Trainings 

 

Trainings soon to start:

- IT Forensics for System Administrators - Second Part (now started, April 27th 2022)

Available trainings:

- Operational Network Security

- Vulnerability Management

- IT Forensics for System Administrators

The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 856726 (GN4-3).

We offer the security training recordings and presentations free of charge. We offer in-house schooling as well, if the current situation permits it.

Please contact us if you are interested in this possibility: veranstaltungen@dfn-cert.de

Training Programme Overview

There is no need to stress the importance of security, and more recently also privacy, in NREN networks. But while the importance of security and privacy is widely recognized, training in these areas has often been aimed at the security personnel tasked with handling incidents, while system and network administrators seem to have been neglected.

The “Operational Network Security” training programme has been created by collating experiences and holding discussions with security offices and network operators. It aims to address a number of common security risks that NRENs face in their day-to-day operations: authentication, logging, audit, privacy, first-hop security, DNS security and protection from Distributed Denial-of-Service attacks.

Vulnerabilities in software, and sometimes even in hardware, are open gates that attackers can use to gain access to private systems and networks. Worse, they have become a fact of life that IT managers and administrators have to deal with, always accompanied by the concern that a single critical vulnerability has been overlooked and will later be exploited.

"Vulnerability Management" addresses this problem with a systematic approach that turns this into a reliable and recurring process. This module gives an overview of standards, details how to distribute security advisories among your constituency, and explains how to plan and roll out patches in your organization.

IT forensics has become a vital part of handling security incidents. While putting the evidence together is a job for specifically trained investigators, administrators are often left alone with detecting incidents, initiating an investigation and aiding investigators in collecting the required evidence.

Unfortunately, many administrators are not trained in their role in a forensic investigation and have not received the necessary guidance before being thrown in at the deep end. The training programme 'IT Forensics for System Administrators' addresses these shortcomings with an introduction to the basic organisational steps of incident handling and forensics from the administrator’s perspective, as well as to how to ascertain that all incidents have been detected and uncovered. Methods and tools to collect the various forms of evidence data are explained so that administrators are able to fulfil their role in a forensic investigation.

Who will benefit from attending this training programme?

  • System/network administrators at NRENs or NREN member organisations
  • System administrators at computing centres or NOCs
  • Broader categories of professionals with an interest in these subjects

Prerequisites

Basic knowledge of operating system and network administration is required.

Please note: Clicking the sessions' recording links will take you to YouTube, the platform's operator.

Operational Network Security

Find the complete playlist here

1. Operating system privacy and security (5 sessions)

Session 1: Operating System Telemetry – configuring protection in Windows 10

The session provides an insight into the telemetry mechanism Windows uses for data collection and how it can be configured to an organisation's needs. It also explores additional ways to make Windows 10 more privacy-friendly.

Find the first session's recording here

Find the first session's presentation here

Session 2: Logging and Audit – Log management and Audit strategies

All IT users know about log files, and many of them, not only system administrators, even regularly look at application logs, syslog entries or Windows event logs. However, without sound processes in place for analysing these logs, their value is significantly reduced.

The session provides an insight into log management and audit strategies, some practical tips for configuring Windows and Linux logging/audit settings, and an understanding of the need for central log collection and examination.

Find the second session's recording here

Find the second session's presentation here

Session 3: File Integrity Monitoring (FIM) for detecting security incidents

Detecting malicious changes to operating system files early and thoroughly is vital to the handling of security incidents. However, programs that watch for such changes are rarely used, although they have been around for a long time and their usefulness is unequivocally recognised. This seems rooted in the assumption that operating such programs properly is difficult and time-consuming.

The session introduces the concept of file integrity monitoring (FIM) and gives participants practical tips on how to plan and start adopting FIM in their organisation. It also includes a live demonstration of one of the latest open source FIM solutions, ‘Wazuh’.

Find the third session's recording here

Find the third session's presentation here

Session 4: Network 1st Hop Security

Configuring end-user systems to access directly attached networks is facilitated by automatic configuration protocols such as DHCP or IPv6 Router Discovery. Likewise, for operation on attached links, the link-layer address corresponding to an IP address is found using protocols such as ARP or IPv6 Neighbor Discovery.

While these protocols are vital to the operation of the network, they carry a number of security risks. This session explores these risks as well as ways to mitigate some of them.

