Intrusion Detection In-Depth Training

Introduction:

Intrusion Detection In-Depth Training delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn the underlying theory of TCP/IP and the most widely used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice configuring and mastering open-source tools such as tcpdump, Wireshark, Snort, Bro, and many more. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Basic exercises include assistive hints, while advanced options provide a more challenging experience for students who already know the material or who have quickly mastered it. In addition, most exercises include an “extra credit” stumper question intended to challenge even the most advanced student.

Intrusion Detection Training is most appropriate for students who are or will become intrusion detection/prevention or security analysts, although others may benefit from the course as well. Students range from seasoned analysts to novices with some TCP/IP background, but to keep pace with the class, students are expected to have at least a basic working knowledge of TCP/IP. Please note that the Packetrix VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a command-line Linux environment, along with learning some of the core Unix commands, before coming to class.

Our goal in Intrusion Detection Training In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.

Duration: 5 days

Skills Gained:

• How to analyze traffic traversing your site to avoid becoming another “Hacked!” headline
• How to place, customize, and tune your IDS/IPS for maximum detection
• Hands-on detection, analysis, and network forensic investigation with a variety of open-source tools
• TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
• The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection

Customize It:

With onsite training, courses can be scheduled on a date that is convenient for you, and because they are held at your location, you don’t incur travel costs and students won’t be away from home. Onsite classes can also be tailored to meet your needs: you might shorten a 5-day class into a 3-day class, combine portions of several related courses into a single course, or have the instructor vary the emphasis of topics depending on your staff’s and site’s requirements.

Course Content:

1. Fundamentals of Traffic Analysis: Part I

Concepts of TCP/IP
TCP/IP communications model
Data encapsulation/de-encapsulation
Discussion of bits, bytes, binary, and hex
Introduction to Wireshark
Navigating around Wireshark
Examination of Wireshark statistics
Stream reassembly
Finding content in packets
Network Access/Link Layer: Layer 2
Introduction to 802.x link layer
Address resolution protocol
ARP spoofing
IP Layer: Layer 3
IPv4
Examination of fields in theory and practice
Checksums and their importance, especially for an IDS/IPS
Fragmentation: IP header fields involved in fragmentation, composition of the fragments, fragmentation attacks
IPv6
Comparison with IPv4
IPv6 addresses
Neighbor discovery protocol
Extension headers
IPv6 in transition

2. Fundamentals of Traffic Analysis: Part II

Wireshark Display Filters
Examination of some of the many ways that Wireshark facilitates creating display filters
Composition of display filters
Writing tcpdump Filters
Format of tcpdump filters
Use of bit masking
TCP
Examination of fields in theory and practice
Packet dissection
Checksums
Normal and abnormal TCP stimulus and response
Importance of TCP reassembly for IDS/IPS
UDP
Examination of fields in theory and practice
UDP stimulus and response
ICMP
Examination of fields in theory and practice
When ICMP messages should not be sent
Use in mapping and reconnaissance
Normal ICMP
Malicious ICMP

3. Application Protocols and Traffic Analysis

Advanced Wireshark
Exporting web objects
Extracting SMTP attachment content
Sample Wireshark investigation of an incident
Tshark
Detection Methods for Application Protocols
Pattern matching, protocol decode, and anomaly detection
Detection challenges
Microsoft Protocols
SMB/CIFS
MSRPC
Detection challenges
HTTP
Protocol format
Sample of attacks
Detection challenges
SMTP
Protocol format
Sample of attacks
Detection challenges
DNS
Its vital role in the Internet
The resolution process
Caching
DNSSEC
Malicious DNS, including cache poisoning
IDS/IPS Evasion Theory
Theory and implications of evasions at different protocol layers
Sampling of evasions
Necessity for target-based detection
Real-World Traffic Analysis
Client attacks
DDoS attacks
Four-way handshake
TCP reset attack
Malformed DNS DoS

4. Open-Source IDS: Snort and Bro

Operational Lifecycle of Open-Source IDS
Planning, installation, configuration, running, customization, auditing, refinement, and updating
Introduction
Function of an IDS
The analyst’s role in detection
Flow process for Snort and Bro
Similarities and differences between Snort and Bro
Snort
Introduction to Snort
Planning, including deployment scenarios
Running
Modes of operation: sniffer, packet logger, NIDS
Plug-ins
Customization
Writing Snort rules
Refining
Solutions for dealing with false negatives and positives
Writing a rule for a vulnerability
Tips for writing efficient rules
Bro
Introduction to Bro
Planning
Operational modes
Standalone on a single host
Cluster on multiple hosts/cores
Running
BroControl to manage Bro
Running in standalone mode
Running in cluster mode
Customization
Understanding and deploying Bro’s policy neutral features
Bro scripting
Signatures
Comparing Snort and Bro to Analyze Same Traffic
Examination of output from each: Snort alerts and Bro logs
Tips for performing Bro log correlation
Customizing Bro to add a new signature and raise a notice about malicious traffic

5. Network Traffic Forensics and Monitoring

Analyst Toolkit
ngrep, tcpflow, p0f, Chaosreader, tcpreplay
SiLK
Introduction to the concept of network flow
Understanding the uses for flow data
Packet Crafting
Using Scapy to craft, read from and write to pcaps, alter, and send packets
Command and Control (C2)
Discussion of two common C2 methods, Tor and dnscat2
Introduce theory behind the methods
Examine traffic generated by them
Learn detection strategies
Network Forensics
What network forensics is
Indicators of network issues
Investigating incidents using sample traffic from:
Exploited host
Phishing attack
Network Architecture for Monitoring
Hardware used with and for monitoring
Correlation of Indicators
Examination of log files
OSSEC
Different methods of correlation

6. IDS Challenge

The week culminates with a fun hands-on challenge in which you find and analyze traffic to a vulnerable honeynet host using many of the same tools you mastered during the week. Students can work alone or in groups, with or without workbook guidance. This is a great way to end the week because it reinforces what you’ve learned by challenging you to think analytically, gives you a sense of accomplishment, and strengthens your confidence to employ what you’ve learned in a real-world environment.
