ＨｉｄｅＺｅｒｏＯｎｅ

It’s time to master your data. This course will teach you how to use the Elasticsearch, Logstash, and Kibana (ELK) to build your own IDS console, investigation platform, or security analysis lab. You must master your data If you want to catch bad guys and find evil. But, how can you do that? That’s where the ELK stack comes in. ELK is Elasticsearch, Logstash, and Kibana and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course, it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.

Syllabus

• Elasticsearch: How data is stored and indexed. Working with JSON documents.
• Logstash: How to collect and manipulate structured and unstructured data.
• Kibana: Techniques for searching data and building useful visualizations and dashboards.
• Beats: Use the agent to ship data from endpoints and servers to your ELK systems.
• HTTP Proxy Logs
• File-Based Logs (Unix, auth, and application logs)
• Windows Events & Sysmon Data
• NetFlow Data
• IDS Alerts
• Dealing with any CSV file you’re handed
• Parsing unstructured logs, no matter how weird they are

Applied Network Defense | ELK for Security Analysis

Most security analysis and detection tools support matching with regular expressions because of limitations in their own feature set. This means that if you can write regular expressions, you can search with infinite precision. This applies to IDS engines, SIEMs, and even command line tools like grep.

The phrase “searching for a needle in a haystack” is overused, but it’s a serious component of what security analysts do. A large part of our success is contingent on being able to search through large repositories of data and match things that meet very specific criteria.

Demystifying Regular Expressions will help you do exactly that.

Syllabus

• The most common uses of regular expressions and how to apply them in places you weren’t even aware of.
• The process of iteratively building and testing regular expressions for things you want to match.
• Techniques for overcoming common gotchas like dealing with whitespace
• How to Evaluate the efficiency of expressions by the number of steps it takes to match.
• A definitive guide to escaping so you’ll know when and how to do it
• How quantifiers can be used to match specific numbers of data occurrences
• How to use capture groups to reference specific matched content and perform additional operations on it
• Complex behavioral structures like lookarounds and conditionals
• The use of modifiers to match case-sensitive, enable free-spacing, or match in single line mode

Applied Network Defense | Demystifying Regular Expressions

Intrusion Detection Honeypots is the foundational guide to building, deploying, and monitoring honeypots — security resources whose value lies in being probed and attacked. These fake systems, services, and tokens lure attackers in, enticing them to interact. Unbeknownst to the attacker, those interactions generate logs that alert you to their presence and educate you about their tradecraft. Intrusion Detection Honeypots teaches you how to: – Use the See-Think-Do framework to integrate honeypots into your network and lure attackers into your traps.

syllabus

• Leverage honey services that mimic HTTP, SSH, and RDP.
• Hide honey tokens amongst legitimate documents, files, and folders.
• Entice attackers to use fake credentials that give them away.
• Create honey commands, honey tables, honey broadcasts, and other unique detection tools that leverage deception.
• Monitor honeypots for interaction and investigate the logs they generate.

Chris Sanders | Intrusion Detection Honeypots: Detection through Deception

Building Intrusion Detection Honeypots will teach you how to build, deploy, and monitor honeypots designed to catch intruders on your network. You’ll use free and open source tools to work through over a dozen different honeypot techniques, starting from the initial concept and working to your first alert. Building Intrusion Detection Honeypots is the seminal course on strategic honeypot deployment for network defenders who want to leverage deception to find attackers on their network and slow them down.

syllabus

• What makes an intrusion detection honeypot different from research honeypots.
• How to leverage the four characteristics of honeypots for the defender’s benefit: deception, interactivity, discoverability, and monitoring.
• How to think deceptively with an overview of deception from a psychological perspective.
• How to use the See-Think-Do framework to integrate honeypots into your network and lure attackers into your traps.
• Tools and techniques for building service honeypots for commonly attacked services like HTTP, SSH, and RDP.
• How to hide honey tokens amongst legitimate documents, files, and folder.
• To entice attackers to use fake credentials that give them away.
• Techniques for embedding honey credentials in services and memory so that attackers will find and attempt to use them.
• How to build deception-based defenses against common attacks like Kerberoasting and LLMNR spoofing.
• Monitoring strategies for capturing honeypot interaction and investigating the logs they generate.

Applied Network Defense | Building Intrusion Detection Honeypots

Detection Engineering with Sigma will teach you how to write and tune Sigma rules to find evil in logs using real-world examples that take you through the detection engineering process. We’ll dissect real Sigma detection rules focused on finding a variety of malicious activity in diverse log sources. Once you have a good handle on these components, you’ll start writing and tuning your own rules in a series of case studies. In some case studies, I’ll describe a detection gap and you’ll write a rule on your own before I show you how I tackled the problem myself. In other scenarios, you’ll write or modify a rule on your own and submit it to me for feedback. In this course, you are never alone! I will be with you 100% of the way to help you understand the structure of Sigma rules, how to get from idea to finished rule, and best practices for writing resilient rules.

Syllabus

• The detection engineering process from initial detection gap identification to deploying your rule.
• The structure of Sigma rules, including the difference between lists and maps, how condition expressions work, and all the essential metadata that’ll be useful for investigating alerts it generates.
• How to use the SOC Prime Sigma UI plugin for Kibana to develop rules with a graphical editor.
• Sigmac usage to convert rules to popular investigation and detection tool formats like Splunk, ELK, and others.
• How to write resilient rules that find more evil, stand the test of time, and cause headaches for adversaries.
• How to write your own detection rules using familiar log sources like Windows Events, Zeek Logs, Sysmon Logs, AWS CloudTrail logs, and more.
• Guidelines and best practices for developing Sigma rules you can share with third parties, including the public Sigma rule repository.
• The principles of detection as code with a tutorial on managing your custom ruleset with Git.
• Tips and tricks for using Sigma and its tools on the command line.
• How to leverage popular Sigma integrations like Security Onion Playbook.

Applied Network Defense | Detection Engineering with Sigma