Find the fourth session's recording here

Find the fourth session's presentation here

Session 5: Authentication methods – how to avoid common pitfalls

Authentication is the basis for any kind of secure system. Unfortunately, it is also easy to get wrong, and getting it wrong fundamentally breaches a system’s security.

The session provides an overview of authentication methods and outlines the most important and relevant approaches in more detail to help participants avoid the most common pitfalls in this area.

Find the fifth session's recording here

Find the fifth session's presentation here

2. Client Privacy and Security (5 sessions)

Session 1: Browser Security & Privacy

Web browsers have long been ubiquitous as a window onto the internet, with their versatility being a key factor in their success. But web browsers can also be (mis)used to track the activities of their users. Not surprisingly, the security of browsers and the privacy of those who use them have become one of the most important topics in information security.

For Firefox and Chromium-based browsers, the session gives an introduction on how to secure them and how to avoid providing unnecessary personal data to websites or browser vendors. Participants are also shown how to avoid leaving a trackable trail across the internet.

Find the first session's recording here

Find the first session's presentation here

Session 2: E-Mail Security and Privacy

One of the oldest practical uses of the Internet is email. Most of us use it on a daily basis, and e-mail has become one of the most important tools of business. Email has also become one of the most universal and persistent sources of privacy and security headaches. 

The webinar gives an overview of the many challenges that email introduces and provides approaches of how to effectively deal with some of its more common issues. 

Find the second session's recording here

Find the second session's presentation here

Session 3: Instant Messaging Security and Privacy

From Microsoft Messenger and Internet Relay Chat in the nineties to the more current WhatsApp and Discord, instant messengers pre-date the World Wide Web, and while the client programs have changed and gained functionality, their usage shows no sign of decline.

Session participants are shown how to secure instant messenger clients and how to avoid common privacy pitfalls.

Find the third session's recording here

Find the third session's presentation here

Session 4: Videoconferencing Security and Privacy

Videoconferencing has been around for some time, but its use has increased manifold during the COVID-19 pandemic. With employees being locked down in their home offices, videoconferences have replaced business meetings and entire business trips, allowing the illusion of face-to-face interaction. This comes with the burden of an unknown impact on the privacy and confidentiality of the conversations, as well as the security of the client applications.

The webinar provides an overview of security and privacy issues with popular videoconferencing clients and services and shows how to address them. 

Find the fourth session's recording here

Find the fourth session's presentation here

Session 5: Office Security and Privacy

Many people regularly use programs such as MS Office. Having started as simple text-editing programs, modern Office suites have turned into highly complex applications. They are available on every operating system, including mobile OSs, and are quickly evolving into cloud-based applications, allowing for convenient collaboration. However, the growing complexity of these programs has introduced a number of problems related to both privacy and security.

The talk offers participants an insight into common privacy issues and security risks and provides some practical tips to address them. 

Find the fifth session's recording here

Find the fifth session's presentation here

3. Domain Name System (DNS) protection (4 sessions)

Session 1: Introduction to DNS and its Security Challenges – meet the challenges

The Domain Name System (DNS) is one of the core services of the Internet as we know it today. DNS was designed in 1983 and has been a critical part of the Internet infrastructure ever since. 

This session gives an overview of how DNS works and, crucially, what the security implications of its design and operation are. 

Find the first session's recording here

Find the first session's presentation here

Session 2: DNS for Network Defence – Using DNS to protect and observe

DNS is not only used for the mapping of names to IP addresses and vice versa.

This module shows several use cases in which information provided by DNS servers can be used to protect the local network from malicious activities such as spam or drive-by infections. This is followed by a block on monitoring DNS queries to collect information about ongoing intruder activity on an organisation's network.

Find the second session's recording here

Find the second session's presentation here

Session 3: DNSSEC – Protecting the integrity of the Domain Naming System

Although hampered by slow adoption, DNSSEC has proven to deal effectively with the integrity problems of DNS.

This module introduces the general concepts of DNSSEC and provides a practical example by implementing DNSSEC in a local zone.

Find the third session's recording here

Find the third session's presentation here

Session 4: DNS Privacy Protocols – Encrypted DNS queries for privacy protection

While DNSSEC takes care of the integrity of DNS, query data itself remains visible, and inspection of DNS query data has been used by various actors on the internet for both good and bad purposes. "DNS over TLS" (DoT) and "DNS over HTTPS" (DoH) have been created as ways to mitigate the latter, while unfortunately also interfering with the former.

