A Uniquely Trained Security Force

HUNT Certification - Network

Course Description

HUNT OPERATIONS AND NETWORK DATA COLLECTION & ANALYSIS

The third course in the HUNT Certification program is designed to train cybersecurity professionals to collect and analyze data from a network using a holistic approach that goes beyond single-node analysis. This 5-day advanced course exposes students to a “Think Like the Adversary” mindset in order to actively pursue and detect adversary activity targeting network-based systems and infrastructure. When combined with the other two levels, this course prepares cybersecurity professionals for the root9B HUNT Certification, enabling them to HUNT for evidence of adversary presence within their network systems and infrastructure that goes undetected by automated security devices and software.

This level of the HUNT training program starts with a discussion of remote identification of infrastructure devices and supporting systems in the network, then develops a plan to perform systematic remote interrogation, analytics, and adversary pursuit. The goal of the course is to teach the methodologies for conducting remote interactive HUNT operations to determine whether a breach has occurred and to define appropriate mechanisms for analysis and mitigation.

Students will learn to collect, normalize, visualize and analyze data across a network from various sources. This course focuses on capturing the adversary’s ability to compromise a network, conduct lateral movement, establish C2, tunnel, and exfiltrate data. Students will be trained to identify covert communications, malicious activity, and other network data anomalies. Various open source and custom-developed remote interrogation techniques will be used to analyze different networking devices and supporting systems, including logging and alerting systems. Students will be presented with real-world situations and leave with the ability to perform HUNT (Active Adversary Pursuit) operations across a corporate network.

The Level 1 and Level 2 phases of the root9B HUNT training program focus on Windows- and Linux-based Active Adversary Pursuit methodologies and operations.

INTENDED AUDIENCE 

This class is intended for individuals with intermediate to advanced knowledge of information systems and systems security. Some experience with command line tools is desired but not mandatory.

STUDENT PREREQUISITES

  • Basic understanding of computers

COURSE MATERIALS PROVIDED

  • Lecture slides in PDF format
  • Exercise materials (e.g. files, VMs, etc.)
  • Course reference material (e.g. Books)

HUNT[NETWORKS] COURSE OUTLINE

MODULE 1 - INTRODUCTION TO HUNT

  • Definition of HUNT
  • HUNT vs IR vs Forensics
  • HUNT Platform
  • HUNT Methodologies
    • System Baseline
    • Collect
    • Normalize
    • Visualize
    • Analyze
    • Report
    • Reassess
  • HUNT Team Composition

MODULE 2 - UNDERSTANDING THE ADVERSARY

  • Motivators
  • Case Studies
  • Analytic Models
  • Indicators of Compromise (IOC)

MODULE 3 - HUNT METHODOLOGIES

  • HUNT TTPs
  • System Baselining
    • Holistic Approach (Users, Systems, usage, etc.)
    • Network Enumeration & Characterization
      • Passive Network Enumeration
      • Active Network Enumeration
    • Network Mapping

MODULE 4 - DATA COLLECTION

  • Passive vs Active
  • Data Sets
    • Alerts
    • Raw Data
    • Metadata
  • Data Sources
    • Documentation & Diagrams
    • Requirements
      • Telnet
      • SSH
      • SNMP
      • Authentication Mechanisms
    • Network Devices
      • Embedded OS
      • Configuration
    • IDS
    • Proxy
    • Auditing, Logging & Alert Systems
    • Network Data
      • Raw Packets
        • Sensors & Taps
      • DNS
      • Layer 4 Protocols
      • IP / Layer 3 Relationships
      • ARP / Layer 2 Relationships

MODULE 5 - DATA NORMALIZATION

  • Preparing for SIEM database ingestion
  • Writing Parsers & Transforms

MODULE 6 - DATA VISUALIZATION

  • Data Visualization
    • Multi-node aggregated data
    • SIEM data representations
      • Tables
      • Charts
      • Graphs

MODULE 7 - DATA ANALYSIS

  • Tactical Differential Analysis
    • Understanding normal data and indicators within network traffic
    • Ability to identify anomalies within network traffic
    • Analyzing user behavior and statistics
  • Layer 4+ Protocol Analysis
  • Layer 3 Nodal Analysis
  • ARP / Layer 2 Nodal Analysis
  • System Log Analysis
  • IDS Log Analysis
  • Proxy Log Analysis
  • Auditing, Logging & Alert Systems
  • Network Data
    • Packet Analysis
    • Embedded OS integrity validation
    • Configuration Validation
  • DNS Log Analysis
  • IP / Layer 3 Relationships
  • ARP / Layer 2 Relationships
  • Statistical Analysis
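The Module 5 parser-and-transform step and the Module 7 differential analysis (Layer 2 nodal analysis, DNS log analysis) fit together naturally, so here is one worked illustration of both. This is an added example written for this page, not root9B course material or code: two constructed collections (an `arp -a`-style table and BIND-style query-log lines, one baseline snapshot and one later snapshot) are parsed into a common record schema, then diffed against the baseline to surface a changed MAC for a known IP, a new host, and a fan-out of distinct subdomains under a domain the baseline never saw. The addresses, hostnames, and the fan-out threshold are assumptions for the demo.

```python
"""Normalize raw network collection into a common schema, then run a
baseline-vs-current (differential) analysis over it.

Added example for this page; it is not root9B course material or code.
The 'arp -a'-style and BIND-style query-log lines below are constructed,
and the addresses, hostnames and thresholds are assumptions for the demo.
"""
import re
from collections import defaultdict

# --- Constructed raw data: a baseline snapshot and a later collection -----
BASELINE_ARP = """\
? (10.0.0.1) at 00:11:22:33:44:01 on eth0
? (10.0.0.20) at 00:11:22:33:44:20 on eth0
? (10.0.0.21) at 00:11:22:33:44:21 on eth0
"""
CURRENT_ARP = """\
? (10.0.0.1) at de:ad:be:ef:00:01 on eth0
? (10.0.0.20) at 00:11:22:33:44:20 on eth0
? (10.0.0.21) at 00:11:22:33:44:21 on eth0
? (10.0.0.99) at 00:11:22:33:44:99 on eth0
"""
BASELINE_DNS = """\
01-Sep-2017 10:00:01.000 client 10.0.0.20#51000: query: www.example.com IN A + (10.0.0.1)
01-Sep-2017 10:00:02.000 client 10.0.0.21#51001: query: mail.example.com IN A + (10.0.0.1)
"""
CURRENT_DNS = """\
02-Sep-2017 10:00:01.000 client 10.0.0.20#51000: query: www.example.com IN A + (10.0.0.1)
02-Sep-2017 10:00:02.000 client 10.0.0.20#51002: query: 3a9f1c.tunnel.example.net IN TXT + (10.0.0.1)
02-Sep-2017 10:00:03.000 client 10.0.0.20#51003: query: 7bb0e2.tunnel.example.net IN TXT + (10.0.0.1)
02-Sep-2017 10:00:04.000 client 10.0.0.20#51004: query: c41d88.tunnel.example.net IN TXT + (10.0.0.1)
"""

# --- Parsers (Module 5): one regex per source, one flat record schema -----
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)", re.I)
DNS_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def parse_arp(text):
    """'arp -a' lines -> [{'src': 'arp', 'ip', 'mac', 'iface'}]; MACs lower-cased."""
    recs = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            recs.append({"src": "arp", "ip": m["ip"], "mac": m["mac"].lower(), "iface": m["iface"]})
    return recs


def parse_dns(text):
    """BIND query-log lines -> [{'src': 'dns', 'ip', 'qname', 'qtype'}]; names lower-cased, no trailing dot."""
    recs = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m:
            recs.append({"src": "dns", "ip": m["ip"], "qname": m["qname"].lower().rstrip("."),
                         "qtype": m["qtype"].upper()})
    return recs


def registrable_domain(qname):
    """Crude 'last two labels' domain key; a real pipeline would use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


# --- Differential analysis (Module 7): what changed against the baseline? --
def diff_arp(baseline, current):
    """Layer 2 nodal diff: new IPs, and known IPs whose MAC changed (ARP spoof or device swap)."""
    known = {r["ip"]: r["mac"] for r in baseline}
    findings = []
    for r in current:
        if r["ip"] not in known:
            findings.append(("new_host", r["ip"], r["mac"]))
        elif known[r["ip"]] != r["mac"]:
            findings.append(("mac_changed", r["ip"], f"{known[r['ip']]}->{r['mac']}"))
    return findings


def diff_dns(baseline, current, min_fanout=3):
    """DNS diff: (client, domain, qtype) triples absent from the baseline, plus a fan-out
    check: many distinct subdomains under one new domain is the DNS-tunnel shape."""
    known = {(r["ip"], registrable_domain(r["qname"]), r["qtype"]) for r in baseline}
    fanout = defaultdict(set)
    for r in current:
        key = (r["ip"], registrable_domain(r["qname"]), r["qtype"])
        if key not in known:
            fanout[key].add(r["qname"])
    findings = []
    for key, names in fanout.items():
        findings.append(("new_domain", key, len(names)))
        if len(names) >= min_fanout:
            findings.append(("possible_tunnel", key, len(names)))
    return findings


def hunt_report():
    """Run both diffs over the constructed data; returns the findings by source."""
    return {
        "arp": diff_arp(parse_arp(BASELINE_ARP), parse_arp(CURRENT_ARP)),
        "dns": diff_dns(parse_dns(BASELINE_DNS), parse_dns(CURRENT_DNS)),
    }


if __name__ == "__main__":
    for src, findings in hunt_report().items():
        for f in findings:
            print(src, *f)
```

The two halves are deliberately separated: the parsers only flatten each source into dictionaries with a shared `src`/`ip` core (the shape a SIEM ingestion step wants), and the diff functions only consume those dictionaries, so swapping in a switch's `show mac address-table` output or a different resolver's log format means writing a new parser, not a new analysis. The baseline is the comparison point for everything; a changed MAC on the gateway IP and a burst of unique labels under a never-before-seen domain are only anomalies because the baseline says what normal looked like.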

MODULE 8 - REPORTING

  • Alerting
  • After Action Report

MODULE 9 - INTEGRATING THREAT INTELLIGENCE

  • Driving HUNT Operations
    • Tipping & cueing
  • Intelligence Sharing
    • Indicators of Compromise (IOC)
      • STIX/TAXII/CybOX
      • MAEC
      • YARA

MODULE 10 - HUNT CULMINATION EXERCISE

PRICE: $4,600

Contact for Government rate

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

Instructors

Craig Koroscil, Technical Director at root9B, is a 13-year veteran and U.S. Navy Chief. Craig brings to root9B significant depth and breadth of experience in cyber operations and planning, capability development, leadership and joint exercise planning within the Intelligence Community and US Cyber Command (USCC). Prior to joining root9B, Craig was a senior journeyman operator and technical lead for the National Security Agency and a USCC cyber planner supporting Geographic Combatant Commanders. Additionally, he was a pioneer and leader of multiple classified technical projects and is a NSA Cyber Exploitation Corps graduate with numerous industry certifications.

Eric Bodkin has five years of experience conducting Computer Network Operations (CNO) and is a nine-year veteran of the Armed Forces. At root9B he specializes in advanced penetration testing, incident response, and forensic analysis for Fortune 500, Government and Military clients. Prior to joining root9B, Eric was a senior operator at the National Security Agency directing numerous cyber operations in support of Joint, National, and Intelligence Community requirements. Additionally, he was the project manager for a critical multinational cyber capability, served as a Technical Lead for NSA’s CNO operator training pipeline, and provided analysis and reporting on suspected malware samples discovered during operations. Eric has multiple industry certifications and a Bachelor’s Degree from Southern Methodist University in Dallas, TX.

Eric Fleming is an accomplished intelligence professional with nearly 13 years of experience in cyber warfare, serving as a Senior Army Information Operations Intelligence Professional and Senior Cyber Security Engineer.

Eric Fleming is currently the Director of Network Defense Operations (NDO) for root9B in Colorado Springs. As NDO Director, he directs complex, mission-critical projects that require integrating knowledge and resources across technical disciplines and functional boundaries. Eric applies a broad and deep understanding of technical concepts in conjunction with an understanding of the client's business to recommend strategy, advance technology and develop innovative solutions for defending networks against the most sophisticated adversaries.

Eric Fleming’s experience includes acting as Senior Army Journeyman CNO Operator, Technical Director, Lead Penetration Tester, Senior Software Developer and Lead Trainer. He has performed numerous assessments and security research, developed sophisticated exploits for the most challenging problems, and developed and taught advanced cyber security courses. Eric also worked on the Agency’s incident response team, where he reported suspected exploitation attempts, viruses, and unexplained anomalies affecting information systems using various forensic tools and techniques.

Eric Starace is a native of Hudson, New York, with 25 years of experience within the Cryptologic, Intelligence and Cyber communities. He has specialized in Advanced Cyber Operations, tactics, and training, along with Red Team operations. His professional background spans numerous assignments across the Cyber and Cryptology community, including senior positions within the Navy’s Intelligence and Cyber communities.

Eric was a Department of Defense certified Journeyman-level technician with expert skills in cyber operations across multiple disciplines. As a senior leader within the Navy’s cyber community, he has led large teams of analysts and operators to achieve National and Service-related intelligence goals. He is the recipient of the Director of National Intelligence’s Exceptional Achievement Award, among various Navy and Department of Defense Commendations.

Dates & Locations

  • September 25, 2017 (Honolulu, HI)
  • October 9, 2017 (San Antonio, TX)
  • November 6, 2017 (Columbia, MD)
  • December 11, 2017 (San Antonio, TX)
  • December 11, 2017 (New York City, NY)
  • January 15, 2018 (Columbia, MD)
  • February 20, 2018 (Annapolis Junction, MD)
  • March 26, 2018 (San Antonio, TX)
  • May 21, 2018 (Annapolis Junction, MD)
  • July 23, 2018 (Colorado Springs, CO)
  • July 30, 2018 (Augusta, GA)
  • July 30, 2018 (Honolulu, HI)
  • September 24, 2018 (San Antonio, TX)
  • October 8, 2018 (Columbia, MD)
  • December 10, 2018 (Colorado Springs, CO)
  • December 17, 2018 (Honolulu, HI)

This course will definitely be beneficial for my future career development.