Intrusion Detection In-Depth

No Class on December 24 or 31.

Intrusion Detection In-Depth

Contents | Schedule | Additional Info
Venue Information
Instructor: David Mashburn
$3,950 $3,450 paid by Oct 22

If you have an inkling of awareness of security (even my elderly aunt knows about the perils of the Interweb!), you often hear the disconcerting news about another high-profile company getting compromised. The security landscape is continually changing from what was once only perimeter protection to a current exposure of always-connected and often-vulnerable. Along with this is a great demand for security savvy employees who can help to detect and prevent intrusions. That is our goal in the Intrusion Detection In-Depth course - to acquaint you with the core knowledge, tools, and techniques to prepare you to defend your networks.

This track spans a wide variety of topics from foundational material such as TCP/IP to detecting an intrusion, building in breadth and depth along the way. It's kind of like the "soup to nuts" or bits to bytes to packets to flow of traffic analysis.

Hands-on exercises supplement the course book material, allowing you to transfer the knowledge in your head to your keyboard using the Packetrix VMware distribution created by industry practitioner and SANS instructor Mike Poor. As the Packetrix name implies, the distribution contains many of the tricks of the trade to perform packet and traffic analysis. All exercises have two different approaches. A more basic one that assists you by giving hints for answering the questions. Students who feel that they would like more guidance can use this approach. The second approach provides no hints, permitting a student who may already know the material or who has quickly mastered new material a more challenging experience. Additionally, there is an "extra credit" stumper question for each exercise intended to challenge the most advanced student.

By week's end, your head should be overflowing with newly gained knowledge and skills; and your luggage should be swollen with course book material that didn't quite get absorbed into your brain during this intense week of learning. This track will enable you to "hit the ground running" once returning to a live environment.

This is a fast-paced track, and students are expected to have a basic working knowledge of TCP/IP (see www.sans.org/conference/tcpip_quiz.php ) in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection/prevention analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging hands-on exercises are specially designed to be valuable for all experience levels. The Packetrix VMware used in class is a Linux distribution so we strongly recommend that you spend some time before attending becoming familiar with a Linux environment that uses the command line for entry.

Sampling of Topics:

Fundamentals of traffic analysis

Overview TCP/IP concepts

Link layer
IP layer
Transport layer
Application layer

Examination of protocol layers from an attacker's perspective
Fundamentals of bits, bytes, binary and hex

Traffic analysis tools

Wireshark basics, display filters, and advanced topics
tcpdump and Berkeley Packet Filters
SiLK network flows

Theory and hands-on usage of Snort

Various modes of running Snort
Writing Snort rules
Dealing with false positives/negatives

Network Forensics

Indicators of issues
How to examine issues using multiple tools

Traffic correlation

Log traffic analysis
Using OSSEC

Hide

Course Syllabus

Expand All

Course Contents
SEC503.1: Fundamentals of Traffic Analysis: Part I
Overview Day 1 provides a refresher or introduction, depending on your background, to TCP/IP covering the essential foundations such as the TCP/IP communication model, theory of bits, bytes, binary and hexadecimal, an introduction to Wireshark, the IP layer, both IPv4 and IPv6 and packet fragmentation in both. We describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open source tools Wireshark and tcpdump. Students can follow along with the instructor viewing the sample traffic capture files supplied. Six hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned. CPE/CMU Credits: 6 Topics Concepts of TCP/IP TCP/IP communications model Data encapsulation/de-encapsulation Discussion of bits, bytes, binary, and hex Introduction to Wireshark Navigating around Wireshark Examination of Wireshark statistics Stream reassembly Finding content in packets Network access/link layer Introduction to 802.x link layer Address Resolution Protocol ARP spoofing IP Layer IPv4 Examination of fields in theory and practice Checksums and their importance especially for an IDS/IPS Fragmentation IP header fields involved in fragmentation Composition of the fragments Fragmentation attacks IPv6 Examination of fields in theory and practice Comparison with IPv4 IPv6 addresses Neighbor Discovery Protocol Extension headers IPv6 in transition