The module gives insights into the workings and configuration of DoT and DoH and explains the trade-offs that organisations' network administrators have to make between security and privacy, as well as showing how some of these can be dealt with.

Find the fourth session's recording here

Find the fourth session's presentation here

4. Distributed Denial of Service (DDoS) protection (4 sessions)

Session 1: Introduction to DDoS Attacks – An overview of motivation and modus operandi of attackers

DDoS attacks have been around for more than 20 years now, and over this time they have gained in power, now reaching several terabits of bandwidth, enough to knock out ISPs. While the actual DDoS attacks have changed very little, the orchestration of the attacks, the deployment of their components and the motives of attackers have evolved.
The course gives participants an overview of the attacks, the attackers, and their motivation and modus operandi.

Find the first session's recording here

Find the first session's presentation here

Session 2: Details of selected DDoS Attacks – How the attacks work from a technical perspective

While DDoS attacks have become more powerful and easier to start for attackers, the technical details of DDoS attacks have been remarkably consistent over the last 20 years.

This course provides participants with an in-depth view of the technical details of the most common DDoS mechanisms: amplification and reflection and the services being exploited for them. 

Find the second session's recording here

Find the second session's presentation here

Session 3: DDoS Detection – How to know if you are under attack or partake in an attack

DDoS detection may in theory sound simple: when you can't access your systems, you're under attack. However, this may also happen due to technical problems or misconfigurations. And what if we want to detect attacks before falling victim to them?
The course shows participants the various ways in which DDoS attacks are detected on the internet.

Find the third session's recording here

Find the third session's presentation here

Session 4: DDoS Mitigation – What can you do against them?

Mitigating a DDoS attack, especially a large-scale one, can seem like a daunting task, particularly when there is a determined attacker and several sites are affected. The course shows some simple but proven techniques to combat DDoS attacks as well as to avoid unintentionally partaking in one.

Find the fourth session's recording here

Find the fourth session's presentation here

Vulnerability Management

Find the complete playlist here

Submodule 1 (3 sessions)

Session 1: Vulnerability Management Process & Standards

The task of dealing with vulnerabilities in software, and sometimes even in hardware, has gone from an ad hoc, emergency activity to a continuous, planned task that has become one of the building blocks of reliable, secure systems and networks.

This webinar will give an overview of the existing standards and will cover some of the key elements, such as CVE and CVSS, in depth, as they will be referenced throughout the coming webinars on vulnerability management.

Find the first session's recording here

Find the first session's presentation here

Session 2: Vulnerability Information – How to gather and distribute security advisories to your constituency

Before one can address vulnerabilities, one needs to be aware of them: their existence, their consequences, and what to do about them. While CSIRTs and PSIRTs take care of the initial steps of researching and publishing information, the task of actually forwarding this information to the administrators responsible for vulnerable systems is something that every organisation has to deal with itself.

This webinar will show how this task can be dealt with and what information should be included in a security advisory. 

Find the second session's recording here

Find the second session's presentation here

Session 3: Patch Management – How to roll out and track security fixes to your systems

'Patching' is the name given to the process of replacing vulnerable software with a corrected version. However, the sheer number of patches that have to be applied constantly has led to the requirement to automate and track the application of patches.

This webinar will give an overview of the process of applying patches and what tools can be used to automate the task. 

Find the third session's recording here

Find the third session's presentation here

Submodule 2 (3 sessions)

Session 1: Looking into the network – how to scan local systems for vulnerabilities and misconfigurations

Today's systems are so complex that it's almost impossible to run a system without vulnerabilities and misconfigurations. And although there are plenty of benchmarks, baselines, and hardening guides available, it is difficult to apply them to the local environment.

This webinar will introduce some of the most useful frameworks and tools for local vulnerability scanning. 

Find the first session's recording here

Find the first session's presentation here

Session 2: Network Vulnerability Scanning – Looking from Afar

In order to stay ahead of the threats to a large infrastructure, it is crucial to maintain a clear picture of whether there are vulnerabilities in the components deployed and, if so, which ones. Scanning systems through the network is one way of gaining insight into this issue.

