
HUNT Certification - Windows


Course Description

HUNT OPERATIONS AND WINDOWS END-POINT DATA COLLECTION & ANALYSIS

The first of three courses in root9B’s HUNT Certification program is designed to train cybersecurity professionals to actively defend critical Windows systems. The course exposes students to a “Think like the Adversary” mindset in order to actively detect sophisticated and tailored adversary attacks. This course establishes the foundation upon which the root9B HUNT Certification is based, preparing cybersecurity professionals to HUNT for evidence of adversary presence within their network that automated enterprise security devices and software have not previously detected.

Rather than just reacting to network attacks, students will learn methods to remotely interrogate systems and analyze data to proactively identify systems targeted by an adversary. Students will practice identifying malicious code, evidence of adversary presence, and lateral movement within a network. Throughout the program, instructors will share their experience in cybersecurity, operations, and tool development, giving students an appreciation of the challenges they face in countering the cyber adversary.

The HUNT[WINDOWS] course starts with a discussion on the concepts of real-time detection and identification of adversary attacks. Students will be exposed to advanced Windows operating system concepts, with an emphasis on adversary file manipulation and persistence techniques used to bypass cybersecurity systems and infrastructure. Follow-on training courses in root9B’s HUNT (Active Adversary Pursuit) series will focus on Linux- and Network-based methodologies and operations.

INTENDED AUDIENCE

This class is intended for individuals with intermediate to advanced knowledge of information systems and systems security. Some experience with command line tools is desired but not mandatory.

STUDENT PREREQUISITES

  • Basic understanding of computers

COURSE MATERIALS PROVIDED

  • Lecture slides in PDF format
  • Exercise materials (e.g. files, VMs, etc.)
  • Course reference material (e.g. Books)

WINDOWS CERTIFICATION COURSE OUTLINE

MODULE 1 - INTRODUCTION TO HUNT [WINDOWS]

  • Definition of HUNT
  • HUNT vs IR vs Forensics
  • HUNT Platform
  • HUNT Methodologies
    • System Baseline
    • Collect
    • Normalize
    • Visualize
    • Analyze
    • Report
    • Reassess
  • HUNT Team Composition

MODULE 2 - UNDERSTANDING THE ADVERSARY

  • Motivators
  • Case Studies
  • Attribution and Analysis Models
  • Indicators of Compromise (IOC)

MODULE 3 - HUNT METHODOLOGIES

  • HUNT TTPs
  • System Baselining
    • Holistic Approach (Users, Systems, usage, etc.)
    • Network Enumeration
      • Passive Network Enumeration
      • Active Network Enumeration

MODULE 4 - DATA COLLECTION

  • Passive vs Active
  • Data Sets
    • Alerts
    • Raw Data
    • Metadata
  • Data Sources
    • Documentation & Diagrams
    • Host Data
      • Windows Architecture – Kernel Subsystems
      • Requirements
        • Windows Authentication Mechanisms
        • Windows Remote Access and Remote Process Execution
      • Windows Remote System Collection Techniques
      • Remote System Interrogation
        • Boot Process and BootKits
        • File Obfuscation
        • Windows Features and Dual Use Technology
        • Registry/DLL/Driver Persistence Techniques
        • Windows Process Management
        • Windows Memory Management
        • System Service Dispatch Tables
    • Network Data
      • Network Connections
      • DNS
      • ARP

MODULE 5 - DATA NORMALIZATION

  • Preparing for SIEM database ingestion

MODULE 6 - DATA VISUALIZATION

  • Data Visualization
    • Multi-node data
    • SIEM data representations

MODULE 7 - DATA ANALYSIS

  • Tactical Differential Analysis
    • Host Data
      • Boot Process and BootKits
      • File Obfuscation
      • Windows Features and Dual Use Technology
      • Registry/DLL/Driver Persistence Techniques
      • Windows Process Management
      • Windows Memory Management
      • System Service Dispatch Tables
    • Network Data
      • Network Connections
      • DNS
      • ARP

MODULE 8 - REPORTING

  • Alerting
  • After Action Report

MODULE 9 - INTEGRATING THREAT INTELLIGENCE

  • Driving HUNT Operations
    • Tipping & cueing
  • Intelligence Sharing
    • Indicators of Compromise (IOC)
      • STIX/TAXII/CyBox
      • MAEC
      • YARA

