Course Details
Duration: 5 days; / 35 hours; Instructor-led/ remote online training
Audience
- Cybersecurity Analysts
- SOC Analysts
- Threat Intel Analysts
- Network and Security Administrators, Network and Security Engineers, Network Defense Analyst, Network Defense Technicians, Network Security Specialist, Network Security Operator, and any security professional handling network security operations
- Entry-level cybersecurity professionals
- Professionals newly recruited into a SOC / TI team without prior experience
Prerequisites
The growth and sophistication of cyber-attacks against enterprises and individuals have rendered traditional cybersecurity measures virtually obsolete. The headlines are seemingly endless; companies continue to get compromised, while those responsible for securing corporate networks fall on their swords. Cybercriminals – smart, highly organized, and driven by financial motivations and/or strongly-held personal beliefs – only need to find a single vulnerability to exploit. On the other side, those endeavouring to protect assets need to set up flawless defenses. It’s impossible to defend against every possible exploit and threat vector.
Methodology
This program will be conducted with interactive lectures, PowerPoint presentation, discussion and practical exercise.
Course Objectives
- Gain in-depth knowledge of security threats, attacks, vulnerabilities, attacker’s behaviors, cyber kill chain.
- Understand the MITRE ATT&CK Framework and Able to identify attacker techniques, tactics, and procedures (TTP) to investigate on indicators of compromise (IOCs) and provide automated / manual responses to eliminate the attack/incident.
- Able to understand the concepts of Threat Intelligence and gain in-depth knowledge on how to integrate Threat Intelligence with the SIEM, SOAR, EDR and other SOC technologies to reduce the Mean time to Detect (MTTD) and Mean time to Respond (MTTR)
- Able to Understand and learn how to setup a Threat Intelligence Framework and platform for your organization and consume community and commercial feeds to understand attacks and defend your organization from future attacks.
- Gain in-depth knowledge on Malware Information Sharing Platform (MISP) and learn to setup a working instance with configurations and integrations that can be used immediately in your organisation.
- Gain knowledge of Incident Response Methodology, processes and in-depth knowledge on how to integrate Threat Intelligence processes with Incident Response processes using HIVE and learn how to automate them as a single workflow.
Outlines
Module 1: Introduction to Threat Intelligence
- Objective: Gain in-depth knowledge of Threat Intelligence, types, life cycle, different sources of intelligence feeds, and threat intelligence frameworks
- Outcome: Attendees will learn in-detail about Threat Intelligence and its ecosystem.
- Understanding Threats, Threat Modeling and Risk
- What is Threat Intelligence
- Need for Threat Intelligence
- Benefits of Threat Intelligence
- Types of Threat Intelligence
- Threat Intelligence Life Cycle
- Sources of Threat Intelligence
- Technologies contributing to Threat Intelligence ( SIEM, EDR, Log Sources )
- Threat Intelligence & SOC
- Incident Response & Threat Intelligence
- Applications of Threat Intelligence
- Threat Intelligence Frameworks ( CIF, MISP, TAXII)
- Role of Threat Intelligence Analyst & Threat Hunters
Module 2: Technical Deep Dive on Latest Attacks
- Objective: Understand all the latest attacks with its IOCs. Understand the MITRE ATT&CK Framework and able to identify attacker techniques, tactics, and procedures (TTP) to investigate on indicators of compromise (IOCs) and provide automated / manual responses to eliminate the attack/incident.
- Outcome: Attendees will learn in-detail about latest attacks and its IOCs with 9 Hands-on labs. Attendees will learn MITRE ATT&CK Framework, will be able to identify attacker techniques, tactics, and procedures (TTP), and investigate on IOCs and provide automated / manual responses to eliminate the attack/incident
- What is Security, Vulnerabilities & O-Days, Attack life Cycle, Different Attack Vectors
- Threats Vs. Risks, Why Perimeter defenses are failing? Why Anti-Virus is not enough?
