Summit XII Training Classes

1) The Evolution of Privacy on a Global Basis

Role of the C-Suite in the Privacy Framework

Adriana Sanford (Training Session – September 21, 2022)

The practice of cybersecurity law continues to develop and mature as corporate counsel, external law firms, and corporate boards struggle to become familiar with the subject matter. Organizations must map personal and sensitive data that needs to be protected according to the various countries where they do business. They must also prioritize legal and compliance risks when multijurisdictional conflicts exist. We will compare the world’s privacy frameworks, how enforcement varies, and the impact on businesses, including the financial and criminal repercussions. In this session, you will also gain an overview of the history of privacy-related issues, including the encryption explosion, bulk data retention, electronic gag orders, and more!

The United States does not have a comprehensive national privacy law. One of the top concerns for executives and corporate boards is privacy and the handling of personal and sensitive data as standards differ from state to state (as well as country to country). California has the strongest privacy protections, but four additional states have also enacted their own standards. To reduce potential penalties, organizations must capture data properly and identify (1) which data subject can exercise their privacy rights, (2) what privacy rights these data subjects possess, and (3) how such data must be managed.

2) Using Deception to Implement an Enterprise Malware Strategy

Kevin Cardwell (2-day Training Session – September 20-21, 2022)

Architecture Review. The existing architecture is assessed to see if there are any places where slight changes can be made to help in the enterprise’s fight against malware. CESI has prior experience with similar size and scope architectures and there are areas that can be improved on when it comes to Malware Enterprise Planning. If there is no architecture in place, then the approach will be to build a segmented network and isolate traffic based on current best practice guidelines.

Configuration Review. In the configuration review, the filtering device rules are explored to verify they are not loose. All existing devices will be reviewed, and an assessment will be made on whether or not to use the current devices or start from scratch and avoid the potential corrupt hardware or software images within the existing device infrastructure. While on-site, comprehensive evaluation and Radio Frequency sweeping will be conducted to see if the devices are compromised in any detectable way. It is imperative to note that depending on the method and sophistication of the corruption there is a chance that the devices will not be usable and the enterprise architecture will be completely built from the ground up, this is the most secure way to do this.

Ingress Filtering. An important consideration when building an enterprise plan to defend against malware is controlling the inbound traffic. CESI will work with the site and establish best practices for ingress filtering. Specifically, the following will be discussed and explored:

  1. Sanity checking
  2. Bogon filtering and RFC 2827 – defeating denial of service attacks
  3. RFC 3704 and GEO IP blocking

With GEO IP blocking it might not be possible to block entire countries, but it is recommended to block access to anything other than the public website to entire countries. This will be explored in detail with the site and a solution will be recommended and discussed.

Egress Filtering. This is the most important step to stop the potential loss of data from the site. The steps are as follows:

  1. Block outbound initiated connection from servers
  2. Block any packet that does not have a source IP address of the site network
  3. Follow NIST 800-82 best practices
  4. Where possible tighten the filters such that site network-to-network communications are restricted to only the site enterprise network by service
  5. Blackhole routing review to improve the effectiveness of potential malware mitigations

Conclusion. At the conclusion of the training, you will know how to build an enterprise malware strategy along with the ability to create a first-level deception deployment.

3) Wireshark for Incident Response and Threat Hunting Workshop Setup

Michael Wylie (Training Session – September 21, 2022)

This workshop will take attendees’ Wireshark skills to the next level with a heavy emphasis on incident response, threat hunting, and identifying anomalous network traffic. This workshop will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools/concepts. Throughout the workshop, we’ll examine what different attacks and malware look like while using Wireshark. Attendees will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and TTPs utilizing staged packet capture files. Labs start out easy and quickly progress in difficulty. There will be plenty of take-home labs for additional practice.

