EDX courses can be taken for free. Of course then you will miss the certificate, but the content is the same. Also you have a time limit for viewing the content, but in my experience it is more than enough.
Here is a short example: After logging in with your account (register if you do not have one), search for the course you want to attend.
EOP (not End Of Protection 😉 but Exchange Online Protection)
Office 365 Threat Intelligence
Auditing and alerts
Advanced Security Management (ASM)
Discovery and insights
Introduction to Secure Score
Overview of Office 365 Secure Score
security related measurements
Office 365 Secure Score API
API & powershell
downstream data for other tools and SIEM etc.
The Secure Score dashboard
The Secure Score analyzer tab
Increasing your security posture
I liked some of the points:
Enabling multi-factor authentication on all admin accounts
Designating more than one global admin
Enabling auditing across workloads
Enabling mailbox auditing
Having a weekly review of sign-ins after multiple failures
Having a weekly review of sign-ins from unknown sources
Having a weekly review of sign-ins from multiple geographies
Implementing and Managing Office 365 ATP
Introduction to Exchange Online Protection
The anti-malware pipeline in Office 365
Zero-hour auto purge
ZAP, detect spam or malware that was undetected by heuristics and delivery patterns
Phishing and spoofing protection
SPF, DKIM, DMARC
Give overview of spoofing attempts, allow spoofing for certain senders for certain addresses
Managing spoof intelligence
Overview of Office 365 Advanced Threat Protection
How ATP expands protection provided by EOP
sandbox/detonation chamber 😀
Safe attachment policy options
URL detonation -> mix of safe links and safe attachments
Safe links policy options
Managing Safe Attachments
Creating safe attachment policies in the Security and Compliance Center
Creating safe attachments policies using Windows PowerShell
Modifying an existing safe attachments policy in the Security and Compliance Center
Creating a transport rule to bypass safe attachments
Safe attachments end user experience
Managing Safe Links
Creating safe links policies by using the Security and Compliance Center
Creating safe links policies using Windows PowerShell
Modifying an existing safe links policy
Create a transport rule to bypass safe links
Safe links user experience in email
Safe links user experience in Office 2016
Monitoring and reports
Threat protection status report
ATP message disposition report
ATP file types report
Malware detections report
Top Malware report
Top Senders and Recipients report
Spoof Mail report
Spam Detections report
Sent and received email report
Security & Compliance Report Demonstration
Using Office 365 Threat Intelligence
Office 365 Threat Intelligence
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Microsoft Intelligent Security Graph
Source: Windows, Office 365, Cloud Services, 3rd party
reporting tool for C-level
Using the Threat Detection dashboard
Threat detections in your tenant
Security and malware trends
Threat Intelligence Demonstration
Using Threat Explorer
Viewing options in Threat explorer
Filtering capabilities in Threat Explorer
Drilling for details
Implementing auditing, insights, and alerts
Overview of auditing in the Security & Compliance Center
Auditing architecture in Office 365
Office 365 Management Activity API
Enabling mailbox auditing in Exchange Online
Mailbox actions logged by mailbox audit logging
Enabling mailbox auditing
Specifying owner actions to audit
Changing the age limit for entries in the mailbox audit log
Searching the audit log
Enabling auditing in your tenant
Searching the audit log
Viewing the search results
Filtering the search results
Exporting the search results to a file
Searching the audit log by using Windows PowerShell
Using a SIEM application to access your auditing data
Enabling sharing auditing for SharePoint and OneDrive
The SharePoint sharing schema
The SharePoint Sharing model and sharing events
How to identify resources shared with external users
Managing insights and alerts in the Security & Compliance Center
Introduction to insights and alerts
Types of insights that are available
Types of alerts that are generated
Alerts features in the Security & Compliance Center
Alert policy settings
Default alert policies
Advanced Security Management
Overview of Advanced Security Management
Anomaly detection policies
Login authentication failures
Device and user agent
Anomaly detection and activity alerts
Productivity app discovery
Implementing policies and alerts
Enabling and accessing Advanced Security Management
Creating anomaly detection policies
Creating activity policies
Reviewing and taking action on alerts
Investigating activities in the Activity log
Grouping IP addresses to simplify management
Implementing app discovery
Log file requirements
Supported vendors and their data attributes
Creating app discovery reports
Reviewing app discovery findings
Troubleshooting errors when log files are uploaded
Implementing app permissions
App permissions architecture
Managing app permissions
Approving or banning an app
Unfortunately I do not have access to an Office 365 environment for testing. So I was thankful that the course gives a broad insight into the possibilities of the security configurations of Office 365. Lots of the topics come with short examples (like phishing, spoofing etc.) and a short video clip.
From my side more insight on the security mechanisms and more detail on Threat Intelligence would have been great. The course goes into logging and how to find strange behaviour, malware and threat intelligence. It was really nice to see how much effort Microsoft put into securing their cloud products.
A lot of the questions in the module assessments are more about configuring the platform itself or how tabs are named; I felt a bit like in an MS exam a long time ago. Large parts of the content are text and not videos; most courses are a bit different here.
The course gave a good overview and insights for understanding Security in Office 365 for me, that’s what I was looking for.
Module 1 – Threat Intelligence Maturity Model is the intro, with an interesting analysis about maturity levels of organisations related to threat intelligence which I found pretty informative.
Module 2 – Campaigns and Open-Source Threat Intelligence comes with some information about OSINT and visualization, which is also covered a bit broader in the course that I took previously.
Module 3 – Sharing Operational Threat Intelligence is a bit more interesting, since here we start with “Sharing Operational Threat Intelligence”. This comes with some information about Crowdstrike & Alienvault, Yara, TLP, CybOX and STIX, TAXII. Finally some information about Tactical/Operational sharing, which was interesting, because the author seems to know that things like ROI etc. are also important when talking about security programs, the explanation of Analytic Confidence was also useful. The video about “Words of Estimative Probability” will almost certainly be useful in the future.
The tools are not explained in depth or compared to each other, which is a pity. I strongly suggest having a look at sigma ;).
Module 4 – Strategic Threat Intelligence Analysis is something that was missing from the courses I viewed before. The topics here are:
Cognitive Bias and Logical Errors
Competing Hypothesis Analysis
Human Elements of Attribution
Strategic Review and Creating an Active Defense
For me the course was interesting and informative, especially Module 3 & Module 4 brought a new perspective to me. Some of the examples could be shown with more length. Further I got some more tools that I might try in future. I give the course 4/5 points.
As a second course (see previous blog post for the first course) I bought “Certified Cyber Threat Intelligence Analyst” which has the same instructor as “Certified Advanced Persistent Threat Analyst”.
Section 1: Phases Overview
The first three videos give an overview of the agenda (hunting, features & behavior extraction, attribution, tracking and take down).
The following two videos about hunting explain the goal of hunting, including information gathering from different sources, such as VirusTotal, underground forums, deep web and so on.
Features & Behavior Extraction covers what to extract from malware for further insight in five videos, like metadata, language, exif, strings, IPs etc.
The videos following are about Clustering and Correlation, Threat Actor Attribution, Tracking and Taking Down, followed by the quiz. Without going too deep, the videos cover sandboxing, dynamic and static malware analysis, malicious events, passive DNS, Graph DB, C2 infrastructure, TTP (yay!), OSINT and more.
The next sections go through each phase with more depth.
The two Deep Web parts are also pretty basic, nothing new if you are in cyber for some time. Also, I do not like it when “Deep/Dark Web” is only referred to in the context of shady or criminal activities. The next video is about Honeypot & OSINT; especially honeypots are big fun and you should set one up.
The two lab videos are much longer than the other ones (<30min), and seem to be taken from a different course. The first is about VirusTotal Intelligence which gives a nice introduction to hunts, retrohunting, clustering and other functions of the platform. The second lab video is about yara. It is being said that you can get access to VT from the trainers, but I got no answer to my request, which is kind of disappointing.
Section 3: Features Extraction
The first two videos are a short introduction to the topic “Features Extraction Goal”, which is more like an introduction to static malware analysis.
The next two videos cover “Import Table Hash (imphash)”. I always have a bad feeling when people talk about MD5 in this area, since collisions are possible with MD5. Further, some of the statements are a bit dangerous, for example “Cannot revert the hash to get original content” only applies for content with a certain size that is not available in any form. When you have a hash and find a matching file, for example in an antivirus database like VirusTotal, you totally can get the original content. Just imagine a scenario where an analyst from company A is giving a bunch of MD5s to an external company B. If an employee of company A ever uploaded internal documents to VT, company B can now assign the MD5 to the uploaded document. This is why you do not share all your indicators, folks.
The instructor even says that hashes are “security protection features”. Pentesters love finding MD5 hashes of passwords, nothing cracks better ;).
So depending on the use case please consider using stronger hash algorithms, also in malware analysis. Imphash might be OK at this place though, since it only refers to the import table and not to the whole binary.
“Just because two binaries have the same imphash value does not mean they belong to the same threat group, or even that they are part of the same malware family”. In the course it is being said that similar imphashes mean that the malware has more or less the same source code, which is unfortunate and misleading.
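An added example (not from the course or the original post) of why an imphash match is weak evidence: a simplified re-implementation of the imphash normalization over constructed import lists. It assumes named imports only (no ordinal lookup, no PE parsing); the sample names and byte strings are constructed.

```python
import hashlib

STRIP_EXT = ("dll", "ocx", "sys")  # extensions dropped from library names

def imphash(imports):
    """MD5 over the ordered, normalized 'lib.func' list of an import table.

    `imports` is a list of (library, function) pairs in table order.
    Simplification: named imports only, no ordinal lookup.
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in STRIP_EXT:
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def file_hash(sample):
    """SHA-256 over the whole (constructed) sample, imports and code together."""
    blob = repr(sample["imports"]).encode() + sample["code"]
    return hashlib.sha256(blob).hexdigest()

# Constructed samples: same import table, unrelated code bodies.
DOWNLOADER_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("WININET.dll", "InternetOpenUrlW"),
]
sample_a = {"imports": DOWNLOADER_IMPORTS, "code": b"\x90" * 64}
sample_b = {"imports": DOWNLOADER_IMPORTS, "code": b"\xcc" * 64}
# Same functions as sample_a, but emitted in another order.
sample_c = {"imports": list(reversed(DOWNLOADER_IMPORTS)), "code": b"\x90" * 64}

def compare(x, y):
    """Return (imphash matches, whole-file hash matches) for two samples."""
    return (imphash(x["imports"]) == imphash(y["imports"]),
            file_hash(x) == file_hash(y))

if __name__ == "__main__":
    print("a vs b:", compare(sample_a, sample_b))  # different code, same imports
    print("a vs c:", compare(sample_a, sample_c))  # same code, reordered imports
```

The hash covers only the ordered import names, so unrelated code bodies collide on it while a mere reordering of the same imports breaks the match.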
The following video is about “Fuzz Hash (ssdeep)”, refer to the link list for further explanation.
The first lab video is “Extracting VBA Macros with Didier Stevens Tools”. If you ever have the chance of catching Didier Stevens and one of his workshops at a conference, go there; from all I heard it is awesome and I look forward to it. First the video goes into more features of VirusTotal, then moves on to emldump and oledump. The second lab video is about C2 IP Pivoting, which refers to finding IPs in VBA macros in this case.
The section ends of course with a quiz.
Section 4: Behavior Extraction
Eight short videos about dynamic analysis including “Dynamic Indicators”, “Process Infector and Keylogger”, “Passive DNS” and the quiz. I won’t go deep into it here, since the titles are pretty self-explanatory and mainly cuckoo output is used here. Play for yourself with that ;).
Section 5: Clustering & Correlation
The first four videos are about “How Clustering & Correlation Works”. Here some of the classifiers are explained with examples and what they are for. Two videos about GraphDB follow, and a longer lab video & of course the quiz. Interesting that the tutor is not referring to the product, but to a category (neo4j, maltego) when talking about GraphDB, which was a bit confusing at first.
The lab video looked good and interesting, hope I will have some time in the future to play with the VT features. The video contains an intro to viper (awesome tool) and how to use viper for correlation.
Section 6: Attribution
The topics in this section are “Where are they located?”, “Who are the targets”, “Initial Compromise”, “Privilege Escalation”, “Persistance”, “Lateral Movement”, “Exfiltration Strategy”, “Profiling the Attacker” and the final quiz. Some parts are pretty similar to the APT course.
For the discussion about attribution, in my thinking it is an approach for getting useful information for fighting an attacker. If it works, great. On a higher level things might be a bit different and give much opportunity for open discussions ;).
Section 7: Tracking
In the tracking section the videos are about “Passive DNS & Internet Port Scan”, “Lookups, OSINT and Hacking Forums” as well as the quiz. The section is pretty short and goes only a bit more in depth than section 1.
Section 8: Taking Down
This covers “Sinkhole”, “How it works?”, “Hacking Forums”, “Victim Notification” & the quiz; the section is also short, like the two sections before. Of course this is simplified, be careful, a lot can go wrong here.
As in the APT course, the course is OK for beginners, but please keep in mind that some content is not high quality and not complete, which is hard. Therefore I give this course three stars out of five.
I can also recommend “Malicious Software and its Underground Economy: Two Sides to Every Story” (https://www.coursera.org/learn/malsoftware), if still possible, which I took some time ago, the author of this course actually took down a C2 infrastructure and it is pretty interesting.
Links, as in the previous article I added some links that are not originally from the course: