SANS SEC699: Advanced Purple Teaming – Adversary Emulation & Detection Engineering

این آموزش پیشرفته تیم بنفش، شرکت کنندگان را در دنیای شبیه سازی دشمن غوطه ور می کند تا دفاع در برابر نقض داده ها را تقویت کند. دانش‌آموزان با کاوش در قلمرو بازیگران تهدید زندگی واقعی، تجربیات عملی را در یک محیط سازمانی پویا تجربه می‌کنند، بر هنر تشخیص و تقلید از تکنیک‌های متخاصم تسلط پیدا می‌کنند. شصت درصد از زمان کلاس در آزمایشگاه‌ها صرف می‌شود و فعالیت‌های کلاس عبارتند از:

• بخش دوره ای در مورد استراتژی های اتوماسیون معمولی مانند Ansible، Docker و Terraform، که می تواند برای استقرار یک محیط سازمانی چند دامنه ای برای شبیه سازی دشمن با فشار دادن یک دکمه استفاده شود.
• ایجاد یک فرآیند مناسب و همچنین ابزار و برنامه ریزی برای تیم سازی بنفش.
• ساختن طرح های شبیه سازی دشمن که از عوامل تهدید کننده زندگی واقعی مانند APT-28، APT-34 و Turla تقلید می کند و از ابزارهایی مانند Covenant و Caldera برای اجرای برنامه ها استفاده می کند.
• تکنیک های عمیق مانند حملات Kerberos Delegation، Attack Surface Reduction/Applocker bypass، EDR bypass، AMSI، process injection و COM Object Hi-jacking.
• بررسی مهندسی تشخیص و حذف سنجی برای شناسایی تکنیک های فوق.

 نویسندگان دوره Erik Van Buggenhout (نویسنده اصلی SEC599) و Jean-Francois Maes (نویسنده اصلی SEC565) هر دو کارشناسان امنیتی GIAC دارای گواهینامه و همچنین  متخصصین با تجربه هستند که درک عمیقی از نحوه عملکرد حملات سایبری از طریق فعالیت های تیم قرمز و آبی دارند. در SANS SEC699، آن‌ها این مجموعه مهارت‌ها را ترکیب می‌کنند تا روش‌های تقلید دشمن برای پیشگیری و تشخیص نقض داده‌ها را به دانش‌آموزان آموزش دهند.

Date: 2021
Price: $8,525 USD
Publisher: SANS
By: James Shewmaker, Erik Van Buggenhout, Jean-François Maes Jean-François Maes
Format: eBook PDF + Videos
Website: Link

What You Will Learn

This cutting-edge purple team training immerses participants in the world of adversary emulation to fortify defenses against data breaches. Delving into the realm of real-life threat actors, students undergo hands-on experiences within a dynamic enterprise setting, mastering the art of detection and emulation of adversarial techniques.Sixty percent of class time is spent on labs, and class activities include:

• A course section on typical automation strategies such as Ansible, Docker, and Terraform, which can be used to deploy a multi-domain enterprise environment for adversary emulation at the press of a button.
• Building a proper process as well as tooling and planning for purple teaming.
• Building adversary emulation plans that mimic real-life threat actors such as APT-28, APT-34, and Turla, using tools such as Covenant and Caldera to execute the plans.
• In-depth techniques such as Kerberos Delegation attacks, Attack Surface Reduction/Applocker bypasses, EDR bypasses, AMSI, process injection, and COM Object Hi-jacking.
• Detection engineering and delemetry review to detect the above techniques.
• A dynamic capstone where your adversary emulation skills are put to the test.

SEC699 is a natural follow-up to SEC599. Course authors Erik Van Buggenhout (lead author of SEC599) and Jean-Francois Maes (lead author of SEC565) are both certified GIAC Security Experts as well as experienced practitioners with a deep understanding of how cyber attacks work through both red and blue team activities. In SEC699, they combine these skill sets to teach students adversary emulation methods for data breach prevention and detection.

The SEC699 journey is structured as follows:

• In section one, we will lay the foundations that are required to perform successful adversary emulation and purple teaming. As this is an advanced course, we will go in-depth on several tools that we’ll be using and learn how to further extend existing tools.
• Sections two through four will be heavily hands-on with a focus on advanced techniques and their defenses (particularly detection strategies). Section two focuses on Initial Access techniques, section three covers Lateral Movement and Privilege Escalation, while section four deals with Persistence.
• Finally, in section five, we will build an emulation plan for a variety of threat actors. These emulation plans will be executed both manually using popular C2 frameworks and automatically using BAS (Breach Attack Simulation) tools.

Business Takeaways

• Build realistic adversary emulation plans to better protect your organization
• Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
• Building SIGMA rules to detect advanced adversary techniques

What You Will Receive

• A SEC699 course VM that includes necessary scripts and dependencies that are used to spin up a detection lab on-demand

Syllabus

SEC699.1: Introduction & Key Tools
SEC699.2: Initial Intrusion Strategies Emulation & Detection
SEC699.3: Privilege Escalation & Lateral Movement Emulation & Detection
SEC699.4: Persistence Emulation & Detection
SEC699.5: Emulation Plans (Extended Access To CTF Range)