Attendee and Computer Requirements: https://github.com/themikewylie/wireshark/blob/main/README.md

4) The CISO Challenge

Miguel (Mike) Villegas (Training Session – September 20, 2022)

One of the biggest challenges of the CISO is to become a CISO and remain a CISO. The life expectancy of a CISO at any particular company is five years. If you have lasted more than five, you are doing great! This full-day session will cover two major topics. One is Information SecurityCybersecurity fundamentals that a CISO should be familiar with in order to manage the Information Security Program for their institution. You might be an expert in any number of cybersecurity topics but your breadth of knowledge is critical just to keep up with technological advances and their respective cybersecurity constructs. The second covers the CISO challenge itself. The CISO is a technician, a politician, a manager, an evangelist, an investigator, a leader, a project manager, a bearer of good and bad (sometimes very bad) news, a peacekeeper, a great communicator, an executive, an SME, and so much more. He or she understands business, strategic goals, how to lead and motivate, IT risk, risk mitigation, commensurate controls, reasonable assurance, and can weather major incidents when (not if) they happen. It requires passion and love for the job. Having been a CISO, audited, supported, seen, and experienced CISO’s my professional life, this session will be both information and fun! See you then.

5) AttackIQ – MITRE ATT&CK and Foundations Class (Purple Teaming & Building Threat-Informed Emulation Plans)

Jaymin Patel and Keith Wilson (Training Session – September 21, 2022)

AM session: MITRE ATT&CK and Foundations Class on Purple Teaming

1) Foundations of Operationalizing MITRE ATT&CK – https://academy.attackiq.com/courses/foundations-of-operationalizing-mitre-attck

This training session introduces students to the basics of the MITRE ATT&CK Framework. Topics include the history and evolution of MITRE ATT&CK, why organizations are adopting it, and how an organization can use MITRE ATT&CK to make its security program more efficient and effective. The class will also cover the tools and resources available for supplementing MITRE ATT&CK testing, including ATT&CK Navigator and MITRE CAR. AttackIQ’s book, The Dummies Guide to MITRE ATT&CK, serves as a foundational book for the course. You can download the Dummies Guide to MITRE ATT&CK on the AttackIQ website at www.AttackIQ.com/dummies

2) Foundations of Purple Teaming – https://academy.attackiq.com/courses/foundations-of-purple-teaming

This training session introduces the state-of-the-art practice of purple teaming and its essential nature as the joint operation of red and blue teams. Students will learn the core concepts, workflows, activities, and artifacts underpinning purple team methodology and will finish the class able both to explain how its programmatic implementation is essential to a threat-informed defense strategy and to plan a foundational purple-team exercise in their own environment.

PM session: Building Threat-Informed Emulation Plans

Building Threat-Informed Emulation Plans is a learning experience designed to put you in the driver’s seat of a purple teaming planning exercise. This is a project-based course in which the concepts and labs build upon each other as you protect and defend our fictional company Sable Bluff Labs. During the class, you will learn about the following topics with labs to reinforce learning:

  1. Threat-Informed Defense: Introduction to the basic principles of a threat-informed defense.
  2. Mission Analysis: Analyze what the company does, what is important to keep the company running, and how those things could be exploited.
  3. Threat Profiling: Threat profiling builds upon mission analysis by understanding who would exploit your company’s vulnerabilities and how they would do it.
  4. Emulation Planning: Emulation planning takes the work done in threat profiling and mission analysis and combines it into an actionable plan to test your enterprise against likely attacks from likely attackers.
  5. Implementing Emulations in AttackIQ: Taking the plans created during emulation planning, you will learn how to implement emulations in a breach and attack simulation tool to better automate and report on emulation activities.
  6. MITRE D3FEND: Take the output of your emulations and determine which preventive or detective measures can be put in place to better mitigate weaknesses discovered during testing.

You will have full access to AttackIQ Academy instructors to answer all your questions on emulation planning, breach and attack simulation, MITRE ATT&CK, and more. This is a truly unique, interactive experience that we cannot wait to share with you.