SANS Sec503: Intrusion Detection In-Depth      

 SEC503.1: Network Monitoring and Analysis: Part I

Concepts of TCP/IP

•             Why is it necessary to understand packet headers and data?

•             The TCP/IP communications model

•             Data encapsulation/de-encapsulation

•             Bits, bytes, binary, and hex

Introduction to Wireshark

•             Navigating around Wireshark

•             Wireshark profiles

•             Examination of Wireshark statistics options

•             Stream reassembly

•             Finding content in packets

Network Access/Link Layer: Layer 2

•             Introduction to the link layer

•             Addressing resolution protocol

•             Layer 2 attacks and defenses

IP Layer: Layer 3

•             IPv4

o             Examination of fields in theory and practice

o             Checksums and their importance, especially for network monitoring and evasion

o             Fragmentation: IP header fields involved in fragmentation, composition of the fragments, modern fragmentation attacks

UNIX Command Line Processing

•             Processing packets efficiently

•             Parsing and aggregating data to answer questions and research a network

•             Using regular expressions for faster analysis

•             SEC503.2: Network Monitoring and Analysis: Part II

Wireshark Display Filters

•             Examination of some of the many ways that Wireshark facilitates creating display filters

•             Composition of display filters

Writing BPF Filters

•             The ubiquity of BPF and utility of filters

•             Format of BPF filters

•             Use of bit masking

TCP

•             Examination of fields in theory and practice

•             Packet dissection

•             Checksums

•             Normal and abnormal TCP stimulus and response

•             Importance of TCP reassembly for IDS/IPS

UDP

• Examination of fields in theory and practice
• UDP stimulus and response

ICMP

• Examination of fields in theory and practice
• When ICMP messages should not be sent
• Use in mapping and reconnaissance
• Normal ICMP
• Malicious ICMP

IP6

• Fundamentals
• Improvements over IP6
• Multicast protocols and how they are leveraged by IP6
• IP6 threats

Real-world application: Researching a network

• Who are the top talkers?
• What are people connecting to?
• What services are running on our network?
• What kind of east-west traffic is present?

• SEC503.3: Signature-Based Threat Detection and Response

Scapy

Packet crafting and analysis using Scapy

Writing packets to the network or a pcap file

Reading packets from the network or from a pcap file

Practical Scapy uses for network analysis and network defenders

Advanced Wireshark

•             Exporting web and other supported objects

•             Extracting arbitrary application content

•             Wireshark investigation of an incident

•             Practical Wireshark uses for analyzing SMB protocol activity

•             Tshark

Introduction to Snort/Suricata

•             Configuration of the tools and basic logging

•             Writing simple rules

•             Using common options

Effective Snort/Suricata

•             More advanced content on writing truly efficient rules for very large networks

•             Understanding how to write flexible rules that are not easily bypassed or evaded

•             Snort/Suricata "Choose Your Own Adventure" approach to all hands-on activities

•             Progressive examination of an evolving exploit, incrementally improving a rule to detect all forms of the attack

•             Application of Snort/Suricata to application layer protocols

DNS

•             DNS architecture and function

•             DNSSEC

•             Modern advances in DNS, such as EDNS (Extended DNS)

•             Malicious DNS, including cache poisoning

•             Creating rules to identify DNS threat activities

 

Microsoft Protocols

•             SMB/CIFS

•             Detection challenges

•             Practical Wireshark application

Modern HTTP

•             Protocol format

•             Why and how this protocol is evolving

•             Detection challenges

•             Changes with HTTP2 and HTTP3

How to Research a Protocol

•             Using QUIC as a case study

•             Comparison of GQUIC vs. IETF QUIC

Real-world Application: Identifying Traffic of Interest

•             Finding anomalous application data within large packet repositories

•             Extraction of relevant records

•             Application research and analysis

•             SEC503.4: Building Zero-Day Threat Detection Systems

Network Architecture

•             Instrumenting the network for traffic collection

•             Network monitoring and threat detection deployment strategies

•             Hardware to capture traffic

Introduction to Network Monitoring at Scale

•             Function of a network monitoring tools

•             The analyst's role in detection

 

•             Analysis flow process

Zeek

•             Introduction to Zeek

•             Zeek operational modes

•             Zeek output logs and how to use them

•             Practical threat analysis and threat modeling

•             Zeek scripting

•             Using Zeek to monitor and correlate related behaviors

IDS/IPS Evasion Theory

•             Theory and implications of evasions at different protocol layers

•             Sampling of evasions

•             Necessity for target-based detection

•             Zero-day monitoring evasions

•             SEC503.5: Large-Scale Threat Detection, Forensics, and Analytics

Topics

Using Network Flow Records

•             NetFlow and IPFIX metadata analysis

•             Using SiLK to find events of interest

•             Identification of lateral movement via NetFlow data

•             Building custom NetFlow queries

Threat Hunting and Visualization

•             Various approaches to performing network threat hunting at enterprise scale in networks

•             Exercises involving approaches to visualizing network behaviors to identify anomalies

•             Applications of data science to streamline security operations and perform threat hunting

•             Experimenting with an AI-based system to identify network protocol anomalies on a defended network

Introduction to Network Forensic Analysis

•             Theory of network forensics analysis

•             Phases of exploitation

•             Data-driven analysis versus alert-driven analysis

•             Hypothesis-driven visualization

•             SEC503.6: Advanced Network Monitoring and Threat Detection Capstone

 

• آشنایی با سیستم عاملهای ویندوز و لینوکس • آشنایی با شبکه های کامپیوتری • آشنایی با اصول اولیه و پایه امنیت

با این درک عمیق از نحوه عملکرد پروتکل‌های شبکه، ما توجه خود را به مهم‌ترین و پرکاربردترین ابزارهای خودکار شناسایی و کاهش تهدید در کسب و کار معطوف می‌کنیم. شما یاد خواهید گرفت که چگونه با این ابزارها قابلیت های تشخیص کارآمد را توسعه دهید، و متوجه خواهید شد که قوانین موجود چه می کنند و تشخیص می دهید که آیا آنها مفید هستند یا خیر. نتیجه این است که شما این دوره را با درک روشنی از نحوه ابزارسازی شبکه خود و انجام شکار دقیق تهدیدات، تجزیه و تحلیل حوادث، کالبدشکافی شبکه و بازسازی تهدیدها خواهید کرد. 

  چیزی که SEC503 را مهم می کند این است که ما شما را مجبور می کنیم مهارت های تفکر انتقادی خود را توسعه دهید و آنها را در این اصول عمیق به کار ببرید. این منجر به درک بسیار عمیق تری از تقریباً هر فناوری امنیتی مورد استفاده امروزی می شود. حفظ امنیت شبکه شما در محیط تهدید امروزی چالش برانگیزتر از همیشه است، به خصوص که شما خدمات بیشتری را به فضای ابری منتقل می کنید. چشم انداز امنیتی به طور مداوم از چیزی که زمانی فقط حفاظت محیطی بود به محافظت از سیستم در معرض و متحرک که تقریباً همیشه متصل و گاهی آسیب پذیر هستند تغییر می کند