Defend Against Modern Targeted Attacks (DAMTA) A tailored training for your security team by Outflank in cooperation with Cqure.
Get ready for a 3-day knowledge intensive training that teaches you how to defend against the modern offensive techniques that red teams and targeted attackers use.
We’re not going to bother you with the default tools of penetration testers. And you should forget about the out-of-the-box rules in your SIEM that trigger endless false positives. But we are going to feed you with the latest knowledge, tools and techniques of modern targeted attacks that help you become a better defender.
Based on many years of Red Teaming and hands-on SOC/incident response experience, we share with the you the essential concepts and techniques to better understand and defend against modern attacks. In this training no Nmap, Nessus, exploits and Metasploit. Instead we focus on Pyramid of Pain, Course of Action Matrix, Cobalt Strike, Golden Tickets, Kerberoasting, Domain Fronting and other topics that really matter. We have also prepared a massive online lab that represents true corporate IT environments, in which you will spend about half of your time diving into hands-on assignments on offensive and defensive actions.
The video below has been shot during the edition in June 2018.
Attending this event?
For this event you can subscribe. Please fill out this subscription form to notify us of your attendance. Your subscription will be confirmed via email.
Who should attend?
The training is optimally suited for:
- Defenders (i.e. Blue Teamers, SOC-specialists) who want to strengthen their skillset, learn directly from Red Teaming specialists, and get hands on experience with offensive and defensive tools in order to better defend against modern offensive methodologies, tools, and techniques.
- Security professionals interested in expanding their knowledge of modern attack techniques, Red Teaming and defend against it.
- Forensic professionals who want to better understand the entire flow of an attacker and offensive tactics.
- Penetration testers and ethical hackers wanting to step into Red Teaming, or wanting to provide better recommendations to their clients on defensive measures.
- Technical auditors and security officers wanting to increase their hands-on experience and technical skills.
We do require participants to have a technical IT background and a basic level of security knowledge. So you probably do not want to subscribe to this training if you are afraid of the command line, or never ever heard of Golden Ticket and Command and Control traffic. But the training is setup in such a way that it can welcome both novices and veterans.
Key learning objectives
The training is focussed on several key elements:
- Learn how modern attacks work and how you can better defend against such attacks.
- Understanding and being able to use key theoretical concepts, e.g. Kill Chain, Course of Action Matrix and Pyramid of Pain.
- Latest and most effective hacking and detecting techniques.
- Hands-on learning combined with theory.
- Hands-on experience with various offensive tools combined with detection and investigation tools in a massive lab environment that resembles a true corporate network.
- Lab manual that helps the participants and makes it easy to follow.
- Knowledge packed training material for you to take home and revisit.
During the training, the participants have access to a personal lab environment that acts as a playground area. Having a lab is a key point of the training as we strongly believe it increases the ability to learn. The lab isn't just a vulnerable web app with a linux and windows server. No, this personal(!) environment is comparable to common enterprise networks. You can expect a large number of Windows and Linux servers, Active Directory domain with subdomains, Windows desktops, multiple services, user accounts and service accounts. Furthermore, common insecurities are configured on purpose. Just as important is the central monitoring environments using open source and commercial tool, i.e. Redline, sysmon, WEF and ELK stack. You will use this to track and interpret attacks as they happen. Every student also has a private offensive lab for the execution of several offensive actions. This process is supported by the using the mature and easy to use Cobalt Strike tooling.
Agenda and key topics
- Core theoretical concepts, e.g. SIEM, SOC, Pyramid of Pain, TTPs, MITRE ATT&CK, Intruder’s dilemma, attacker’s playground, assume compromise, Kill Chain, lateral movement.
- Lab 1 - Setup: setup access to your defensive lab, setup access to your offensive infrastructure, recon your target and develop an attack scenario.
- Theory of attack vectors, e.g. watering hole, phishing, the Microsoft Office attack vectors.
- Lab 2- Attacker lab: Build, edit and review weaponized documents.
- Theory of the attacker’s network infrastructure, e.g. C2, redirectors, low and slow principle, beacon traffic, Domain fronting, Cobalt Strike.