This webinar will provide an introduction to the concepts of network scanning, its benefits, and its drawbacks, as well as offer some practical examples. 

Find the second session's recording here

Find the second session's presentation here

Session 3: Penetration tests – how does your network stand up against real attacks?

No matter how much vulnerability scanning and evaluation of security processes is done, one question remains: is this really enough against real attacks? Short of experiencing an attack in real life, penetration tests try to answer this question by conducting attacks in a controlled manner.

This webinar will give managers and administrators an introduction to the standards and workflow of penetration tests to help in planning and supervising penetration tests carried out on their networks.

Find the third session's recording here

Find the third session's presentation here

Submodule 3 (3 sessions)

Session 1: Code Audits

Software without bugs or vulnerabilities doesn't exist. If your organization runs software development teams, they will likely have heard of things like secure software development lifecycles.

This webinar will introduce some basic concepts as well as tools that help developers find bugs before the software goes into production.

Find the first session's recording here

Find the first session's presentation here

Session 2: Vulnerability disclosure

So you have found vulnerabilities in other people's code. Or other people have found vulnerabilities in your code. Either way: how do you handle the situation? In the long run, trying to keep information about the vulnerability under wraps is unlikely to work.

In this module, we will cover some aspects and strategies of how to approach this issue. 

Find the second session's recording here

Find the second session's presentation here

Session 3: Breach and attack simulation – matching attacker behaviour with vulnerabilities

Breach and Attack Simulation (BAS) is a relatively new approach to vulnerability assessment that goes beyond simple scoring of vulnerabilities by also taking the modus operandi of adversaries into account.

This webinar will give an introduction into the topic and present some open source tools to do BAS. 

Find the third session's recording here

Find the third session's presentation here

IT Forensics for System Administrators

Find the complete playlist here

Session 1: Organisation

Dealing with the organisational aspects of incident handling and forensics may sound like dry paperwork far removed from the technical details of day-to-day sysadmin tasks.
However, organisational preparation can help tremendously in the course of an investigation, for example by answering simple practical questions like “who’s in charge?”, “what are we looking for?” or even “why are we doing this?”.
This module introduces the basic steps of incident handling and forensic investigations, and introduces attendees to the principles of forensic investigations that should be adhered to for an investigation to succeed.

Find the first session's recording here

Find the first session's presentation here

Session 2: From Suspicion to Detection I

So, you or someone in your organisation notices “unusual system behaviour” or “suspicious network traffic”, but you are not sure what to do about it.
The first step in incident response is usually to ascertain whether or not the observed activity really is an incident. While there is no formal process or definition for doing so, there are many places to look for possible indicators that may eventually add up to an incident.
Participants will learn what first steps to take after a compromise has been detected.

Find the second session's recording here

Find the second session's presentation here

Session 3: From Suspicion to Detection II

Find the third session's recording here

Find the third session's presentation (part 2, beginning at slide 38) here

Session 4: Memory Acquisition I

Whatever malware is doing on a computer, the code carrying out its activity has to be in random access memory (RAM). And not only that: lots of other interesting material is present there too, such as IP addresses of computers it has communicated with, data from attacks against other systems or even exfiltrated data. By reading information directly from memory, compromised operating system components can be bypassed. No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.
Before memory contents can be scrutinised, they have to be acquired from the computer.
This webinar covers the basic principles and techniques behind memory acquisition on the Linux, Windows and macOS operating systems.

Find the fourth session's recording here

Find the fourth session's presentation here 

Session 5: Memory Acquisition II

Whatever malware is doing on a computer, the code carrying out its activity has to be in random access memory (RAM). No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.
The previous webinar covered the basic, agnostic technique of acquiring memory through the use of kernel drivers and copying tools.
However, it required access to the operating system with root or administrator privileges.
This webinar covers advanced techniques that do without some of these preconditions and are in some cases better suited for the job of memory acquisition.

Find the fifth session's recording here 

Find the fifth session's presentation here 

Session 6: Persistent Storage Acquisition I

If any data on a computer is to outlast a power switch or a reboot, it has to be written to persistent storage. Even cloud storage is only persistent storage on another computer. Investigating the contents of hard disks, SSDs and removable media has been a standard operating procedure of IT forensics since the ’90s and remains so.

Before storage contents can be scrutinised, they have to be acquired from the suspect computer.
This webinar covers the basic principles and techniques behind persistent storage acquisition on the Linux, Windows and macOS operating systems.

