Clear advice with a hacker mindset

Tailored trainings for your security team

Defend Against Modern Targeted Attacks (DAMTA)

Get ready for a 3-day knowledge intensive training that teaches you how to defend against the modern offensive techniques that red teams and targeted attackers use.

We’re not going to bother you with tools such as nmap and Nessus, and you should forget about the out-of-the-box rules in your SIEM that trigger endless false positives on brute force attacks. We are going to feed you with the latest knowledge, tools and techniques that help you become a better defender.

Based on many years of Red Teaming and hands-on SOC/incident response experience, we share with the you the essential concepts and techniques to better understand and defend against modern attacks. We have also prepared a massive online lab that represents true corporate IT environments, in which you will spend about half of your time diving into hands-on assignments on offensive and defensive actions.

Since 2017 over 300 students across multiple industries have followed the DAMTA course.

Interested in this training? Take a look at our planned training dates here.

Who should attend?

The training is optimally suited for:

  • Defenders who want to strengthen their skillset and get hands on experience with offensive and defensive tools in order to better defend against modern offensive methodologies, tools, and techniques.
  • Penetration testers and ethical hackers wanting to provide better recommendations to their clients on defensive measures.
  • Security professionals interested in expanding their knowledge of modern attack techniques, Red Teaming and defend against it.
  • Forensic professionals who want to better understand the entire flow of an attacker and offensive tactics.
  • Technical auditors wanting to increase their hands-on experience and technical skills.

Key learning objectives

The training is focussed on several key elements:

  • Learn how modern attacks work and how you can better defend against such attacks.
  • Key theoretical concepts, e.g. kill chain, course of action matrix, pyramid of pain, tiering security model, etc.
  • Hands-on learning in a large lab environment, combined with theory.
  • Latest and most effective hacking and detecting techniques.
  • Hands-on experience with various offensive tools combined with detection and investigation tools.
  • Lab manual that guides the participants through the labs and makes it easy to follow, regardless of participant’s skill level.
  • Knowledge packed training material for you to take home and revisit.

Lab environment

During the training, participants have access to a personal lab environment that acts as a playground area. Having a personal lab is a key differentiator compared to many other labs. This environment is comparable to common enterprise networks as it contains Windows and Linux servers, an Active Directory domain, Windows desktops, multiple services, user accounts and service accounts. Furthermore, commonly found insecurities are configured on purpose, as well as detective measures are in place, e.g. central monitoring environments using open source and commercial tools (e.g. IDS, Splunk/ELK stack). We have spent significant time making this lab as real as possible.

Agenda and key topics

The following provides a rough outline, as the attack and defense landscape is constantly evolving topics are subject to change.

Day 1

  • Introduction
  • Core theoretical concepts, e.g. SIEM, SOC, Pyramid of Pain, TTPs, MITRE ATT&CK, Intruder’s dilemma, attacker’s playground, assume compromise, Kill Chain, lateral movement.
  • Lab 1 - Introduction to your lab, both defensive as well as offensive infrastructure, recon your target and develop an attack scenario.
  • Theory of attack vectors, e.g. watering hole, phishing, the Microsoft Office attack vectors.
  • Lab 2 - Setup attacking infrastructure, build and deploy weaponized documents. Investigate artefacts left behind in the attack, e.g. Office TrustRecords, proxy logging, process spawning and process network activity.
  • Theory of the attacker’s network infrastructure, e.g. C2, redirectors, low and slow principle, beacon traffic, Domain fronting, Cobalt Strike.
  • Theory of malware prevention and investigation, e.g. anti-spam evasion, C2 basics, drive-by downloads, HTA, Java and Jscript, application whitelisting, End-Point Detection & Response. Theory on processes vs threads and how malware uses thread injection techniques.
  • Lab 3 – Attacker lab: Setup your attacking infrastructure and deploy malware.

Day 2

  • Theory of Privilege escalation, UAC, AV and EDR tooling, Attack Surface Reduction, Application Whitelisting, PowerShell, and lateral movement.
  • Lab 4 - Leverage initial access on workstation for local privilege escalation, UAC bypass and persistence. Use Cobalt Strike, PowerUp, PowerView, Mimikatz and several lesser known tools. Detect and investigate artefacts left behind by such tools, e.g. service creation, registry modifications.
  • Lab 5 – Basic introduction into forensics using Redline and CyberChef.
  • Theory Windows and Active Directory internals from the attacker’s and defender’s point of view. Key topics like LSASS process, SSO and DPAPI.
  • Lab 6 – Password dumping, LSASS modifications and security token takeover, including accompanying monitoring artefacts.
  • Theory of Active Directory, internal reconnaissance, BloodHound, modern security features against lateral movement.
  • Lab 7 – Getting hands dirty with BloodHound and other recon methods. Detecting such recon attempts.
  • Theory of network-based attacks, SMB insecurities, relaying, etc.
  • Theory of Kerberos and detecting Kerberos attacks like Golden and Silver tickets, Kerberoasting, (un)constrained delegation, SPNs and ACLs in AD context.

