Threat Analyst – We learn Security!

Although being a Pentester, I am also into that topic, since I also got some Incident Response experience. So I took the course as a wrap up for myself, in a special offer the course costs about 10$ instead of about 100$.

The course is starting with a short introduction of the instructor, followed by an overview and explanation of APT. The course itself is structured in four sections with a small multiple choice quiz after each section. At the end you get a certificate of completion.

Section 1: Understanding APTs

This includes an overview like motivation for attacks, some examples, organization of APT, actors, techniques, characteristics and so on.

A longer example follows which takes some examples from the show “Mr. Robot”, and the blog article https://medium.com/@jym/a-survey-of-attack-life-cycle-models-8bd04557af72 . The article is worth a look, also if you do not want to take the course.

The next chapters go more in depth about “Cyber Kill Chain & APT Lifecycle”. The wording is a bit militarized here (of course), but the content is valid. All steps of the “Kill Chain” are explained upon the models introduced before, including more techniques and tactics. I missed some things here, for example it was said that attackers dump hashes and then crack them to gain further access. As a tool there was Mimikatz introduced, but no word that credentials could be received in clear text.

After that an overview about APT1 (one video) is given as well as an overview about Stuxnet (three videos). For APT1 I highly recommend to read the original report by Mandiant (https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), for Stuxnet the movie Zero Days (https://www.imdb.com/title/tt5446858/). This is followed by a chapter about cyberwar and finally by the quiz.

Section 2: Equation Group

The next section is dealing with the highly sophisticated Equation Group, which was created be the NSA (likely). After an overview it goes down to components and infection ways.

The components videos explain the skills and techniques the group used to gain access, persistence, exploitation, like for example persistence on hard disks and the different attack platforms and backdoors. When seeing what some actors are capable of, I always ask myself what they can do now? Offensive security is a broad research field and the most sophisticated and up to date techniques and exploits are of course never mentioned at conferences. Lets just imagine a google project zero but much bigger and of course working for a specific actor. I think you get my point.

Videos about DoubleFantasy, EquationDrug, GrayFish, Fanny and about the infection mechanism follow. Sometimes the instructor is talking about a lab, but there is no lab, so I guess there is another version of the course that includes a lab. One video follows called “Lab 2” (there was no “Lab 1”), the lab is an overview of the site https://apt.securelist.com/#!/threats/. The site itself is good (changed design since the course), but I don’t know why the video is called Lab.

To the end the multiple choice quiz is following.

Section 3: Advanced Dissecting Techniques

The first two videos are an overview, followed by three videos about “Binary Instrumentation” introducing Intel PIN. The first video is about 8 minutes explaining what you can do with PIN. The second video explains the pintool APIs, the third videso explains some functions more deeply with finally simple example code for using PIN. Without having some basic experience in reversing this is hard to follow.

The next four videos are about automated string decoding, where vivisect, flare-dbg and pykd is introduced. For all tools it is explained how they help building an automation process, then a short example follows. In the videos the instructor talks about a step by step demo video, but this is not included.

Four videos follow for introducing Immunity Debugger PyCommands. Immunity is still 32 bit only, but nevertheless it is still used a lot in reversing and exploitation. I also recommend to have a look at xdbg64 and of course windbg.

The videos about Windows Kernel Driver Analysis cover a basic explanation of the analysis, tools needed, basic explanation of how drivers work. Finally some windbg commands are shown for helping debugging drivers. Again unfortunately no lab is available although mentioned in the course. The end is the quiz.

I liked this section, since I’ve spent some time debugging and reversing in the past and seeing the videos make me think about some stuff I may try in the future if I have more time ;).

Section 4: Fighting APTs

This is the fourth and last section of the course. The first three videos are about “The Challenge”. The challenge is of course defending versus APTs and this gives an overview as before.

The next two videos cover Callback detection strategy. This is about detection of malicious traffic. The topics Application Crashing Monitoring, Behaviour-based Analyses and Machine Learning are also covered in short videos and at the end is the quiz again. A lot of talking about 0-days in this chapter, so before hunting 0-days I strongly suggest to do some basics first. 0-Days are not even used in APTs too often.

Conclusion

The instructor is not always good to understand (especially if you run the videos faster), so I used subtitles. Subtitles seem to be generated automated, so this is not 100% consistent, for example Stuxnet becomes “stook net” or Bluetooth is “brutal”, which is funny sometimes. Some things are a bit simplified, which is natural and necessary when you start explaining a complex topic.

The labs that are mentioned in the video do not exist as mentioned before, which is a pity. Further there are no slides to download. In one slide you can see that there seems to be a different version of the course. In that course seem also to be forums and chats, that would make sense. In the forum of this versions are 3 questions, with one answer to the time of this writing.

Plenty of topics are missing from my personal point of view: Digital forensics, log analysis, logging with sysmon, using splunk, ELK, base lining, Incident Response process, tactics in fighting advanced attackers just to name a few.

I give the course 3,5 stars out of 5 for the low price, for beginners in this area it is worth a look for a first overview, although some parts are more advanced, like the Advanced Dissecting Techniques chapters, which I personally enjoyed. Would have loved to see some hands-on though.

Link List (not only from the course, also from stuff I looked up while watching it):

https://www.udemy.com/cyber-security-advanced-persistent-threat-defender/

https://nmap.org/

https://support.microsoft.com/en-us/help/555636

https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon