
Course description: Attack Analysis with SIEM
In this course, participants learn the structure and architecture of a SIEM, analyze the data that is sent to a SIEM as input, and examine various SIEM platforms such as Splunk, ELK and Tripwire.
For more information about running the SEC555 course, contact the experts at Nurant (نورانت).
Course prerequisites
- Certified Ethical Hacker
- Computer Crime Forensic Investigator
- Network Traffic Monitoring and Filtering
Target audience
- Log analysts
- SOC specialists
Course outline
Section 1: SIEM Architecture
- State of the SOC/SIEM
- Industry statistics
- Industry problems
- Log Monitoring
- Assets
- Windows/Linux
- Network devices
- Security devices
- Data gathering strategies
- Pre-planning
- Logging architecture
- Log inconsistencies
- Log collection and normalization
- Log retention strategies
- Correlation and gaining context
- Reporting and analytics
- Alerting
- SIEM platforms
- Commercial solutions
- Home-grown solutions
- Planning a SIEM
- Ingestion control
- What to collect
- Mission
- SIEM Architecture
- Ingestion techniques and nodes
- Acceptance and manipulation for value
- Augmentation of logs for detection
- Data queuing and resiliency
- Storage and speed
- Analytical reporting
- Visualizations
- Detection Dashboards
Section 2: Service Profiling with SIEM
- Detection methods and relevance to log analysis
- Attacker patterns
- Attacker behaviors
- Abnormalities
- Analyzing common application logs that generate tremendous amounts of data
- DNS
- Finding new domains being accessed
- Pulling in additional information such as domain age
- Finding randomly named domains
- Discover domain shadowing techniques
- Identifying recon
- Find DNS C2 channels
- HTTP
- Use large datasets to find attacks
- Identify bot traffic hiding in the clear
- Discover requests that users do not make
- Find ways to filter out legitimate noise
- Use attacker randomness against them
- Identify automated activity vs user activity
- Filter approved web clients vs unauthorized
- Find HTTP C2 channels
- HTTPS
- Alter information for large scale analysis
- Analyze certificate fields to identify attack vectors
- Track certificate validity
- Apply techniques that overlap with standard HTTP
- Find HTTPS C2 channels
- SMTP
- Identify where unauthorized email is coming from
- Find compromised mail services
- Fuzzy matching likely phishing domains
- Data exfiltration detection
- Apply threat intelligence to generic network logs
- Active Dashboards and Visualizations
- Correlate network datasets
- Build frequency analysis tables
- Establish network baseline activity
Section 3: Advanced Endpoint Analytics
- Endpoint logs
- Understanding value
- Methods of collection
- Agents
- Agentless
- Scripting
- Adding additional logging
- EMET
- Sysmon
- Group Policy
- Windows filtering and tuning
- Analyze critical events based on attacker patterns
- Finding signs of exploitation
- Find signs of internal reconnaissance
- Finding persistence
- Privilege escalation
- Establishing a foothold
- Cleaning up tracks
- Host-based firewall logs
- Discover internal pivoting
- Identify unauthorized listening executables
- See scan activity
- Credential theft and reuse
- Multiple failed logons
- Unauthorized account use
- Monitor PowerShell
- Configure PowerShell logging
- Identify obfuscation
- Identify modern attacks
Section 4: Baselining and User Behavior Monitoring
- Identify authorized and unauthorized assets
- Active asset discovery
- Scanners
- Network Access Control
- Passive asset discovery
- DHCP
- Network listeners such as p0f, bro, and prads
- NetFlow
- Switch CAM tables
- Combining asset inventory into a master list
- Adding contextual information
- Vulnerability data
- Authenticated device vs unauthenticated device
- Identify authorized and unauthorized software
- Source collection
- Asset inventory systems
- Patching management
- Whitelisting solutions
- Process monitoring
- Discovering unauthorized software
- Baseline data
- Network data (from NetFlow, firewalls, etc.)
- Use outbound flows to discover unauthorized use or assets
- Compare expected inbound/outbound protocol
- Find persistence and beaconing
- Utilize geolocation and reverse DNS lookups
- Establish device-to-device relationships
- Identify lateral movement
- Configure outbound communication thresholds
- Monitor logons based on patterns
- Time-based
- Concurrency of logons
- Number of logons by user
- Number of logons by source device
- Multiple geo locations
- Endpoint baseline monitoring
- Configure enterprise wide baseline collection
- Large scale persistence monitoring
- Finding abnormal local user accounts
- Discover dual-homed devices
Section 5: Tactical SIEM Detection and Post-Mortem Analysis
- Centralize NIDS and HIDS alerts
- Analyze endpoint security logs
- Provide alternative analysis methods
- Configure tagging to facilitate better reporting
- Augment intrusion detection alerts
- Extract CVE, OSVDB, etc. for further context
- Pull in rule info and other info such as geo
- Analyze vulnerability information
- Set up vulnerability reports
- Correlate CVE, OSVDB, and other unique IDs with IDS alerts
- Prioritize IDS alerts based on vulnerability context
- Correlate malware sandbox logs with other systems to identify victims across enterprise
- Monitor Firewall Activity
- Identify scanning activity on inbound denies
- Apply auto response based on alerts
- Find unexpected outbound traffic
- Baseline allow/denies to identify unexpected changes
- Apply techniques to filter out noise in denied traffic
- SIEM tripwires
- Configure systems to generate early log alerts after compromise
- Identify file and folder scan activity
- Identify user token stealing
- Operationalize virtual honeypots with central logging
- Allow phone home tracking
- Post-mortem analysis
- Re-analyze network traffic
- Identify malicious domains and IPs
- Look for beaconing activity
- Identify unusual time-based activity
- Use threat intel to reassess previous data fields such as user-agents
- Utilize hashes in log to constantly re-evaluate for known bad files
Request a consultation
To learn more about this course, send us your consultation request or get in touch with us.
1,800,000 toman
