Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses
Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today’s threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries through a purple team strategy.
Course Key Learnings:
- Leveraging MITRE ATT&CK as a “common language” in the organization
- Building your own Cuckoo sandbox solution to analyze payloads
- Developing effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
- Highlighting key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
- Stopping 0-day exploits using ExploitGuard and application whitelisting
- Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
- Detecting and preventing malware persistence
- Leveraging the Elastic stack as a central log analysis solution
- Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
- Blocking and detecting command and control through network traffic analysis
- Leveraging threat intelligence to improve your security posture
Business Takeaways
- Understand how recent high-profile attacks were delivered and how they could have been stopped
- Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks
Course Content:
Module 1: Introduction and Reconnaissance
Overview
Our six-part journey starts with an analysis of recent attacks through in-depth case studies. We will explain what’s happening in real situations and introduce the Cyber Kill Chain and MITRE ATT&CK framework as a structured approach to describing adversary tactics and techniques. We will also explain what purple teaming is, typical tools associated with it, and how it can be best organized in your organization. In order to understand how attacks work, students will also compromise our virtual organization “SYNCTECHLABS” during section one exercises.
Exercises
- One click is all it takes…
- Hardening our domain using SCT and STIG
- Kibana, ATT&CK Navigator, and FlightSim
- Automated reconnaissance using SpiderFoot
Topics
- Course Outline and Lab Setup
- Course objectives and lab environment
- What’s happening out there?
- Introducing SYNCTECHLABS
- Exercise: One click is all it takes…
- Adversary Emulation and the Purple Team
- Introducing the extended Kill Chain
- What is the purple team?
- MITRE ATT&CK framework and “purple tools”
- Key controls for prevention and detection
- Exercise: Hardening our domain using SCT and STIG
- Building a detection stack
- Exercise: Kibana, ATT&CK Navigator, and FlightSim
- Reconnaissance
- Reconnaissance – Getting to know the target
- Exercise: Automated reconnaissance using SpiderFoot
Module 2: Payload Delivery and Execution
Overview
Section 2 will cover how the attacker attempts to deliver and execute payloads in the organization. We will first cover adversary techniques (e.g., creation of malicious executables and scripts), then focus on how both payload delivery (e.g., phishing mails) and execution (e.g., double-clicking of the attachment) can be hindered. We will also introduce YARA as a common payload description language and SIGMA as a vendor-agnostic use-case description language.
Exercises
- Stopping NTLMv2 sniffing and relay attacks in Windows
- Building a Sandbox using Cuckoo and YARA
- Configuring AppLocker
- Controlling script execution in the enterprise
- Detection with Script Block Logging, Sysmon, and SIGMA
- Preventing payload execution using ProcFilter
Topics
- Common Delivery Mechanisms
- Hindering Payload Delivery
- Removable media and network (NAC, MDM, etc.) controls
- Exercise: Stopping NTLMv2 sniffing and relay attacks in Windows
- Mail controls, web proxies, and malware sandboxing
- YARA – A common payload description language
- Exercise: Building a Sandbox using Cuckoo and YARA
- Preventing Payload Execution
- Initial execution – Application whitelisting
- Exercise: Configuring AppLocker
- Initial execution – Visual Basic, JS, HTA, and PowerShell
- Exercise: Controlling script execution in the enterprise
- Initial execution – How to detect?
- Exercise: Detection with Script Block Logging, Sysmon, and SIGMA
- Operationalizing YARA rules – Introducing ProcFilter
- Exercise: Preventing payload execution using ProcFilter
Module 3: Exploitation, Persistence, and Command and Control
Overview
Section 3 will first explain how exploitation can be prevented or detected. We will show how security should be an integral part of the software development lifecycle and how this can help prevent the creation of vulnerable software. We will also explain how patch management fits in the overall picture.
Next, we will zoom in on exploit mitigation techniques, both at compile-time (e.g., ControlFlowGuard) and at run-time (ExploitGuard). We will provide an in-depth explanation of what the different exploit mitigation techniques (attempt to) cover and how effective they are. We’ll then turn to a discussion of typical persistence strategies and how they can be detected using Autoruns and OSQuery. Finally, we will illustrate how command and control channels are being set up and what controls are available to the defender for detection and prevention.
