Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses

Instructor: Erik Van Buggenhout
Price: 6,275 EUR (6,025 EUR if paid by Jun 26)

GDAT Certification
36 CPEs
Laptop Required

You just got hired to help our virtual organization "SyncTechLabs" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service...We're not even sure where to start!"

Cyber threats are on the rise: ransomware is affecting small, medium and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will provide an in-depth understanding of how current adversaries operate and arm you with the knowledge and expertise you need to detect and respond to today's threats.

SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.

Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have gained a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked "But how do I prevent this type of attack?" With more than 20 labs plus a full-day "Defend-The-Flag" exercise, during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real-world examples of how to prevent attacks.

Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" in our Day 1 exercises.

Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:

How red and blue teams can improve collaboration, forming a true purple team;
How current advanced adversaries are breaching our defenses;
Security controls structured around the Kill Chain, including:
Setting up a fundamental detection capability using ELK, OSQuery, and Suricata
Building your own mail sandbox solution to stop spear phishing using Suricata and Cuckoo
Leveraging YARA rules to detect malicious payloads on disk and in memory
Developing effective group policies to stop malicious code execution and implement script control (AppLocker, Software Restriction Policies, Script hardening, etc.)
Stopping 0-day exploits using exploit mitigation techniques (leveraging EMET and Windows Defender Exploit Guard)
Preventing malware persistence using least-privilege (UAC, Just-Enough-Admin, privileged account management, etc.)
Detecting malware persistence using OSQuery
Preventing lateral movement by hardening Windows Active Directory environments (e.g. Credential Guard, Privileged Access Workstations, Protected Processes, etc.)
Detecting lateral movement through Sysmon and Windows event monitoring
Blocking and detecting command and control through network traffic analysis
Managing, sharing and operationalizing threat intelligence using MISP
Hunting for compromise in the network by leveraging Loki
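The lateral-movement item above (detection through Sysmon and Windows event monitoring) is the kind of control that lends itself to a concrete check. The script below is an added example for this page, not SEC599 course material or SANS/GIAC code: it runs three detections over constructed Security, System and Sysmon events (a workstation-to-workstation network-logon fan-out, a PsExec-style service installation, and services.exe or WmiPrvSE.exe spawning a shell) and then correlates the hits per host. The event field names, the workstation subnet and the fan-out threshold are assumptions, not values taken from the course.

```python
"""Minimal lateral-movement detector over Windows Security, System and Sysmon events.

Added example for this page; not SEC599 course material or SANS/GIAC code.
All events below are constructed, and the field names, subnet and threshold are
assumptions modelled on what a typical winlogbeat/Sysmon pipeline exposes.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WORKSTATION_NET = ip_network("10.10.0.0/16")           # assumption: workstation VLAN
FANOUT_THRESHOLD = 3                                   # distinct targets per (user, src_ip) before alerting
SUSPICIOUS_PARENTS = {"services.exe", "wmiprvse.exe"}  # remote service / WMI execution parents
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry).
EVENTS = [
    # Expected: a user's network logon to a file server from a workstation.
    {"channel": "Security", "event_id": 4624, "host": "FS01", "logon_type": 3,
     "user": "alice", "src_ip": "10.10.1.20"},
    # Fan-out: one account, type-3 logons to four workstations from one workstation.
    {"channel": "Security", "event_id": 4624, "host": "WS-0101", "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.10.1.77"},
    {"channel": "Security", "event_id": 4624, "host": "WS-0102", "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.10.1.77"},
    {"channel": "Security", "event_id": 4624, "host": "WS-0103", "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.10.1.77"},
    {"channel": "Security", "event_id": 4624, "host": "WS-0104", "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.10.1.77"},
    # PsExec-style service install (System 7045) on one of the targets.
    {"channel": "System", "event_id": 7045, "host": "WS-0103",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Sysmon EID 1: services.exe spawning a shell (remote service execution).
    {"channel": "Sysmon", "event_id": 1, "host": "WS-0103",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    # Sysmon EID 1: WMI provider host spawning PowerShell (WMI lateral movement).
    {"channel": "Sysmon", "event_id": 1, "host": "WS-0102",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -enc SQBFAFgA"},
    # Benign Sysmon EID 1: explorer launching notepad.
    {"channel": "Sysmon", "event_id": 1, "host": "WS-0101",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]


def is_workstation(host=None, ip=None):
    """Heuristic: WS- hostname prefix or a source IP inside the workstation VLAN."""
    if host and host.upper().startswith("WS-"):
        return True
    return ip is not None and ip_address(ip) in WORKSTATION_NET


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_logon_fanout(events):
    """Workstation-to-workstation network logons: distinct targets per (user, src_ip)."""
    targets = defaultdict(set)
    for e in events:
        if (e["channel"] == "Security" and e["event_id"] == 4624 and e["logon_type"] == 3
                and is_workstation(host=e["host"]) and is_workstation(ip=e["src_ip"])):
            targets[(e["user"], e["src_ip"])].add(e["host"])
    return [{"rule": "ws_to_ws_logon_fanout", "user": u, "src_ip": ip, "hosts": sorted(t)}
            for (u, ip), t in targets.items() if len(t) >= FANOUT_THRESHOLD]


def rule_remote_service_install(events):
    """System 7045: PsExec's service name/path, or a service binary loaded from a UNC path."""
    return [{"rule": "remote_service_install", "hosts": [e["host"]],
             "service": e["service_name"], "image_path": e["image_path"]}
            for e in events if e["channel"] == "System" and e["event_id"] == 7045
            and ("PSEXESVC" in (e["service_name"] + e["image_path"]).upper()
                 or e["image_path"].startswith("\\\\"))]


def rule_remote_exec_shell(events):
    """Sysmon EID 1: services.exe or WmiPrvSE.exe as the parent of a shell."""
    return [{"rule": "remote_exec_shell_spawn", "hosts": [e["host"]],
             "parent": basename(e["parent_image"]), "command_line": e["command_line"]}
            for e in events if e["channel"] == "Sysmon" and e["event_id"] == 1
            and basename(e["parent_image"]) in SUSPICIOUS_PARENTS
            and basename(e["image"]) in SHELLS]


def detect(events):
    return rule_logon_fanout(events) + rule_remote_service_install(events) + rule_remote_exec_shell(events)


def correlate(alerts):
    """Map each host to the set of rules that fired on it; hosts hit by several rules rank first."""
    by_host = defaultdict(set)
    for a in alerts:
        for h in a["hosts"]:
            by_host[h].add(a["rule"])
    return dict(by_host)


if __name__ == "__main__":
    alerts = detect(EVENTS)
    for a in alerts:
        print(a)
    for host, rules in sorted(correlate(alerts).items(), key=lambda kv: -len(kv[1])):
        print(host, sorted(rules))
```

Run it with `python detect_lateral.py`: WS-0103 surfaces with all three rules, which is the signal an analyst should chase first. In a real deployment the event list would come from an ELK query rather than an inline constant, and the fan-out threshold has to be tuned per environment (backup and vulnerability-scanning accounts legitimately log on to many hosts), which is exactly the kind of false-positive tuning a purple-team exercise is meant to surface.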

In designing the course and its exercises, the authors went the extra mile to ensure that attendees "build" something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.

SEC599 will finish with a bang. During the "Defend-the-Flag" challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?

Course Syllabus

SEC599.1: Knowing the Adversary, Knowing Yourself
SEC599.2: Averting Payload Delivery
SEC599.3: Preventing Exploitation
SEC599.4: Avoiding Installation, Foiling Command and Control, and Thwarting Lateral Movement
SEC599.5: Thwarting Exfiltration, Cyber Deception, and Incident Response
SEC599.6: Advanced Persistent Threat Defender Capstone
