I'm pleased to announce that I will be teaching at Black Hat West Coast Trainings 9-10 December 2013 in Seattle, Washington. This is a brand new class, only offered thus far in Las Vegas in July 2013. I posted Feedback from Network Security Monitoring 101 Classes last month as a sample of the student feedback I received.
Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following that shows what sort of material I cover in my new class.
Please note that discounted registration ends 11:59 pm EDT October 24th. You can register here. I have only one session available in Seattle and fewer seats than in Las Vegas, so please plan accordingly. Thank you.
Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats. Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a virtual machine. Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.
· Enterprise Security Cycle
· State of South Carolina case study
· Difference between NSM and Continuous Monitoring
· Blocking, filtering, and denying mechanisms
· Why does NSM work?
· When NSM won’t work
· Is NSM legal?
· How does one protect privacy during NSM operations?
· NSM data types
· Where can I buy NSM?
· SPAN ports and taps
· Making visibility decisions
· Traffic flow
· Lab 1: Visibility in ten sample networks
· Security Onion introduction
· Stand-alone vs server plus sensors
· Core Security Onion tools
· Lab 2: Security Onion installation
· Guided review of Capinfos, Tcpdump, Tshark, and Argus
· Lab 3: Using Capinfos, Tcpdump, Tshark, and Argus
· Guided review of Wireshark, Bro, and Snort
· Lab 4: Using Wireshark, Bro, and Snort
· Using Tcpreplay with NSM consoles
· Guided review of process management, key directories, and disk usage
· Lab 5: Process management, key directories, and disk usage
· Computer incident detection and response process
· Intrusion Kill Chain
· Incident categories
· CIRT roles
· Containment techniques
· Waves and campaigns
· Server-side attack pattern
· Client-side attack pattern
· Guided review of Sguil
· Lab 6: Using Sguil
· Guided review of ELSA
· Lab 7: Using ELSA
· Lab 8. Intrusion Part 1 Forensic Analysis
· Lab 9. Intrusion Part 1 Console Analysis
· Lab 10. Intrusion Part 2 Forensic Analysis
· Lab 11. Intrusion Part 2 Console Analysis
Students must be comfortable using command line tools in a non-Windows environment such as Linux or FreeBSD. Basic familiarity with TCP/IP networking and packet analysis is a plus.
WHAT STUDENTS NEED TO BRING
NSM101 is a LAB-DRIVEN course. Students MUST bring a laptop with at least 8 GB RAM and at least 20 GB free on the hard drive. The laptop MUST be able to run a virtualization product that can CREATE VMs from an .iso, such as VMware Workstation (minimum version 8, 9 is preferred); VMware Player (minimum version 5 -- older versions do not support VM creation); VMware Fusion (minimum version 5, for Mac); or Oracle VM VirtualBox (minimum version 4.2). A laptop with access to an internal or external DVD drive is preferred, but not mandatory.
Students SHOULD test the open source Security Onion (http://securityonion.blogspot.com) NSM distro prior to class. The students should try booting the latest version of the 12.04 64 bit Security Onion distribution into live mode. Students MUST ensure their laptops can run a 64 bit virtual machine. For help with this requirement, see the VMware knowledgebase article “Ensuring Virtualization Technology is enabled on your VMware host (1003944)” (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944). Students MUST have the BIOS password for their laptop in the event that they need to enable virtualization support in class. Students MUST also have administrator-level access to their laptop to install software, in the event they need to reconfigure their laptop in class.
WHAT STUDENTS WILL RECEIVE
Students will receive a paper class handbook with printed slides, a lab workbook, and the teacher’s guide for the lab questions. Students will also receive a DVD with a recent version of the Security Onion NSM distribution.
Richard Bejtlich is Chief Security Officer at MANDIANT. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Prior to GE, he operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." His latest book is "The Practice of Network Security Monitoring" (nostarch.com/nsm). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity), and teaches for Black Hat.