MODULE 10 - HUNT CULMINATION EXERCISE

PRICE: $4,600

Contact for Government rate

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

Instructors

Eric Bodkin has five years of experience conducting Computer Network Operations (CNO) and is a nine-year veteran of the Armed Forces. At root9B he specializes in advanced penetration testing, incident response, and forensic analysis for Fortune 500, Government and Military clients. Prior to joining root9B, Eric was a senior operator at the National Security Agency directing numerous cyber operations in support of Joint, National, and Intelligence Community requirements. Additionally, he was the project manager for a critical multinational cyber capability, served as a Technical Lead for NSA’s CNO operator training pipeline, and provided analysis and reporting on suspected malware samples discovered during operations. Eric has multiple industry certifications and a Bachelor’s Degree from the University of Southern Methodist in Dallas, TX.

Matthew Weeks has extensive experience in network cyber operations, as well as cyber research and software development. He currently leads root9B’s research and development arm. Previously, he was the Officer In Charge of the US Air Force’s Intrusion Forensics and Reverse Engineering lab, a lead network defense tactician, and led the creation of the Air Force’s Defensive Counter Cyber forces, tactics, and mission. As a researcher, he has uncovered vulnerabilities found to have affected millions of networks. As a developer, he has placed in the top-tier internationally in programming competitions and was the developer behind a significant portion of the Metasploit framework, the world’s most widely used vulnerability assessment suite. His work has been featured on CNN and in numerous national publications.

Mike Morris has over 13 years of experience in intelligence operations, specializing in advanced Offensive and Defensive Cyber operations, tactics and tool development, and associated training curriculum development. He has developed the program of record for Advanced Cyber Tactics, enhancing defensive and offensive maneuvers, and recommends which operators are authorized to perform both Defensive Hunting and Offensive operations for the Department of Defense. Mike is the Chief Architect behind the design and integration of root9B’s Active Adversarial Pursuit platform, and has been an integral member in shifting the nation's perspective on cybersecurity. Presidents Bush and Obama personally recognized Mike for separate Cyber efforts and for his contributions to the “most comprehensive and effective cyber operation in the history of the Department of Defense.”

Willie is a senior intelligence professional with 23 years of experience in Computer Network Operations (CNO) and Systems Engineering. He has over 13 years of experience in multiple disciplines in Hunt Operations, established in both National intelligence and commercial sectors. Mr. Rosado is an experienced cyber analyst who has led numerous Red Team, Hunt, and penetration test engagements and participated in vulnerability assessments. He has also generated alternative system concepts and designs for new remote Hunt capability. As a Hunt SME he has designed operationally oriented training/exercise scenarios that describe the interactions between systems and users to support Defense Cyber Operations (DCO). The resulting threads greatly enhance Hunt tactics and procedures for the discovery of threats to DoD Information Networks (DoDIN). Mr. Rosado is a highly credentialed individual with certifications including GIAC Certified Intrusion Analyst, IAD/RDO Network Operations Senior Analyst, CISSP, Certified Reverse Engineering Analyst, CCNA, and Cross Technology Certified NetAnalyst. He earned a BS in Computer Information Technology from University of Maryland University College in 2012 and an Associate in Applied Science in Electronic Engineering Technology from Pensacola State College in 1999.

Dates & Locations

  • September 25, 2017 (San Antonio, TX)
  • October 23, 2017 (Columbia, MD)
  • November 27, 2017 (San Antonio, TX)
  • November 27, 2017 (New York City, NY)
  • January 8, 2018 (Columbia, MD)
  • February 5, 2018 (Annapolis Junction, MD)
  • March 12, 2018 (San Antonio, TX)
  • May 7, 2018 (Annapolis Junction, MD)
  • July 9, 2018 (Colorado Springs, CO)
  • July 16, 2018 (Augusta, GA)
  • July 16, 2018 (Honolulu, HI)
  • September 10, 2018 (San Antonio, TX)
  • September 24, 2018 (Columbia, MD)
  • November 26, 2018 (Colorado Springs, CO)
  • December 3, 2018 (Honolulu, HI)

Recommend it to all of the Cyber Protection Teams to attend.