A tailored training for your security team
Defend Against Modern Targeted Attacks (DAMTA)
Get ready for a 3-day, knowledge-intensive training that teaches you how to defend against the modern offensive techniques that red teams and targeted attackers use.
We’re not going to bother you with the default tools of penetration testers, and you can forget about the out-of-the-box rules in your SIEM that trigger endless false positives. Instead, we are going to feed you the latest knowledge, tools and techniques of modern targeted attacks that help you become a better defender.
Based on many years of Red Teaming and hands-on SOC/incident response experience, we share with you the essential concepts and techniques to better understand and defend against modern attacks. In this training there is no Nmap, Nessus, exploits or Metasploit. Instead we focus on the Pyramid of Pain, the Course of Action Matrix, Cobalt Strike, Golden Tickets, Kerberoasting, Domain Fronting and other topics that really matter. We have also prepared a massive online lab that represents a true corporate IT environment, in which you will spend about half of your time on hands-on assignments covering both offensive and defensive actions.
Upcoming training events
The Defend Against Modern Targeted Attacks (DAMTA) training is scheduled for the following dates. Note that this training can also be hosted in-company. Contact us for more details.
Who should attend?
The training is optimally suited for:
- Defenders (i.e. Blue Teamers, SOC specialists) who want to strengthen their skillset, learn directly from Red Teaming specialists, and get hands-on experience with offensive and defensive tools in order to better defend against modern offensive methodologies, tools, and techniques.
- Security professionals interested in expanding their knowledge of modern attack techniques and Red Teaming, and in how to defend against them.
- Forensic professionals who want to better understand the entire flow of an attacker and offensive tactics.
- Penetration testers and ethical hackers wanting to step into Red Teaming, or wanting to provide better recommendations to their clients on defensive measures.
- Technical auditors and security officers wanting to increase their hands-on experience and technical skills.
Key learning objectives
The training is focused on several key elements:
- Learn how modern attacks work and how you can better defend against such attacks.
- Key theoretical concepts, e.g. kill chain, course of action matrix and pyramid of pain.
- Hands-on learning in a large lab environment, combined with theory.
- The latest and most effective hacking and detection techniques.
- Hands-on experience with various offensive tools, combined with detection and investigation tools, in a massive lab environment that resembles a true corporate network.
- Lab manual that helps the participants and makes it easy to follow.
- Knowledge packed training material for you to take home and revisit.
During the training, the participants have access to a personal lab environment that acts as a playground. Having a lab is a key point of the training, as we strongly believe it increases the ability to learn. The lab isn't just a vulnerable web app with a Linux and a Windows server. No, this personal(!) environment is comparable to common enterprise networks. You can expect a large number of Windows and Linux servers, an Active Directory domain with subdomains, Windows desktops, multiple services, user accounts and service accounts. Furthermore, common insecurities are configured on purpose.
Just as important is the central monitoring environment, built with open source and commercial tools such as Redline, Sysmon, WEF and the ELK stack. You will use this to track and interpret attacks as they happen.
Every student also has a private offensive lab for the execution of several offensive actions. This process is supported by the mature and easy-to-use Cobalt Strike tooling.
Agenda and key topics
The following is a rough outline; as the attack and defense landscape is constantly evolving, topics are subject to change.
- Core theoretical concepts, e.g. SIEM, SOC, Pyramid of Pain, TTPs, MITRE ATT&CK, Intruder’s dilemma, attacker’s playground, assume compromise, Kill Chain, lateral movement.
- Lab 1 – Setup: set up access to your defensive lab, set up access to your offensive infrastructure, recon your target and develop an attack scenario.
- Theory of attack vectors, e.g. watering hole, phishing, the Microsoft Office attack vectors.
- Lab 2 – Attacker lab: Build, edit and review weaponized documents.
- Theory of the attacker’s network infrastructure, e.g. C2, redirectors, low and slow principle, beacon traffic, Domain fronting, Cobalt Strike.
- Lab 3 – Attacker lab: Setup your attacking infrastructure and deploy malware.
- Theory of malware prevention and investigation, e.g. anti-virus, anti-spam evasion, C2 basics, drive-by downloads, HTA, Java and JScript, application whitelisting, Endpoint Detection & Response.
- Lab 4 – Defender lab: Forensics and investigation of a compromised workstation using Endpoint Detection & Response tooling, malware sandboxes and YARA.
- Theory of Privilege escalation & Lateral movement.
- Windows and Active Directory internals from the attacker's and defender's point of view. Key topics like WDigest, NetNTLM vs NTLM hashing, SharpHound, WMI, PsExec, Remote PowerShell, Golden and Silver Tickets, SPNs, etc.
- Lab 5 – Attacker lab: Leverage initial access on a workstation further into the lab. Use Cobalt Strike, PowerView, Mimikatz and several lesser-known tools.
- Theory of Detection & Incident Response, e.g. log collection using Windows Event Forwarding, SIEM, shim caches, netflow, structure and templates for incident reporting, containment methods.
- Lab 6 – Defender lab: Detection, hunting and investigation. Using the lab's SIEM environment to unravel complex attacks.
- Theory of Mitigation & Improvement: ASD Top 35, important papers and defensive concepts from Microsoft, LAPS, AppLocker and non-Windows solutions.
- Lab 7 – Final technical deep dive: surprise topic.
We do require participants to have a technical IT background and a basic level of security knowledge. So you probably do not want to subscribe to this training if you are afraid of the command line, or have never heard of Golden Tickets and Command and Control traffic. But the training is set up in such a way that it can welcome both novices and veterans.
There will be 3 trainers: Pieter Ceelen, Stan Hegt and Marc Smeets. Working at Outflank, they focus on Red Teaming operations and advanced penetration tests. The training is based on their 10+ years of experience with offensive operations and advising their clients on defending against targeted attackers. They each bring their own unique expertise to this training, ranging from SOC operations and custom malware to infrastructure security.