Security East 2013

New Orleans, LA | Wed Jan 16 - Wed Jan 23, 2013

SEC503: Intrusion Detection In-Depth

Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field. This challenging track methodically progresses from understanding the theory of TCP/IP, examining packets, using Snort to analyze traffic, and becoming familiar with the tools and techniques for traffic and intrusion analysis, to reinforcing what you've learned with a hands-on challenge of investigating an incident. Students should be able to "hit the ground running" once they return to a live environment where traffic analysis is required.

This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection/prevention analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with tcpdump before coming to class.

TCP/IP

  • Tcpdump Overview and TCP/IP concepts
  • ICMP
  • Fragmentation
  • Stimulus - Response
  • Microsoft Protocols
  • Domain Name System (DNS)
  • IPv6

Hands-On tcpdump Analysis

  • Mechanics of running tcpdump
  • General network traffic analysis

Hands-On Snort Usage

  • Various modes of running Snort
  • Writing Snort rules

Intrusion Analysis

  • Intrusion Detection Architecture
  • Intrusion Detection/Prevention Analysis

Course Syllabus
SEC503.1: TCP/IP for Intrusion Detection | Mike Poor | Wed Jan 16th, 2013, 9:00 AM - 5:00 PM
Overview

Students will be able to translate native hexadecimal at the IP and transport layers, and for some application protocols such as DNS. The material presented in this day will give students the knowledge and understanding of TCP/IP and of free tools such as tcpdump to assist them in troubleshooting all types of networking complaints, from routing problems to firewall and critical server issues.

CPE/CMU Credits: 6

Topics

Refresher of TCP/IP

  • Including tcpdump, hexadecimal, TCP/IP Communication model

TCP/IP Communication Model

  • TCP, UDP, and ICMP

IP Fragmentation

  • How it works
  • Initial fragment and protocol information
  • Additional fragments and offset
  • Malicious fragmentation

Internet Control Message Protocol (ICMP)

  • ICMP Theory
  • Mapping using ICMP
  • Normal ICMP behavior
  • Malicious ICMP traffic

Stimulus and Response

  • Expected behavior for normal activity
  • Normal but unconventional stimulus-response
  • Behaviors and categories of abnormal stimulus-response

Microsoft Protocols

  • SMB/CIFS
  • DCE/RPC

Domain Name System (DNS)

  • Client and server interaction
  • Server to server interaction
  • Primary and secondary servers
  • Transport Protocol Used (TCP/UDP)
  • Intelligence gathering tools
  • DNS: The dark side
  • Cache poisoning

IPv6

  • Concepts
  • Addresses, headers, extension headers
  • Fragmentation
  • Tunnels


SEC503.2: Network Traffic Analysis using Tcpdump - Part 1 | Mike Poor | Thu Jan 17th, 2013, 9:00 AM - 5:00 PM
Overview

In this two-day module, students will learn how to interpret header fields and values in a packet. We will build on that skill to learn traffic analysis, with lab exercises to reinforce the theory. Tcpdump is the tool selected to demonstrate the theory and is used in the hands-on exercises. The intent of these days is to provide the foundation that enables the analyst to perform packet/traffic interpretation.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Introduction to Tcpdump

  • How Tcpdump can be used to analyze traffic

Writing Tcpdump filters

  • Mastering subtleties of writing
  • Deciphering output from Tcpdump

Tcpdump filters

  • Bit-masking for looking at fields that do not fall on byte boundaries

Examining Datagram fields with Tcpdump

  • Functions of fields in the IP Datagram
  • Normal values for these fields
  • Why and how these fields are crafted to have abnormal values
  • Network Mapping, OS Fingerprinting, evasion, and covert messages

Analysis of Tcpdump output

  • Beginning analysis: classification of traffic
  • Client attacks
  • Real-world examples of Tcpdump output and analysis

Advanced analysis

  • Four-way handshake
  • DNS pointer evasion
  • Reset Attack?
  • Fragmentation attack?

Application protocols and detection

  • Understanding and analyzing HTTP attacks
  • Understanding and analyzing SMTP attacks
  • Understanding and analyzing DNS attacks


SEC503.3: Network Traffic Analysis using Tcpdump - Part 2 | Mike Poor | Fri Jan 18th, 2013, 9:00 AM - 5:00 PM
Overview

In this two-day module, students will learn how to interpret header fields and values in a packet. We will build on that skill to learn traffic analysis, with lab exercises to reinforce the theory. Tcpdump is the tool selected to demonstrate the theory and is used in the hands-on exercises. The intent of these days is to provide the foundation that enables the analyst to perform packet/traffic interpretation.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Introduction to Tcpdump

  • How Tcpdump can be used to analyze traffic

Writing Tcpdump filters

  • Mastering subtleties of writing
  • Deciphering output from Tcpdump

Tcpdump filters

  • Bit-masking for looking at fields that do not fall on byte boundaries

Examining Datagram fields with Tcpdump

  • Functions of fields in the IP Datagram
  • Normal values for these fields
  • Why and how these fields are crafted to have abnormal values
  • Network Mapping, OS Fingerprinting, evasion, and covert messages

Analysis of Tcpdump output

  • Beginning analysis: classification of traffic
  • Client attacks
  • Real-world examples of Tcpdump output and analysis

Advanced analysis

  • Four-way handshake
  • DNS pointer evasion
  • Reset Attack?
  • Fragmentation attack?

