Security + Cloud + Machine Learning For Security Engineers

We can’t talk about security without mentioning cloud and machine learning any more. The current challenge the security industry faces is coming from the fact that there are too much of data to process to find anomalies in the systems and networks. Using human analysts to defend your network against hackers are not a viable option anymore. First, there are not enough human talents out there. Second, by nature, human analysts are not efficient in ROI perspective. Machine learning is not a good-to-have tool for security operation, it is a must-have.

This training course will give you a good idea about how the typical machine learning model building process looks like. Good model comes from good data and good data come from good sensors. We will focus on the sensors in the beginning and move on to the heuristic detections over the collected telemetry. Finally, we will discuss usual method to build solid machine learning model upon collected data. This course will provide POC level starting point for your corporate’s machine learning project or can give inspirations on how you can apply the methodology to your problem domain.

Time table

The following is the overall schedule over 5 day training course.

Day 1 - APT/Threat Intelligence/MITRE ATT&CK Matrix/Threat Analysis

  • Objectives:
    • Understand current APT landscape, Threat Intelligence
    • Understand threat modelling approach with MITRE ATT&CK Matrix
    • Investigate real world malware/APT attacks and investigate and match them with MITRE ATT&CK Matrix for deeper understanding
Start End Name Description
10:00 10:30 Introduction Introduction, overview of the courses and Exercise preparations
10:30 12:00 Threat Analysis/Threat Intelligence/Threat Modelling Understanding on the current threat landscape/APT vs Commodity Malware/PE vs Non-PE/Living-off-the-land Attacks/MITRE ATT&CK Matrix
12:00 13:30 Lunch Group Lunch
13:30 17:00 Exercise Living Off The Land Attack vs Detection Modeling

Day 2 - Sensors - Windows Events/Telemetry Collection/Event Hunting

  • Objectives:
    • Understand methods for collecting Windows Events
    • Hunt useful Windows Events
    • Learn using basic Windows Events tools (focusing on PowerShell cmdlets)
Start End Name Description
10:00 10:50 Windows Events Windows Events - concepts and tools
11:00 11:50 Advanced Windows Events PowerShell/WMI/Sysmon/AMSI
12:00 13:30 Lunch Group Lunch
13:30 17:00 Exercise Events Investigations: setup sysmon/winlogbeat, investigate malware activities based upon Windows Events, understanding sysmon/PowerShell/WMI/kernel events

Day 3 - Cloud + Threat Hunting

  • Objectives:
    • Understand cloud storage/distributed computing technology
    • Setup ElasticSearch+Kibana environment
    • Acquire and store telemetry data from Windows Events
    • Perform threat hunting upon the collected telemetry data sets - understanding methodology and limitations
Start End Name Description
10:00 11:50 Cloud Introduction to various cloud storage and distributed processing platforms (Hadoop/Spark/Azure Data Lake/ElasticSearch/Kibana)
12:00 13:30 Lunch Group Lunch
13:30 17:00 Exercise Telemetry collections and threat hunting using ElasticSearch & Kibana - Setup ElasticSearch/Kibana environment/Import snapshot data/hunt threats

Day 4 - Heuristics + Data Science

  • Objectives:
    • Understand heuristics approach for malware/APT detections and limitations
    • Learn data-scientific approach to real world problems
Start End Name Description
10:00 11:50 Exercise Timeline reconstruction (Python+Jupyter Notebook)
12:00 13:30 Lunch Group Lunch
13:30 17:00 Exercise Introduction to Machine Learning methods/concepts/exercise (Python+Jupyter Notebook)

Day 5 - Data Science

  • Objectives:
    • Apply various data science methodologies to security problems (focusing on the machine telemetry)
    • Understand importance of data clean-up
    • Understand process of feature set selections and extraction methods
Start End Name Description
10:00 11:50 Exercise Building Machine Learning Models (Python+Jupyter Notebook)
12:00 13:30 Lunch Group Lunch
13:30 17:00 Exercise Building Machine Learning Models (Python+Jupyter Notebook)


John Park


Past Trainings

  • Private trainings are not listed here

July 2019

  • When: Jul/29/2019 (Mon) ~ Aug/2/2019 (Fri)
  • Where: Seoul, South Korea