September Chapter Meeting - Applied Purple Teaming (APT) Infrastructure, Threat Optics, and Continuous Improvement

When:  Sep 17, 2020 from 11:00 AM to 5:00 PM (MT)

Applied Purple Teaming (APT) Infrastructure, Threat Optics, and Continuous Improvement

11:00 AM - 12:00 PM - Lab setup and configuration.

12:00 PM - 5:00 PM - Hands-on or follow-along training. (Note: there will be breaks within this time, hence the longer timeframe.) Four CPE hours will be available.

You’ve heard this story before. Bad actor walks into a network and pillages the place in swift action. CIO asks: “Where did we go wrong?” SysAdmin replies “our password, remote access, workstation restriction, and lack of application whitelisting policies. Oh, and our SIEM didn’t notify us. We just weren’t ready for that attack.”

The 4-hour class will include fast-paced instruction on Windows auditing, logging, monitoring, and Sysmon. The student will be provided (upon request in registration) an individual lab environment on Azure deployed via Terraform. The student will build their own Purple Team lab in 4 hours (or less!).

Alternatively:
  • A more experienced student can build this on their own computer instead of using the Azure setup
  • Not feeling up to the hands-on challenge? You can still attend and follow along for the CPE

Students will learn how to:
  • Implement Sysmon with a modular configuration
  • Configure and launch meaningful audit policies
  • Deploy the WEF / WEC model of event collection
  • Install and configure WinLogBeat
  • Review an installation of the Hunting ELK (HELK) Docker-based Elastic server
  • Catch some basic command line execution
  • Bonus: Build a Continuous Improvement Purple Team Environment
  • Bonus: Run an entire APT Lifecycle

Students will have an opportunity to attack their own in-class Active Directory environment with Red Team tactics, implement Blue Team “defensery”, and manage an environment designed to prevent, slow, identify and highlight attacks. Additionally, the course will guide students through configuring no-nonsense attack identification and alerting that is essential to an effective SOC operation. In a live environment, students will have the opportunity to demonstrate a secured enterprise by utilizing the MITRE ATT&CK Framework, Red Team tactics and Blue Team defenses to identify, slow, and stop attacks. Learn better Windows logging and endpoint optics in this short training and live-fire test range with two seasoned instructors!

There are four registration options:

  1. Member will build own lab on their own equipment, or is not doing hands-on (*no cost*)
  2. Member desires to use a pre-built virtual lab in Azure ($20 cost)
  3. Non-Member will build own lab on their own equipment, or is not doing hands-on ($35 cost)
  4. Non-Member desires to use a pre-built virtual lab in Azure ($55 cost)

Defensive Origins LLC

Professional Training Services https://defensiveorigins.com

Jordan Drysdale - Jordan@defensiveorigins.com

Jordan was around for the inception of Napster and the explosion of P2P networks. This drove his fascination with network systems and led him toward a career in IT. Jordan’s first gig in the industry included supporting Latin American networking customers for Hewlett Packard’s network support division. After five years of support, engineering, training, and stress, Jordan became a wireless escalations team lead and multi-vendor certified problem solver. With kids in tow, Jordan headed back toward the Dakotas to be nearer extended family and friends, where he learned Citrix, VMware, and VDI, supported Cisco gear, implemented profile management solutions, deployed remote networks at scale, and ensured performance across infrastructure. Before becoming a penetration tester, Jordan supported multiple (50+) domains as part of an MSSP’s rock star team. Solutions included HP Networking, FortiGate/FortiManager/FortiWeb/FortiAnalyzer et al., Cisco ASA, HP DL/GL/ML, Dell, VMware, NetApp, and the list goes on. Since 2015, Jordan has been a penetration tester with the Black Hills InfoSec team.

Kent Ickler - Kent@defensiveorigins.com

Kent Ickler started his Information Technology career working for an Internet Service Provider supporting the Midwest’s broadband initiatives of the early 2000s. His interest in technology and business operations drove his career to working for multiple Fortune 500 companies and equipping their organizational leadership with business analytical data that would support their technology initiatives. With his continued interest in Business Operations, Kent completed his postgraduate education in Business Management. With an understanding of Information Technology, System Administration, Accounting, and Business Law, Kent has helped businesses leverage technology for competitive advantage while balancing the risks associated with today’s dynamic network environments. Kent has been with Black Hills Information Security for three years in security and administration roles.

Location

Online Instructions:
Url: http://cvent.me/XkMP0z
Login: Provided upon completed registration day of event to the e-mail you provide in registering.

Contact

Donald Mapes
303 819 4393
don.mapes@rubinbrown.com