Real-Time Tools and Methodologies for Discovering and Reacting to Network Intrusion Attempts
An essential component in any comprehensive enterprise security program is the ability to detect when your networks or systems are being probed or attacked, or have been compromised in some manner. Intrusion detection systems give you this critical monitoring capability.
In this up-close, 72-hour look at intrusion detection systems (IDS), you will get a firm grip on everything from the leading IDS products and attack signatures to creating a Threat Management Procedure. You will learn about the different types of intrusion detection systems, how they operate, how they should be managed, how and where they should be deployed, who the players are, and whether IDS is something that should be outsourced or kept in-house. After installing multiple IDS solutions, you will benefit from a demonstration of hacker attack methodologies and see for yourself how IDS can help to detect them. You will explore new directions in the IDS arena that promise to make intrusion detection systems easier to manage and a more effective part of your information security strategy. Through a wide array of hands-on exercises you will not only install and configure IDS systems but also observe first-hand many hacker "attacks" and exploits and how they appear to IDS systems. Implementation exercises cover a representative sample of the latest IDS tools, a combination of both freeware and commercial products. You will have the opportunity to create realistic attack scenarios and learn from the best how to detect, read, react to, and defend your network against serious attacks.
Contact Hours: 27 hr Lecture / 35 hr Labs
Prerequisites: Understanding of TCP/IP protocols
Credits: 50 CPE / 3 CEU
Method of Delivery: Residential (100% face-to-face) or Hybrid
Method of Evaluation: 1. 95% attendance; 2. 100% completion of labs
Grading: Pass = attendance + labs & quizzes; Fail > 95% attendance
Sample Job Titles:
IA Operational Engineer
IA Security Officer
IS Manager/ IS Specialist
IS Security Engineer
IS Systems Security Manager
Platform Specialist/ Security Administrator
Security Analyst/ Security Control Assessor
This 72-hour accelerated class is taught in a face-to-face or hybrid modality. The class includes 72 hours of contact studies, labs, reading assignments and a final exam; passing the final exam is a requirement for graduation.
- Students will be able to write a system security policy.
- Students will be able to describe and write various risk analysis methods.
- Students will be able to evaluate and categorize risk 1) with respect to technology; 2) with respect to individuals; and 3) in the enterprise, and recommend appropriate responses.
- Students will be able to compare the advantages and disadvantages of various risk assessment methodologies.
- Students will be able to select the optimal methodology based on needs, advantages and disadvantages.
Who Should Attend: CIOs with responsibility for Computer Security, Network Administrators, Information Security Architects, Auditors, Consultants, and all others concerned with network perimeter security.
Learning Objectives: the different types of intrusion detection systems, how they operate, how they should be managed, how and where they should be deployed, who the players are, and whether IDS is something that should be outsourced or kept in-house. After installing multiple IDS solutions, you will benefit from a demonstration of hacker attack methodologies and see for yourself how IDS can help to detect them.
Text Materials: labs, SU Pen Testing Materials, resource CDs and attack handouts.
Machines: dual core, 4M RAM, 350 GB drives, running a Microsoft OS, Linux, and VMware Workstation.
Tools for class: Whois, Google Hacking, Nslookup, Sam Spade, Traceroute, Nmap, HTTrack, SuperScan.
Class Lesson Plan: 39 hr Lecture / 33 hr Labs
Lesson 1: Role and Operating Characteristics of IDS - 2 hr Lecture 1 hr labs
- Identifying major IDS functions
- Defining the role of IDS related to firewalls and other network perimeter security safeguards
Choosing an Intrusion Detection System - 2 hr Lecture 2 hr labs
- Host-based vs. network-based IDS
- Key attributes for positioning IDS in the network
- Determining who administers the IDS
Lesson 2: IDS Architecture - 2 hr Lecture 2 hr labs
- Integrating IDS and firewalls
- Management consoles
- IDS in the weeds
Lesson 3: IDS Operation - 2 hr Lecture 3 hr labs
- Definition of anomalous traffic
- Minimizing false positives
- Correlation with other SMTP sources
- Multiple security management consoles
- Hands-on exercises: installing and configuring a sample of prominent IDS products (SNORT, Cisco Secure Intrusion Detection, ISS Real Secure, and Enterasys Dragon IDS)
Threat Management: Reacting to the Attack - 2 hr Lecture 2 hr labs
- Best practices for defining responsibility
- Establishing a law enforcement contact
- The role of an overall IDS coordinator
Lesson 4: The Role of IDS in Threat Management - 2 hr Lecture 2 hr labs
- Using IDS as forensic gathering tool
- Early warning systems
- Escalation procedures
- Creating a framework for IDS alert criteria and response center
Document Security Policy and Procedures - 2 hr Lecture 3 hr labs
- IDS alarm severity levels
- Incident response sources
- Integrating IDS and firewalls
- IDS case studies
- Developing an effective incident response capability
- Hands-on exercises: Creating a template for managing the people and the processes for IDS Defense Procedures.
Lesson 5: Real-Time Reaction to Threats - 2 hr Lecture 3 hr labs
- Sending an alert — console, audible, pager, E-mail
- Taking action based on policy
- Forcing the session to disconnect
- Blocking access from the attacking source
- Blocking all network access
- Incident response resources
Validating the Threats: Looking at Hacker Attack Methods - 3 hr Lecture 3 hr labs
- Hacker attacks
- Bug exploitation
- Buffer overruns
- Attack Scenarios
- Common types of attacks that an IDS can help detect
- Network scans
- Port scans
- Denial-of-service attacks: Smurf, Land, Trin00, Stacheldraht
- "DE-synching" an IDS
- What an IDS might not detect
- CGI exploits
- Malformed URLs
- Other application-layer attacks
- Race condition
- Trust exploitation
- Social engineering
- Physical access
- Hands-on exercises:
  - Real-time TCP/IP monitoring
  - Live signature review and analysis
Grades: All students must ordinarily take all quizzes, labs and the final exam, and submit the class practical, in order to be eligible for a Q/ISP, Q/IAP, Q/SSE, or Q/WP credential, unless granted an exception in writing by the President.