Workshop

Advanced Detection Engineering in the Enterprise

March 16th, 17th & 18th

3-day training by Henri Hambartsumyan & Theo Raedschelders
This training will be given in ENGLISH

Normal price: CHF 3000.-
Student price: CHF 2250.- (limited availability)

Workshop with certification (35 credit hours)

Great news! If you take part in this workshop, you also have access to both days of the conference.

Description

FalconForce developed a specialist workshop for security professionals who want to take their detection engineering capabilities to the next level: a detection engineering learning experience built around real-life, hands-on lab exercises.

The training covers a full, realistic attacker scenario in an enterprise environment: from the endpoint, through the Active Directory and into the cloud environment.

This training is led by experienced instructors who teach students to:

  • Understand how to research an attacker technique used in corporate environments.
  • Build resilient detections that are harder to evade by an attacker.
  • Validate their detections to make sure they keep functioning as intended.

The training focuses on Microsoft Sentinel and Defender XDR, but concepts can be applied to other stacks as well.

About the trainer

Henri Hambartsumyan

Henri is a technical security professional with 15 years of experience in cyber security. He started his career as an offensive security specialist, performing penetration tests. After pentesting, Henri moved to red teaming, performing complex offensive projects. In the last few years, Henri has pivoted more towards detection engineering, using his hands-on offensive skills to develop detections for EDR blind spots.

Theo Raedschelders

Theo is an offensive security specialist at FalconForce who enjoys developing malware and operating in heavily monitored environments. During the first decade of his professional career, Theo obtained a PhD in mathematics and continued his research at several universities across Europe, presenting his work at international conferences and workshops. In recent years, his interests shifted from mathematics to offensive security. Quickly hooked, he joined FalconForce to apply his skills in real-life offensive projects.

Course outline

Building resilient and automated detection capabilities requires a detailed understanding of attackers and their known or expected behavior. Detection engineers who think like an attacker, understand the techniques and procedures attackers use, and know which indicators those leave behind can build better detection capabilities.

This process is called Detection Engineering, and it is crucial to being truly effective at discovering attackers in your network.

Our training covers the entire detection engineering cycle. We guide participants in defining a scope, researching the relevant (sub-)techniques, investigating which logs can be utilized, building the detection analytic, and validating the resilience of the analytic against evasion. Maintenance, testing, improvement and documentation are all part of proper engineering: describing what to do when an alert triggers is as important as describing what you are trying to detect in the first place.

Interactive training
The training is highly interactive and strikes a good balance between theory and a lot of hands-on exercises, in which the students execute all attacks themselves in a dedicated lab environment.
These exercises are extensively documented in our lab guide, with the option to get hints and (partial) solutions where needed. This allows the students to get familiar with the detection engineering methodology and prepares them to start implementing this practice at their organizations.

In the training we mix theory, discussion and lots of hands-on exercises in our training lab. Students will receive:

  • Reference materials.
  • Training slides.
  • Step-by-step digital lab guide.
  • Access to their own lab environment.
  • All tools and scripts used in the training.

The following topics will be covered in the training:

Detection Engineering Methodology

  • Introduction
  • Detection Engineering principles
  • Testing, Maintenance and Improvement
  • Automation

Endpoint

  • Initial Access
  • Command and Control use and detection
  • Credential Dumping
  • Lateral Movement

Active Directory and server-side attacks

  • Kerberos attacks
  • Active Directory Certificate Services (ADCS)

Cloud Infrastructure

  • Microsoft Entra ID (f.k.a. Azure Active Directory) abuse and misconfigurations
  • Azure KeyVault and Storage Accounts
  • Azure Virtual Machine attacks

FalconForce has successfully delivered this training both at well-known security conferences, such as Black Hat US, and at private organizations in various sectors.

Course requirements

Workshop level

Intermediate

Who should attend

Our training is intended for mid- and senior-level detection engineers, threat hunters and red teamers.
The methodology will also enable anyone with a hands-on role in security to improve the security posture of their company.

Key takeaways

This training is led by experienced instructors who teach students to:

  • Understand how to research an attacker technique used in corporate environments.
  • Build resilient detections that are harder to evade by an attacker.
  • Validate their detections to make sure they keep functioning as intended.

Course requirements

Students should be familiar with Windows endpoints, Active Directory and Azure cloud. Furthermore, at least some experience with Azure Sentinel and its query language (Kusto) is required. Recommended study material to prepare will be supplied to the students several weeks in advance. To connect to our student lab environment, students must be able to make outbound Microsoft RDP (Remote Desktop Protocol) connections over the Internet to TCP port 3389.
