Getting Started in Security with BHIS and MITRE ATT&CK

This summer, I had the immense pleasure of taking “Getting Started in Security with BHIS and MITRE ATT&CK,” presented by John Strand and Black Hills Information Security. Sixteen hours of non-stop useful content — four intense afternoons!

My full notes are on GitLab here: Getting Started In Security BHIS

To give you a sense of everything John took us through, I’ve got the course outline below.

16 hours well spent!

Class Outline

  • A very short section on the Critical Controls
  • MITRE and the Controls
  • What are the Atomic Controls
    • (Hint, they are controls that will stop BHIS testers)
  • Application Allow-Listing the less dumb way
    • MITRE Impact ~ Why denylists fail ~ AV bypass ~ Applocker ~ LAB: Metasploit and Applocker
  • Password Controls
    • MITRE Impact ~ Password spraying attacks ~ Cracking passwords ~ 2FA ~ 2FA Bypass ~ Service Accounts and Kerberoasting ~ Password Managers ~ Privileged Identity Management ~ LAB: Password Cracking ~ LAB: Password Spraying
  • Egress Traffic Analysis
    • MITRE Impact ~ Zeek ~ Netflow ~ RITA ~ Egress capture approaches ~ Long Tail analysis ~ Security Onion ~ LAB: RITA
  • User Entity Behavior Analytics which requires Logging
    • MITRE Impact ~ Logs are a trainwreck ~ Lateral movement detection ~ False Positives ~ How UEBA works ~ LogonTracer ~ DeepBlueCLI ~ Why Logging is not working… ~ Sysmon ~ LAB: DeepBlueCLI ~ LAB: Sysmon
  • Advanced Endpoint Analysis
    • MITRE Impact ~ Overlapping fields of visibility ~ Bluespawn ~ Threat Emulation ~ LAB: Bluespawn and Atomic Red Team
  • Host Firewalls
    • MITRE Impact ~ Segmentation ~ How Lateral Movement works ~ Architecture ~ Endpoint Protection Firewalls ~ LAB: Nmap ~ LAB: Responder
  • Internet Allow-listing
    • MITRE Impact ~ Why Internet Denylists fail ~ DomainGain ~ Filtering strategies ~ Blocking Uncategorized domains ~ OpenDNS ~ DNS over HTTPS ~ Possible LAB: Domain Gain
  • Vulnerability Management
    • MITRE Impact ~ Prioritization ~ Low and Informational Blindspots ~ Sorting by Plugin ~ Security in your SDLC ~ Burp ~ ZAP ~ LAB: ZAP!
  • Active Directory Hardening
    • MITRE Impact ~ Bloodhound ~ PlumbHound ~ Mimikatz ~ Pingcastle ~ AD Honeyaccounts
  • Conclusions