OUTLINE

DAY 1 - INTRODUCTION TO HUNT

  • HUNT Operations
    • HUNT “Big Picture” & Attack Surface Baseline Approach
    • Data collection
      • End-Point Security Programs (Anti-Virus, IDS)
      • Remote System Interrogation
      • Enterprise Log Collection and Analysis
    • Incident Response vs. HUNT
    • Forensics vs. HUNT
    • One vs. Many
  • HUNT Team Composition
  • Linux HUNT Platform and Methodology
  • System configuration and environment setup

DAY 2 - ADVERSARY TACTICS, TECHNIQUES, AND PROCEDURES

  • Linux Architecture – Kernel
    • Adversary Tactics Techniques and Procedures
      • User and Kernel Space
      • Kernel Initialization and Boot Options
      • Process Management
      • Memory Management
      • System Call Table
      • Loadable Kernel Modules
      • Rootkits

DAY 3 - LINUX HUNT OPERATIONS

  • Passive Network Enumeration
    • Device Configuration Files
    • Passive Network Collection & Analysis 
    • Event Log Analysis and Correlation
  • Active Network Enumeration
    • Network Mapping
    • System OS Identification
    • Host List(s) Creation
  • Linux Authentication Mechanisms
    • Pluggable Authentication Modules (PAM)
    • Lightweight Directory Access Protocol (LDAP)
    • Common Internet File System (CIFS)
    • password and shadow files
    • SSH 

DAY 4 - LINUX HUNT

  • Baselining and Tactical Differential Analysis
  • Linux Remote System Collection Techniques
    • SSH
    • PSSH
  • Remote System Interrogation
    • Process Enumeration and Interrogation
      • Listing open files
  • Kernel Module Enumeration and Interrogation
  • Boot Sequence Interrogation
  • Host Networking Interrogation
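
An added example of the baselining and differential step above (not root9B course code): parse the text of `ps -eo user,comm --no-headers`, `lsmod` and `ss -ltn` as collected from each host over SSH or PSSH, diff one host against its own earlier baseline, then stack the same artifacts across the fleet so that an item present on a single box stands out even where no baseline exists. The snapshots and host names are constructed; the command output formats are the standard procps, kmod and iproute2 ones.

```python
"""Added example: baseline differential plus fleet-wide stacking.

Not root9B course code. Input is the text of `ps -eo user,comm
--no-headers`, `lsmod` and `ss -ltn` collected per host over SSH/PSSH;
the snapshots below are constructed so the analysis runs offline.
"""
from collections import defaultdict
from typing import Dict, Hashable, List, Set, Tuple

Snapshot = Dict[str, Set[Hashable]]


def parse_ps(text: str) -> Set[Tuple[str, str]]:
    """(user, command) pairs; repeated workers collapse into one entry."""
    out = set()
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0] != "USER":  # tolerate a header row
            out.add((parts[0], parts[1]))
    return out


def parse_lsmod(text: str) -> Set[str]:
    """Loaded module names: first column of lsmod, minus its header."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.startswith("Module")}


def parse_ss(text: str) -> Set[str]:
    """Listening local address:port pairs from `ss -ltn`."""
    out = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            out.add(cols[3])
    return out


PARSERS = {"ps": parse_ps, "lsmod": parse_lsmod, "ss": parse_ss}


def parse_snapshot(raw: Dict[str, str]) -> Snapshot:
    return {section: PARSERS[section](text) for section, text in raw.items()}


def diff_snapshot(baseline: Snapshot, current: Snapshot) -> Dict[str, Tuple[set, set]]:
    """Per section: (added since baseline, removed since baseline).

    Removed entries matter as much as added ones: a netfilter module that
    vanished or a service that stopped listening is also a hunt lead.
    """
    return {s: (current.get(s, set()) - baseline.get(s, set()),
                baseline.get(s, set()) - current.get(s, set()))
            for s in set(baseline) | set(current)}


def rare_across_fleet(fleet: Dict[str, Snapshot],
                      max_hosts: int = 1) -> List[Tuple[str, Hashable, List[str]]]:
    """Least-frequency stacking: items seen on at most `max_hosts` hosts.

    This is the 'one vs. many' view: with no baseline at all, an artifact
    that exists on one box in a pool of supposedly identical ones is the
    first thing to interrogate.
    """
    seen = defaultdict(set)
    for host, snap in fleet.items():
        for section, items in snap.items():
            for item in items:
                seen[(section, item)].add(host)
    return sorted(((s, i, sorted(h)) for (s, i), h in seen.items() if len(h) <= max_hosts),
                  key=lambda r: (r[0], str(r[1])))


# Constructed sample: web01 drifted from its baseline; web02/web03 did not.
BASELINE_WEB01 = {
    "ps": "root systemd\nroot sshd\nwww-data nginx\nwww-data nginx\n",
    "lsmod": "Module                  Size  Used by\n"
             "ext4                  704512  1\n"
             "xt_conntrack           16384  2\n",
    "ss": "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
          "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*\n"
          "LISTEN 0      511    0.0.0.0:80         0.0.0.0:*\n",
}
CURRENT_WEB01 = {
    "ps": BASELINE_WEB01["ps"] + "www-data nc\n",
    "lsmod": "Module                  Size  Used by\n"
             "ext4                  704512  1\n"
             "unknown_mod            16384  0\n",
    "ss": BASELINE_WEB01["ss"] + "LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*\n",
}

if __name__ == "__main__":
    for section, (added, removed) in diff_snapshot(parse_snapshot(BASELINE_WEB01),
                                                   parse_snapshot(CURRENT_WEB01)).items():
        print(section, "added:", added, "removed:", removed)
    fleet = {"web01": parse_snapshot(CURRENT_WEB01),
             "web02": parse_snapshot(BASELINE_WEB01),
             "web03": parse_snapshot(BASELINE_WEB01)}
    for row in rare_across_fleet(fleet):
        print("rare:", row)
```

Keying processes on (user, command) rather than PID is deliberate: PIDs change on every reboot and the differential would drown in noise, whereas a web server user suddenly running a tool it never ran before is exactly the kind of change the differential should surface. The same parsers feed both views, so a collector that already ships these three commands over PSSH needs nothing extra to support either analysis.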

DAY 5 - LINUX HUNT (CONTINUED)

  • Remote System Interrogation
    • Linux Memory Interrogation
      • Live memory analysis
  • Local Storage
  • Remote Transfer and Storage
  • Network Traffic Capture Analysis
    • Adversary Lateral Movement Detection
      • Traffic capture techniques and analytics
      • Abnormal traffic behavior

DAY 5 - CULMINATION EXERCISE AND CERTIFICATION EVALUATION

Advanced Cybersecurity Training

root9B employs Top Secret (TS) cleared instructors and subject matter experts in the field of advanced computer network operations.

Our training areas include:

  • Advanced Cyber Operations
  • HUNT Methodologies
  • Computer Network Exploitation for Defenders
  • Advanced Computer Network Exploitation for Defenders
  • Windows Fundamentals
  • Firewall Exploitation and Administration for Defenders
  • Linux Fundamentals
  • Computer Forensics In-depth
  • Malware Analysis
  • Network Defense Administration
  • Wireless Exploitation and Attack for Defenders
  • Mobile Device Exploitation and Forensics
  • Windows Network Administration
  • Industrial Control System Protection