Exercises
- Exploit mitigation using Compile-Time Controls
- Exploit mitigation using ExploitGuard
- Catching persistence using Autoruns and OSQuery
- Detecting command and control channels using Suricata, JA3 and RITA
Topics
- Protecting Applications from Exploitation
- Software development lifecycle (SDL) and threat modeling
- Patch management
- Exploit mitigation techniques
- Exercise: Exploit mitigation using Compile-Time Controls
- Exploit mitigation techniques – ExploitGuard, EMET, and others
- Exercise: Exploit mitigation using ExploitGuard
- Avoiding Installation
- Typical persistence strategies
- How do adversaries achieve persistence?
- Exercise: Catching persistence using Autoruns and OSQuery
- Foiling Command and Control
- Detecting command and control channels
Module 4: Lateral Movement
Overview
Section 4 will focus on how adversaries move laterally throughout an environment. A key focus will be on Active Directory (AD) structures and protocols (local credential stealing, NTLMv2, Kerberos, etc.). We will discuss common attack strategies, including Windows privilege escalation, UAC bypasses, (Over-) Pass-the-Hash, Kerberoasting, Silver Tickets, and others. We’ll also cover how BloodHound can be used to develop attack paths through the AD environment. Finally, we will discuss how lateral movement can be identified in the environment and how cyber deception can be used to catch intruders red-handed!
Exercises
- Implementing LAPS
- Local Windows privilege escalation techniques
- Hardening Windows against credential compromise
- Mapping attack paths using BloodHound
- Kerberos attack strategies
- Detecting lateral movement in AD
Topics
- Protecting Administrative Access
- Active Directory security concepts
- Principle of least privilege and UAC
- Exercise: Implementing LAPS
- Privilege escalation techniques in Windows
- Exercise: Local Windows privilege escalation techniques
- Key Attack Strategies against AD
- Abusing local admin privileges to steal more credentials
- Exercise: Hardening Windows against credential compromise
- Bloodhound – Mapping out AD attack paths
- Exercise: Mapping attack paths using BloodHound
- Kerberos attacks: Kerberoasting, Silver tickets, Over-PtH
- Exercise: Kerberos attack strategies
- How Can We Detect Lateral Movement?
- Key logs to detect lateral movement in AD
- Deception – Tricking the adversary
- Exercise: Detecting lateral movement in AD
Module 5: Action on Objectives, Threat Hunting, and Incident Response
Overview
Section five focuses on stopping the adversary during the final stages of the attack:
- How does the adversary obtain “domain dominance” status? This includes the use of Golden Tickets, Skeleton Keys, and directory replication attacks such as DCSync and DCShadow.
- How can data exfiltration be detected and stopped?
- How can threat intelligence aid defenders in the Cyber Kill Chain?
- How can defenders perform effective incident response?
As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.
Exercises
- Domain dominance
- Detecting data exfiltration
- Leveraging threat intelligence with MISP and Loki
- Hunting your environment using OSQuery
- Finding malware using Volatility and YarGen
Topics
- Domain Dominance
- Dominating the AD – Basic strategies
- Golden Ticket, Skeleton Key, DCSync, and DCShadow
- Detecting domain dominance
- Exercise: Domain dominance
- Data Exfiltration
- Common exfiltration strategies
- Exercise: Detecting data exfiltration
- Leveraging Threat Intelligence
- Defining threat intelligence
- Exercise: Leveraging threat intelligence with MISP and Loki
- Threat Hunting and Incident Response
- Proactive threat hunting strategies
- Exercise: Hunting your environment using OSQuery
- Incident response process
- Exercise: Finding malware using Volatility and YarGen
Module 6: APT Defender Capstone
Overview
The course culminates in a team-based Defend-the-Flag competition. Section six is a full chapter of hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls promoted all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.
Note that OnDemand students will complete this exercise on an individual basis. As always, SANS SMEs are available to support every OnDemand student’s experience.
Topics
- Applying Previously Covered Security Controls In-depth
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Action on Objectives
Prerequisites
- Experience with Linux and Windows from the command line (including PowerShell)
- Familiarity with Windows Active Directory concepts
- A baseline understanding of cyber security topics
- A solid understanding of TCP/IP and networking concepts
International Student Fee: 850 US$