- Lab 3 – Attacker lab: Setup your attacking infrastructure and deploy malware.
- Theory of malware prevention and investigation, e.g. anti-virus, anti-spam evasion, C2 basics, drive-by downloads, HTA, Java and Jscript, application whitelisting, End-Point Detection & Response.
- Lab 4 – Defender lab: Forensics, investigation of a compromised workstation and malicious using Endpoint detection and response tooling, malware sandboxes, YARA.
- Theory of Privilege escalation & Lateral movement.
- Windows and Active Directory internals from the attacker's and defender's point of view. Key topics like Wdigest, NETNTLM vs NTLM hashing, Sharphound, WMI, Psexec, Remote PowerShell, Golden and Silver Tickets, SPNs, etc.
- Lab 5 - Attacker lab: Leverage initial access on workstation further into the lab. Use Cobalt Strike, PowerView, Mimikatz and several lesser known tools.
- Theory of Detection & Incident Response, e.g. log collection using Windows Event Forwarding, SIEM, shim caches, netflow, structure and templates for incident reporting, containment methods.
- Lab 6 – Defender lab: Detection, hunting and investigation. Using the lab's SIEM environment to unravel complex attacks.
- Theory Mitigation & Improvement: ASD top 35, important papers and defensive concepts from Microsoft, LAPS, AppLocker and non-Windows solutions.
- Lab 7 - Final technical deep dive – surprise topic.
Location, price and dates
Atlas Arena Complex
Building Azië - 5th floor
1101 BA Amsterdam
Phone: +3120 5 677 980
Price and dates
During these days you will be served drinks and lunch, and we organise a dinner after the first day of training. At this dinner you get the chance to meet your trainers and your co-attendees in an informal setting. At the end of the training you will receive a certificate of participation. All this together will cost you € 2250,- excluding tax, per person.
The course material is written in English. The training can be given in either Dutch or English. If one more attendees make this request, the training will be full in English, so please let us know if you'd like to attend this training in English. You need to bring your own laptop to the training which is capable of running an RDP. This is possible on either Windows, MacOS or Linux.
A selection of reactions from previous participants:
- “Excellent training, excellent and complementary skill sets brought to the table by the trainers!”
- “Very refreshing to learn from an offensive point of view. Thanks so much!”
- “Simply superb!! An excellent exercise to see things from the perspective of an attacker and use the methods and tools. Also, to attack not a single server but to gain entrance to a complex network, this made it much more real and rewarding!”
- “Nice team, good presentations, presenters clearly control the material.”
- “Good improvement plans for your own organization, both short and longer term”
- “Lots of useful information about incident lifecycle management in security incidents!”
The training is given by 3 of the following trainers: Pieter Ceelen, Stan Hegt, Jarno van de Moosdijk and Marc Smeets. All working at Outflank, they focus on Red Teaming operations and advanced penetration tests. The training is based on their many years of experience with offensive operations and advising their clients. They each have their own expertise in this training. You can read more about the trainers in the profiles at the bottom of the page.
We hope to have informed you suffieciently, but if any questions remain or arise or you simply just want some extra information about this training or the possibility to host this training at your company, we love to help you. You can reach out to Dennis Nuijens of Cqure for questions and other information. He can be reached via +31 (0) 6 588 12 977 or firstname.lastname@example.org
Attend this training?
This event requiers you to subscribe as it is paid. Fill in the subscription form and we will confirm your attendance via email.
Where it all began I am not sure how old I was, I guess between 8 and 10, I got my hands on an MSX with an old school tape-deck (no floppy drives). After some time, I started reading some books..
Where it all began I am terrible at playing computer games. At the age of 10, I was attracted by a completely different side of computers than most of my friends. I was pulled into the world of..
Where it all began After jobs at various computer shops, an online gaming adventure got quite serious: ending up playing Unreal Tournament capture the flag on a high level. Being frustrated by ..
Where it all began Computers got my attention when I was about 10 years old. It started with games, but quickly all those weird commands you had to enter before the game got my attention. Not h..