Application protocols and detection

  • Understanding and analyzing HTTP attacks
  • Understanding and analyzing SMTP attacks
  • Understanding and analyzing DNS attacks


SEC503.4: Intrusion Detection Snort Style | Mike Poor | Sat Jan 19th, 2013, 9:00 AM - 5:00 PM
Overview

Install, configure, and use the powerful and versatile free intrusion detection system Snort. In addition, learn to customize Snort for many special uses. Hands-on exercises that will challenge both the novice and the seasoned Snort user are included, so that students will feel confident in their ability to effectively use Snort for their site's specific needs when they get back to the office.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Introduction

  • Installation
  • Getting started with Snort

Modes of operation

  • Sniffer mode
  • IDS mode
  • Deployment options

Writing Snort rules

  • Rule anatomy
  • Rule syntax
  • Rule options
  • Rule keywords

Configuring Snort as an IDS

  • Configuration file options
  • Using variables
  • Preprocessor configuration
  • Output configuration options

Miscellaneous

  • Dealing with false positives and false negatives
  • Writing efficient rules
  • Examining a Buffer Overflow and writing a Snort rule to detect it
  • Snort GUIs and analysis


SEC503.5: Intrusion Analysis | Mike Poor | Sun Jan 20th, 2013, 9:00 AM - 5:00 PM
Overview

This day starts to bring together the knowledge gained on previous days to help you become a combat-ready analyst. You'll learn how to assess and prioritize the events generated by an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), including how to correlate events across multiple platforms and operating environments. You'll participate in analyzing network traffic, including performing network traffic forensic analysis.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Analyst Toolkit: Examine some libpcap-based tools to assist with specific tasks for traffic analysis

  • Ngrep, tcpflow, p0f, Chaosreader, tcpreplay, NetWitness

Wireshark: Extensive coverage of the use of Wireshark for the following:

  • Navigation and features
  • Capturing Packets
  • Use of display filters for traffic selection/display
  • Understanding use of Wireshark to examine an attack
  • Exporting web objects
  • Use of miscellaneous features

SiLK: Open Source Network Flow

  • Introduction of Concept of Network Flow
  • Understand the uses for flow

SiLK: Network Traffic Forensics

  • Learn what it is
  • Become aware of indicators of network issues
  • Learn to Investigate Incidents
  • Exploited host
  • Phishing attack

Network Architecture for Monitoring

  • Become familiar with hardware used with and for monitoring
  • Understand the uses for flow

Correlation

  • Understand different methods of correlation of network data


SEC503.6: IDS Challenge | Mike Poor | Mon Jan 21st, 2013, 9:00 AM - 5:00 PM
Overview

This day is the culmination of all the previous days: you use your knowledge in a hands-on exercise to investigate an actual attack. This is a guided approach to discovering the network architecture, profiling traffic, identifying attacks, analyzing possible compromises, characterizing the enemy, tracking the hacker's activities, and correlating the findings.

This engaging activity allows you to work with a team or individually to reinforce what you've learned, and challenges you to think analytically.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6


Additional Information

Laptop Required

For Security 503: Intrusion Detection In-Depth you will need to install the required software on your laptop for the hands-on exercises that will be done in class. A Linux VMware image is supplied for class exercises. Familiarity and comfort with entering commands via the command line will facilitate your experience with the hands-on exercises.

Before coming to the course, you will need to perform the following actions:

  • Review the following laptop requirements to make sure your laptop is suitable for the course.
  • Download and install the free VMware Player for Windows or Linux (RPM or tarball) from the VMware site, or VMware Fusion for Mac, or have your own copy of VMware Workstation preinstalled (version 5.5x minimum, or 6.x for Vista).

Note: The VMware image supplied for the course is used to do all of the Security 503 exercises. The VMware image CD will be supplied during the course.

Mandatory Laptop Hardware Requirements:

  • x86-compatible 1.5 GHz CPU minimum; a faster CPU is preferred for better performance
  • DVD drive (not a CD-ROM drive)
  • 1 GB RAM minimum or higher (2 GB preferred)
  • Ethernet adapter (optional)
  • 512 MB RAM allocated to VMware, 1 GB recommended
  • 12 GB available hard drive space
  • Windows XP/Vista/7, Mac OS X, or any Linux distribution
  • Any Service Pack level is acceptable for Windows XP/Vista/7
  • Windows and Linux hosts will require an unzip utility for the VMware image
  • Required software: VMware Player or VMware Workstation for Windows or Linux, or VMware Fusion for Mac OS X

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.


Who Should Attend

  • Intrusion detection analysts (all levels)
  • Network engineers
  • System, security, and network administrators
  • Hands-on security managers

Prerequisites

Students must possess at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP & Hex Quizzes here.

 

Author Statement

When I was invited to be a member of a computer incident response team in the late 1990s (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in.

With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced, always-interesting job of an intrusion detection analyst.

- Judy Novak