
HUNT Certification - Linux


Course Description

HUNT OPERATIONS AND LINUX END-POINT DATA COLLECTION AND ANALYSIS

The second course in the HUNT Certification program trains cybersecurity professionals to actively defend critical Linux systems and infrastructure. This 5-day advanced course teaches students to "think like the adversary" in order to actively pursue and detect adversary activity targeting Linux-based systems. Combined with the other two levels, it prepares cybersecurity professionals for the root9B HUNT Certification, which focuses on hunting for evidence of adversary presence within Linux systems that automated enterprise security devices and software have not detected.

This level of the HUNT training program starts with discussions on the concepts of real-time detection and identification of adversary attacks. The goal of the course is to teach the skills, knowledge, and methodologies required for the student to determine whether an adversary is successfully evading automated security products and maintaining persistence in a Linux network environment. Other topics include remote host-based forensics, malware analysis, adversary deterrence, and system protection.

Students will learn to detect and identify attacks, create mitigation techniques, and develop effective time-sensitive response plans. Students will be presented with real-world situations and leave with the ability to perform HUNT (Active Adversary Pursuit) operations on Linux machines in a corporate network.

The Level 1 and Level 3 phases of the root9B HUNT Certification program focus on Windows- and network-based Active Adversary Pursuit methodologies and operations.

INTENDED AUDIENCE

This class is intended for individuals with intermediate to advanced knowledge of information systems and systems security. Some experience with command-line tools is desired but not mandatory.

STUDENT PREREQUISITES

  • Basic understanding of computers 

COURSE MATERIALS PROVIDED

  • Lecture slides in PDF format
  • Exercise materials (e.g. files, VMs, etc.)
  • Course reference material (e.g. Books)

HUNT[LINUX] COURSE OUTLINE 

MODULE 1 - INTRODUCTION TO HUNT [LINUX]

  • Definition of HUNT
  • HUNT vs IR vs Forensics
  • HUNT Platform
  • HUNT Methodologies
    • System Baseline
    • Collect
    • Normalize
    • Visualize
    • Analyze
    • Report
    • Reassess
  • HUNT Team Composition

MODULE 2 - UNDERSTANDING THE ADVERSARY

  • Motivators
  • Case Studies
  • Attribution and Analysis Models
  • Indicators of Compromise (IOC)

MODULE 3 - HUNT METHODOLOGIES 

  • HUNT TTPs
  • System Baselining
    • Holistic Approach (Users, Systems, usage, etc.)
    • Network Enumeration
      • Passive Network Enumeration
      • Device Configuration Files
      • Passive Collection & Analysis
      • Event Log Analysis and Correlation
    • Active Network Enumeration
      • Network Mapping
      • System OS Identification
      • Host List(s) Creation

MODULE 4 - DATA COLLECTION

  • Passive vs Active
  • Data Sets
    • Alerts
    • Raw Data
    • Metadata
  • Data Sources
    • Documentation & Diagrams
    • Host Data
      • Linux Architecture
      • Requirements
        • Linux Authentication Mechanisms
        • Pluggable Authentication Modules (PAM)
        • Lightweight Directory Access Protocol (LDAP)
        • Common Internet File System (CIFS)
        • passwd and shadow files
        • SSH
      • Remote System Interrogation
        • User and Kernel Space
        • Kernel Initialization and Boot Process
        • Process Management
        • Memory Management
        • System Call Table
        • Loadable Kernel Modules
        • Rootkits
      • Linux Memory Interrogation
    • Network Data
      • Network Connections
      • DNS
      • ARP
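The "Loadable Kernel Modules" and "Rootkits" items above are where Linux host interrogation usually starts, because a kernel-resident implant controls what the usual tools report. The following is an added example, not root9B course material, of one cross-view check: a rootkit that unlinks its `struct module` from the kernel module list disappears from `/proc/modules` and `lsmod`, but the sysfs directory created for it at load time normally remains under `/sys/module/<name>/`. Loaded `.ko` modules expose `/sys/module/<name>/initstate`; built-in code that has a sysfs directory only because it exports parameters does not, so `initstate` separates the two. Module names in the sample snapshot (`evil_hide` and the rest) are constructed for the example.

```python
"""Cross-view check for hidden loadable kernel modules (added example).

A rootkit that unlinks its struct module from the kernel's module list no
longer appears in /proc/modules or lsmod, but the kobject created for it at
load time usually remains under /sys/module/<name>/. Loaded .ko modules
expose /sys/module/<name>/initstate; built-in code that shows up in sysfs
only because it has parameters does not, so initstate is the filter that
separates "loaded module" from "built-in with a sysfs directory".
"""
import os
from pathlib import Path
from typing import Dict, List, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules content (first column of each line)."""
    names: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loaded_sysfs_modules(sysfs: Dict[str, Dict[str, str]]) -> Set[str]:
    """Names under /sys/module whose directory carries an initstate file."""
    return {name for name, attrs in sysfs.items() if "initstate" in attrs}


def find_hidden_modules(proc_modules_text: str,
                        sysfs: Dict[str, Dict[str, str]]) -> List[str]:
    """Modules that sysfs reports as live but /proc/modules does not list."""
    listed = parse_proc_modules(proc_modules_text)
    live = {n for n in loaded_sysfs_modules(sysfs)
            if sysfs[n]["initstate"].strip() == "live"}
    return sorted(live - listed)


def read_sysfs_modules(root: str = "/sys/module") -> Dict[str, Dict[str, str]]:
    """Collect the sysfs view from a real host; reads only initstate and refcnt."""
    out: Dict[str, Dict[str, str]] = {}
    for entry in Path(root).iterdir():
        attrs: Dict[str, str] = {}
        for attr in ("initstate", "refcnt"):
            path = entry / attr
            if path.is_file():
                try:
                    attrs[attr] = path.read_text()
                except OSError:
                    attrs[attr] = ""
        out[entry.name] = attrs
    return out


# Constructed sample snapshot: "evil_hide" has been unlinked from the module
# list but its sysfs directory is still present. Names are invented.
SAMPLE_PROC_MODULES = """\
ext4 778240 2 - Live 0xffffffffc0a00000
xt_conntrack 16384 1 - Live 0xffffffffc09f0000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09c0000
"""

SAMPLE_SYSFS = {
    "ext4": {"initstate": "live\n", "refcnt": "2\n"},
    "xt_conntrack": {"initstate": "live\n", "refcnt": "1\n"},
    "nf_conntrack": {"initstate": "live\n", "refcnt": "1\n"},
    "evil_hide": {"initstate": "live\n", "refcnt": "0\n"},  # hidden from /proc/modules
    "printk": {},  # built-in: parameters only, no initstate, so ignored
}

if __name__ == "__main__":
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        with open("/proc/modules") as f:
            print("this host:", find_hidden_modules(f.read(), read_sysfs_modules()))
```

An empty result is not a clean bill of health: an implant can also delete its sysfs kobject, and one that hooks the read path for `/proc/modules` and `/sys/module` controls both views. Treat this as one cheap, scriptable check to run across many hosts and corroborate any hit, or any doubt, with memory acquisition and analysis as in the "Linux Memory Interrogation" item above.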

MODULE 5 - DATA NORMALIZATION

  • Preparing for SIEM database ingestion

MODULE 6 - DATA VISUALIZATION

  • Data Visualization
    • Multi-node data
    • SIEM data representations

MODULE 7 - DATA ANALYSIS

  • Tactical Differential Analysis
    • Host Data
      • User and Kernel Space Analysis
        • System Call Table Interrogation
      • Kernel Initialization and Boot Process Interrogation
      • Process Analysis
      • Loadable Kernel Module Interrogation
      • Rootkits
    • Network Data
      • Network Connections
      • DNS
      • ARP
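"Tactical Differential Analysis" in this module, together with the Baseline / Collect / Normalize / Analyze steps of the methodology in Module 1, comes down to comparing a snapshot taken when a host was believed clean against a fresh collection of the same data sets. The following is an added example, not root9B course material, that shows the shape of that comparison for three Linux host data sets: `/etc/passwd`, listening sockets as printed by `ss -H -tlnp`, and SUID binaries as printed by `find / -perm -4000 -type f -printf '%p %m %u\n'`. Each raw collection is normalized into a dictionary keyed on a stable identity (user name, local address:port, file path) so that additions, removals and changes are reported uniformly; the severity rules and the host name `web01`, the `backup2` account, the port 4444 listener and the `/tmp/.x/sh` binary are all constructed for the example.

```python
"""Tactical differential analysis of host collection data (added example).

Raw collector output from a trusted baseline and from a fresh collection is
normalized into {identity: attributes} per data set, the two views are
diffed, and each difference is triaged with a simple rule so an analyst sees
new uid-0 accounts and new SUID binaries first.
"""
from typing import Callable, Dict, List, NamedTuple


class Finding(NamedTuple):
    host: str
    dataset: str
    change: str     # "added", "removed" or "changed"
    key: str
    detail: str
    severity: str   # "high", "medium" or "low"


def parse_passwd(text: str) -> Dict[str, str]:
    """/etc/passwd lines -> {user: 'uid:gid:home:shell'}."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            out[f[0]] = f"{f[2]}:{f[3]}:{f[5]}:{f[6]}"
    return out


def parse_listeners(text: str) -> Dict[str, str]:
    """`ss -H -tlnp` lines -> {local address:port: owning-process column}."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "LISTEN":
            out[f[3]] = f[5] if len(f) > 5 else ""
    return out


def parse_suid(text: str) -> Dict[str, str]:
    """`find / -perm -4000 -type f -printf '%p %m %u\\n'` lines -> {path: 'mode owner'}."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3:
            out[f[0]] = f"{f[1]} {f[2]}"
    return out


PARSERS: Dict[str, Callable[[str], Dict[str, str]]] = {
    "passwd": parse_passwd, "listeners": parse_listeners, "suid": parse_suid,
}
RANK = {"high": 0, "medium": 1, "low": 2}


def severity(dataset: str, change: str, value: str) -> str:
    """Triage rule for this example: new or altered uid-0 accounts and new SUID files are high."""
    if change == "removed":
        return "low"
    if dataset == "passwd" and value.split(":")[0] == "0":
        return "high"
    if dataset == "suid":
        return "high"
    return "medium"


def diff_dataset(host: str, dataset: str,
                 baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Report every identity that appeared, disappeared or changed attributes."""
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            findings.append(Finding(host, dataset, "added", key, current[key],
                                    severity(dataset, "added", current[key])))
        elif key not in current:
            findings.append(Finding(host, dataset, "removed", key, baseline[key], "low"))
        elif baseline[key] != current[key]:
            findings.append(Finding(host, dataset, "changed", key,
                                    f"{baseline[key]} -> {current[key]}",
                                    severity(dataset, "changed", current[key])))
    return findings


def analyze(host: str, baseline_raw: Dict[str, str],
            current_raw: Dict[str, str]) -> List[Finding]:
    """Normalize both snapshots with the per-dataset parsers, diff, and sort by severity."""
    findings: List[Finding] = []
    for dataset, parse in PARSERS.items():
        findings += diff_dataset(host, dataset,
                                 parse(baseline_raw.get(dataset, "")),
                                 parse(current_raw.get(dataset, "")))
    return sorted(findings, key=lambda f: (RANK[f.severity], f.dataset, f.key))


# Constructed snapshots for an invented host "web01": the baseline is clean,
# the current collection shows a uid-0 account, a bind shell and a dropped SUID binary.
BASELINE = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\n"
              "sshd:x:106:65534::/run/sshd:/usr/sbin/nologin\n"
              "alice:x:1000:1000::/home/alice:/bin/bash\n",
    "listeners": 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))\n',
    "suid": "/usr/bin/sudo 4755 root\n/usr/bin/passwd 4755 root\n",
}
CURRENT = {
    "passwd": BASELINE["passwd"] + "backup2:x:0:0::/var/tmp:/bin/bash\n",
    "listeners": BASELINE["listeners"]
                 + 'LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2219,fd=3))\n',
    "suid": BASELINE["suid"] + "/tmp/.x/sh 4755 root\n",
}

if __name__ == "__main__":
    for f in analyze("web01", BASELINE, CURRENT):
        print(f"{f.severity:6} {f.host} {f.dataset:9} {f.change:7} {f.key} {f.detail}")
```

The point of the normalization step is that every data set, however it was collected, ends up in the same `{identity: attributes}` shape, so the diff and the report format are shared and a new data set (cron entries, LKMs, ARP cache) is one more parser rather than a new analysis. The severity rule is deliberately crude; in practice it is where threat intelligence from Module 9 plugs in.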

MODULE 8 - REPORTING

  • Alerting
  • After Action Report

MODULE 9 - INTEGRATING THREAT INTELLIGENCE

  • Driving HUNT Operations
    • Tipping & cueing
  • Intelligence Sharing
    • Indicators of Compromise (IOC)
      • STIX/TAXII/CybOX
      • MAEC
      • YARA

MODULE 10 - HUNT LINUX CULMINATION EXERCISE

PRICE: $4,600

Contact for Government rate

root9B reserves the right to cancel or change a class at any time for reasons including, but not limited to, lack of participation or classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class whenever possible. In the event of a course cancellation, registrants will be issued a voucher for the next available course. root9B is not liable for any direct, indirect, consequential or special damages that may be incurred due to the cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer's or student's sole remedy shall be a voucher for future training.

Instructors

Craig Koroscil, Technical Director at root9B, is a 13-year veteran and U.S. Navy Chief. Craig brings to root9B significant depth and breadth of experience in cyber operations and planning, capability development, leadership and joint exercise planning within the Intelligence Community and US Cyber Command (USCC). Prior to joining root9B, Craig was a senior journeyman operator and technical lead for the National Security Agency and a USCC cyber planner supporting Geographic Combatant Commanders. Additionally, he was a pioneer and leader of multiple classified technical projects and is a NSA Cyber Exploitation Corps graduate with numerous industry certifications.

Dates & Locations

October 2, 2017 (San Antonio, TX)
October 30, 2017 (Columbia, MD)
December 4, 2017 (San Antonio, TX)
December 4, 2017 (New York City, NY)
January 15, 2018 (Columbia, MD)
February 12, 2018 (Annapolis Junction, MD)
March 19, 2018 (San Antonio, TX)
May 14, 2018 (Annapolis Junction, MD)
July 16, 2018 (Colorado Springs, CO)
July 23, 2018 (Augusta, GA)
July 23, 2018 (Honolulu, HI)
September 17, 2018 (San Antonio, TX)
October 1, 2018 (Columbia, MD)
December 3, 2018 (Colorado Springs, CO)
December 10, 2018 (Honolulu, HI)

The instructor's knowledge was spot on.