Catch me if you can – Seeing the Red through the Blue Workshop

Instructors: Will Hunt and Owen Shearing

Workshop Duration: 120 minutes

Overview:
This workshop will help improve both red and blue team skillsets through a series of hacks, in which
you, as an attendee, will have to identify malicious activity on a series of targets.

The trainer (Red Team) will perform a series of attacks on the hosts within the in.security LAB, running
commands and tools and utilising techniques used in the field. You (the Blue Team) will then need to use
the in-LAB ELK stack to identify the malicious activity and raise the alarm! This will upskill both
attackers, in understanding the various attack flows that could compromise their cover, and defenders,
in understanding how to detect them.

“The best defence is a good offence” applies as much in cyber as it does in sport. Understanding the
attack flow is important in consolidating knowledge, so you’ll get to see every attack the trainer
carries out before you’re set off to hunt down the evidence. This heightened mindset will then up
your game in the field to better detect the traces, logs and data that can give an attacker away.

This is what you can expect in the intensive 120-minute workshop:

Lab and Scenario Intro

• Connectivity and network overview
• Auditing Windows, Linux and network devices
• Intro to the ELK stack, Sysmon, logging, alerting and monitoring

PHASE #1
RED:
• Port/vulnerability scans
• Brute-force attacks

BLUE:
• Identify targeted and compromised user accounts

PHASE #2
RED:
• Sending emails with malicious content
• Landing a shell!

BLUE:
• Catching a Phish!

PHASE #3
RED:
• Credential theft
• Lateral movement and pivoting within the enterprise

BLUE:
• Identifying credential-based attacks
• Identifying compromised hosts

PHASE #4
RED:
• Using Out-of-Band (OOB) channels
• Data exfiltration

BLUE:
• Identifying suspicious connections

Who Should Attend:
This workshop is suited to a variety of students, including:

• Blue/Red team members
• SOC analysts
• Penetration testers
• Security professionals
• IT Support, administrative and network personnel

Technical / Hardware / Software Requirements:

• Students will need a laptop with a web browser installed

Twitter:
@insecurity_ltd

Bios:
Will Hunt
Will (@Stealthsploit) is a cyber security consultant who has worked in IT security for over 10 years. He co-founded In.security Limited, a specialist cyber security company delivering high-end consultancy and training services. He’s delivered hacking courses at Black Hat USA/EU, Wild West Hackin’ Fest, NolaCon, 44CON and others, and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen Shearing
Owen (@rebootuser) is a co-founder of In.security Limited, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure and has over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events and various conferences. He keeps projects at https://github.com/rebootuser.