
Attack Monitoring Using Elastic Stack

Himanshu Kumar Das & Prajal Kulkarni


Trainer Name: Himanshu Kumar Das & Prajal Kulkarni
Title: Attack Monitoring Using Elastic Stack
Duration: 2 Days
Dates: 28th Feb - 1st March 2018

Training Overview

The 2-day training course covers defense in depth against network- and application-layer attacks using the Elastic Stack. During the 2-day programme, we conduct hands-on exercises on simulating, correlating, analyzing and mitigating multiple attacks from Layer 4 to Layer 7. We also cover case studies on day-to-day security requirements on cloud as well as enterprise networks. The course ends with a CTF exercise in which participants visualize security facts using the Elastic Stack.

Detailed Course Abstract

With the growing trend of big data, companies tend to rely on high-cost SIEM solutions. Continuous security monitoring and alerting for medium and large enterprises is a major challenge today. Logs from thousands of endpoints, servers and perimeter devices are difficult to aggregate, analyze and correlate in real time in a way that enables better security incident response and event handling. Organizations usually end up with massive data breaches due to a lack of visibility into network activity across their infrastructure.

Our course shows you how to take control of enterprise-wide logs and analyze them in real time using the Elasticsearch and Logstash frameworks. During the course you will learn to scale the Elastic Stack and build powerful visualizations and data models using Kibana. This makes analysis of data and decision making simple.

This training is meant for security enthusiasts, DevOps engineers, and startups trying to build an in-house solution. It is a great way to learn to set up one's own affordable security analytics platform.

Course outline

Day 1

Elastic 5

  • Overview & Architecture of Elastic Stack
  • Installing and Setting up Elastic search
  • Capacity Planning of Elastic Stack
  • Overview of Elastic Search API's
  • Dumping data into Elastic Search
  • Extending Elastic capabilities using X-Pack

Logstash 5

  • Introduction to Logstash 5
  • Installing and Setting up Logstash
  • Exercise - Various use cases (webservers,syslog,etc.)
  • Introduction to GROK filters
  • Pattern matching using GROK filters
  • Exercise - Normalizing Logs using GROK Filters (firewall, webserver, syslog etc.)

Elastic Stack on Cloud & Enterprise Network

  • Introduction to Data shippers
  • Shipping & Correlating logs from heterogeneous sources
  • Exercise - Collect and correlate logs (filebeat, packetbeat)

Scaling Elastic Stack for High Availability

  • Architectural overview of Scaling Elastic Stack using HAproxy & Redis

Interpolation of Security Events into Elastic Stack

  • Exercise - Correlating Layer 4 and Layer 7 attacks (SYN Flood, HTTP Verb Flood)

Day 2

Kibana 5

  • Overview of Kibana Dashboard
  • Setting up Visualizations in Kibana
  • Setting up multiple dashboards in Kibana
  • Exercise - Kibana Visualizations(Area, Pie, Line etc.)

Alerting Attacks

  • History on alerting - Evolving from script to automation
  • Overview Of ElastAlerts
  • Exercise - Writing Elastalert rules

Case Studies on Elastic Stack

  • NMAP with Elastic Stack
  • Burp with Elastic Stack
  • Threat Intel with Elastic Stack

Approaching Internal Security on Cloud & Enterprise Network

  • Overview and architecture of osquery
  • Understanding tables & packs in osquery
  • Integration of osquery with Elastic Stack

Capture The Flag on Elastic Stack

What To Expect

Over the 2-day workshop you will gain detailed knowledge of how the Elastic Stack can be leveraged as a one-stop solution for external as well as internal security, on cloud as well as enterprise networks. We will have various classroom exercises to engage participants on real-world security use cases as well as on scaling the entire Elastic Stack for large networks. The workshop ends with a mega challenge on a pre-populated data set to give hands-on experience of a production-grade Elastic Stack.

What Not To Expect

  • Elasticsearch programming
  • Writing Plugins for Logstash
  • Any exercise / demo on a physical network device

Pre-requisite of Training

  • A laptop with administrator privileges
  • 30 GB of free Hard Disk Space
  • Ideally 8 GB of RAM but minimum 4 GB
  • Laptop should have a working wireless and wired / Ethernet connection
  • Latest Oracle Virtualbox (preferred) or VMWare Workstation or VMWare Fusion installed
  • Other virtualization software might work but we will not be able to provide support for that

Note: We do not support Windows XP.

What you will get

  • Tools and software provided for the training
  • Completely documented script and programs
  • A simple to follow step by step walkthrough of the entire training in a PDF file
  • Virtual machines with code used during the training so that you can even practice after the training is over

Speaker Biography

Himanshu Kumar Das

Himanshu Kumar Das is a security engineer with expertise in infrastructure and payments security. He is passionate about system security and fuzzing. He participates in CTFs with team SegFault. He won Nullcon JailBreak 2012 and has been an architect for the HackIM CTF since 2012. While away from security, he spends his time playing console games (FPS) and enjoys cooking.

Prajal Kulkarni

Prajal Kulkarni is a security researcher currently working with Flipkart. He has been an active member of the Null Security Community for the past 3 years. His areas of interest include web, mobile and system security. He writes a security blog at www.prajalkulkarni.com and is also the lead contributor at project Code Vigilant (https://codevigilant.com/). Code Vigilant has disclosed over 200 vulnerabilities in various WordPress plugins and themes. In the past he has disclosed several vulnerabilities in core components of GLPI, BugGenie, Owncloud etc. He has also reported many security vulnerabilities to companies such as Adobe, Twitter, Facebook, Google and Mozilla. He has spoken at multiple security conferences and delivered trainings at NullCon 2015, NullCon 2016, Confidence 2014, Gracehopper 2014 etc.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved