CANSECWEST 2021 DOJO
Hunting the Adversary
Applying Cyber Threat Intelligence
Instructor: John Bambenek
May 24 - 27, 2021
John Bambenek
John Bambenek is President of Bambenek Labs and a handler with the SANS Internet Storm Center. He has over 20 years' experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He currently tracks neo-Nazi fundraising via cryptocurrency, publishes that data online to Twitter, and runs other monitoring solutions for cryptocurrency activity. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He has produced some of the largest bodies of open-source intelligence, used by thousands of entities across the world.
Course Schedule
May 24 - 27, 2021
Course Abstract
Traditional security defence tools are increasingly unable to protect against emerging and current attacks. The modern attacker has adopted advanced tools and techniques that cannot be stopped with traditional firewalls, intrusion detection and anti-virus. Meanwhile, dedicated attackers carry out intrusions over months and years while going undetected, stealing valuable information, trade secrets and financial data. Defence techniques that leverage information about attackers and their techniques, however, can greatly enhance the security of an organization.
Modern defences can integrate intelligence and counterintelligence information, which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attackers and how to integrate those tools into their organization. The course is a mix of lecture and hands-on training, so students will be equipped on day one to go back to work and start using threat intelligence to protect their networks.
Course Pre-requisites
Basic scripting (bash or python).
Understanding of reverse engineering malware and sandboxing.
Understanding of networking and DNS.
Course Learning Objectives
Critical Thinking, ACH and Threat Intelligence Models
Intelligence Sharing Mechanisms
Open Source Intelligence Gathering, Tools and Sources
The Collective Intelligence Framework
Malware Information Sharing Platform
Yara Primer for Threat Intelligence
Malware Surveillance Techniques
Creating and Deriving Intelligence Data
Identifying Adversarial Weaknesses and Disruption Operations
Defensive and Offensive Deception Techniques
Who Should Attend
Investigators, network defenders, incident responders and anyone interested in how to use intelligence to get ahead of the adversary.
Course Agenda
Critical Thinking, ACH and Threat Intelligence Models
Intelligence Sharing Mechanisms
Open Source Intelligence Gathering, Tools and Sources
The Collective Intelligence Framework
Malware Information Sharing Platform
Yara Primer for Threat Intelligence
Malware Surveillance Techniques
Creating and Deriving Intelligence Data
Identifying Adversarial Weaknesses and Disruption Operations
Defensive and Offensive Deception Techniques
Hardware Requirements
A notebook capable of running virtual machines.
Enough hard disk space to run a VM.
Software Requirements
VirtualBox and a Linux image with python3 installed.
Included Course Materials
Course materials as PDFs.
All required additional files: source code, documentation, installation binaries.