SEC503.2: Fundamentals of Traffic Analysis: Part II
Overview Day 2 continues where Day1 ended in understanding TCP/IP. Two essential tools - Wireshark and tcpdump are explored to give you the skills to analyze your own traffic. The focus of these tools on Day 2 is filtering traffic of interest in Wireshark using display filters and in tcpdump using Berkeley Packet Filters. We proceed with our exploration of the TCP/IP layers covering TCP, UDP, and ICMP. Once again, we describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open source tools Wireshark and tcpdump. Students can follow along with the instructor viewing the sample traffic capture files supplied. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned. Note: This course is available to Security 503 participants only. CPE/CMU Credits: 6 Topics Wireshark display filters Examination of some of the many ways that Wireshark facilitates creating display filters Composition of display filters Writing tcpdump filters Format of tcpdump filters The use of bit masking TCP Examination of fields in theory and practice Packet dissection Checksums Normal and abnormal TCP stimulus and response Importance of TCP reassembly for IDS/IPS UDP Examination of fields in theory and practice UDP stimulus and response ICMP Examination of fields in theory and practice When ICMP messages should not be sent Use in mapping and reconnaissance Normal ICMP Malicious ICMP

SEC503.3: Application Protocols and Traffic Analysis
Overview Day 3 culminates the examination of TCP/IP with an exploration of the application protocol layer. The concentration is on some of the most widely used, and sometimes vulnerable, crucial application protocols - HTTP, SMTP, DNS, and Microsoft communications. Our focus is on traffic analysis, a key skill in intrusion detection. We'll take a brief foray into packet crafting and nmap remote OS identification so that you can analyze and recognize telltale signs of each. Packet crafting is a handy skill for an analyst to possess, especially for testing IDS/IPS rules. IDS/IPS evasions are the bane of the analyst so the theory and possible implications of evasions at different protocol layers are examined. The day concludes with examination and analysis of some real world traffic captures. Once again, we describe the applications not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open source tools Wireshark and tcpdump. Students can follow along with the instructor viewing the sample traffic capture files supplied. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned. Note: This course is available to Security 503 participants only. CPE/CMU Credits: 6 Topics Advanced Wireshark Exporting web objects Extracting SMTP attachment content Sample Wireshark investigation of an incident Tshark Detection methods for application protocols Pattern matching, protocol decode, and anomaly detection Detection challenges Microsoft Protocols SMB/CIFS MSRPC Detection challenges HTTP Protocol format Sample of attacks Detection challenges SMTP Protocol format Sample of attacks Detection challenges DNS The vital role it plays in the Internet The resolution process Caching DNSSEC Malicious DNS Cache poisoning Packet crafting and nmap OS identification Why packet crafting is done Some of the tools used How nmap performs remote OS identification Signs of remotes OS identification IDS/IPS evasion theory Theory and implications of evasions at different protocol layers Sampling of evasions Necessity for target-based detection Real world traffic analysis Client attacks DDoS attacks Four-way handshake TCP reset attack Malformed DNS DoS

SEC503.4: Intrusion Detection Snort Style
Overview The fundamental knowledge gained from the first three days provides a fluid progression into one of the most popular days - Intrusion Detection: Snort Style. Snort is a widely deployed open source IDS/IPS that has been a standard in the industry for over a decade. Knowing how to configure, tune and use it are indispensable skills. Some of the day's topics are how to run Snort, its modes of operations, configuration options, deployment types, dealing with false positives and negatives, writing rules and using different Snort GUIs and sensor management. Hands-on exercises allow you to run Snort in different modes and give you the opportunity to write an advanced Snort rule and test it. Note: This course is available to Security 503 participants only. CPE/CMU Credits: 6 Topics Introduction Installation Getting started with Snort Modes of operation Sniffer mode IDS mode Deployment options Writing Snort rules Rule anatomy Rule syntax Rule options Rule keywords Configuring Snort as an IDS Configuration file options Using variables Preprocessor configuration Output configuration options Miscellaneous Dealing with false positives and false negatives Writing efficient rules Examining a Buffer Overflow and writing a Snort rule to detect it Snort GUIs and analysis