Find the sixth session's recording here

Find the sixth session's presentation here

Session 7: Persistent Storage Acquisition II

If any data on a computer is to outlast a power switch or a reboot, it has to be written to persistent storage. Investigating the contents of hard disks, SSDs and removable media is a standard operating procedure of IT forensics.

The previous webinar covered the basic, agnostic technique of acquiring persistent storage with raw device access and standard copying tools. However, it required access to the operating system with root or administrator privileges.
This webinar covers advanced techniques that do away with some of these preconditions and might be better suited for the job in some situations.

Find the seventh session's recording here 

Find the seventh session's presentation here 

Session 8: Acquisition of Other Evidence

Are there more indicators of compromise than the contents of RAM and hard disks? Yes, of course. And it may be vital material that is either lost on the suspect systems due to adversary activity or wasn’t there to begin with. One example is crucial log messages that are now only present on a central loghost. Another example would be network traffic information from switches, firewalls or network IDS that may corroborate leads that would otherwise be vague or circumstantial.

This webinar introduces some of the more common forms of indicators not present on local systems and how or where to obtain them.

Find the eighth session's recording here

Find the eighth session's presentation here

 

IT Forensics for System Administrators - Second Part

IT forensics has become a vital part of handling security incidents, with system administrators often left alone with detecting incidents, initiating an investigation and aiding investigators in collecting the required evidence. Furthermore, many administrators are not trained in their role in a forensic investigation and have not received the necessary guidance before being thrown in at the deep end.

The first module showed system administrators the basic organisational steps of forensic incident handling and introduced methods and tools to collect the various forms of evidence data.

The upcoming second module will focus on the analysis part of the forensic process, using open-source tools to dissect obfuscated or encoded bits of information, search disk and memory images for indicators of compromise (IOCs), and create super-timelines.

 

Session 1: CyberChef

Date: Wednesday 27th of April, 11 am CEST
Speaker: Stefan Kelm

Since its first release in 2017, CyberChef, described as "The Cyber Swiss Army Knife", has quickly become one of the go-to tools for many IT security practitioners. CyberChef is a free, browser-based, open source tool that supports hundreds of different "cyber operations" such as encoding, encrypting, compressing, converting and analysing data. It is especially useful for malware analysts as well as forensic investigators. This webinar/live demo will demonstrate many of CyberChef's powerful capabilities as well as some of its less well known operations.

Find the first session's recording soon here

Find the first session's presentation here

Session 2: Memory Analysis Basics - First Steps

Date: Wednesday 04th of May, 11 am CEST
Speaker: Klaus Möller

Having obtained an image of the memory of a compromised system, what do you do with it? This part of the forensic process is called analysis, and this webinar will go through the first steps of analysing a memory image, looking into processes, network and temporary filesystems as well as some operating system specific artefacts such as the Windows registry or the Linux Bash history.

Find the second session's recording soon here

Find the second session's presentation here

Session 3: Advanced Memory Analysis - Dealing with Malicious Code

Date: Thursday 12th of May, 11 am CEST
Speaker: Klaus Möller

Malware that is otherwise compressed or encrypted on disk is usually unpacked and in cleartext in memory. Likewise, rootkits that conceal adversary activities can be found with relative ease in the memory image of a compromised system. This webinar will show some techniques to find malware that uses common methods such as DLL injection, malicious kernel modules or system call table manipulation. Concluding the module, ways to extract suspicious code segments for further analysis are also shown.

Find the third session's recording soon here

Find the third session's presentation here

Session 4: Persistent Storage Forensics I - Basics and First Steps

Date: Wednesday 25th of May, 11 am CEST
Speaker: Tobias Dussa

In this session, we will discuss the basic concepts of persistent storage forensics. Furthermore, some approaches with easy-to-use basic tools will be presented and demonstrated.

Find the fourth session's recording soon here

Find the fourth session's presentation soon here

Session 5: Persistent Storage Forensics II - Advanced Approaches

Date: Monday 30th of May, 11 am CEST
Speaker: Tobias Dussa

In this session, more advanced analysis methods and tools will be discussed. Furthermore, these methods and tools will be demonstrated in practice with select case samples.

Find the fifth session's recording soon here

Find the fifth session's presentation soon here