Bejtlich Teaching at Black Hat Trainings 8-9 Dec 2014
This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware.
The first discounted registration deadline is 11:59 pm EDT October 31st. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EST December 5th. You can register here.
I recently topped the 1,000 student count for my cumulative years of teaching my own material at Black Hat. Since starting my current Black Hat teaching run in 2007, I've completely replaced each course every other year. In 2007-2008 I taught TCP/IP Weapons School version 1. In 2009-2010 I taught TCP/IP Weapons School version 2. In 2011-2012 I taught TCP/IP Weapons School version 3. In 2013-2014 I taught Network Security Monitoring 101.
I have no plans to design a new course for 2015 and beyond. If you want to see me teach Network Security Monitoring and related subjects, Black Hat is your best option.
Please sign up soon, for two reasons. First, if not enough people sign up early, Black Hat might cancel the class. Second, if many people sign up, you risk losing a seat. With so many classes taught at this venue, the conference lacks the large rooms necessary to support big classes.
Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following that shows what sort of material I cover in my new class.
OVERVIEW
Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats. Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a virtual machine. Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.
CLASS OUTLINE
Day One
0900-1030
· Introduction
· Enterprise Security Cycle
· State of South Carolina case study
· Difference between NSM and Continuous Monitoring
· Blocking, filtering, and denying mechanisms
· Why does NSM work?
· When NSM won’t work
· Is NSM legal?
· How does one protect privacy during NSM operations?
· NSM data types
· Where can I buy NSM?
1030-1045
· Break
1045-1230
· SPAN ports and taps
· Making visibility decisions
· Traffic flow
· Lab 1: Visibility in ten sample networks
· Security Onion introduction
· Stand-alone vs server plus sensors
· Core Security Onion tools
· Lab 2: Security Onion installation
1230-1400
· Lunch
1400-1600
· Guided review of Capinfos, Tcpdump, Tshark, and Argus
· Lab 3: Using Capinfos, Tcpdump, Tshark, and Argus
1600-1615
· Break
1615-1800
· Guided review of Wireshark, Bro, and Snort
· Lab 4: Using Wireshark, Bro, and Snort
· Using Tcpreplay with NSM consoles
· Guided review of process management, key directories, and disk usage
· Lab 5: Process management, key directories, and disk usage
Day Two
0900-1030
· Computer incident detection and response process
· Intrusion Kill Chain
· Incident categories
· CIRT roles
· Communication
· Containment techniques
· Waves and campaigns
· Remediation
· Server-side attack pattern
· Client-side attack pattern
1030-1045
· Break
1045-1230
· Guided review of Sguil
· Lab 6: Using Sguil
· Guided review of ELSA
· Lab 7: Using ELSA
1230-1400
· Lunch
1400-1600
· Lab 8. Intrusion Part 1 Forensic Analysis
· Lab 9. Intrusion Part 1 Console Analysis
1600-1615
· Break
1615-1800
· Lab 10. Intrusion Part 2 Forensic Analysis
· Lab 11. Intrusion Part 2 Console Analysis
REQUIREMENTS
Students must be comfortable using command line tools in a non-Windows environment such as Linux or FreeBSD. Basic familiarity with TCP/IP networking and packet analysis is a plus.
WHAT STUDENTS NEED TO BRING
NSM101 is a LAB-DRIVEN course. Students MUST bring a laptop with at least 8 GB RAM and at least 20 GB free on the hard drive. The laptop MUST be able to run a virtualization product that can CREATE VMs from an .iso, such as VMware Workstation (minimum version 8, 9 or 10 is preferred); VMware Player (minimum version 5 -- older versions do not support VM creation); VMware Fusion (minimum version 5, for Mac); or Oracle VM VirtualBox (minimum version 4.2). A laptop with access to an internal or external DVD drive is preferred, but not mandatory.
Students SHOULD test the open source Security Onion (http://securityonion.blogspot.com) NSM distro prior to class. The students should try booting the latest version of the 12.04 64 bit Security Onion distribution into live mode. Students MUST ensure their laptops can run a 64 bit virtual machine. For help with this requirement, see the VMware knowledgebase article “Ensuring Virtualization Technology is enabled on your VMware host (1003944)” (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944). Students MUST have the BIOS password for their laptop in the event that they need to enable virtualization support in class. Students MUST also have administrator-level access to their laptop to install software, in the event they need to reconfigure their laptop in class.
WHAT STUDENTS WILL RECEIVE
Students will receive a paper class handbook with printed slides, a lab workbook, and the teacher’s guide for the lab questions. Students will also receive a DVD with a recent version of the Security Onion NSM distribution.
TRAINERS
Richard Bejtlich is Chief Security Strategist at FireEye, and was Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. He is a nonresident senior fellow at the Brookings Institution, a board member at the Open Information Security Foundation, and an advisor to Threat Stack, Sqrrl, and Critical Stack. He is also a Master/Doctor of Philosophy in War Studies Researcher at King's College London. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. His fourth book is "The Practice of Network Security Monitoring" (nostarch.com/nsm). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity), and teaches for Black Hat.
Tweet
Comments