- Introduction to Cyber Kill Chain
- Indicators of Compromise (IOC) & IOC Sources (OTX, MISP)
- Business Email Compromise (BEC) (Lab) with Indicators of Compromise
- Ransomware (Lab) with Indicators of Compromise
- Advanced Persistent Threat (Lab) with Indicators of Compromise
- File-less Malwares (Lab) with Indicators of Compromise
- Mobile Malwares (Lab) with Indicators of Compromise
- Web Data Breach (Lab) with Indicators of Compromise
- Malvertising (Lab) with Indicators of Compromise
- Social Media based attacks (Lab) with Indicators of Compromise
- Password based attacks (Password Stuffing, Account Takeover, Phishing, etc) (Lab)
- What is MITRE ATT&CK Framework ?
- Tactics, Techniques and Procedures (TTP)
- Threat Actors
- ATT&CK Navigator
- The ThreatHunter-Playbook
- Atomic Red Team Library
- Threat-Based Adversary Emulation with ATT&CK
- Behavioral-based analytic detection using ATT&CK
- Mapping to ATT&CK from Raw Data – Lab.
- Storing and analyzing ATT&CK-mapped intel
Module 3: Setting up Threat Intel Framework
- Objective: Understand Threat Intel Framework, Threat Intel Open source Feeds, Dark web feeds, Public Feed, Yara & EDR Feeds, and Commercial Feeds
- Outcome: Attendees will learn Threat Intel Framework and all technical details of Open source, Dark web, public, yara, edr, and commercial threat intelligence feeds
- Enterprise Threat Landscape Mapping
- Scope & Plan Threat Intel Program
- Setup Threat Intel Team
- Threat Intelligence Feeds, Sources & Data Collections
- Open source Threat Intel Collections (OSINT and more)
- Dark Web Threat Intel Collections
- SIEM / Log Sources Threat Intel Collections
- Pubic Web data Threat Intel Collections ( Maltego, OSTrICa, and more)
- Threat Intel collections with YARA
- EDR Threat Intel Collections
- Incorporating Threat Intel into Incident Response
- Threat Intel & Actionable Contextual Data
- Commercial Threat Intel Feed Providers ( RecordedFuture, BlueLiv, etc. )
- Commercial Threat Intel Platforms ( Anamoli, DigitalShadows, etc. )
Module 4: Malware Information Sharing Platform (MISP)
- Objective: Gain in-depth knowledge on Malware Information Sharing Platform (MISP) and learn to setup a working instance with configurations and integrations that can be used immediately in your organisation
- Outcome: Attendees will be able to setup Malware Information Sharing Platform (MISP) with configurations and feed integrations that can be used immediately in organisation
- MISP Project Overview
- MISP Features & Use cases
- Events, Objects and Attributes in MISP
- MISP Data model & Core data structure
- MISP – Creating and populating events
- MISP – Distribution and Topology
- Information Sharing and Taxonomies
- MISP Galaxy
- MISP Object Templates
- MISP Deployment and Integrations
- Normalizing OSINT and other community & Private Feeds
- SIEM and MISP Integration
- Incident Response and threat hunting using MISP
- Viper and MISP
- MISP Administration
- MISP feeds – A simple and secure approach to generate, select and collect intelligence
- MISP and Decaying of Indicators
- Workflow of a security analyst using Viper as a management console for malware analysis
Module 5: Cybersecurity Incident Response
- Objective: Gain knowledge of Incident Response Methodology, processes and in-depth knowledge on how to integrate Threat Intelligence processes with Incident Response processes using HIVE and learn how to automate them as a single workflow
- Outcome: Attendees will be able to setup HIVE and integrate it with MISP and setup an automated & integrated work flow for malware analysis.
- Introduction to Incident Response
- Incident Response & Handling Methodology
- MISP & HIVE Integrations
- HIVE Implementation
- Malware Analysis Use case using MISP & HIVE