Day 3

  • Lab 8 – Chaining attacks together in the lab. Detections of each step of the attack.
  • Theory of Detection & Incident Response, e.g. log collection using Windows Event Forwarding, SIEM, use case management, structure and templates for incident reporting, containment methods.
  • Cloud and Hybrid security, Azure Identity Protection, Azure ATP.
  • Group discussions and case studies on core defensive topics.
  • Theory Mitigation & Improvement: important papers and defensive concepts from Microsoft, LAPS, AppLocker and non-Windows solutions.

Pre-required knowledge for attendees

We do require participants to have a technical IT background and a basic level of security knowledge. So, you probably do not want to subscribe to this training if you are afraid of the command line, or never ever heard of Golden Ticket and Command and Control traffic. But the training is setup in such a way that it can welcome both novices and veterans. There are extra lab assignments for students that want to go the extra mile.

Your trainers

The training is hosted by a selection of three of our team members. Working at the Dutch company Outflank, they focus on Red Teaming operations and advanced penetration tests. The training is created based on their 10+ years of experience with offensive operations and advising their clients on defending against targeted attackers. They each bring their own unique expertise to this training, ranging from SOC operations, custom malware and infrastructure security.

Quotes from previous participants

  • "The Outflank DAMTA training prepared me to better deal with motivated threat actors. The combination of theory, technical detail and hands-on labs enables you to detect hackers in your Windows domain that would otherwise go unseen. Let’s prepare, reduce the attack surface and prevent breaches!"
    (Gerben Spronk, independent IT security analyst)
  • "Even as a less-technical guy this training was easy to keep up with. A lot of hands-on labs combined with related theory. The trainers known what they are talking about and give you a lot of insights how a hacker operates in a corporate network and how you can defend against that. Great takeaways! Overall great training and highly recommend for IT security experts!”"
    (Stefan van de Werken, security officer IJsselgemeenten)
  • "Ever thought a trainer could tell you how someone can hack a Stroopwafel-factory company in just 3 days? Outflank pulled it off during this knowledge intensive training, making it even possible for you go back to your own company with the ability to do it yourself and having the knowledge on how to change your monitoring to start detecting it. And with the flair and fun it's presented, you'll definitely be looking for the next training they will (hopefully) be offering."
    (Someone in the Dutch financial industry)
  • "Awesome training with high quality content. I recommend this training to anyone who likes to know how attackers will enter your organization and corporate network. Besides the theoretical information presented by highly experience trainers, a lab environment is available to put every theory into practice. This allows you to get more familiar with the topics and apply them more easily in your own organization."
    (Anonymous security researcher)
  • "Great, fun and above all informative training. Both the theoretical part as well as the lab were above expectations. Would absolutely recommend."
    (Rick Luijendijk, system administrator IJsselgemeenten)
  • "Good eyeopener into hacker/attacker mindset. Lots of information and recommendations with good hands-on labs. Let's you rethink your own architecture and current security settings/design."
    (I.J. van den Ouden Network Architect)
  • "A must for everyone working in a security environment. Great teachers with incredible knowledge."
    (Marcel – Rabobank SecOps)
  • "Really good training full of challenging content, awesome lab exercises. Must follow this training!"
    (Jeffrey de Krou at Detailresult Services / System Engineer)
  • "Amazing training with a lot of useful recommendations. It gave me a better insight on the perspective of a hacker and how Windows authentication works. I always wanted to play with tools like Cobalt strike and now I did. Pretty cool to see how easy owning a complete infrastructure could be if there is no protection. I think this training is a must for every Windows server admin and IT-security employee."
    (Rik Gouw - Technical security officer at Hogeschool Rotterdam)

Are you interested in this training?

Reach out to us

Other services

We provide you with the best experts and aim for the highest quality.

Advanced security tests

Dedicated penetration testing on complex environments.

Strategic threat information

Learn about the latest attacker tactics, techniques and procedures applicable to your organization.

Need help right away?
Call our emergency number

+31 20 2618996

Or send us an email and we'll get back to you as soon as possible