Advanced Detection Engineering in the Enterprise

  • Dates: May 11, 12 and 13, 2026
  • Difficulty: Medium
  • Session Format: On-Site
  • Language: English

Description

Building resilient and automated detection capabilities requires a detailed understanding of attackers and their known or expected behavior. By thinking like an attacker, understanding the techniques and procedures attackers use, and identifying which indicators can be extracted from them, better detection capabilities can be developed.

This process is called Detection Engineering, and it is crucial to being truly effective at discovering attackers in your network.

Our training covers the entire detection engineering cycle. We guide participants in defining a scope, researching the relevant (sub-)techniques, investigating which logs can be utilized, building the detection analytic, and validating the resilience of the analytic against evasion. Maintenance, testing, improvement and documentation are all part of proper engineering as well. Describing what to do when an alert triggers is as important as describing what you are trying to detect in the first place.

Interactive training

The training is highly interactive and keeps a good balance between theory and hands-on exercises, in which the students execute all attacks themselves in a dedicated lab environment. These exercises are extensively documented in our lab guide, which offers hints and (partial) solutions where needed. This allows the students to become familiar with the detection engineering methodology and prepares them to start implementing this practice at their own organizations. In the training we mix theory, discussion and lots of hands-on exercises in our training lab. Students will receive:

  • Reference materials.
  • Training slides.
  • Step-by-step digital lab guide.
  • Access to their own lab environment.
  • All tools and scripts used in the training.

Who should take the training

Our training is intended for medior and senior level detection engineers, threat hunters and red teamers. The methodology will also enable anyone with a hands-on role in security to improve the security posture of their company.

The following topics will be covered in the training:

Detection Engineering Methodology

  • Introduction
  • Detection Engineering principles
  • Testing, Maintenance and Improvement
  • Automation

Endpoint

  • Initial Access
  • Command and Control use and detection
  • Credential Dumping
  • Lateral Movement

Active Directory and server-side attacks

  • Kerberos attacks
  • Active Directory Certificate Services (ADCS)

Cloud Infrastructure

  • Microsoft Entra ID (f.k.a. Azure Active Directory) abuse and misconfigurations
  • Azure KeyVault and Storage Accounts
  • Azure Virtual Machine attacks

The training covers a full, realistic attacker scenario in an enterprise environment: from the endpoint, through Active Directory and into the cloud environment. This training is led by experienced instructors who teach students to:

  • Understand how to research an attacker technique used in corporate environments.
  • Build resilient detections that are harder to evade by an attacker.
  • Validate their detections to make sure they keep functioning as intended.

FalconForce has successfully facilitated this training both at well-known security conferences, such as Black Hat US, and at various private organizations in different sectors.

Key Learning Objectives

Understand how to research an attacker technique used in corporate environments. Build resilient detections that are harder to evade by an attacker. Validate your detections to make sure they keep functioning as intended.

Who Should Attend?

Medior to senior detection engineers. Medior to senior threat hunters. Medior to senior red team operators who want to understand the blue side and write better reports.

Prerequisite Knowledge

Students should be familiar with Windows endpoints, Active Directory, and the Azure cloud; basic PowerShell experience is a plus. Furthermore, at least some experience with Azure Sentinel and its query language (Kusto) is required. Recommended study material to prepare will be supplied to the students several weeks in advance.

Hardware Requirements

A laptop. To connect to our training lab environment, students must be able to use Microsoft RDP (Remote Desktop Protocol) over the internet on TCP port 3389.

Bio

Olaf Hartong, FalconForce

Olaf has vast experience in digital security, specializing in security operations, detection engineering and threat hunting. He has extensive knowledge of different monitoring platforms, in particular the Microsoft Defender XDR and Sentinel stack. He presents at well-known security conferences, such as BlackHat, Defcon, WWHF, BRUcon, SOcon, NorthSec, Insomni'hack and MITRE ATT&CKcon. Olaf is the author of the ThreatHunting for Splunk, ATTACKdatamap, FalconHound and Sysmon-modular tools.

Rogier Boon, FalconForce

Rogier has over 20 years of experience as both a security consultant and an in-house technical specialist. Throughout his career, he has held roles as an offensive specialist and as a blue teamer (tier 2/3 SOC, incident response, detection engineering). Rogier brings extensive experience working in various high-tech environments and researching a multitude of technologies. He has facilitated this training at Black Hat US and at various private training sessions for in-house SOC teams.