SEC503.5: Network Traffic Forensics and Monitoring
Overview On the penultimate day, you'll become familiar with other tools in the "analyst toolkit" to enhance your analysis skills and give you alternative perspectives of traffic. The open source network flow tool SiLK is introduced. It offers the capability to summarize network flows to assist in anomaly detection and retrospective analysis, especially at sites where the volume is so prohibitively large that full packet captures cannot be retained for very long, if at all. The topic of network forensics is examined to show you how to investigate an incident using multiple approaches including log analysis. Finally, you can see how your forensic data can be correlated and analyzed by open source tools, with a concentration on the OSSEC that acts as a host-based IDS and Security Information and Event Manager (SIEM). Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned. Note: This course is available to Security 503 participants only. CPE/CMU Credits: 6 Topics Analyst toolkit ngrep, tcpflow, p0f, Chaosreader, tcpreplay, NetWitness SiLK Introduction of concept of network flow Understand the uses for flow Network Forensics Learn what it is Become aware of indicators of network issues Learn to investigate incidents using some sample traffic of: Exploited host Phishing attack Network architecture for monitoring Become familiar with hardware used with and for monitoring Correlation of indicators Examination of log files OSSEC Understand different methods of correlation

SEC503.6: IDS Challenge
Overview The week culminates with a fun hands-on Challenge where you find and analyze traffic to a vulnerable honeynet host using many of the same tools you mastered during the week. Students can work alone or in groups with or without workbook guidance. This is a great way to end the week since it reinforces what you've learned by challenging you to think analytically, gives you a sense of accomplishment, and strengthens your confidence to employ what you've learned in the Intrusion Detection In-Depth track in a real world environment. Note: This course is available to Security 503 participants only. CPE/CMU Credits: 6

Schedule	Instructor

Tue Nov 19th, 2013 6:30 PM - 8:30 PM	David Mashburn
Tue Nov 26th, 2013 6:30 PM - 8:30 PM	David Mashburn
Tue Dec 3rd, 2013 6:30 PM - 8:30 PM	David Mashburn
Tue Dec 10th, 2013 6:30 PM - 8:30 PM	David Mashburn
Tue Dec 17th, 2013 6:30 PM - 8:30 PM	David Mashburn
Tue Jan 7th, 2014 6:30 PM - 8:30 PM	David Mashburn
Tue Jan 14th, 2014 6:30 PM - 8:30 PM	David Mashburn
Tue Jan 21st, 2014 6:30 PM - 8:30 PM	David Mashburn
Tue Jan 28th, 2014 6:30 PM - 8:30 PM	David Mashburn
Tue Feb 4th, 2014 6:30 PM - 8:30 PM	David Mashburn
Additional Information

Laptop Required
LAPTOP REQUIRED IMPORTANT - BRING YOUR OWN LAPTOP You will need to run a Linux VMware image, supplied at the conference, on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises. VMware VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free at www.vmware.com. Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from www.vmware.com. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player. Macintosh users must have VMware Fusion 3 or later installed on your system prior to coming to class. It is available for a free 30-day trial copy at www.vmware.com/products.fusion/overview.html. Mandatory Laptop Hardware Requirements x86- or x64-compatible 1.5 GHz CPU minimum or higher DVD Drive (not a CD drive) 2 Gigabyte RAM minimum with 4 GB or higher recommended 12 Gigabyte available hard drive space Windows XP/Vista/7/8, Mac OS X, and Linux any types Any Service Pack level is acceptable for your Windows XP/Vista/Win 7/8 Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised. By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun. If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend
Intrusion detection analysts (all levels) Network engineers System, security, and network administrators Hands-on security managers

Prerequisites
Students must possess at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP & Hex Quizzes at www.sans.org/conference/tcpip_quiz.php.

You Will Be Able To
Identify the security solutions that are most important for protecting your perimeter Understand attacks that affect security for the network Understand the complexities of IP and how to identify malicious packets Understand the risks and impacts related to cloud Computing and security solutions to manage the risks Understand the process for properly securing your perimeter Identify and understand how to protect against application and database risks Use tools to evaluate the packets on your network and identify legitimate and illegitimate traffic

Author Statement

When I was invited to be a member of a computer incident response team in the late 1990's (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in.

With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced always-interesting job of intrusion detection analysts.

- Judy Novak

Pricing

Paid by Oct 22	Paid by Nov 5	Paid after Nov 5	Options
$3,450	$3,700	$3,950	GCIA Certification $579 OnDemand $449
Cancel Date: Nov 5, 2013

Venue Information

Courtyard Marriott Rockville
2500 Research Boulevard
Rockville, MD US

Mentor SEC503 Session

Intrusion Detection In-Depth

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Author Statement

Venue Information

Share

Latest Whitepapers

Latest Tweets @SANSInstitute

Contact Us