This course will take place both In Person in Brussels and Live Online (using virtual software to stream live instructors). Course scheduled delivery hours will be 9:00AM to 5:00PM CET.
Limited In Person seating is available on a first-come, first-served basis. If you would like to attend In Person, select the "In Person ticket type" during registration.
Confirmed attendees will receive logistics information one week prior to the event.
You bought all the latest detection tools, but somehow still can't seem to detect mimikatz. IT is screaming about the resource consumption from the multitude of security tools on the endpoints, analysts are barely staying afloat in the oceans of data your toolsets have created, and the latest red team report detailed how response actions were ineffective again. If this sounds familiar for your organization, this is the course for you. We'll walk you through starting with a detection engineering strategy and then focusing on methodologies to build robust alerting, with the end result of improving detection and response capabilities throughout security operations. This course will provide you with the understanding and ability to build robust detections, starting with the why and going all the way to the technical implementation of detecting threat actor activity. You will learn how to apply the methodologies and technical approaches practiced, regardless of the security toolsets deployed in your organization.
In this course, you will:
Enterprise networks are under constant attack from adversaries of all skill levels and intentions. For many it feels that blue teamers are only facing a losing battle. The attacker "only needs to be successful once" to cause havoc; the blue team must prevent them every time, under every condition, at every step of the way. The goal of this course is to turn that statement on its head and provide you confidence through a new defensive mindset. Preventative solutions are designed to stop attacks before they start, but against an adversary with enough time and resources, all eventually will fail. Rather than making the primary effort of security operations attempting to prevent any attack from being successful, assume breaches could (and likely would) occur and focus on developing robust detections around activity in all stages of the attack cycle. A strategy that focuses on deep understanding of post-exploitation activity (privilege escalation, lateral spread, pivot, persistence) produces high-quality alerts, creating a minefield where the attacker "only needs to be detected once" for blue teamers to respond.
This course builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will learn how to utilize free and/or open source data collection and analysis tools (such as Sysmon, Windows Event Logs, and ELK) to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you learn to create threat hunting hypotheses and build robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.
This class is intended for defenders wanting to learn how to effectively hunt in enterprise networks. Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.
Training will be taking place at the Hilton Brussels Grand Place in Brussels, Belgium.
How can I contact the organizer with any questions?
Please email firstname.lastname@example.org with any questions.
What's the refund policy?
Full refunds will be provided up to 7 days before the course start date.