Ethical Hacking Network Intrusion Investigations and Forensic Analysis

This class will provide the students with a unique perspective on network intrusion investigations and analysis.

Students will begin the course by compromising a system (“ethical hacking”) using techniques that attackers have been seen to use in the wild.

Once in, they will walk through the stages of an intrusion, from compromise to entrenchment, and exfiltration of data.

The course then takes a unique spin in that students will review the captured network traffic looking for artifacts of their compromise, combing through packet captures to see the footprint that they, as the attacker, have left.

Not stopping there, students will then learn the principles of an incident response, leveraging the tools of the trade to collect volatile data as well as forensic imaging of a compromised host.

Finally, class attendees will complete the course by performing forensic analysis of the acquired artifacts, rounding out the lifecycle of an intrusion investigation.

Upon successfully completing the course, students will be able to:

  • Scan and exploit a remote target
  • Identify network traffic and log entries related to scanning and exploitation
  • Use automated tools to perform exploitation
  • Perform a Vulnerability Analysis
  • Analyze a Network Intrusion
  • Utilize hacker methodologies and anti-forensic techniques

Course Outline

  • Day 1 Windows network intrusions overview
    • Windows Networks
    • Overview of Windows networking
    • Variety of operating systems
    • Versions of Windows
    • Servers (Windows, Linux, email, web, file, print)
    • Security Architecture
    • SIEM
    • Mobile inclusion
    • Network devices and their logs
    • What devices are in the path from infection to Internet
    • So called witness devices
    • Syslog
    • What is syslog?
    • How can it be useful?
    • Scope of visibility
    • What can you see on your network?
    • Shadow IT?
    • Where are the holes in your visibility?
    • Security Posture
    • Current security posture of most organizations
    • OTS solutions
    • Security as a product
    • Security Personnel
    • OTS products vs services
    • SIEMs
    • Choices on the market
    • What they do
    • What they don’t do
    • IDS/IPS
    • Pros and Cons
    • Open source vs commercial
    • HIDS/SIDS
    • Pros and Cons
    • Open source vs commercial
    • Attackers, their objectives and their tools
    • Objectives of attackers
    • What are they after and why
    • Types of attackers
    • Methodologies
    • Profiling
    • Signature
    • Groups
    • Where to look for signatures
    • Tools
    • Metasploit
    • Backtrack
    • Custom tools
    • IT security staff
    • Training good and bad
    • Incident Response
    • What compromises an IR?
    • Trusted Tools
    • Tipping off the attackers
    • Communication channels (out of band)
    • Analysis
    • Tools
    • Methods
    • Frequent locations and data sets
  • Day 2 Attacker tools, methods and tactics
    • Types of attacks
    • Overview of malware
    • Frequency of malware with intrusions
    • Vectors of attack
    • Social media
    • Spear Phishing
    • Whale Phishing
    • Credential theft
    • Types of attackers
    • Hobbyists
    • Criminals
    • State Sponsored
    • Tools
    • Backtrack & Metasploit
    • Custom crafted
    • Unique malware
    • Exploitation
    • What do they look for and why?
    • Entrenchment techniques
    • How and why do they entrench
    • Labs
  • Day 3 Incident Response
    • Notification of an incident
    • How do incidents get reported?
    • Help Desk
    • SIEM
    • Educated users
    • Trend analysis
    • Baselining
    • Trusted Tool set
    • How to create one
    • What tools to include
    • OS types within your network
    • Live response capability
    • Volatile Data Collection
    • Order of volatility
    • RAM
    • Pagefile
    • Hiberfile
    • Non-Volatile data collection
    • What to collect
    • How to collect it
    • Why do you collect it
    • Virtualization concerns
    • Virtualized environments
    • Encryption
    • Bitlocker
    • Rights and permissions
    • What can the CIRT team do?
    • How to elevate permissions
    • Network traffic analysis
    • Using Wireshark
    • Using Network Miner
    • Labs
  • Day 4 Media Analysis (Forensics)
    • Windows Systems overview
    • File systems
    • Operating Systems
    • Logs
    • Forensic Framework
    • EnCase
    • FTK
    • SIFT
    • CERT
    • RAPTOR
    • Windows Registry Analysis
    • Reg Ripper
    • Mitec
    • AD Reg Viewer
    • Python/MRU
    • Event Logs
    • Event log parser
    • Unallocated Space/Data Carving
    • PhotoRec
    • Tracking User activity
    • Compromised account tracking
    • Labs
  • Day 5 Putting it all
    • Series of hands on exercises