Incident Response Package
Incident Response Package You’ve been hacked, or even only suspect you’ve been hacked. Now what? Labs in this category guide you through approaches to addressing and managing the aftermath of an attack or security breach. You’ll get to experience actual …
Incident Response Package
You’ve been hacked, or even only suspect you’ve been hacked. Now what?
Labs in this category guide you through approaches to addressing and managing the aftermath of an attack or security breach. You’ll get to experience actual attacks, within a controlled environment, so that the first time you see ransomware isn’t on your critical systems.
The labs in this category focus on the technical aspects of incident response, mitigation, and recovery, versus site-specific organizational policies or procedures.
Specific prerequisites vary by lab, but generally include basic knowledge of TCP/IP networking and network setup principles, and familiarity with the Unix/Linux command line.
17 hours, self-paced. Pause and continue at any time.
17 CPEs awarded on successful completion.
DoS Attacks and Defenses
This lab teaches three different Denial of Service (DoS) attacks and techniques to mitigate them:
- A TCP SYN Flood attack that exploits a weakness in the design of the TCP transport protocol,
- A slow HTTP attack called Slowloris that takes advantage of how HTTP servers work, and
- A DNS amplification attack that exploits misconfigured DNS servers, of which there are plenty on the Internet.
Protocol Analysis I: Wireshark Basics
Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you’re seeing is “normal” or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.
Protocol Analysis II: Extracting Data from Network Traffic
Build on what you learned in Protocol Analysis I, this time using command line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you’re interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data from server systems, then later process it on graphical security operations workstations.
Analyzing Potential Malware
Students will learn to use the Cuckoo sandbox to determine if an executable or document is potential malware. If the executable is packed (compressed), they will learn to use a debugger to unpack it.
Packet Capture Analysis and Manipulation
Get valuable experience extracting data from network packet captures! Students will use Wireshark® to analyze network packet traces containing normal network traffic and active attacks. Detailed information will be extracted from the traces by examining packets and by using Wireshark’s built-in analysis and PCAP-manipulation tools.
Intrusion Analysis using Network Traffic
Examine packet captures from actual intrusions and dive deeper into how attackers operate! Students will learn the details of protocols such as SMB and SSH by examining network traffic captures in Wireshark®, then will proceed to build network packets “by hand” in order to tunnel secret data in normal-looking traffic. Finally, students will learn the details of “web shell” payloads commonly used by attackers.
Advanced Analysis of Malicious Network Traffic
Continue your exploration into malware’s behavior on the network! Students will analyze network captures containing real, malicious network traffic, both by hand and using tools such as Security Onion and Sguil. Both malware spreading methods and command and control operations will be explored. In addition, students will create web shell payloads of their own to see how they operate from the inside.