Active Defense and Cyber Deception

Instructor: John Strand

Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

Advanced Network Threat Hunting

Instructor: Chris Brenton

We will spend most of this class analyzing pcap files for command and control (C2) communications in order to identify malware back channels. It is assumed that the student will already understand the basics of network threat hunting, so we can immediately jump into applying that knowledge. The goal will be to create a threat hunting runbook that you can use within your own organization in order to identify systems that have been compromised.

Applied Purple Teaming

Instructors: Kent Ickler and Jordan Drysdale

Applied Purple Teaming (APT) will guide students through attack and defense methodology using the MITRE ATT&CK Framework and the Atomic Red Team tactics to produce a secure enterprise environment. The course covers secure network designs, OSINT-based reconnaissance, basic command and control (C2) operations, and modern defenses that stop or slow down current adversarial techniques. Network and Active Directory Best Practices will be leveraged as a framework for implementing network and domain protections to harden networks.

Modern WebApp PenTesting

Instructor: Brian King

Modern WebApp Pentesting is unique in its approach to testing webapps. Too many courses are built around the assumption that a webapp pentester’s skills should grow along a straight line, starting with something like the OWASP Top Ten and culminating in something like Attacking Web Cryptography. Real webapps don’t follow that same path, and neither should real webapp pentesters. Attacking Web Sockets is not more difficult than attacking HTTP traffic, it’s just different. Web APIs are not something you’re qualified to test only after you’ve put your time in on traditional webapps … they’re just different.

SOC-Class: Build and Operate Security Operation Centers

Instructor: Chris Crowley

This course provides a comprehensive picture of a Cyber Security Operations Center (CSOC or SOC). Discussion of the technology needed to run a SOC is handled in a vendor-agnostic way. In addition, technology is addressed in a way that attempts to cover both minimal budgets and budgets with global scope. The staff roles needed are enumerated. Informing and training staff through internal training and information sharing is addressed. The interaction between functional areas and the data exchanged is detailed. Processes to coordinate the technology, the SOC staff, and the business are enumerated.

Security Defense and Detection TTX

Instructors: Amanda Berlin and Jeremy Mio

Security Defense and Detection TTX is a comprehensive 2-day tabletop exercise that involves the introduction to completion of security TTXs (tabletop exercises), IR playbooks, and after-action reports. The exercises are paired with hands-on attacks and labs that reinforce their purpose. The training as a whole is compatible with the world’s most popular RPG rules.

Security DDTTX is separated into two distinct days, with the first day covering general TTX practice and preparation for the full-day TTX on day 2. The preparation phase will walk students through the creation of specific IR playbooks, with hands-on labs used to enhance the contents.

Intermediate Software Defined Radio – Digital Communications

Instructor: Paul Clark

Learn to build digital radios with SDR and GNU Radio! A solid understanding of this material better enables InfoSec professionals to put SDRs to work detecting, intercepting, and analyzing wireless vulnerabilities. This foundation is also useful for building digital transmitters to exploit RF vulnerabilities or to exfiltrate data.

Hacking Enterprises

Instructors: Will Hunt and Owen Shearing

This is an immersive hands-on course simulating a full-scale, multi-faceted penetration test. Over the two days, we will fully compromise a simulated enterprise covering a multitude of TTPs. The training uses modern operating systems and techniques, emphasizing the exploitation of configuration weaknesses rather than throwing traditional exploits. This means logical thinking and creativity will definitely be put to the test.

Students will access a cloud-based LAB configured with multiple networks, some easily accessible, others not so. Course material and exercise content have been designed to reflect real-world challenges. Students will perform numerous hands-on exercises, including using OSINT skills to retrieve useful data, performing host/service enumeration and exploitation, and performing phishing attacks against our live in-LAB users to gain access to new networks. Each new network brings new challenges and, in the process, teaches new sets of skills in post-exploitation, network reconnaissance, lateral movement, and data exfiltration.

Initial Access Operations

Instructor: Chris Truncer

Most red team classes cover a wide range of topics such as reconnaissance, initial access, post-exploitation, and more. The volume of material covered limits the students’ ability to perform a deep dive on any one individual topic. We’re changing that narrative with a course fully dedicated to “Initial Access Operations”. This class is designed to immerse you in a multitude of techniques that attackers (and red teams) use to gain initial access into the environment they are targeting.

Adversarial Attacks & Detection: Improving your Security Posture with Purple Teams

Instructors: Larry Spohn and Ben Ten

This course will focus on attacks used in the wild and how to create specific detections to identify early Indicators of Compromise (IoCs). The students will set up an ELK (Elasticsearch, Logstash, Kibana) instance and then run attacks on a lab system. The students will then create rules to detect the attack in ELK. The students will set up their ELK system for a final lab where a simulated attack will occur on their systems, and they will have to detect and defend against the attacks. This course will focus on the MITRE ATT&CK framework as well as several attacks that do not leverage a vulnerability. These attacks include weak credential harvesting, lateral credential spraying, SPN queries, and more. The students will have a better understanding of early IoCs and how to identify these threats within their environment, regardless of the initial attack vector.

Linux Forensics

Instructor: Hal Pomeranz

This two-day course is a quick start into the world of Linux forensics. Learn how to use memory forensics to rapidly triage systems and spot attacker malware and rootkits. Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system.