Intrusion Detection Systems

Teaching goals

This course will teach you the techniques, tools and methodologies related to defensive cyber warfare. Competencies commonly used by SOC, CERT, and CTI teams such as threat analysis, intrusion detection, and digital investigation will be covered.

Course description

CTI – Threat analysis

  • Cyber intelligence gathering
  • Executive intelligence production
  • Application of intelligence for detection
  • Intelligence sharing and consolidation languages (STIX, OpenC2, TAXII, …)
  • Modelling operating modes, tactics, and attack techniques (ATT&CK)

SOC – Intrusion detection

  • Intrusion detection context
  • Regulatory and legal framework of detection and response to incidents
  • Collection and analysis of logs and events (HIDS, EDR, …)
  • Collection and analysis of network data (NIDS, NetFlow, …)
  • Aggregation, enrichment, and correlation mechanisms within a SIEM

CERT – Computer forensics

  • Incident response stages
  • Detecting compromises
  • Forensic analysis (disks, memory and network)
  • Malware analysis and production of indicators of compromise
  • SOC/CSIRT team organization and training

Keywords

SOC, CERT, Cyber Threat Intelligence, Operations.

Prerequisites

  • Knowledge of TCP/IP protocols
  • Basic knowledge of system administration
  • Knowledge of operating system architectures
  • Basic knowledge of Python

Bibliography

  • Building Threat Hunting Strategies with the Diamond Model, by Sergio Caltagirone, 2016
  • Guide to Cyber Threat Information Sharing, by Chris Johnson, Lee Badger, David Waltermire, Julie Snyder and Clem Skorupka, 2016
  • Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, 2011
  • Traffic Light Protocol, by Cybersecurity and Infrastructure Security Agency (CISA)
  • Prestataires de détection d’incidents de sécurité : Référentiel d’exigences, by Agence nationale de la sécurité des systèmes d’information (ANSSI), 2017
  • Integrated Cyber Defense (ICD) Conceptual Reference Model: White paper, by Alexander P. Lee and Jared C. Moon, 2019

Teaching team biography

Georges Bossert is the product manager in charge of engineering and intelligence at SEKOIA. He specializes in scaling recent intrusion detection technologies, in the new uses of next-generation SIEMs (EDR, XDR, …), in TTP tracking, in the harmonization and automation of detection and remediation (SOAR), and in indicator sharing and CTI/SOC/CERT-CSIRT interoperability (Fusion Center). He holds a doctorate in cybersecurity from CentraleSupélec, with a focus on the reverse engineering of communication protocols.

Frédéric Guihéry is in charge of R&D and Innovation at AMOSSYS in Rennes. His work focuses on the design of secure architectures, operating system hardening, trust in information technology and, most recently, defensive cyber warfare. He also specializes in the reverse engineering of programs and protocols, in particular through Netzob. Frédéric received his master's degree in information system security from IFSIC at the University of Rennes in 2008. At AMOSSYS, he has managed and contributed to several research projects with academic and industrial partners. Frédéric has presented his work at several conferences, including CCC, Black Hat, ICCC, ECW, and SSTIC.