$106.59

CrikeyCon VI Training - Hunting for Evil using opensource!

Location

Telstra Building, L4, Room 4.22

275 George Street

Brisbane, QLD 4000

Australia

Refund Policy

No Refunds

Event description

CrikeyCon VI Training - Hunting for Evil using opensource! (1 Day)

Overview

This workshop explores Endpoint Detection and Response (EDR) tools to improve an organization's forensic readiness and detection capabilities. We use Velociraptor as an example of a free and open source EDR solution, but most features are also available in other commercial solutions, so the lessons learned from this workshop will be applicable to other platforms.

At a high level we cover:

  • EDR deployment at scale.
  • Collecting basic host information.
  • Interactively inspecting endpoints in response to specific investigations.
  • Hunting across the entire deployment for specific indicators.
  • Collecting telemetry data on a continuous basis for historical analysis.

This workshop goes through a typical deployment of the Velociraptor server and client. We will concentrate on Windows. After a tour of the GUI we will delve into Velociraptor Artifacts: simple YAML files encapsulating queries to run on the endpoint. The artifacts may be edited and refined within the GUI itself, and can be modified to detect or respond to new and emerging threats.

We will then examine how to hunt using those artifacts, working through a number of typical scenarios. Next we examine Velociraptor's continuous monitoring capabilities. We will develop and deploy a set of Artifacts to continuously collect important high-value events, such as event logs, DNS queries and process execution logs. We examine how these logs are maintained on the server and how they can be post-processed, e.g. to discover historical events which only become evident after new threat data emerges (for example, we learn to search historical DNS lookup logs for a known C&C URL).

We then examine how to set up automated alerting and escalation to respond in real time to endpoint events. For example, send an email escalation when any of the endpoints contacts the known C&C, immediately capturing a memory dump at the same time to preserve forensic evidence.
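The retrospective search and escalation described above, as an added example in Python (not material from the course and not Velociraptor's own code): it scans server-side DNS query records for a known C&C domain and returns the hosts that should be escalated. The record field names and the sample records are constructed assumptions, not Velociraptor's real output schema.

```python
import json

# Constructed sample: one JSON record per DNS query, as a continuous-monitoring
# artifact might store them on the server. Field names are an assumption.
SAMPLE_DNS_LOG = """\
{"ClientId":"C.1a2b","Hostname":"WS01","Time":"2019-02-20T03:12:44Z","Name":"update.microsoft.com"}
{"ClientId":"C.1a2b","Hostname":"WS01","Time":"2019-02-21T11:05:09Z","Name":"cdn.evil-c2-example.net"}
{"ClientId":"C.3c4d","Hostname":"WS02","Time":"2019-02-21T11:07:30Z","Name":"EVIL-C2-EXAMPLE.NET."}
{"ClientId":"C.5e6f","Hostname":"WS03","Time":"2019-02-22T08:00:00Z","Name":"notevil-c2-example.net"}
"""


def normalise(fqdn):
    """Lower-case and strip the trailing dot so 'Example.NET.' matches 'example.net'."""
    return fqdn.strip().lower().rstrip(".")


def matches_indicator(name, indicator):
    """True if name equals the indicator or is a subdomain of it.

    The leading dot in the suffix check keeps 'notevil.net' from matching 'evil.net'.
    """
    name, indicator = normalise(name), normalise(indicator)
    return name == indicator or name.endswith("." + indicator)


def search_dns_history(jsonl_text, indicators):
    """Return (hostname, time, queried name, indicator) for every historical hit."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for ioc in indicators:
            if matches_indicator(rec["Name"], ioc):
                hits.append((rec["Hostname"], rec["Time"], normalise(rec["Name"]), normalise(ioc)))
    return hits


def hosts_to_escalate(hits):
    """Map each distinct host to its first contact time: the set the alerting step acts on."""
    first_seen = {}
    for host, when, _, _ in sorted(hits, key=lambda h: h[1]):  # ISO-8601 Zulu sorts lexically
        first_seen.setdefault(host, when)
    return first_seen


if __name__ == "__main__":
    found = search_dns_history(SAMPLE_DNS_LOG, ["evil-c2-example.net"])
    for hit in found:
        print(hit)
    print(hosts_to_escalate(found))
```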

Since the workshop is hands on, we will emulate some of the common attack techniques as described by MITRE's ATT&CK framework, and develop Velociraptor artifacts specifically to detect these. Delegates gain first-hand experience of what current threats look like on the endpoint and how modern EDR technology can be used to detect such events.

Software Requirements

Windows in a VM or installed on the system.

Admin rights are a plus - some exercises don't work without them.

Hardware Requirements

Laptop or access to a cloud VM.

Trainer biography

Mike has over 18 years of experience in applying and developing novel incident response and digital forensics tools and techniques. Dr Cohen graduated from the University of Queensland with a Bachelor of Engineering in the field of Electrical and Electronic Engineering. In 2002, he was awarded a PhD in the field of Physical Sciences from the Australian National University. Dr Cohen has previously worked in the Australian Department of Defence as an information security specialist providing advice on policy compliance, code review and system hardening. He also worked in the field of digital forensics at the Australian Federal Police specialising in network and memory forensics.

In 2010 Dr Cohen joined Google, where he led the GRR development team to create a world class endpoint monitoring tool for incident response and remote forensic analysis. While at Google, he founded and spearheaded the Rekall project – an advanced memory forensic framework. More recently, Dr Cohen has worked in Google’s Cloud Platform division specializing in cloud Identity and Access Management (IAM).

In 2018 Dr Cohen founded Velocidex Innovations. Velocidex Innovations specializes in helping organisations develop, deploy and manage open source security and incident response tools.

Wanna play, can't pay?

Through the generosity of our trainers, CrikeyCon offers free places on all training courses delivered as part of the conference.

Please email info@crikeycon.com if you have a compelling case for being considered for a free or subsidised spot on CrikeyCon Training.
