About the course
SEC503: Intrusion Detection In-Depth
Mon, February 11 - Sat, February 16, 2019
Instructor: Nik Alleyne
Cost: 6,275 EUR
The concepts learned in 503 helped me bridge a gap in knowledge of what we need to better protect our organization.
Greg Thys, Mary Greeley Med Ctr
The materials were excellent! Well done, best materials I have used in years!
Joe Hernandez, Key Bank
Reports of prominent organizations being hacked and suffering irreparable reputational damage have become all too common. How can you prevent your company from becoming the next victim of a major cyber attack?
Preserving the security of your site in today's threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks with insight and awareness. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.
Mark Twain said, "It is easier to fool people than to convince them that they've been fooled." Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment of traffic and too many untrained analysts accept that feedback as the absolute truth. This course emphasizes the theory that a properly trained analyst uses an IDS alert as a starting point for examination of traffic, not as a final assessment. SEC503 imparts the philosophy that the analyst must have access and the ability to examine the alerts to give them meaning and context. You will learn to investigate and reconstruct activity to deem if it is noteworthy or a false indication.
SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.
A VM is provided with tools of the trade. It is supplemented with demonstration "pcaps," which are files that contain network traffic. This allows you to follow along on your laptop with the class material and demonstrations. The pcaps also provide a good library of network traffic to use when reviewing the material, especially for certification.
SEC503 is most appropriate for students who monitor and defend their network like security analysts, although others may benefit from the course as well. Students range from seasoned analysts to novices with some TCP/IP background. Please note that the VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a Linux environment that uses the command line for entry, along with learning some of the core UNIX commands, before coming to class.
Course Syllabus and Course Contents
Day 1/2: Fundamentals of Traffic Analysis
- Why should you capture and be able to analyze packets
- Understanding bits, bytes, binary, and hexadecimal
- TCP/IP concepts
- Using tcpdump and Wireshark and their filtering techniques
- Link layer, IPv4, IPv6, and fragmentation
- Transport layers TCP, UDP, and ICMP
Day 3: Application Protocols
- Microsoft protocols
- IDS evasions
Day 4: Network Monitoring: Snort and Bro
- Running, installing, configuring, and customizing Snort
- Writing Snort rules
- Running, installing, configuring, and customizing Bro
- Writing Bro scripts and signatures, and raising Bro notices
Day 5: Network Traffic Forensics
- Hands-on experience analyzing incident scenarios
- Using SiLK, an open source network flow record tool, to expose network behavior anomalies
- Understanding and detecting covert channels
- Analyzing large pcap files
Day 6: NetWars IDS Version
- Collaborate with fellow students to compete in a NetWars IDS-specific challenge
You Will Learn:
- How to analyze traffic traversing your site to avoid becoming another "Hacked!" headline
- How to place, customize, and tune your IDS/IPS for maximum detection
- Hands-on detection, analysis, and network forensic investigation with a variety of open source tools
- TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
- The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection
SEC503.1: Fundamentals of Traffic Analysis: Part I
SEC503.2: Fundamentals of Traffic Analysis: Part II
SEC503.3: Application Protocols and Traffic Analysis
SEC503.4: Network Monitoring: Snort and Bro
SEC503.5: Network Traffic Forensics
SEC503.6: NetWars: IDS Version
Who should attend:
- Intrusion detection (all levels), system, and security analysts
- Analysts will be introduced to or become more proficient in the use of traffic analysis tools for signs of intrusions.
- Network engineers/administrators
- Network engineers/administrators will understand the importance of optimal placement of IDS sensors and how the use of network forensics such as log data and network flow data can enhance the capability to identify intrusions.
- Hands-on security managers
- Hands-on security managers will understand the complexities of intrusion detection and assist analysts by providing them with the resources necessary for success.
Students must have at least a working knowledge of TCP/IP and hexadecimal, along with familiarity and comfort with Linux commands such as cd, sudo, pwd, ls, more, and less. To test your knowledge, see our TCP/IP and Hex Quizzes.
What you will receive
- Course book with each day's material
- Workbook with hands-on exercises and questions
- DVD with the Packetrix Linux VMware image
- TCP/IP pamphlet cheat sheet
- MP3 audio files of the complete course lecture
You will be able to:
- Configure and run open source Snort and write Snort signatures
- Configure and run open source Bro to provide a hybrid traffic analysis framework
- Understand TCP/IP component layers to identify normal and abnormal traffic
- Use open source traffic analysis tools to identify signs of an intrusion
- Comprehend the need to employ network forensics to investigate traffic to identify a possible intrusion
- Use Wireshark to carve out suspicious file attachments
- Write tcpdump filters to selectively examine a particular traffic trait
- Craft packets with Scapy
- Use the open source network flow tool SiLK to find network behavior anomalies
- Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire
Hands On Training
The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional "Extra Credit" question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:
Day 1: Hands-On: Introduction to Wireshark
Day 2: Hands-On: Writing tcpdump filters
Day 3: Hands-On: IDS/IPS evasion theory
Day 4: Hands-On: Snort rules
Day 5: Hands-On: Analysis of three separate incident scenarios
Day 6: Hands-On: The entire day is spent engaged in the NetWars: IDS Version challenge
Press and Reviews
"This course provides a good basis of knowledge and presents important tools which will be at the core of any intrusion analysis." - Thomas Kelly, DIA
"This course is valuable for anyone interested in IDS. The instructor's knowledge and willingness to help you understand the material is unlike any other training I have been to. Great course and instructor." - Dannie Arnold, U.S. Army
"Course was designed around real-world intrusions and is highly needed for network security administrators and/or analysts." - Hector Araiza, U.S. Air Force
What to take next
Courses that lead in to SEC503:
- SEC501: Advanced Security Essentials - Enterprise Defender
Courses that are prerequisites for SEC503:
- SEC401: Security Essentials (for a basic understanding of terms and theory)
Courses that are good follow-ups to SEC503:
- SEC511: Continuous Monitoring and Security Operations
- FOR572: Advanced Network Forensics and Analysis
- SEC546: IPv6 Essentials
When I was invited to be a member of a computer incident response team in the late 1990s (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in. With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced, always-interesting job of an intrusion detection analyst.
- Judy Novak
| Start date | Location / delivery |
|---|---|
| 23 Sep 2019 | London |