Enterprise Intrusion Analysis (SC-375)


Course type: Essentials

Course details
Course title: Enterprise Intrusion Analysis (SC-375)
Delivery method: Classroom
RRP: £2200
Days/Duration: 5
Code: SC-375

Link to page: http://www.qa.com/SC-375

Course dates

We currently do not have public dates scheduled for this course.
Please contact us for details on a closed event for your company or to be added to the public course waitlist.


Please note that Oracle courses running at London training centres are subject to a 10% surcharge.

Overview

The Enterprise Intrusion Analysis course provides students with the skills needed to discover and analyze enterprise intrusions in a UNIX environment.  

Prerequisites

  • Demonstrate basic UNIX system and network administration skills
  • Demonstrate a basic understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) networking
  • Demonstrate an intermediate understanding of network services: DNS, DHCP, SMTP, HTTP, and firewalls 

Delegates will learn how to

  • Detect an enterprise system intrusion
  • Analyze a compromised system for crucial information: attack time, attacker location, attacker modifications to the system
  • Correlate multiple log files from different parts of the enterprise to determine attacker usage
  • Conduct an audit of file systems to determine attacker modifications
  • Describe modern attacker methodology with proof of concept examples  

Course outline

Module 1 – Enterprise Footprinting

  • Describe the principles of least privilege and disclosure
  • Describe how attackers use active fingerprinting using port scans, DNS and ICMP
  • Describe how attackers use passive fingerprinting using search engines
  • Describe how attackers enumerate services by collecting banner messages and protocol information
  • Describe how attackers use social engineering methods to gather information about an enterprise

Module 2 – Unauthorized System Access

  • Describe how attackers gain unauthorized access through user accounts
  • Describe how attackers gain unauthorized access through software flaws
  • Explain the attacker methodology for locating vulnerable enterprise services and creating exploits
  • Describe a buffer overflow
  • Describe privilege escalation
  • Describe a Trojan horse as a means to escalate privileges

Module 3 – Securing root Access

  • Describe how attackers secure root access through backdoors on a system
  • Describe the following back doors: SUID shell, bound shell, and trusted hosts
  • Describe a file system root kit
  • Demonstrate how a file system root kit hides files, processes, and connections
  • Describe a kernel root kit
  • Demonstrate how a kernel root kit captures all system activity

Module 4 – Encrypting and Hiding Data on a System

  • Review encryption technology
  • Describe how attackers use cryptography to encrypt files
  • Demonstrate encryption using GnuPG and OpenSSL
  • Describe digital steganography
  • Demonstrate how attackers hide files within files using digital steganography
  • Describe how attackers hide data within unexpected parts of the file system
  • Demonstrate how attackers hide a file in file system metadata
  • Demonstrate how attackers use the loopback file system and extended attributes to hide data

Module 5 – Enterprise Log Analysis

  • Identify the different types of enterprise services, such as DNS, DHCP, SMTP, HTTP, and firewalls
  • Identify available log files for enterprise services
  • Describe the relevant intrusion information in each log file
  • Examine enterprise log files to locate suspicious activity
  • Correlate information from multiple log files to determine an intrusion

Module 6 – Unauthorized System Access Intrusion Analysis

  • Identify default system access log files in the /var directory structure
  • Identify optional Basic Security Module (BSM) and system accounting log files
  • Describe log file formats and tools available to read the formats
  • Describe the relevant information in each log file
  • Correlate information from multiple log files to determine unauthorized system access
  • Demonstrate how attackers modify log files to hide their presence on a system

Module 7 – File System Intrusion Analysis

  • Define systems and utility trust
  • Locate backdoors on a UNIX System: alternate root accounts, bound shells, SUID shells, trusted host files
  • Locate file system root kits on a UNIX System
  • Discover hidden directories, replaced system commands, remote command utilities, and network sniffers
  • Describe automated file system analysis tools
  • Implement rkhunter, chkrootkit, and the Solaris Fingerprint Database to locate root kits

Module 8 – System Memory Analysis

  • Describe the important types of intrusion data that resides in memory
  • Describe techniques to capture volatile memory data to a file system
  • Introduce memory analysis tools mdb and gdb
  • Demonstrate how to recover data from memory using the mdb and gdb tools

Module 9 – Incident Investigation Methodologies

  • Identify different types of intrusion scenarios
  • Apply a methodology based on an intrusion scenario
  • Collect the appropriate data (log files, file systems, and memory images) based on the intrusion scenario

 

 
