Building Blocks: The Security Analyst's Toolbox

BSidesDC 2016

Presented by: Kerry Hazelton
Date: Saturday October 22, 2016
Time: 09:00 - 18:00
Location: Meeting Room 15
Track: Training 3

This class is designed for the following groups/individuals:

Information Technology Professionals (Sys Admins, Network Engineers, etc.) looking for additional security training
Security Professionals wanting to learn more about defense ("Blue Team")
New Security Analysts just starting out in their role
Anyone looking to step up their security game at home

The class will be divided into two main sections. In the first section, class participants will learn about and discuss some of the concepts, methods, and tools used in a traditional SOC (Security Operations Center) environment, including, but not limited to: Snort, Suricata, ArcSight, Nagios, and Wireshark, before participating in hands-on exercises in network flow monitoring and PCAP (packet capture) analysis using Wireshark. Currently, there is a planned contest in which participants will group into teams and attempt to correctly identify as many types of attacks as possible in a given PCAP acquired from a recent cyber challenge. The winning team will be asked to present their analysis of the PCAP to the rest of the class and explain their dissection and identification methods.

In the second section, class participants will learn about and discuss some of the concepts and techniques used in incident response and digital forensics, including, but not limited to: memory analysis, registry analysis, browser history analysis, malware analysis, and event log analysis. Tool discussion will include Volatility (open source memory forensics framework), FRED (Forensic Registry Editor), EnCase, and TSK/Autopsy, before participating in hands-on exercises using TSK/Autopsy to examine a "compromised" hard drive. There is also a planned challenge in which participants will group into teams and use forensics tools to analyze a "compromised" virtual server and correctly identify the different types of exploits used against it. The winning team will be asked to present their analysis to the rest of the class.

Following these two main sections, there will be a brief wrap-up session where participants will be encouraged to discuss what they have learned, and will be able to ask questions.

Kerry Hazelton

Kerry Hazelton has been actively involved in the IT industry since 1998, and has a wide range of experience with systems and network support, data center operations, and information security. He considers himself a "cybersecurity enthusiast" because of his desire and motivation to read up on the latest trends within the industry, to learn about a new exploit or tool, and his willingness to teach and share his experiences over the years with others. In his spare time, if he is not spending time with his wife of fourteen years, he is likely either putting puzzles together with his son, teaching his son how to play classic NES and SNES games on RetroPie, or teaching his son the art of hacking.
