25.10.20

Adversary Detection & Incident Response - Network Defense Range Essentials

Network defense requires good judgement, and good judgement does not come from PowerPoint slides and textbooks. It requires experience. But if live production environments are too risky to practice on, how do you train? The Recon Network Defense Range offers participants real experience in a live network. In this course, we give students hands-on experience with the most significant threat groups and attacker techniques. Our live enterprise network enables students to hunt within a complex, multi-user environment.

On the first day, students receive a walkthrough of the simulation environment, the investigative methodology and processes, and a range of digital forensics and incident response tools that will be useful throughout the course and on the job. Several open source tools introduced in the course provide host- and network-based visibility into user and system activity. Each student also receives access to an incident tracking and collaboration platform that they can use throughout the course.

Once students are set up for success, we transition to hunting and responding to incidents throughout the environment. Because the enterprise network is known to be compromised, there is potential for pre-existing, ongoing, and upcoming attacks. The remainder of the course is a blend of adversary hunting, investigative build-out, and interactive class dissections of observed activity. We pause throughout the course to examine adversary activity and give students a "behind-the-curtain" look at how the attacks were orchestrated. This approach serves two audiences: students without attack experience gain an understanding of how attackers operate, and advanced students can compare their findings against the actual attack. We provide technical insight into the vulnerabilities and weaknesses exploited during the attack and discuss defensive implementations.

Day 1 includes attacks that focus on detecting base techniques within the ATT&CK matrix. These typically map to attacker goals such as credential access, lateral movement, or data exfiltration. Day 2 focuses on detecting combined, advanced adversary tactics such as those used by nation-state groups (China, Russia, Iran, North Korea), financially motivated groups (FIN and Spider groups), and disruptive/destructive groups. By the end of NDR Essentials, students will have a solid foundation for threat hunting and incident response. They will leave the course with practiced detection capabilities, tools for incident tracking, collaboration and enrichment, and a new approach to hunting for evil in their networks.

Skills / Knowledge

  • Defense
  • Forensics

Issued on

August 2, 2020

Expires on

Does not expire