- Date held: 1403/09/08
- Course duration: 40 hours
- Days held: Thursday
- Hours: 8 to 12
- Instructor name:
- Price: Toman
- Virtual course fee:
SANS Sec503: Intrusion Detection In-Depth
SEC503.1: Network Monitoring and Analysis: Part I
Concepts of TCP/IP
• Why is it necessary to understand packet headers and data?
• The TCP/IP communications model
• Data encapsulation/de-encapsulation
• Bits, bytes, binary, and hex
Introduction to Wireshark
• Navigating around Wireshark
• Wireshark profiles
• Examination of Wireshark statistics options
• Stream reassembly
• Finding content in packets
Network Access/Link Layer: Layer 2
• Introduction to the link layer
• Address Resolution Protocol (ARP)
• Layer 2 attacks and defenses
IP Layer: Layer 3
• IPv4
o Examination of fields in theory and practice
o Checksums and their importance, especially for network monitoring and evasion
o Fragmentation: IP header fields involved in fragmentation, composition of the fragments, modern fragmentation attacks
UNIX Command Line Processing
• Processing packets efficiently
• Parsing and aggregating data to answer questions and research a network
• Using regular expressions for faster analysis
SEC503.2: Network Monitoring and Analysis: Part II
Wireshark Display Filters
• Examination of some of the many ways that Wireshark facilitates creating display filters
• Composition of display filters
Writing BPF Filters
• The ubiquity of BPF and utility of filters
• Format of BPF filters
• Use of bit masking
TCP
• Examination of fields in theory and practice
• Packet dissection
• Checksums
• Normal and abnormal TCP stimulus and response
• Importance of TCP reassembly for IDS/IPS
UDP
ICMP
IP6
Real-world application: Researching a network
Scapy
• Packet crafting and analysis using Scapy
• Writing packets to the network or a pcap file
• Reading packets from the network or from a pcap file
• Practical Scapy uses for network analysis and network defenders
Advanced Wireshark
• Exporting web and other supported objects
• Extracting arbitrary application content
• Wireshark investigation of an incident
• Practical Wireshark uses for analyzing SMB protocol activity
• Tshark
Introduction to Snort/Suricata
• Configuration of the tools and basic logging
• Writing simple rules
• Using common options
Effective Snort/Suricata
• More advanced content on writing truly efficient rules for very large networks
• Understanding how to write flexible rules that are not easily bypassed or evaded
• Snort/Suricata "Choose Your Own Adventure" approach to all hands-on activities
• Progressive examination of an evolving exploit, incrementally improving a rule to detect all forms of the attack
• Application of Snort/Suricata to application layer protocols
DNS
• DNS architecture and function
• DNSSEC
• Modern advances in DNS, such as EDNS (Extended DNS)
• Malicious DNS, including cache poisoning
• Creating rules to identify DNS threat activities
Microsoft Protocols
• SMB/CIFS
• Detection challenges
• Practical Wireshark application
Modern HTTP
• Protocol format
• Why and how this protocol is evolving
• Detection challenges
• Changes with HTTP/2 and HTTP/3
How to Research a Protocol
• Using QUIC as a case study
• Comparison of GQUIC vs. IETF QUIC
Real-world Application: Identifying Traffic of Interest
• Finding anomalous application data within large packet repositories
• Extraction of relevant records
• Application research and analysis
SEC503.4: Building Zero-Day Threat Detection Systems
Network Architecture
• Instrumenting the network for traffic collection
• Network monitoring and threat detection deployment strategies
• Hardware to capture traffic
Introduction to Network Monitoring at Scale
• Function of network monitoring tools
• The analyst's role in detection
• Analysis flow process
Zeek
• Introduction to Zeek
• Zeek operational modes
• Zeek output logs and how to use them
• Practical threat analysis and threat modeling
• Zeek scripting
• Using Zeek to monitor and correlate related behaviors
IDS/IPS Evasion Theory
• Theory and implications of evasions at different protocol layers
• Sampling of evasions
• Necessity for target-based detection
• Zero-day monitoring evasions
SEC503.5: Large-Scale Threat Detection, Forensics, and Analytics
Topics
Using Network Flow Records
• NetFlow and IPFIX metadata analysis
• Using SiLK to find events of interest
• Identification of lateral movement via NetFlow data
• Building custom NetFlow queries
Threat Hunting and Visualization
• Various approaches to performing network threat hunting at enterprise scale
• Exercises involving approaches to visualizing network behaviors to identify anomalies
• Applications of data science to streamline security operations and perform threat hunting
• Experimenting with an AI-based system to identify network protocol anomalies on a defended network
Introduction to Network Forensic Analysis
• Theory of network forensics analysis
• Phases of exploitation
• Data-driven analysis versus alert-driven analysis
• Hypothesis-driven visualization
SEC503.6: Advanced Network Monitoring and Threat Detection Capstone
With this deep understanding of how network protocols work, we turn our attention to the most important and most widely used automated threat detection and mitigation tools in business. You will learn how to develop efficient detection capabilities with these tools, and you will understand what existing rules do and be able to judge whether they are useful. The result is that you will finish this course with a clear understanding of how to instrument your network and perform precise threat hunting, incident analysis, network forensics, and threat reconstruction.
What makes SEC503 important is that we push you to develop your critical thinking skills and apply them to these deep fundamentals. This leads to a far deeper understanding of nearly every security technology in use today. Keeping your network secure in today's threat environment is more challenging than ever, especially as you move more services to the cloud. The security landscape is continually shifting from what was once purely perimeter protection toward protecting exposed, mobile systems that are almost always connected and sometimes vulnerable.