Cyber Threats Detection & Mitigation (CTDM)

Course Overview

Cyber threats are increasing at an alarming rate every year, and defending quickly and effectively against full-scale, distributed attacks has become much more difficult for organizations. An Intrusion Detection System gives security administrators the ability to automate the process of identifying attacks amongst the thousands of TCP and UDP conversations on their network, provided the IDS’ signatures are well written.

Taught by leaders in network defense who work in the computer security industry, this course demonstrates how to defend large-scale network infrastructure by building and maintaining intrusion detection systems and mastering advanced signature writing techniques. With Intrusion Detection Systems (IDS) and trained network security auditors, organizations have a reliable means to prioritize and isolate the most critical threats in real time.

5 days
    • IDS Types and Features
    • Sensor Placement
    • Sensor Configuration
    • Signature Writing Basics
    • IDS Evasion Techniques
    • TCP and UDP Conversation
    • Reassembly
    • Signature Tuning
    • Sensor Tuning
    • Event Filtering and Post Detection Event Analysis
    • Attacks on IDS Sensors and Mitigation Techniques
    DAY 1:

    • Types and Methodology
    • Incident Response
      • DOS, DDOS, Malware, Unauthorized Access
    • Incident Response Team Exercise

    Common Threats

    • Cyber Crime
    • Social Engineering Malware Installation
    • Exploit Servers & Drive-by Downloads
    • Ransomware Types
    • DNS Hijacking
    • Data Exfiltration Walk-Through

    Intrusion Detection Systems

    • HIDS vs NIDS
    • True and False Positives
    • Active and Passive Response Types
    • Sensor Placement
    • Distributed IDS
    • Detection Types and Methodology
      • Rules/Signatures, Protocol Anomaly, Traffic Anomaly, Heuristics
    • Rule Writing Best Practices
    • IDS Shortcomings and Vulnerabilities

    Introduction to SNORT

    • Snort Components
      • Decoder, Pre-Processors,
      • Detection Engine, Alerting and Logging
    • Key Files and Paths
    • Protocol Support
    • Output Formats
    • Output Plugins

    DAY 2:

    SNORT Configuration and Variables

    • Rule Types
      • Pre-Processor, Rule Subscriptions, Local Rules, Shared Object (SO) Rules
    • Signature ID Allocation and Reservations
    • Rule Header Fields
      • Action, Protocol, Source, Destination, Direction Indicator
    • Rule Actions
      • Active, Passive and Post Detection
    • Defining and Using Variables
      • ipvar and portvar

    SNORT Output

    • Formats
      • Unified, Unified2, Packet Log, TCPDump, Fast and Full Alerts
    • Adding Output types

    Outputs Plugins

    • Barnyard and Barnyard2
    • Sguil
    • Snorby
    • Squert
    • MySQL

    Signature Writing

    • Basic Syntax and Guidelines

    SNORT Rule Options 

    • Msg
    • Reference and the reference.config File
    • Rev Usage and Change Control
    • Classtype and the classification.config File
    • Priority Usage and Incident Response
    • Content
      • ASCII vs Binary Content
    • Content Modifier: nocase

    DAY 3:

    The Detect Offset Pointer (DOE)

    • Payload Decoding and Processing
    • Start Position and Movement of the DOE

    DOE Content Modifiers

    • Depth
    • Offset
    • Distance
    • Within

    DOE Rule Options

    • byte_jump
    • isdataat
    • byte_test

    SNORT Packet Header Rule Options

    • IP Header Options
      • fragbits, fragoffset, ttl, tos, id, ipopts, ip_proto, sameip
    • TCP Header Options
      • ack, seq, window, flags
    • ICMP Header Options
      • itype, icode, icmp_id, icmp_seq
    • dsize

    • Snort Pre-Processors
      • Stream5, Flow, HTTP_Inspect (and others as time permits)
    • Stream5 Rule Options
      • flow, stream_size
    • HTTP_Inspect Rule Options
      • uricontent, http_header, http_method, http_stat_code, http_cookie, urilen

    DAY 4:

    Post Detection

    • Post Detection Rule Options
      • logto, session, resp, react, count, replace
    • Using Tag to follow a Malicious Actor
    • Using detection_filter and event_filter to tune signatures

    Effective Rule Writing

    • Content and Fast Pattern Matching
    • Vulnerability versus Exploitation Rules
    • Reversing Imported Rules

    Perl Compatible Regular Expressions (PCRE)

    • PCRE Metacharacters
    • Snort Specific PCRE
    • PCRE Rule Option Parameters and Usage

    Tracking State Across Sessions Using Flowbits

    • Flowbits Rule Option Parameters and Usage

    Group Exercise

    Using all tools and techniques learned in class, students will record and analyze an OS discovery scan. Using the captured packets, they will work in teams to write and tune signatures to detect the scanning tool. This exercise was designed to prepare students for the final practical on Friday.

    DAY 5:

    Student Practical Demonstration

    Students are given several packet captures containing a variety of scanning and exploitation techniques. They are tasked with identifying the significant elements of each attack and translating them into IDS signatures. Finally, they are tasked with tuning those signatures to reduce false positives and limit excessive events.

    This course is over 60% hands-on. Students will:

    • Set up and configure an IDS to match a network topology map
    • Define network variables
    • Configure output statements
    • Write over 30 signatures
    • Analyze and write signatures based on attack patterns
    • Tune signatures to reduce false positives and false negatives
    • Reverse engineer existing and downloaded rules

    Prerequisites

    • A firm understanding of TCP/IP
    • Network+ or equivalent knowledge or background
    • Both the Network Traffic Analysis and Malicious Network Traffic Analysis courses are recommended prior to attending

    Who Should Attend

    • Incident Responders who need to understand and react to IDS alerts
    • Network Defenders seeking to automate threat detection
    • Security Managers who desire to improve their defensive model
    • IDS Administrators who wish to improve their signature writing skills
    • Security Operations Center staff seeking to automate traffic analysis
    • Penetration Testers looking to reduce their network visibility