• Goa'19
  • Training
  • Building An Attack Monitoring Solution & Hardening Infrastructure Services

Building An Attack Monitoring Solution & Hardening Infrastructure Services

Himanshu Kumar Das & Prajal Kulkarni

Register Now
Himanshu Kumar Prajal Kulkarni

Trainer Name: Himanshu Kumar Das & Prajal Kulkarni
Title: Building An Attack Monitoring Solution & Hardening Infrastructure Services
Duration: 2 Days
Dates: 27th - 28th Feb 2019


The 2-days training course outlines defense in depth on Network, Application & System Layer of the OSI model. During the 2-day training programme, we would conduct hands-on exercises on simulating, correlating, analyzing and mitigating multiple attacks ranging from Layer 4 to Layer 7, and also on how to defend against these attacks by hardening your internet facing services.

Each topic in our session would outline day-day security requirements not only for a small startup but also for well-established enterprise.

Detailed Course Abstract

With the growing trend of Big data, companies tend to rely on high-cost SIEM solutions. Continuous security monitoring/alerting for medium and big organization is a huge challenge in hand today. Logs from thousands of endpoints, servers, and perimeter devices are difficult to aggregate, analyze and correlate in real time that can enable better security incident response & event handling. Organizations usually end up with massive data breaches due to lack of visibility in their network activities across the infrastructure. Our course would expose you to take control of enterprise-wide logs, analyze them in real time using the ELK frameworks. During our course, you would learn to scale the Elastic Stack and generate powerful visualization & data modeling using kibana making analysis of data and decision making simple.

This training will also cover simulating real-world attack scenarios, alerts customization necessary to respond to real-world attack anomalies. With growing cloud-based offerings it becomes crucial to understand systems for detecting and responding to attacks. With tools like osquery you would learn how a scalable solution for system-level anomaly detection can be built. We would also cover tools and techniques for strengthening and hardening production systems by using inbuilt tools and well-known techniques adhering to industry standards.

This training is meant for security enthusiast, DevOps, and startups trying to build an in-house solution. This will be a great learning to set-up one's own an affordable Security Analytics Platform.

Course Outline


Guide to local lab setup

  • Overview of local lab setup
  • Starting the Lab VM

Prologue on Elastic Stack

  • Elasticsearch
    • Terminologies in Elasticsearch
    • Indexing in Elasticsearch
    • Elasticsearch Plugins (Overview & hands-on)
    • Exercise - (Elasticsearch API's)
  • Grok Filters
    • Introduction to Grok filters
    • Pattern matching using Grok filters
    • Exercise - Normalizing Logs using Grok Filters (firewall, web server, Syslog, custom logs, etc.)
  • Kibana
    • Overview of Kibana
    • Elasticsearch & Kibana Integration.
  • Beats
    • Overview of Beats Libraries
    • Streaming & Centralizing Events and Logs using Beats Library
    • Exercise - Collect and correlate logs (Filebeat)
  • Elastic Stack as Security Analytics Platform
    • Best practices - security standpoint
    • Scaling Elastic stack in production
  • Interpolation of Security Events into Elastic Stack
    • Implementing & Scaling RASP (Runtime Application Security Protection) - ModSecurity
    • Exercise - ELK integration with ModSecurity.
    • Case Studies on Layer 4 & Layer 7 attacks


  • Deep Dive into Kibana Visualizations
    • Extended Overview of Kibana.
    • Exercise - Security Analytics Visualization & Dashboard Management
  • Alerting Anomalies
    • The significance of alerting.
    • Evolution of Alerting(From script to feedback based actionable alerts).
    • Anomaly alerting using Elastalert.
    • Exercise - Elastalert(Frequency).
  • Epilogue - Elastic Stack
    • X-Pack for Security

Approaching Internal Security Threats

  • Osquery
    • Overview(terminologies & handons: modes,queries,packs)
    • osquery for anomaly detection
    • Exercise - File Integrity Monitoring.
    • Kolide - osquery in production (Exercise - setup kolide)
  • System Security
    • Overview & getting started guide. (DAC v/s MAC)
    • Selinux v/s apparmor
    • Apparmor case study.
    • Securing network stack(iptables, fail2bank, kernel sysctl tune)
    • Securing userspace using seccomp
    • Overview on Grsec and PAX.

What To Expect

Over the duration of the 2-days workshop, you would get a detailed knowledge on how to build a no-cost attack monitoring and system hardening solution for external as well as internal security both on the cloud as well as an enterprise network. We will have various classroom exercise to engage participants on real-world security use-cases as well as scaling the entire Elastic Stack for large-scale networks. Labs will include all necessary tools and configs necessary to run a fully functional stack for attack monitoring.
The workshop would have a mega challenge at the end of the course on a pre-populated data to get a hands-on experience on production grade Elastic Stack.

What Not To Expect:

  • Elasticsearch programming
  • Writing Plugins for Logstash
  • Any exercise/demo on a physical network device.

Pre-requisite of Training

  • A laptop with administrator privileges.
  • 30 GB of free Hard Disk Space.
  • 8 GB of RAM on host laptop.
  • Laptop should have a working wireless and wired/Ethernet connection.
  • Latest Oracle Virtualbox(preferred) or VMWare Workstation or VMWare Fusion installed
  • Other virtualization software might work but we will not be able to provide support for that.

Note: We do not support Windows XP

What you will get

  • Tools and software provided for the training.
  • Completely documented script and programs
  • A simple to follow step by step walkthrough of the entire training in a PDF file
  • Virtual machines with the code used during the training so that you can even practice after the training is over.

Trainer Profile

Himanshu Kumar Das

Himanshu Kumar Das is a security architect with expertise on Infrastructure and Payments security. Himanshu has spent most of his career in building in-house infrastructure security platforms and products. He is also passionate about system security and fuzzing. He participates in CTF with team SegFault, has won Nullcon JailBreak 2012 and had been architect for HackIM CTF since 2012. While away from computer, he spends his time playing console and enjoys cooking.

Prajal Kulkarni

Prajal Kulkarni, is a Security Researcher currently working with Flipkart. He is an active member of Null Security Community for the past 3 Years. His area of interest includes Web, mobile and system security. He writes a security blog at www.prajalkulkarni.com and he is also the lead contributor at project Code Vigilant (https://codevigilant.com/). Code-Vigilant has disclosed over 200+ vulnerabilities in various WordPress plugins and themes. In the past, he has disclosed several vulnerabilities in the core components of GLPI, BugGenie, Owncloud etc. He has also reported many security vulnerabilities to companies like Adobe, Twitter, Facebook, Google, Mozilla. He has spoken at multiple security conferences and provided trainings at NullCon2015, NullCon2016,NullCon2018, Confidence 2014, Gracehopper 2014 etc.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved