How to spot and defend against adversaries movements in your network
MITTRE ATT&CK HandsOn Training
Once the attacker infiltrate to the network they have various goals and targets. Attack can be initiated by phishing or attacker can simply use social engineering technique and gain user credentials. Having stolen credentials there is small step to became domain admin. In situation like this where no exploit is used, and valid credentials play primary role in initial phase of attack SOC have hard time to distinguish from normal traffic. With legit credentials attacker can and will move laterally. During the attack “credential dance” will be used as that is common pattern how to move laterally.
In this training we will focus on detections of these movements and techniques. We will use Bloodhound to detect possible movement path. And we will use this knowledge to improve our detections patterns. This training is 90% blue team and 10% red team and 80% technical where time will be spent in lab. After this training you will have knowledge how to detect attacker sneakily moving through the company systems.
Table of contents
Day 1
- Event ID’s – what is important to know
- What must be logged
- Where to get logs
- Which tools to use
- Lab 1.1 – Event ID’s foundation
- Logging standard
- What we really need to log
- Attack types – commonly used types of attacks
- What is used by adversaries
- Which attacks you should test regularly
- Lateral movement - foundation
- Lab 1.2 – User session tracking
- Bloodhound
- Lab 2.1 Bloodhound foundation
- Lab 2.2 Bloodhound for defenders
Day 2
- ATT&CK Mapping
- How to work with the matrix
- Practical usages of ATT&CK
- Common misused tools
- Lolbin & Lolbas
- Detection for leaked accounts
- Lab 3.1 – Tracking for newly created account
- How to investigate
- Lab 3.2 – Tracking for misused account
- Password basics
- Password hygiene
- Lab 4.1 – Password cracking
- Domain password auditing
- Lab 4.2 – Password auditing
Key takeaways
Understanding what needs to be monitored
Understanding adversaries movement
Be confident with ATT&CK matrix
Understanding why is important to know the environment
Proficient with password auditing
Target audience
- Security manager
- Chief security analyst
- Security Operator
- Security Specialist
- Security Analyst
Requirements
- Laptop with 60GB of free space, local administrator rights and ability to start VirtualBox or Vmware.
Maximum number of participants is 20.
Workshop will be taught in slovak.
Lukáš Ciasnoha
CSIRT Team Lead | NN Group
Lukas Ciasnoha has been working in the field of IT security for almost 15 years. He held the position of security administrator for first eBook CZ platform, position of Security Architect in the Accenture consultancy company where majority of time was spent on project for financial sector in biggest EU bank.
Since 2015, he has held the position of Chief Security Analyst for the NN group where recently moved to CSIRT unit. In 5 years, with his 18 - member International team, he has managed to improve SocOperations from compliancy centric SOC to “real security” SOC. Recently was part of big migration project where new SIEM was implemented and ATT&CK was main of the tool for security use cases migration.
Juraj Přibyl
Security Operation Center Manager | NN Group
Juraj Přibyl sa v oblasti IT bezpečnosti pohybuje už bezmála 13 rokov. Zastával pozície Špecialistu na informačnú bezpečnosť v skupine Slovak Telekom, od roku 2010 pracoval na pozícii CISO v oblasti finančného a bankového sektoru v Českej republike a neskor bol ako CISO zodpovedný za celý CEE región. Od roku 2015 zastáva vedúcu pozíciu SOC manažéra pre skupinu NN. Za 5 rokov sa mu s jeho bezmála 35 členným multikultúrnym tímom podarilo na zelenej lúke vybudovať v Prahe globálny SOC, ktorý sa stará o bezpečnosť 12 krajín po celom svete a je jedným z najväčších in-house SOCov v našom regióne.